Privacy Policy Privacy policy and use of cookies

Privacy Policy

I. [Content of the Controller's Privacy Policy]

• The controller's privacy policy contains information regarding the processing of personal data and other information concerning the users of the website (hereinafter referred to as the "Website"). In this privacy policy, the controller has simultaneously included all the information that data subjects should receive in accordance with the GDPR.
• The privacy policy contains information on the processing of data obtained through the Website. Detailed information regarding the use of cookies or other similar technologies can also be found in the cookie policy.
• The privacy policy contains information regarding the privacy of users of the contact form service.
• The privacy policy contains information regarding the processing of Personal Data and other information concerning users of Facebook and Instagram on the Controller's fanpage. In this privacy policy, the Controller has simultaneously included all the information that data subjects should receive in accordance with the GDPR.
• The privacy policy contains information regarding the processing of Personal Data contained in electronic correspondence.

II. [Data Controller]

The controller of the Website users' personal data is Businessman Fun Club Sp. z o.o., the owner of Hotel BoniFaCio Spa & Sport Resort ****. The Controller can be contacted:

• by correspondence address: Warsaw (02-202), ul. Drawska 22, 1st floor, unit 1.23
• by e-mail address: rodo@hotelbonifacio.pl

III. [Purposes, legal bases, and retention periods of personal data processing]

Personal Data is processed by the Controller for various purposes, to a varying extent, and on different legal bases provided for in the GDPR. Below is the information regarding the processing of Personal Data, grouped according to the purposes for which this data is processed by the Controller.

Website operation

• In order to provide the Website's services, the service provider processes:
  • Information concerning the user's device to ensure the proper functioning of services: the computer's IP address, information contained in cookies or other similar technologies, session data, web browser data, device data, data regarding activity on the Website, including on specific subpages.
• This information does not contain data regarding the users' identities, but in combination with other information, it may constitute personal data, and therefore the controller applies to it the full protection provided under the GDPR.
• The data is processed in accordance with Article 6(1)(b) of the GDPR, in order to provide the Website's service, i.e., an agreement for the provision of electronic services, and in accordance with Article 6(1)(a) of the GDPR in connection with consenting to the use of specific cookies or other similar technologies, expressed through the appropriate settings of the web browser in accordance with the Telecommunications Law. The data is processed until the user ceases to use the Website.

Service usage statistics

• To improve the quality of its services, the controller processes statistical information concerning the use of the Website, including session information, IP number, time spent on individual subpages, use of specific service functionalities, device, and web browser information. The controller uses cookies or other similar technologies and statistical tools.
• This data is processed in accordance with Article 6(1)(f) of the GDPR based on the legitimate interest of the controller, which consists of facilitating the use of the Website, improving the quality and functionality of the provided services, and the processing of this data does not violate the rights and freedoms of users. Information about users is not used for any additional purposes, and due to the specific nature of the website service, adjusting the way website content is displayed, facilitating website use, and improving service quality on the website is not only a market standard but also the users' expectation towards website providers.
• Furthermore, the user can withdraw their consent at any time by changing the web browser settings regarding the admissibility of using cookies or other similar technologies.
• This data is processed as part of the controller's ongoing operations, but no longer than for 90 days from the receipt of the information. After this time, the controller may further process general statistical data, which will be devoid of any information concerning individual users.
• The availability period for statistical data may, however, be longer than 60 days, but this is beyond the controller's decision-making scope. The controller will no longer use it, but will have potential access to it until it is deleted by the tool provider.
• The controller uses the Google Analytics tool provided by Google LLC, whose infrastructure is located at Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The controller points out that Google LLC (1600 Amphitheatre Parkway, Mountain View, California 94043, USA) has joined the EU-US Data Privacy Framework agreement, i.e., it ensures an adequate level of security for the processing of personal data, in accordance with the GDPR.
• Google Analytics allows for:
  • a) tracking website traffic: information about the number of users, number of visits, traffic sources (e.g., ads, search engines, social media).
  • b) monitoring user behavior: analyzing which pages are most frequently visited, time spent on the page, bounce rate.
  • c) user segmentation: demographic, geographic, and technological data (e.g., device type, browser).
  • d) tracking goals and conversions: analyzing how users complete specific actions, such as purchases, signing up for a newsletter, or downloading materials.
•  
  8. Google Analytics processes data which may include:
  9. a) IP addresses: used to identify the geographical location of users, which combined with other data may constitute personal data.

