Privacy policy of the route2open.com website

Change the language version


TABLE OF CONTENTS:

  1. GENERAL PROVISIONS
  2. BASIS FOR DATA PROCESSING
  3. PURPOSE, BASIS AND PERIOD OF DATA PROCESSING ON THE WEBSITE
  4. RECIPIENTS OF DATA ON THE WEBSITE
  5. PROFILING ON A WEBSITE
  6. RIGHTS OF THE DATA SUBJECT
  7. COOKIES ON THE WEBSITE AND ANALYTICS
  8. FINAL PROVISIONS

1)       GENERAL PROVISIONS

  1. This privacy policy of the Website is for information purposes only, which means that it does not constitute an obligations for the Customers using the Website. The privacy policy primarily contains rules concerning the processing of personal data by the Controller in the Website, including the grounds, purposes and period of personal data processing and the rights of data subjects, as well as information on the use of cookies and analytical tools on the Website.
  2. The Controller of personal data collected via the Website is ROUTE2OPEN SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ with its registered office in Leszno (registered office and correspondence address: Austriacka 4, 64-100 Leszno, Poland), entered in the register of entrepreneurs of the National Court Register under the KRS number 0000932849; the registration court, where the company’s documentation is kept: District Court Poznań-Nowe Miasto and Wilda in Poznań, VIII Commercial Division of the National Court Register; share capital amounting to: 5000,00 PLN; NIP 7831846387 , REGON 520458535, e-mail address: info@route2open.com – hereinafter referred to as “Controller” and being at the same time Service Provider on the Website.
  3. Personal data on the Website are processed by the Controller in accordance with the applicable legal provisions, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as “RODO” or “RODO Regulation“. Official text of the RODO Regulation: http://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679.
  4. The use of the Website, including making purchases, is voluntary. Similarly, the related provision of personal data by the Customer using the Website is voluntary, subject to two exceptions: (1) conclusion of contracts with the Controller – failure to provide, in the cases and to the extent indicated on the Website and in the Regulations of the Website and this privacy policy, personal data necessary for the conclusion and performance of a specific contract with the Controller (e.g. an contract for the supply of Digital Products or the provision of Electronic Services) results in the inability of concluding that contract. Providing personal data in such a case is a contractual requirement and if the data subject wants to conclude a given contract with the Controller, he/she is obliged to provide the required data. Each time the scope of data required to conclude a contract is indicated previously on the Website and in the Regulations of the Website; (2) the Controller’s statutory obligations – providing personal data is a statutory requirement resulting from generally applicable provisions of law, which impose on the Controller the obligation to process personal data (e.g. in order to keep accounting records) and failure to provide such data will prevent the Controller from fulfilling those obligations.
  5. The Controller shall take particular care to protect the interests of persons to whom the personal data the Controller processes relate, and in particular shall be responsible for and ensure that the data the Controller collects are (1) processed lawfully; (2) collected for specified, legitimate purposes and not subject to further processing incompatible with those purposes; (3) substantively correct and adequate in relation to the purposes for which they are processed; (4) kept in a form which permits identification of data subjects for no longer than is necessary to achieve the purpose of processing; and (5) processed in a manner which ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical or organisational measures.
  6. Having regard to the nature, scope, context and purposes of the processing and the risk of violation of the rights or freedoms of natural persons of varying probability and gravity, the Controller shall implement appropriate technical and organisational measures to ensure that the processing is carried out in accordance with the RODO Regulation and to be able to demonstrate this. These measures shall be reviewed and updated as necessary. The Controller shall apply technical measures to prevent unauthorised persons from obtaining and modifying personal data transmitted electronically.
  7. All words, phrases and acronyms appearing in this privacy policy and beginning with a capital letter (e.g. Service Provider, Website, Electronic Service) shall be understood as defined in the Website Regulations available on the Website.

2)       BASIS FOR DATA PROCESSING

  1. The Controller shall be entitled to process personal data where, and to the extent that, at least one of the following conditions is fulfilled: (1) the data subject has given his or her consent to the processing of his or her personal data for one or more specified purposes; (2) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the Controller is subject; or (4) processing is necessary for the purposes of legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  2. The processing of personal data by the Controller requires in each case the existence of at least one of the basis indicated in point. 2.1 of the privacy policy. Specific basis for processing personal data of persons using the Website by the Controller are indicated in the next point of the privacy policy – with reference to a given purpose of personal data processing by the Controller.

