This document (hereinafter referred to as the "Policy") contains information concerning the processing by Digital Dragon with its registered office in Krakow (hereinafter referred to as the "Administrator") of personal data of persons using the Online Shop available at: www.questingo.com (hereinafter referred to as the "Internet Shop and Mobile Application"). The Policy is made available in order to provide the persons whose personal data are processed by the Administrator with the widest possible information about the scope of the processed data, ways and principles of data processing and about their rights. The basic legal regulation on the protection of personal data is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/WE (hereinafter 'RODO').
I. GLOSSARY OF TERMS
1) Browser - an IT program used to display websites (e.g. Chrome, Firefox, Safari);
2) Cookies - text files placed by the server on the device on which the browser operates. Cookies are IT data, in particular text files that are stored in the User's terminal equipment (e.g. computer memory) and are designed to use the Online Shop and the Application;
3) Third country - country outside the European Economic Area;
4) Personal data - any information about an identified or identifiable natural person, in particular on the basis of an identifier such as name and surname, identification number, location data, internet identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual;
5) Profiling - any form of automated processing of personal data which consists in the use of personal data for the assessment of certain personal factors of an individual, in particular for the analysis or forecasting of aspects relating to the individual's performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movement;
6) Services - services provided by the Administrator via the Online Shop and the Application to the Users;
7) Processing - any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, limiting, erasure or destruction;
8) Mobile application - an application available free of charge in Play and Apple stores, made available to customers of the online store, in order to complete the purchased trip. The Aribo application is an external tool provided by Aribo Sp. z o.o. for the purposes of the Questingo Online Shop on the basis of commercial contracts.
II. SCOPE OF USING
This Policy applies to the processing of Personal Data in connection with the use of the Online Shop and Mobile Application and the Services provided by the Administrator, available to Users via the Online Shop and Mobile Application, described in detail below.
III. LEGAL BASIS, PURPOSES, PRINCIPLES AND TIME OF DATA PROCESSING IN THE SERVICE
1. Users may send the Administrator Personal Data when using the Online Shop and the Mobile Application, filling out forms (allowing, among other things, Registration and setting up an Account), as well as by means of any exchange of information with the Administrator by telephone, e-mail, ordering Services, reporting on participation in the campaign or in any other way, as well as when reporting problems concerning the Online Shop and the Mobile Application.
2. Personal data is processed by the Administrator for the purpose:
1) exercising the rights and obligations resulting from the agreement concluded between the User and the Administrator or making the necessary settlements in connection with its conclusion (among others, Article 6 act 1 lit. b) RODO), as well as providing the User with information related to the Services provided, which is necessary for the performance of mutual contractual obligations, and after its completion, the data will be stored for the period necessary to prove the correctness of the performance of the obligations resulting from the agreement until the expiry of the deadlines indicated in the regulations on archiving and the expiry of the deadlines for claiming under the agreement;
2) fulfilment of the Administrator's statutory duties, in particular tax and reporting duties (inter alia Article 6 act 1 lit. c) RODO) - for the time necessary to perform the Administrator's statutory duties, in particular until the expiry of the limitation period for tax liabilities;
3) enable the User to communicate and exchange information with other Users or contact the Administrator, which entails the exercise of mutual rights and obligations resulting from the agreement concluded between the User and the Administrator (Article 6 act 1 lit. b) RODO) - for the time necessary for the performance of the contract, and after its completion, the data will be stored for the time necessary to prove the correctness of the performance of the obligations under the contract until the expiry of the deadlines indicated in the regulations on archiving and the expiry of the deadlines for claims under the contract;
4) ensure that the Administrator performs the Services in accordance with the applicable laws, including in particular the rules of the Online Shop and the Application and this Policy, which is necessary for the Administrator to perform its mutual contractual obligations (Article 6 act 1 lit. b) RODO), fulfil its statutory obligations (Article 6 act 1 lit. c) RODO) and perform and defend the claims resulting from the concluded agreement (Article 6 act 1 lit. f) RODO) - for the time necessary for the performance of the contract, and after its completion, the data will be stored for the time necessary to prove the correctness of the performance of the obligations under the contract until the expiry of the deadlines indicated in the regulations on archiving and the expiry of the deadlines for claims under the contract; in case of the Administrator's statutory obligations, the processing of Personal Data shall be carried out for the time necessary to fulfil the Administrator's statutory obligations; in case of defence and execution of claims resulting from the contract for the time necessary to fulfil the Administrator's legally justified interest or until the User submits a justified objection;