• b) Cookies: storing unique user and session identifiers, enabling tracking of their activity, only after the User has given appropriate consent.

• c) Technical data: e.g., browser type, operating system, screen resolution, Internet service provider.

•  
  9. The user can configure their browser to block cookies associated with Google Analytics.
•  
  10. Google Analytics uses cookies such as _ga, _gid, and _gat.
•  
  11. The user may use a plugin to block Google Analytics. Google offers a browser add-on to block Google Analytics; it can be downloaded from the official website: https://tools.google.com/dlpage/gaoptout. Once installed, the plugin will prevent data from being sent to Google Analytics from all visited websites.

Marketing activities

On the website, the controller may post marketing information about its services. The display of this content is carried out by the controller in accordance with Article 6(1)(f) of the GDPR, based on the legitimate interest of the controller consisting of publishing content related to the services provided. At the same time, this action does not violate the rights and freedoms of users; users expect to receive content of a similar nature, and sometimes even anticipate it, or it is their direct purpose for visiting the Website.

Providing answers, resolving matters

• The content of the correspondence and contact information are processed for the time necessary to resolve the user's matter, including sending marketing information about the services selected by the user, and no longer than for 3 months after resolving the matter for archiving purposes, in case of the need to defend against potential claims against the controller.
• This data will then be processed in order to provide the online contact form service – Article 6(1)(b) of the GDPR.
• In terms of sending commercial information electronically, the data will be processed based on consent expressed through a clear affirmative action (Article 6(1)(a) in connection with Article 4(11) of the GDPR), consisting of filling in the appropriate field to enter an e-mail address or phone number.

E-mail correspondence

The legal basis for processing the data contained in e-mail correspondence is:

• The legitimate interest of the data controller and senders of electronic messages (Article 6(1)(f) of the GDPR) – regarding incidental correspondence, consisting of enabling electronic contact with the controller;
• Necessity for the performance of a contract concluded with our clients or contractors (Article 6(1)(b) of the GDPR) in terms of correspondence conducted to perform the contract;
• Voluntarily given consent – if special categories of data are included in the sent correspondence. The given consent can be withdrawn at any time, without providing a reason, but without affecting the lawfulness of its processing prior to its withdrawal;
• Voluntarily given consent through a clear affirmative action – if the sender of a message requests information regarding the controller's brand or its services, the response given to the sender will contain the information requested by the sender, and sending the inquiry will constitute consent for the controller to send commercial information to the sender at the e-mail address provided by the sender to the extent necessary to provide an answer (Article 10 of the Act on Providing Services by Electronic Means); the given consent can be withdrawn at any time, without providing a reason, but commercial information sent after the inquiry for it was sent and before the consent was withdrawn will be sent lawfully; withdrawing consent may prevent a full response to the asked question;
• The legitimate interest of the controller consisting of establishing, pursuing, or defending against claims, in accordance with generally applicable laws, in particular the Civil Code (Article 6(1)(f) and Article 9(2)(f) of the GDPR).

Running a fanpage

• The controller processes the Personal Data of users to enable them to use the fanpage. The controller possesses the following scope of data:
  • fanpage likes;
  • activity on the fanpage;
  • first and last name;
  • data contained in the profile that is publicly available (e.g., data about workplace, education, city of residence);
  • possible personal data that will be included in the content of your comments on the page;
• This data is processed in accordance with Article 6(1)(b) of the GDPR in order to provide the service and Article 6(1)(f) of the GDPR (the legitimate interest of the controller, consisting of the possibility of presenting and developing its services in social media).
• Meta Platforms is responsible for data security, having defined a privacy and data management policy. A detailed description regarding the security and sharing of Users' data is available on the website: {C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}{C}

Realization of contact with users – Messenger

• To enable the Controller's contact with the user, the Controller processes information regarding individuals contacting the Controller via the Facebook Messenger communicator, in particular their first name, last name, or username on Facebook, and the content of correspondence (messages, threads). Messages are not stored by the Controller in places other than Facebook.
• This data is processed in accordance with Article 6(1)(f) of the GDPR, in the legitimate interest of the Controller and users, consisting of the necessity to ensure contact between the users and the Controller, and the processing of this data does not violate the rights and freedoms of users.
• The content of the correspondence and contact information are processed for the time necessary to resolve the user's matter and no longer than for 3 months after resolving the matter for archiving purposes, in case of the need to defend against potential claims against the Controller. After this time, they are deleted from the Controller's fanpage level, after which the Controller will no longer be able to access this data.
• Meta Platforms is responsible for data security, having defined a privacy and data management policy. A detailed description regarding the security and sharing of Users' data is available on the website: https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0