3)       PURPOSE, BASIS AND PERIOD OF DATA PROCESSING ON THE WEBSITE

  1. In each case, the purpose, basis and period and recipients of the personal data processed by the Controller result from the activities undertaken by the person concerned on the Website.
  2. The Controller may process personal data on the Website for the following purposes, on the following basis and for the following period:
Purpose of data processingLegal basis for processing Period of data retention
Use of Electronic Services and Digital Products available on the WebsitePoint (b) of Article 6(1) of the RODO Regulation (contract) – processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract.The data shall be stored for the period necessary to perform, terminate or otherwise expire the contract concluded for the provision of the Electronic Service or the supply of the Digital Product.
Direct marketingPoint (f) of Article 6(1) of the RODO Regulation (legitimate interest of the Controller) – processing is necessary for the purposes deriving from the Controller’s legitimate interests – consisting of taking care of the interests and good image of the Controller, Website of the Controller and striving to provide services and sell access to Digital ProductsThe data shall be stored for the period of existence of a legitimate interest pursued by the Controller, however, not longer than the period of limitation of the Controller’s claims against the data subject on account of the Controller’s business activities. The period of limitation shall be determined by law, in particular the Civil Code (the basic limitation period for claims related to business activities is three years). The controller is not allowed to process data for direct marketing purposes if the data subject expresses an effective objection in this respect.
BookkeepingPoint (c) of Article 6(1) of the RODO Regulation (legal obligation) in connection with Article 74 sec. 2 of the Accounting Act, consolidated text of 30 January 2018 (Journal of Laws of 2018, item 395 as amended) – processing is necessary to fulfil a legal obligation incumbent on the ControllerThe data is kept for the period required by the law requiring the Administrator to store accounting books (5 years, counting from the beginning of the year following the financial year to which the data refers).
Determining, pursuing or defending claims that may be raised by the Administrator or which may be raised against the AdministratorPoint (f) of Article 6(1) of the RODO Regulation (legitimate interest of the Controller) – processing is necessary for the purposes deriving from the Controller’s legitimate interests – consisting of determining, asserting or defending claims which the Controller may raise or which may be raised against the Controller  The data shall be stored for the period of existence of the legally justified interest pursued by the Controller, however no longer than for the period of limitation of claims that may be raised against the Controller (the basic limitation period for claims against the Controller is six years).
Using the Website and ensuring that it works properlyPoint (f) of Article 6(1) of the RODO Regulation (legitimate interest of the Controller) – processing is necessary for the purposes deriving from the Controller’s legitimate interests – consisting in running and maintaining the WebsiteThe data shall be stored for the period of existence of a legitimate interest pursued by the Controller, however, not longer than the period of limitation of the Controller’s claims against the data subject on account of the Controller’s business activities. The period of limitation shall be determined by law, in particular the Civil Code (the basic limitation period for claims related to business activities is three years).
Keeping statistics and analysing traffic on the WebsitePont (f) of Article 6(1) of the RODO Regulation (legitimate interest of the Controller) – processing is necessary for purposes resulting from the Controller’s legitimate interests – consisting of conducting statistics and analysis of traffic on the Website in order to improve the functioning of the WebsiteThe data shall be stored for the period of existence of a legitimate interest pursued by the Controller, however, not longer than the period of limitation of the Controller’s claims against the data subject on account of the Controller’s business activities. The period of limitation shall be determined by law, in particular the Civil Code (the basic limitation period for claims related to business activities is three years).

4) RECIPIENTS OF DATA ON THE WEBSITE

  1. For the proper functioning of the Website, including the proper provision of Electronic Services and Digital Products by the Controller, it is necessary for the Controller to use the services of external entities (such as e.g. software provider, payment processor). The Controller shall only use the services of such processors who provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the RODO Regulation and protects the rights of data subjects.
  2. Personal data may be transferred by the Controller to a third country, whereby the Controller shall ensure that, in such a case, this will be done in relation to a country ensuring an adequate level of protection and, in the absence of an appropriate decision confirming its adequacy, at least on the basis of standard data protection clauses – in accordance with the RODO Regulation – and the data subject shall be able to obtain a copy of their data. The Controller shall transfer the collected personal data only if and to the extent necessary to fulfil the respective purpose of the processing in accordance with this privacy policy.
  3. Transfer of data by the Controller does not take place in every case and not to all recipients or categories of recipients indicated in the privacy policy – the Controller transfers data only if it is necessary for the realization of a given purpose of personal data processing and only to the extent necessary for its realization.
  4. The personal data of the Service Recipients using the Website may be transferred to the following recipients or categories of recipients:

    a. entities processing electronic or credit card payments – in the case of a Service Recipient who uses electronic or credit card payments on the Website, the Controller shall make the collected personal data of that person available to a selected entity processing the aforementioned payments on the Website at the request of the Controller to the extent necessary to process the payments.

    b. service providers who provide the Administrator with technical, IT and organizational solutions enabling the Administrator to conduct its business activity, including the Website and the Electronic Services provided through it as well as the Digital Products made available (in particular, providers of computer software for running the Website, e-mail and hosting providers and providers of business management and technical support software for the Controller) – the Controller shall make the collected personal data of the Service Recipient available to a selected provider acting on behalf of Service Provider only in the case and to the extent necessary to carry out a given purpose of data processing pursuant to this privacy policy.

    c. providers of accounting, legal and advisory services providing the Controller with legal or advisory support (in particular an accounting office, a law firm or a debt collection agency) – the Controller shall make the collected personal data of the Customer available to the selected provider acting on behalf of the Controller only in the case and to the extent necessary to carry out the given purpose of data processing in accordance with this privacy policy.

    d. providers of social plug-ins, scripts and other similar tools placed on the Website that enable a visitor’s browser to download content from the providers of these plug-ins and to transmit the visitor’s personal data to these providers for this purpose, including:

    i. Facebook Ireland Ltd. – The Controller may use Facebook social plug-ins on the Website (e.g. the “Like” button or login with your Facebook profile) and therefore collects and discloses personal data of the persons using the Website to Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland) to the extent and in accordance with the privacy policy available here: https://www.facebook.com/about/privacy/ (this data includes information about activities on the Website page – including information about the device, websites visited, purchases, advertisements displayed and the way of using the services – regardless of whether the person has a Facebook account and is logged in to Facebook).

    ii. LinkedIn Ireland Unlimited Company – The Controller uses social plugins of Linkedin.com on the Website and therefore collects and shares personal data of the Service Recipient using the Website to LinkedIn Ireland Unlimited Company (Gardner House, 2 Wilton Pl, Saint Peter’s, Dublin 2, Ireland) to the extent and in accordance with the privacy policy available here: https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy (this data includes information about the activities on the Website – including information about the device, websites visited, purchases, advertisements displayed and the way of using the services – regardless of whether the Service Recipient has an account on the Linkedin.com portal and whether he or she is logged in to it.).

    iii. Google Ireland Limited – The Controller uses Google.com plug-ins on the Website and therefore collects and shares the personal data of the Service Recipient using the Website with Google.com (Gordon House, Barrow Street, Dublin 4, Ireland) to the extent and in accordance with the privacy policy available here: https://policies.google.com/privacy?hl=pl (this data includes information about activities on the Website – including information about the device, visited websites, purchases, displayed advertisements and how to use from services – regardless of whether the Service Recipient has a Google account and is logged in to it).

5)       PROFILING ON A WEBSITE

  1. The RODO Regulation imposes an obligation on the Controller to provide information on automated decision-making, including profiling as referred to in Article 22(1) and (4) of the RODO Regulation, and, at least in those cases, relevant information on the modalities of such decision-making, as well as on the significance and the envisaged consequences of such processing for the data subject. With this in mind, the Controller provides information on possible profiling in this point of the privacy policy.
  2. The Controller may use profiling on the Website for direct marketing purposes, but decisions made on its basis by the Controller do not concern conclusion or refusal of a specific contract with the Controller or the possibility to use Electronic Services and Digital Products on the Website. The effect of using profiling on the Website may be, for example, a reminder about unfinished purchases on the Website, sending a discount or a proposal for a service or product that may correspond to the interests or preferences of a given person, or proposing better conditions compared to the standard offer of the Website. Despite profiling, a given person makes a free decision whether he/she will want to use, for example, an offer or a discount received in this way.
  3. Profiling on the Website consists in automatic analysis or prediction of a given person’s behaviour on the Website, e.g. through analysis of previous purchases or history of activities undertaken on the Website. The condition of such profiling is that the Controller has the personal data of the given person in order to be able to send him/her e.g. a reminder about unfinished shopping, a discount code or an offer.
  4. The data subject shall have the right not to be subject to a decision which is based solely on automated processing, including profiling, and which produces legal effects concerning that person or significantly affects him or her in a similar manner.

