PRIVACY POLICY AND COOKIES POLICY
IN EFFECT AT TRAVELTECH SP. Z O.O. SEATED IN CRACOW
-
General Rules
-
TravelTECH Sp. z o.o. with its registered office in Cracow, 31-864, at 20 Prof. M. Życzkowskiego street, entered in the Register of Entrepreneurs kept by the District Court for Cracow-Śródmieście, XI Commercial Division of the National Court Register, under KRS number 0000258229, NIP 675-13-45-369, REGON: 120268474, with the share capital of 50,000.00 (in words: fifty thousand) zlotys, paid-up in full, phone No. 12 345 16 61 (fee based on the operator's tariff), hereinafter referred to as “TravelTECH”, provides the Users of its services with security and confidentiality of the data provided by them, especially personal data.
-
This Privacy Policy and Cookies Policy is a set of rules for the processing of personal data and the collection of cookies by TravelTECH on the website www.polishtrains.eu, hereinafter collectively referred to as: “Website”).
-
A User of the Website is any person who uses TravelTECH services or visits websites within the Website.
-
Before using the Website and the services of the Data Controller, the User should read this privacy and cookies policy. The purpose of the document is, among others, to fulfill the information obligation referred to in Article 13(1) and (2) and Article 14(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter: “GDPR” and to implement the requirements of the Act on Electronic Services of 18 July 2002 (Journal of Laws 2002 No. 144, item 1204, as amended).
-
TravelTECH reserves the right to make changes to the Privacy Policy and Cookies Policy by publishing the current version on the website www.polishtrains.eu, and in any other way available to the User.
-
TravelTECH Sp. z o.o. with its registered office in Cracow, 31-864, at 20 Prof. M. Życzkowskiego street, entered in the Register of Entrepreneurs kept by the District Court for Cracow-Śródmieście, XI Commercial Division of the National Court Register, under KRS number 0000258229, NIP 675-13-45-369, REGON: 120268474, with the share capital of 50,000.00 (in words: fifty thousand) zlotys, paid-up in full, phone No. 12 345 16 61 (fee based on the operator's tariff), hereinafter referred to as “TravelTECH”, provides the Users of its services with security and confidentiality of the data provided by them, especially personal data.
-
Privacy Policy
-
The Controller of the personal data is TravelTECH, hereinafter also referred to as the “Controller”.
-
The Controller can be contacted on matters of data protection:
- by mail at the following address: ul. Prof. Michała Życzkowskiego 20, 31-864 Kraków
- by phone at: +48 12 412 18 92
- by email at: iod@traveltech.pl
-
Purposes of personal data processing and legal basis for processing:
- Contacting Users on current matters, including in particular the execution of agreements between the Controller and the User, responding to Users’ inquiries to the Controller, providing offers, answering questions. The legal basis for data processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in the need for ongoing contact with the Controller's contractors.
- Performance of agreements concluded between the Controller and the User, performance of ticket purchase activities on behalf of the User, contacting carriers to fulfill the User’s orders, enabling the process of booking and purchasing the services. The legal basis is the need to possess the data to perform the agreement or to take action before concluding an agreement with the User (Article 6(1)(b) GDPR), as well as the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in the need for proper performance of agreements with customers.
- Enabling the payment process - The legal basis for data processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR) to secure payment for services rendered and the necessity of the data to perform the agreement in the form of making payment for the website (Article 6(1)(b) GDPR).
- Conducting marketing activities, including Marketing Automation and in the form of a newsletter to promote the Controller's offerings, present personalized website offerings or advertising. The legal basis for data processing is the legitimate interest of the Controller (Article 6(1)(f) GDPR), consisting in the need to collect data in order to develop the website offer and promote the services provided.
- Fulfillment of legal obligations incumbent on the Controller including, in particular, those under tax law (legal basis - Article 6(1)(c) GDPR).
- Data analysis to detect possible unauthorized activities of the User and to ensure security of the Website. The legal basis is the Controller's legitimate interest (Article 6(1)(f) GDPR) consisting in ensuring the security and legality of the website's operation.
- Determining, securing and asserting potential claims on the part of both the Controller and the User. The legal basis is the Controller's legitimate interest (Article 6(1)(f) GDPR) consisting in being able to establish, assert or defend claims.