5) provide the User (in a manner consistent with the applicable regulations) with marketing materials and information, instructions and guidelines necessary to improve the performance of the Services - the processing of the User's Personal Data is then carried out with the User's consent (Article 6 act 1 lit. a) RODO) and/or in the Administrator's legitimate interest, i.e. improvement of the provided Services and direct marketing (Article 6 act 1 lit. f) RODO) for the time necessary to achieve the Administrator's legitimate interest or until the User submits a justified objection, and in the case of direct marketing no longer than until the time of objection;
6) managing the Online Shop and the Application and in order to solve problems connected with the use of the Service, data analysis and supervision - the basis for processing User's Personal Data is then the Administrator's justified interest, which is to ensure security the Service provided as well as the improvement of the functions available on the Online Shop and the Application (Article 6 act 1 lit. f) RODO); in such a case, Personal Data shall be processed for the time necessary to pursue the Administrator's legitimate interest or until the User submits a justified objection;
7) improvement of the Online Shop and the Services provided, as well as to ensure that their content will be communicated to the User in an appropriate manner, in particular taking into account the devices used by the User to use the Online Shop, which constitutes a legitimate interest of the Administrator (Article 6 act 1 lit. f) RODO); in such a case, Personal Data is processed for the time necessary to realize the Administrator's legitimate interest or until the User submits a legitimate objection;
8) for analytical and statistical purposes, including User Satisfaction Survey (processing is necessary due to the legitimate interest of the Administrator - Article 6 act 1 lit. f) RODO), Personal Data will be processed until there is an additional legal basis (e.g. allowing for processing in order to perform the contract) - if the Administrator loses this basis, Personal Data will be anonymized;
9) ensure security of using the Services available on the Online Shop and the Application, which is necessary to perform mutual contractual obligations, prepare, perform or defend claims resulting from the agreement (Article 6 act 1 lit. b) RODO), fulfil the Administrator's statutory obligations (Article 6 act 1 lit. c) RODO), as well as in the Administrator's legitimate interest (to ensure security of the Services provided) (Article 6 act 1 lit. f) RODO) - for the time necessary for the execution of the agreement, and after its termination, the data will be stored for the time necessary to prove the correctness of the execution of the obligations arising from the agreement until the expiry of the time limits indicated in the archiving regulations; in the case of the Administrator's statutory obligations, the processing of Personal Data will be carried out for the time necessary for the execution of the Administrator's statutory obligations; in the case of security for the time necessary for the execution of the Administrator's legally justified interest or until the User submits a justified objection;
10) perform other statutory duties of the Administrator, in particular tax and reporting duties (Article 6 act 1 lit. c) RODO) - for the time necessary to perform the Administrator's statutory duties, in particular until the expiry of the limitation period for tax liabilities;
11) in the case of expressing voluntary and optional consents (Article 6 act 1 lit. a) RODO and Article 10 of the Act of 18.07.2002 on the provision of services by electronic means and Article 172 of the Act of 16.07.2004. - Telecommunications law) data shall also be processed for marketing purposes consisting in:
a) providing information about services provided by the Administrator,
b) providing information on campaigns organised by the Administrator,
also on the basis of separate approvals given by e-mail or during a telephone call - until withdrawal of consent.
At the end of the processing period, Personal Data is immediately deleted or rendered anonymous.
3. The Administrator will process the following Personal Data provided by the User:
1) for Users who are Consumers:
a) first and last name,
b) email address,
c) date of birth (for the purpose of verifying the age of users using the Online Shop and filtering the available options according to age),
2) for Users who are Entrepreneurs:
a) first and last name (in case of physical persons conducting business activity, legal persons and organizational units which are not legal persons: name - company, NIP number and - if possessed - KRS number and first and last name of a person authorized to represent);
b) email address,
c) telephone number,
d) address of residence and/or business activity,
e) account number,
3) records of all types of correspondence between the User and the Administrator and records of correspondence between the Users within the functionalities of the Online Shop and the Application;
4) data concerning visits to the Site and the Application and the resources used by the User; including information on connection parameters (time stamp, IP address);
5) answers to any surveys or questionnaires concerning the Services provided (these data may be used for the purposes of analysis, including the behaviour of Users);
6) comments (feedbacks) of Users, which will be added after the completed Service.
4. With regard to Personal Data concerning your visits to the Online Shop and the Application, the Administrator may (where required and obtained consent to do so) obtain data concerning the devices and networks used by the User to access the Services on the Online Shop and the Application. This data may include: User's IP address, login data, browser type and version, types and versions of plug-ins used by web browsers, operating system and platform, advertising identifier, information about visits, including the URL of the site on which the link leading to the Site was clicked, data download errors, time of visits to specific sites. These data are collected by the Administrator, who collects these data in particular through cookies.