6)       RIGHTS OF THE DATA SUBJECT

  1. Right of access, rectification, restriction, erasure or portability – the data subject has the right to request from the Controller access to his/her personal data, their rectification, erasure (“right to be forgotten”) or restriction of processing and has the right to object to the processing, as well as has the right to portability of his/her data. The detailed conditions for exercising the rights indicated above are indicated in Articles 15-21 of the RODO Regulation.
  2. Right to withdraw consent at any time – the person whose data are processed by the Controller on the basis of the consent given (on the basis of point (a) of Article 6(1) or point (a) of Article 9(2) of the RODO Regulation) has the right to withdraw consent at any time without affecting the legality of the processing carried out on the basis of consent before its withdrawal.
  3. The right to lodge a complaint to the supervisory authority – the person whose data is processed by the Controller has the right to lodge a complaint to the supervisory authority in the manner and mode specified in the provisions of the RODO Regulation and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Personal Data Protection Office.
  4. Right to object – The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her based on point (e) of Article 6(1) (public interest or tasks) or point (f) of Article 6(1) (legitimate interest of the controller), including profiling under these provisions. The Controller shall in that case no longer be permitted to process those personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of claims.
  5. Right to object to direct marketing – where personal data are processed for the purposes of direct marketing, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing, including profiling, to the extent which processing is related to such direct marketing.
  6. In order to exercise the rights referred to in this section of the privacy policy, you may contact the Controller by sending a relevant message in writing or by e-mail to the Controller’s address indicated at the beginning of the privacy policy.