Provision of services

The legal basis for processing data in connection with the provision of services is:

• Necessity for the performance of a contract concluded with our clients or contractors (Article 6(1)(b) of the GDPR), including to:
  • a) provide access to services offered by the Controller,
  • b) enable the use of functionalities available there. Data will be stored for the duration of the contract, and after its expiration, for the period necessary for:
  • a) post-sales customer service (e.g., handling complaints) – until the statute of limitations for claims arising from the contract expires,
  • b) securing or pursuing claims of the Controller – until the statute of limitations for the Controller's claims expires,
  • c) fulfilling a legal obligation by the Controller, wherein data processed for accounting purposes and tax reasons will be processed by the Controller for a period of 5 years, counted from the end of the calendar year in which the tax obligation arose.
• Legitimate interest of the Data Controller (Article 6(1)(f) of the GDPR). The Controller has determined that processing Personal Data for the following purposes complies with the pursuit of the legitimate interests of the Controller or a third party:
  • absolutely necessary to prevent fraud and ensure network and information security,
  • tailoring services to the needs of the Controller's clients,
  • optimizing products or services based on customer comments and feedback regarding them,
  • handling complaints,
  • archiving (evidentiary) purposes to secure information in the event of a legal need to prove specific facts (e.g., before a tax authority),
  • potential establishment, pursuit, or defense against claims,
  • researching customer satisfaction and determining the quality of the Controller's services and service level,
  • the possibility of using video monitoring in places where services offered by the Controller under the service agreement are provided, to prevent thefts, acts of vandalism, or other violations of order, safety, or generally accepted norms of behavior. The Controller processes personal data solely for specific, explicit, and legitimate purposes, and your personal data is not further processed in a manner incompatible with those purposes.
• Protection of the vital interests of the data subject or another natural person (Article 6(1)(d) of the GDPR).
  • The Controller has the right to process the Personal Data of clients to protect their vital interests or the vital interests of another natural person, i.e., those that are essential for the life of the client or another natural person.
  • The above catalogue primarily includes humanitarian purposes, in particular natural disasters and man-made disasters, as well as purposes related to the need to save life, health, or protect property (e.g., the Controller may contact a client to return a lost wallet or in connection with an event to Your detriment or the detriment of another natural person if the client was a participant or witness).
  • However, the Controller will not process special categories of Personal Data (including health data) on this basis, unless the client gives explicit consent to the processing of Data for this purpose, or is physically or legally incapable of giving this consent, and the processing of personal data is absolutely necessary to protect their vital interests or the vital interests of another natural person (Article 9(2)(a) or (c) of the GDPR).
• Voluntarily given consent (Article 6(1)(a) of the GDPR) – required in particular for:
  • the processing by the Controller of the Personal Data of clients for the purpose of:
    • direct marketing of products or services of the Controller or entities cooperating with the Controller (Controller's partners), carried out by: sending commercial information via electronic means of communication (e.g., by sending You a commercial offer to the e-mail address provided by You in the registration form) – the requirement to obtain consent is provided for in Article 10 of the Act of July 18, 2002, on Providing Services by Electronic Means.
    • contacting clients using telecommunications terminal equipment and automatic calling systems (e.g., by presenting You with a commercial offer during a telephone conversation) – the requirement to obtain Your consent is provided for in Article 172 of the Act of July 16, 2004, Telecommunications Law.
    • processing by the Controller of the Personal Data of clients regarding health – the requirement to obtain Your explicit consent to the processing of personal data for this purpose is provided for in Article 9(2)(a) of the GDPR.

IV. [Recipients of personal data]

• The Controller may disclose the content of correspondence solely for the purpose of pursuing its claims in proceedings and discloses the personal data of users, as well as personal data contained in the contact form and the content of correspondence to entities cooperating with the controller on the basis of written data processing agreements, to perform tasks and services for the controller specified in the agreement, in particular regarding email hosting, website hosting, IT services, debt collection, legal or advisory services, and administrative support.
• Due to the use of services by Meta Platforms Ireland Ltd (Facebook, Instagram, Pixel) or Google Ireland Limited (Google analytics and ads), Personal Data may be transferred to the United States of America (USA) and Canada in accordance with the principles set out by Facebook and Instagram in their privacy policy. These entities guarantee an adequate level of personal data protection required by European regulations. Meta Platforms has implemented standard contractual clauses between processors, which according to Meta's statement means that Personal Data is safe.