5. Administrator does not store confidential data, such as credit card numbers of Users or bank account access data.
6. The scope of the data indicated is in accordance with the principle of adequacy. Failure to indicate the above data makes it impossible to use the Services.
7. In relation to the performance of the Services, Personal Data will be disclosed to external recipients
1) business partnersts;
2) the Administrator's service providers (in particular in the technical field, hosting services, analytical and statistical tools, payments, accounting services, postal services);
3) persons cooperating with the Administrator as part of the Online Shop and the Application on the basis of issued authorisations;
4) state authorities, prosecutor's office, police (when required by law).
8. Administrator informs that the transfer of Personal Data to external recipients will take place when:
1) This is necessary to use the services of a third party;
2) this is necessary for contracts concluded with external parties;
3) it is necessary for the proper performance of the Service;
4) it is necessary for analytical purposes, including the optimisation of the Service and the Services provided by the Administrator;
5) this results from the provisions of generally applicable law;
6) it is necessary to defend the Administrator's claims or rights, including in connection with a pending trial;
7) a circumstance posing a threat to life, health, property or safety has occurred.
9. In accordance with the applicable regulations and if required, after obtaining the consent of the User, the Administrator may develop any combination of information concerning the User, including his Personal Data and data obtained using cookies, which may also be sent to or obtained from the Administrator's business partners. The Administrator may use this information and its combinations for the purposes specified in this Policy.
10. Taking into account the scope of the Administrator's activities, it may happen that the Administrator's service providers, e.g. in the area of servers, hosting, software or Entrepreneurs who organize Campaigns, are located in a third country then the User's Personal Data will be transferred outside the European Economic Area - in such a case all transfers of Personal Data will be made on the basis of so-called standard contractual clauses, adopted by the European Commission and ensuring an appropriate level of security in accordance with the applicable regulations.
11. The transfer of Personal Data by the Administrator may also take place if you order a Service that requires the transfer of Personal Data to a Third Country. In this case, the transfer of Personal Data may be based on the European Commission's decision stating the level of adequacy of protection, in particular for transfers to the United States of America, which is based on the European Commission's decision 2016/1250 regarding the finding of adequate protection for the processing of Personal Data under the EU-U.S. Privacy Shield of 12.07.2016. On the other hand, in case of transfer of Personal Data to a Third Country on which the European Commission has not issued an adequacy decision, the Administrator will apply appropriate safeguards:
a) binding corporate clauses for data controller
b) binding corporate clauses for processors
c) contractual clauses between a controller or processor and a controller, processor or recipient of personal data in a third country or international organisation
If the European Commission does not issue a decision stating the appropriate level of protection or if the Administrator does not provide appropriate legal safeguards, Personal Data may be transferred to a third country on the basis of one of the conditions listed in Article 49 act 1 RODO, including in particular on the basis of the explicit consent of the User.
12. When transferring personal data to an entity located in a third country (outside the European Economic Area), each export of Personal Data should be recorded in the Register of Data Processing Activities.
13. In accordance with the applicable regulations and if required, after obtaining the User's consent, the Administrator may use the information provided by the User for the purposes of direct marketing using electronic means of communication (e.g. sending informants or other messages that the Administrator believes may be of interest to the User or sending advertisements addressed to a particular User).
14. With regard to marketing messages sent by electronic means of communication: User may withdraw their consent at any time by:
a) uncheck the appropriate box in his/her Account
b) sending information by e-mail to email@example.com
IV. PROCESSING OF PERSONAL DATA BY AUTOMATIC METHODS
The Administrator uses Personal Data for automated decision making, including profiling, including information contained in cookies. The profiling will have an impact on the functionality and quality of the Online Shop and the Application, the content of the Services dedicated to a given User, as well as the actions proposed to increase the User's activity on the Online Shop and the Application. Furthermore, the profiling is carried out to achieve the aforementioned objectives described in Section III of the Policy.
Profiling has an impact on the User's use of the Online Shop and the Application, as on this basis the Administrator will be able to improve the quality of use of the Online Shop and the Application, as well as to assess the personal preferences and interests of the Users. Therefore, profiling also includes monitoring and tracking the Users' individual behaviour.