7)       COOKIES ON THE WEBSITE AND ANALYTICS

  1. Cookies are small information in the form of text files sent by a server and stored on the Website visitor’s side (e.g. on the hard drive of a computer, laptop or smartphone memory card – depending on the device used by the Website visitor). Detailed information on cookies, as well as the history of their creation can be found, among others, here: https://pl.wikipedia.org/wiki/HTTP_cookie.
  2. The cookies that may be sent by the Website can be divided into different types, according to the following criteria:
Because of their supplier:Due to their storage period on the device of the visitor to the Website:In view of the purpose of their use:
1) own (created by the Controller’s Website) and
2) belonging to third parties (other than the Controller)
1) session (stored until logging out of the Website or turning off the web browser) and
2) permanent (stored for a specific period defined by the parameters of each file or until manually deleted)
In view of the purpose of their use:
1) necessary (to enable the proper functioning of the Website),
2) functional/preferential (enabling the Website to adapt to the visitor’s preferences),
3) analytical and performance (gathering information about how the Website is used),
4) marketing, advertising and social networking (collecting information about a visitor to a Website in order to display advertisements to that person, personalise them and conduct other marketing activities, including on websites separate from the Website, such as social networking sites or other sites belonging to the same advertising network as the Website)
  1. The Controller may process the data contained in cookies when visitors use the Website for the following specific purposes:
Purposes of using cookies on the Controller’s WebsiteIdentifying a given person as logged in to the Website and showing that he/she is logged in (necessary cookies)
remembering the Digital Products added to the electronic shopping basket in order to be able to place an Order (essential cookies)
remembering data from completed forms, surveys or login data to the Website (necessary and / or functional / preferential cookies)
adapting the content of the Website to individual preferences of a given person (e.g. with regard to colours, font size, page layout) and optimisation of use of the Website’s pages (functional/preference cookies)
keeping anonymous statistics showing how the Website is used (analytical and performance cookies)
displaying and rendering advertisements, limiting the number of advertisements displayed and ignoring advertisements that a given person does not want to see, measuring the effectiveness of advertisements, as well as personalizing advertisements, i.e. researching the behavioral characteristics of visitors to the Website by anonymous analysis of their activities (e.g. repeated visits to the website specific pages, keywords, etc.) in order to create their profile and provide them with advertisements tailored to their expected interests, also when they visit other websites in the advertising network of Google Ireland Ltd. and Facebook Ireland Ltd. (marketing and advertising cookies and social)
monitoring of unfinished purchases (abandoned baskets) in order to send reminders about unfinished purchases
  1. Checking in the most popular web browsers which cookies (including the period of operation of cookies and their provider) are being sent at a given moment by the Website is possible in the following way:
In the Chrome browser:
(1) in the address bar, click on the lock icon on the left, (2) go to the “Cookies” tab.
In Firefox:
(1) in the address bar, click on the shield icon on the left, (2) go to the “Allowed” or “Blocked” tab, (3) click on the box “Tracking cookies between sites”, “Social media tracking elements” or “Content with tracking elements”
In Internet Explorer:
(1) click the “Tools” menu, (2) go to the “Internet Options” tab, (3) go to the “General” tab, (4) go to the “Settings” tab, (5) click the “View Files” box
In the Opera browser:
(1) in the address bar click on the padlock icon on the left, (2) go to the “Cookies” tab.
in the Safari browser:
(1) click the “Preferences” menu, (2) go to the “Privacy” tab, (3) click in the “Manage site data” box
Irrespective of the browser, using the tools available, for example, at: https://www.cookiemetrix.com/ or: https://www.cookie-checker.com/
  1. By default, most internet browsers available on the market accept cookies by default. Everyone has the option of specifying the conditions for the use of cookies using the settings of their own web browser. This means that you can, for example, partially limit (e.g. temporarily) or completely disable the option of saving cookies – in the latter case, however, it may affect some functionalities of the Website.
  2. The web browser settings in the field of cookies are important from the point of view of consent to the use of cookies by the Website – in accordance with the law, such consent may also be expressed through the settings of the web browser. Detailed information on changing cookie settings and their self-removal in the most popular web browsers is available in the help section of the web browser and on the following pages (just click on the link):
    in Chrome browser
    in Firefox
    in Internet Explorer
    in Opera browser
    in the Safari browser
    in the Microsoft Edge browser
  3. The Controller may use Google Analytics and Universal Analytics services on the Website provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). These services help the Controller keep statistics and analyse traffic on the Website. The data collected are processed by the above services to generate statistics that help administer the Website and analyse Website traffic. The data are of an aggregate nature. When using the above services in the Website, the Controller collects such data as the sources and medium of obtaining persons visiting the Website and their behaviour in the Website, information on the devices and browsers from which they visit the Website, IP and domain, geographical data and demographic data (age, gender) and interests.
  4. It is possible for a given person to easily block the provision of information to Google Analytics about his or her activities on the Website – for this purpose, you can, for example, install a browser add-on provided by Google Ireland Ltd. available here: https://tools.google.com/dlpage/gaoptout?hl=pl.
  5. In connection with the possibility of using by the Controller in the Website advertising and analytical services provided by Google Ireland Ltd., the Controller points out that full information on the principles of processing of data of visitors to the Website (including information stored in cookies) by Google Ireland Ltd. can be found in the privacy policy of Google services available at: https://policies.google.com/technologies/partner-sites.
  6. On the Website the Controller may use the Facebook Pixel service provided by Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). This service helps the Controller to measure the effectiveness of advertisements and find out what actions visitors take on the Website, and to display tailored advertisements to these visitors. You can find detailed information on how Facebook Pixel works at the following website address: https://www.facebook.com/business/help/742478679120153?helpref=page_content.
  7. Managing the operation of Facebook’s Pixel is possible through the ad settings in your Facebook account: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen.
  8. The Controller may use CartFlows services on the Website to monitor and remind of unfinished purchases on the Website. CartFlows services are provided by BRAINSTORM FORCE US LLC, 300 Delaware Ave, Suite 210-A, Wilmington, DE 19801 US. Detailed information on how the Service works is available at: https://cartflows.com/docs/gdpr-compliance/

8)       FINAL PROVISIONS

The Website may contain links to other websites. The Controller urges users to familiarise themselves with the privacy policy of other websites after having visited them. This privacy policy applies only to the Controller’s Website.

"Please be informed that in order to carry out the services available on our website, optimise its content, adapt the website to your individual needs and display, personalise and measure the effectiveness of advertisements within external advertising networks, we use information saved using cookies on users' end devices. You can control cookies using the settings of your web browser. By continuing to use our website without changing the browser settings, the user accepts the use of cookies. More information is contained in the privacy policy of the website."