Privacy Policy

How we use and process the personal data we receive from our customers when they contact us and make reservations on the website.

PRIVACY POLICY OF THE WEBSITE TRINKEJO.COM.PL

TABLE OF CONTENTS:

1. GENERAL PROVISIONS

1.1 This Website privacy policy is for information purposes only, which means that it is not a source of obligations for the Service Recipients or Customers of the Website. The privacy policy primarily contains the rules concerning the processing of personal data by the Controller on the Website, including the grounds, purposes and period of processing of personal data and the rights of data subjects, as well as information regarding the use of Cookies and analytical tools on the Website. 1.2 The controller of the personal data collected via the Website is REVUTSKYI IVAN, address: ZERBUŃ 9A, 11-320 JEZIORANY, Voivodeship: WARMIŃSKO-MAZURSKIE, and correspondence address: ZERBUŃ 9A, 11-320 JEZIORANY, Voivodeship: WARMIŃSKO-MAZURSKIE, email address: [email protected], telephone number: +48 885 567 100 – hereinafter referred to as the “Controller” and being at the same time the Service Provider. 1.3 Personal data on the Website is processed by the Controller in accordance with applicable law, in particular with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as the “GDPR” or the “GDPR Regulation”. The official text of the GDPR Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679 1.4 Use of the Website, including making reservations, is voluntary. Likewise, the provision of personal data by the Service Recipient or Customer using the Website is voluntary, subject to two exceptions: (1) entering into agreements with the Controller – failure to provide, in the cases and to the extent indicated on the Website and in this privacy policy, the personal data necessary to conclude and perform a Sales Agreement or an agreement for the provision of an Electronic Service with the Controller, results in the inability to conclude such an agreement. In such a case, providing personal data is a contractual requirement, and if the data subject wishes to enter into a given agreement with the Controller, they are obliged to provide the required data. The scope of data required to conclude an agreement is indicated in advance on the website each time; (2) statutory obligations of the Controller – the provision of personal data is a statutory requirement arising from generally applicable legal provisions that impose on the Controller an obligation to process personal data (e.g. the processing of data for the purpose of keeping tax or accounting books), and failure to provide it will prevent the Controller from fulfilling these obligations. The Controller takes particular care to protect the interests of the data subjects whose personal data it processes, and in particular is responsible for and ensures that the data it collects is: (1) processed lawfully; (2) collected for specified, lawful purposes and not further processed in a manner incompatible with those purposes; (3) accurate and adequate in relation to the purposes for which it is processed; (4) kept in a form that permits identification of the data subjects for no longer than is necessary to achieve the purpose of the processing; and (5) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Taking into account the nature, scope, context and purposes of the processing, as well as the risk to the rights and freedoms of natural persons of varying likelihood and severity, the Controller implements appropriate technical and organisational measures to ensure that processing is carried out in accordance with this Regulation and to be able to demonstrate this. These measures are reviewed and updated as necessary. The Controller applies technical measures to prevent unauthorised persons from obtaining and modifying personal data transmitted electronically. All words, expressions and acronyms used in this privacy policy and beginning with a capital letter (e.g. Seller, Website, Electronic Service) should be understood in accordance with their definition contained in the Terms and Conditions available on the website.

2. GROUNDS FOR DATA PROCESSING

3.1. In each case, the purpose, legal basis and period of processing, as well as the recipients of the personal data processed by the Controller, result from the actions taken by a given Service Recipient or Customer on the Website or by the Controller. For example, if a Customer decides to make a reservation on the Website, their personal data will be processed for the purpose of transferring the data to administration, but will not be shared with entities acting on the Controller’s behalf. 3.2. The Controller may process personal data within the Website for the following purposes, on the bases and for the periods indicated in the table below:

Purpose of data processing

Legal basis for data processing

Period of data retention

Direct marketing

Article 6(1)(f) of the GDPR Regulation (legitimate interest of the controller) – processing is necessary for the purposes of the legitimate interests pursued by the Controller – consisting in caring for the interests and good image of the Controller, its Website, and pursuing the sale of Products

The data is stored for the period during which the legitimate interest pursued by the Controller exists, but no longer than the limitation period for the Controller’s claims against the data subject in connection with the business activity carried out by the Controller. The limitation period is set out by law, in particular by the Civil Code (the basic limitation period for claims related to business activity is three years, and for a Sales Agreement, two years).

The Controller may not process data for the purposes of direct marketing where the data subject has effectively objected to it.

Marketing

Article 6(1)(a) of the GDPR Regulation (consent) – the data subject has consented to the processing of their personal data for marketing purposes by the Controller

The data is stored until the data subject withdraws their consent to the further processing of their data for this purpose.

The Customer expressing an opinion about the concluded Sales Agreement

Article 6(1)(a) of the GDPR Regulation – the data subject has consented to the processing of their personal data for the purpose of expressing an opinion

Keeping tax books

Article 6(1)(c) of the GDPR Regulation in conjunction with Article 86 § 1 of the Tax Ordinance, i.e. of 17 January 2017 (Journal of Laws of 2017, item 201) – processing is necessary to fulfil a legal obligation incumbent on the Controller

The data is stored for the period required by the legal provisions ordering the Controller to keep tax books (until the limitation period for the tax liability expires, unless tax laws provide otherwise).