V. USER RIGHTS
1. Under the rules of the RODO, User have the following rights to control the processing of Personal Data:
a) the right to access the contents of the Personal Data (e.g., to obtain information on what kind of Personal Data is being processed by the Administrator, to obtain a copy of his or her Personal Data);
b) the right to request that Personal Data be corrected, updated or rectified;
c) the right to demand the deletion of Personal Data if they are incomplete, outdated, untrue or have been collected in violation of the law or are unnecessary for the purpose for which they were collected; regardless of the above, the User and/or the Carrier has the right to delete an Account in the Service (however, this is not equivalent to the deletion of Personal Data);
d) the right to complain to the data protection supervisory authority - i.e., the President of the Office for Personal Data Protection (e.g., if the processing of Personal Data is considered to be in breach of the provisions of the RODO or other legislation regarding the protection of Personal Data);
e) the right to request restrictions on the processing of Personal Data;
f) the right to oppose the processing of Personal Data where the processing is carried out on the basis of the Administrator's legitimate interest or for direct marketing purposes.
g) If the Personal Data is processed on the basis of consent, the User is entitled to:
h) the right to withdraw consent at any time;
i) the right to transfer Personal Data.
2. In order to exercise his or her rights, the User may use the appropriate tabs on the Online Shop and the Application or send an e - mail to the following address firstname.lastname@example.org
VI. DATA PROVIDED ON THE USER'S PROFILE
1. The User's profile on the Online Shop and the Application shall display all data provided during registration, excluding the password. Additionally, other data provided by the User is displayed, optionally.
2. Basic information disclosed on the User's profile (user name) is visible for each User in the ranking of individual Trip.
3. Aribo Mobile App Provider has access to your data in order to properly verify the person and to solve problems related to the mobile app.
5. Additional data included in the user profile is optional.
2. Cookies are used for the purpose of:
1) improve the quality of Services provided by the Administrator;
2) determine the number of persons using the Online Shop and the Application and obtain information on how to use them;
3) remembering login data to the Online Shop and the Application;
4) maintaining anonymous, aggregate statistics allowing the Administrator to improve the functionality and Users satisfaction of the Online Shop and Application;
5) provide products or services meeting the expectations and needs of the User;
6) maintain the User session;
7) use the functionalities of the Online Shop and the Application, including logging into the Online Shop and the Application.
3. The following Cookies will be used in the Online Shop: essential, analytical, session, permanent
4. By default, most web browsers on the market accept cookies by default. It is possible to determine the conditions of use of the cookies by using the settings of individual web browsers. This means that it is possible, for example, to partially limit (e.g. temporarily) or completely disable the possibility of saving cookies on computer - in the latter case, however, it may affect some functionalities of the Online Shop.
6. Detailed information on changing the settings for cookies and removing them yourself in the most popular web browsers is available in the help section of your web browser and on the following pages (just click on the link):
1) in a Chrome browser ________________
2) in a Firefox browser _________________
3) in a Internet Explorer browser ________________
4) in a Opera browser ________________
5) in a Safari browser ________________
7. The Administrator also collects exploitation data (so-called logs - IP address, domain), which are stored for an indefinite period of time and used only to generate statistics helpful in administering the Online Shop and the Application. These data are of an aggregate and anonymous nature, i.e. they do not contain features identifying the persons visiting the Website. Logs are not disclosed to third parties.
The Administrator provides appropriate security measures to protect the Personal Data under our control from loss, misuse and alteration. The Administrator processes all Users' Personal Data in accordance with applicable laws and safety standards. Only authorized persons have access to the data and only to the extent necessary due to the tasks they perform. The Administrator shall take all steps to ensure that entities cooperating with him guarantee the application of appropriate security measures whenever they process personal data upon the Administrator's order.
The Personal Data processed by the Administrator is stored on special leased servers. The servers have appropriate security features.
Additional security measures:
- SSL certificates - which allows to protect data sent by customers. Such a certificate encrypts the information sent by the buyer, for example, through an application form, registration form, login panel, shopping cart
- using secure scripts
- catalogue code and password protection
- safeguards through access control
- frequent password changes
- programming updates
X. UNANNOUNCED MESSAGES
XI. CONTACT INFORMATION
If you have any questions, comments, applications or requests regarding your Personal Information, the practices of our Online Shop or wish to exercise a specific right, please contact us: email@example.com
The Administrator shall strive to ensure that this Policy is up to date and updated in the event of changes in the provisions of law, court rulings, guidelines of the authorities responsible for supervising the processing of personal data, introduction of codes of good practice (if the Administrator is bound by such codes), change of technology, methods, purposes or legal basis for processing of Personal Data.