-
Categories of personal data subject to processing:
- The Controller processes Users' personal data necessary for the purposes referred to in this Privacy Policy, in particular identification data, gender, age of the passenger, contact data (such as address, email address, phone number), data on purchased/booked tickets and connections, data justifying eligibility for railway discounts, data on education or professional status, as well as voice data obtained in connection with use of the helpline by the User.
- The Controller processes personal data of persons other than Users, but indicated by the Users, that is necessary for execution of purchases and ticket reservations. It is understood that the user is entitled to provide the Controller with the data of passengers for whom they are booking the tickets.
- The Controller processes personal data for the purpose of processing the payment through payment processing partners, in particular on the fact of payment, fragments of the payment card number, method of payment, first name, last name and associated email address, and the person authorized to use the bank account/payment card/credit card.
- The Controller may process for marketing purposes, including for customer satisfaction surveys and Marketing Automation, in particular the following categories of personal data: contact information, full name, IP address, place of use of the Website, URL, browser data, gender (with the User’s consent), age, destination.
- Among the categories of special data, the Controller may process the User’s gender data in situations where it is required for the purchase of a particular type of ticket and with the User’s consent for marketing purposes (voluntary provision of data).
-
Recipients of data (categories of recipients):
- Users' personal data may be shared with third-party providers of services to the Controller, such as accounting services, as well as providers of IT services, including email and contractor support system.
- Personal data may be shared with entities providing railway transportation or related services (in particular carriers, carrier agents, railway ticket sellers).
- The Controller allows the User to use the services that allow payment, but in this regard does not process personal data in terms of bank account details or method of payment of the Users who make payments directly with payment processors. The Controller provides the payment operators with data in the form of first name, last name and email address of the person making the payment.
- The Controller may share personal data with third countries outside the EU only if an adequate level of personal data protection is established in that country.
-
Users' personal data will be stored for the period necessary to fulfill the retention purposes specified above, whereby if:
- the User’s personal data is processed in connection with the performance of the agreement concluded with the User, we will store it for the period of performance of the agreement and to the extent necessary - for 5 years counting from the end of the calendar year in which the deadline for payment of tax due in connection with the conclusion and performance of the agreement has expired, or longer if required by law, and if there was no conclusion of the agreement or provision of services - the data is stored for a period of 180 days from the date of its registration in the reservation system;
- the User has contacted the Controller – the User’s data will be processed for the period necessary for the purposes of contacting the User and for a period of 2 years after the end of contact;
- data is processed in order to execute the payment - data stored for the period of execution of the agreement and to the extent necessary - for 5 years counting from the end of the calendar year in which the deadline for payment of the tax due in connection with the transaction expired;
- personal data is processed for marketing purposes - until the User objects or withdraws their consent to the processing of their personal data for marketing purposes;
- data is processed for the purpose of sending a newsletter – the User’s data will be processed only after the User has given additional consent when stating their email address, until the consent is withdrawn;
- If the User’s personal data is no longer necessary for the purposes for which it has been processed, the Controller will keep it for the purpose of establishing, investigating, or defending against possible claims on the part of both the Controller and the User only for the periods of the statute of limitations for claims, as defined by law.
-
Consequences of not providing personal data or withdrawing consent for processing:
- Except in cases where the provision of personal data is a legal requirement, the provision of personal data is entirely voluntary, but failure to do so will make it difficult or impossible for us to carry out the goals specified above.
- If the provision of personal data by the User is done for the purpose of transferring it to payment operators before the moment of purchasing a service on the Website, the provision of such data is a condition for the purchase of the service in connection with the business model of doing business adopted on the Website, and failure to provide the data will prevent the service from being provided.
- In the case of transfer of the User’s personal data to payment operators in connection with the processing and settlement of payments made by the User to the Website via the Internet using payment instruments, the provision of data is required in order to process the payment and provide confirmation of its execution by the above entities to the Website, and failure to provide data will prevent the service from being provided.
- In the case of transfer of personal data to payment operators for the purpose of verification by these entities of the proper performance of agreements concluded with TravelTECH, in particular to ensure the protection of the interests of payers in connection with their complaints, the provision of such data is required to enable the performance of agreements concluded between TravelTECH and the aforementioned entities, and failure to provide the data will make it impossible to provide the service.
-
Users' data may be processed by automated means, including profiling. For this purpose, data on user activity is used, including purchase history, geolocation, searches, browser data, operating system, screen resolution, IP address of the User. The collection of data in an automated manner allows the creation of a customer profile, which makes it possible to propose services tailored to the customer profile. These analyses are performed automatically based on data and statistical methods.