Establishing, pursuing or defending claims that the Controller may raise or that may be raised against the Controller

Article 6(1)(f) of the GDPR Regulation (legitimate interest of the controller) – processing is necessary for the purposes of the legitimate interests pursued by the Controller – consisting in the establishment, pursuit or defence of claims that the Controller may raise or that may be raised against the Controller

The data is stored for the period during which the legitimate interest pursued by the Controller exists, but no longer than the limitation period for claims that may be raised against the Controller (the basic limitation period for claims against the Controller is six years).

Using the website and ensuring its proper functioning

Article 6(1)(f) of the GDPR Regulation (legitimate interest of the controller) – processing is necessary for the purposes of the legitimate interests pursued by the Controller – consisting in running and maintaining the Website

Keeping statistics and analysing website traffic

Article 6(1)(f) of the GDPR Regulation (legitimate interest of the controller) – processing is necessary for the purposes of the legitimate interests pursued by the Controller – consisting in keeping statistics and analysing traffic on the Website in order to improve the functioning of the Website and increase the sale of Products

4. RECIPIENTS OF DATA ON THE WEBSITE

4.1. For the proper functioning of the Website, including the performance of the Sales Agreements concluded, it is necessary for the Controller to use the services of external entities (such as a software provider). The Controller uses only the services of such processors that provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR Regulation and protects the rights of data subjects. 4.2. The transfer of data by the Controller does not occur in every case and not to all of the recipients or categories of recipients indicated in the privacy policy – the Controller transfers data only when it is necessary to achieve a given purpose of personal data processing and only to the extent necessary to achieve it. For example, if a Customer uses personal collection, their data will not be transferred to a carrier cooperating with the Controller. 4.2.1. providers of accounting, legal and advisory services that provide the Controller with accounting, legal or advisory support (in particular an accounting office, a law firm or a debt collection company) – the Controller makes the Customer’s collected personal data available to a selected provider acting on its behalf only in the case of, and to the extent necessary to achieve, a given purpose of data processing consistent with this privacy policy. 4.2.1.1. Facebook Ireland Ltd. – the Controller uses Facebook social plugins on the website (e.g. the Like, Share or log-in-with-Facebook buttons) and, in connection with this, collects and shares the personal data of the Service Recipient using the Website with Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) to the extent and in accordance with the privacy rules available here: https://www.facebook.com/about/privacy/ (this data includes information about activities on the Website – including information about the device, websites visited, purchases, advertisements displayed and the manner of using services – regardless of whether the Service Recipient has a Facebook account and whether they are logged in to Facebook).

5. PROFILING ON THE WEBSITE

5.1. The GDPR Regulation imposes on the Controller an obligation to inform about automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR Regulation, and – at least in those cases – to provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. With this in mind, the Controller provides in this section of the privacy policy information regarding possible profiling. 5.2. The Controller may use profiling on the website for the purposes of direct marketing, but the decisions made by the Controller on its basis do not concern the conclusion or refusal to conclude a Sales Agreement, nor the possibility of using Electronic Services on the Website. The result of using profiling on the Website may be, for example, granting a given person a discount, sending them a discount code, reminding them of an unfinished purchase, sending a proposal for a Product that may match the interests or preferences of a given person, or offering better terms compared to the standard offer of the Website. Despite the profiling, the person freely decides whether they wish to take advantage of the discount or better terms obtained in this way and make a purchase on the Website. 5.3. Profiling on the Website consists in the automatic analysis or prediction of a given person’s behaviour on the Website, e.g. by adding a specific Product to the basket, viewing the page of a specific Product on the Website, or by analysing the previous history of purchases made on the Website. The condition for such profiling is that the Controller holds the personal data of the given person in order to subsequently be able to send them, for example, a discount code. 5.4. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

6. RIGHTS OF THE DATA SUBJECT

6.1. Right of access, rectification, restriction, erasure or portability – the data subject has the right to request from the Controller access to their personal data, its rectification, erasure (“the right to be forgotten”) or restriction of processing, and has the right to object to the processing, as well as the right to data portability. The detailed conditions for exercising the rights indicated above are set out in Articles 15-21 of the GDPR Regulation. 6.2. Right to withdraw consent at any time – a person whose data is processed by the Controller on the basis of consent given (on the basis of Article 6(1)(a) or Article 9(2)(a) of the GDPR Regulation) has the right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal. 6.3. Right to lodge a complaint with a supervisory authority – a person whose data is processed by the Controller has the right to lodge a complaint with a supervisory authority in the manner and procedure specified in the provisions of the GDPR Regulation and Polish law, in particular the Act on the Protection of Personal Data. The supervisory authority in Poland is the President of the Personal Data Protection Office. 6.4. Right to object – the data subject has the right to object at any time – on grounds relating to their particular situation – to the processing of their personal data based on Article 6(1)(e) (public interest or tasks) or (f) (legitimate interest of the controller), including profiling on the basis of these provisions. In such a case, the Controller may no longer process this personal data unless it demonstrates the existence of compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of claims. 6.5. Right to object to direct marketing – if personal data is processed for the purposes of direct marketing, the data subject has the right to object at any time to the processing of their personal data for the purposes of such marketing, including profiling, to the extent that the processing is related to such direct marketing. 6.6. In order to exercise the rights referred to in this section of the privacy policy, you may contact the Controller by sending an appropriate message in writing or by email to the Controller’s address indicated at the beginning of the privacy policy, or by using the contact form available on the Website.