V. [Transfer of personal data to third countries]

As a rule, the Controller does not transfer personal data outside the European Economic Area (EEA). However, in connection with the use of services provided by Google Ireland Limited and Meta Platforms Ireland Limited, data may be transferred to the servers of these entities in third countries - to the United States of America (USA) and Canada. This transfer takes place based on a European Commission decision confirming an adequate level of protection (Data Privacy Framework) or based on standard contractual clauses approved by the European Commission, which ensures an adequate level of data security.

VI. [Rights of data subjects]

• Every data subject has the right to:
  • access – to obtain confirmation from the controller as to whether or not their personal data is being processed. If personal data is processed, they are entitled to access it and obtain the following information: the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data has been or will be disclosed, the envisioned period for which the personal data will be stored, or the criteria used to determine that period, the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing (Article 15 GDPR).
  • receive a copy of the data – to obtain a copy of the personal data undergoing processing, provided that the first copy is free of charge, and for any further copies, the controller may charge a reasonable fee based on administrative costs (Article 16 GDPR).
  • rectification – to request the rectification of inaccurate personal data concerning them, or to have incomplete data completed (Article 17 GDPR).
  • erasure of data – to request the erasure of their personal data if the controller no longer has a legal basis for processing it or the data is no longer necessary in relation to the purposes for which it was processed (Article 18 GDPR).
  • restriction of processing – to request restriction of processing of personal data (Article 18 GDPR) when:
    • the data subject contests the accuracy of the personal data – for a period enabling the controller to verify the accuracy of these data;
    • the processing is unlawful and the data subject opposes the erasure of the data and requests the restriction of their use instead;
    • the controller no longer needs these data, but they are required by the data subject for the establishment, pursuit, or defense of claims;
    • the data subject has objected to processing – pending the verification whether the legitimate grounds of the controller override those of the data subject.
  • data portability – to receive in a structured, commonly used and machine-readable format the personal data concerning them, which they have provided to the controller, and the right to request the transmission of those data to another controller, if the data is processed on the basis of the data subject's consent or a contract concluded with them and if the processing is carried out by automated means (Article 20 GDPR).
  • object – to object to the processing of their personal data for the controller's legitimate interests, on grounds relating to their particular situation, including profiling. In such a case, the controller shall evaluate the existence of compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subjects or grounds for the establishment, pursuit, or defense of legal claims. If, according to the evaluation, the data subject's interests override the controller's interests, the controller shall be obliged to cease processing the data for these purposes (Article 21 GDPR).

• withdraw consent at any time and without giving a reason, but the processing of personal data performed before the consent was withdrawn remains lawful. Withdrawing consent will cause the controller to cease processing personal data for the purpose for which the consent was given.

• To exercise the aforementioned rights, the data subject should contact the controller using the provided contact details and inform them which right and to what extent they wish to exercise.

[President of the Personal Data Protection Office]

The data subject has the right to lodge a complaint with a supervisory authority, which in Poland is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych) based in Warsaw, ul. Stawki 2, who can be contacted in the following ways:

• by post: ul. St. Moniuszki 1A, 00-014 Warsaw
• via the electronic inbox available on the website: https://www.uodo.gov.pl/pl/p/kontakt
• by phone: (22) 531 03 00

[How "cookies" are used]

• The Controller informs that they use a "cookies" mechanism on their website, which, while the client uses the website, are saved by the Controller's server on the hard drive of the end device (e.g., computer, smartphone, tablet).
• The purpose of using "cookies" is to improve the operation of the Controller's website on the end devices of its clients. This mechanism does not damage the end device, nor does it cause configuration changes to this device or the software installed on it. "Cookies" are not intended for the Controller to identify the client.
• The Controller uses "cookies" in order to:
  • remember information about the end device,
  • verify and develop its offer,
  • for statistical purposes.
• The client can disable the "cookies" mechanism in the web browser of their end device at any time. However, the Controller informs that disabling "cookies" may cause difficulties or prevent the use of the Controller's website.

IX. [Changes to the privacy policy]

The privacy policy may be supplemented or updated according to the current needs of the controller in order to provide users with up-to-date and reliable information regarding their personal data and information about them. Users will be informed about any changes to the privacy policy on the Website.