-
By consenting to the processing of personal data for marketing purposes, the User agrees to be contacted by the Controller by phone, text, email or through their customer account.
-
The Controller processes data characterizing the User’s use of the Website (operational data): (a.) identification markings of the User assigned on the basis of data, (b.) markings identifying the terminal of the telecommunications network or information and communication system used by the User; (c.) information about the beginning, end and scope of each use of the website provided electronically; (d.) information about the use of services provided electronically by the User.
-
The User has the following rights related to the processing of their personal data:
- The right to access the User’s personal data, the right to request its rectification, erasure or restriction of the processing of personal data, unless these rights are excluded or restricted by law.
- The right to object to the processing of personal data due to the User’s particular situation - in cases where the User’s personal data is processed on the basis of our legitimate interest.
- The right to portability of personal data, i.e. the right to receive personal data in a structured, commonly used machine-readable computer format. The User may send the data to another controller or request that we send the data to another controller. However, we will do it only if technically possible.
- The right to lodge a complaint with the supervisory authority - President of the Polish Personal Data Protection Authority.
- Other rights under generally applicable laws.
- In order to exercise the User’s rights, the User should contact the Controller using one of the contact channels (email, phone, mail).
-
The Controller of the personal data is TravelTECH, hereinafter also referred to as the “Controller”.
-
Cookies Policy
-
Our servers use cookie technology (so-called “cookies”). Cookie information may be collected using the servers of TravelTECH or of third parties.
-
In order to ensure the highest level of confidentiality of the transmitted data, communication between the User’s browser and the servers of the Polishtrains website is carried out in an encrypted manner using SSL protocol. In addition, TravelTECH's systems and servers meet the highest security standards for data processing and storage and are protected from third-party access. Cookies are not used to view data stored on the User’s terminal device.
-
Cookies are computer data, in particular small text information, sent by the TravelTECH server or one of its partners and stored on the User’s device. The default parameters of cookies allow only the server that created them to read the information they contain each time a device connects to that server. Cookies do not take up much space and do not interfere with the operation of the terminal device. Cookies are stored for a specific period of time, but this may vary from file to file.
-
Cookies may also use geolocation data (based on users' IP addresses), but we do not use it to identify a specific user by name.
-
With the help of cookies, TravelTECH receives statistical information about Users' traffic on the website, Users' activity and how the Website is used. They allow us to tailor content and services to Users' preferences.
-
The information contained in cookies is necessary for:
- adapting the presented content, including advertising content, to the individual preferences and needs of the Users, thus facilitating the use of the Website;
- collecting and analyzing statistical data about Users' Internet traffic, which allows to improve the operation of the Website and improve the quality of the presented content;
- ensuring proper operation of the Website on the User’s device, in particular maintaining the session of the website and the data entered.
-
As part of the collection of cookies, it is also possible to use so-called third-party remarketing codes to personalize advertising. The User agrees to this by using the Website. The User may revoke or modify their consent to the use of remarketing codes by modifying the cookie settings within the web browser the User is using.
-
The following types of cookies are used within the Website:
- the “necessary” cookies that make it possible to use the services available within the Website, e.g. authentication cookies used for the services that require authentication within the Website, including for purchasing tickets;
- the cookies used to ensure security, such as those used to detect abuse of authentication on the Website;
- the “performance” cookies that enable the collection of information on how the Website pages are used;
- the “functional” cookies which allow to “remember” selected settings by the User and personalizing the User’s interface, e.g. with regard to the chosen language or region of their origin, font size, website layout, etc.
-
The cookies stored on the User’s computer, can be deleted by the User at any time. Detailed instructions are provided by the manufacturer of the browser used by the User. When the User visits the Website again, it will generate and save cookies again.
-
The User can independently manage the scope of creation of cookies at the level of the web browser used by the User, in particular, the User can block the placement of cookies on the terminal device, as well as modify the scope of their use, for example, by requiring to inform the User each time cookies are placed on the User’s device. Detailed information is available at the level of the web browser used.
-
Deleting or blocking the possibility of creating cookies on the User’s terminal device may cause significant limitations in the use of the Website or even make it impossible.
-
Our servers use cookie technology (so-called “cookies”). Cookie information may be collected using the servers of TravelTECH or of third parties.