7. COOKIES ON THE WEBSITE AND ANALYTICS

7.1. Cookies are small pieces of text information in the form of text files, sent by the server and saved on the side of the person visiting the Website (e.g. on the hard drive of a computer or laptop, or on the memory card of a smartphone – depending on the device used by the person visiting our Website). Detailed information about Cookies, as well as the history of their origin, can be found, among other places, here: https://en.wikipedia.org/wiki/HTTP_cookie. 7.2. The Cookies that may be sent by the Website can be divided into different types, according to the following criteria:

By their provider:

  1. first-party (created by the Controller’s Website) and

  2. third-party (belonging to persons/entities other than the Controller)

By their storage period on the device of the person visiting the Website:

  1. session (stored until logging out of the Website or closing the web browser) and

  2. persistent (stored for a specified time, defined by the parameters of each file or until manually deleted)

By the purpose of their use:

  1. necessary (enabling the proper functioning of the Website),

  2. functional/preference (enabling the Website to be adapted to the preferences of the person visiting the site),

  3. analytical and performance (collecting information about the manner of using the Website),

  4. marketing, advertising and social (collecting information about the person visiting the Website in order to display personalised advertisements to that person and to carry out other marketing activities, including on websites separate from the Website, such as social networking sites)

7.3. The Controller may process the data contained in Cookies while visitors use the Website for the following specific purposes:

Purposes of using Cookies on the Controller’s Website

identifying Service Recipients as logged in to the Website and showing that they are logged in (necessary Cookies)

remembering the Products added to the basket in order to place an Order (necessary Cookies)

remembering data from completed Order Forms, surveys or login data for the Website (necessary and/or functional/preference Cookies)

adapting the content of the Website to the individual preferences of the Service Recipient (e.g. regarding colours, font size, page layout) and optimising the use of the Website (functional/preference Cookies)

keeping anonymous statistics showing how the Website is used (statistical Cookies)

7.4. You can check, in the most popular web browsers, which Cookies (including the operating period of the Cookies and their provider) are currently being sent by the Website in the following way:

In the Chrome browser: (1) in the address bar, click the padlock icon on the left, (2) go to the “Cookies” tab.

In the Firefox browser: (1) in the address bar, click the shield icon on the left, (2) go to the “Allowed” or “Blocked” tab, (3) click the “Cross-site tracking cookies”, “Social media trackers” or “Tracking content” field

In the Internet Explorer browser: (1) click the “Tools” menu, (2) go to the “Internet Options” tab, (3) go to the “General” tab, (4) go to the “Settings” tab, (5) click the “View files” field

In the Opera browser: (1) in the address bar, click the padlock icon on the left, (2) go to the “Cookies” tab.

In the Safari browser: (1) click the “Preferences” menu, (2) go to the “Privacy” tab, (3) click the “Manage Website Data” field

Regardless of the browser, using tools available, for example, at: https://www.cookiemetrix.com/ or: https://www.cookie-checker.com/

7.5. As standard, most web browsers available on the market accept the saving of Cookies by default. Everyone has the option of specifying the conditions for the use of Cookies using their own web browser settings. This means that, for example, you can partially limit (e.g. temporarily) or completely disable the saving of Cookies – in the latter case, however, this may affect some of the Website’s functionalities (for example, it may prove impossible to complete the Order path via the Order Form, owing to Products not being remembered in the basket during the subsequent steps of placing an Order). 7.6. Web browser settings regarding Cookies are relevant from the point of view of consent to the use of Cookies by our Website – in accordance with the regulations, such consent may also be expressed through web browser settings. Detailed information on changing the settings concerning Cookies and on deleting them yourself in the most popular web browsers is available in the help section of the web browser and on the pages below (just click the relevant link):

7.7. The Controller may use, on the Website, the Google Analytics and Universal Analytics services provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). These services help the Controller keep statistics and analyse traffic on the Website. The data collected is processed within the above services to generate statistics helpful in administering the Website and analysing traffic on the Website. This data is aggregate in nature. By using the above services on the Website, the Controller collects such data as the sources and medium of acquisition of Website visitors and how they behave on the Website, information about the devices and browsers from which they visit the site, the IP and domain, geographical data, and demographic data (age, gender) and interests. 7.8. A given person can easily block the sharing with Google Analytics of information about their activity on the Website – to this end, you can, for example, install the browser add-on provided by Google Ireland Ltd. available here: https://tools.google.com/dlpage/gaoptout?hl=en.

8. FINAL PROVISIONS

8.1. The Website may contain links to other websites. The Controller encourages you, after going to other sites, to read the privacy policy established there. This privacy policy applies only to the Controller’s Website.