Privacy policy of Qtravel.ai
§1. Preliminary Provisions
- This Policy describes how the Data Controller of qtravel.ai processes personal data.
- The Controller of personal data shall be Q&Q Sp. z o.o. with its registered office in Gdańsk (80-175), ul. Jabłoniowa 20, entered in the register of entrepreneurs of the National Court Register under the KRS number 0000347581 by the District Court Gdańsk-Północ in Gdańsk, 7th Commercial Division of the National Court Register, NIP (Tax Identification Number): 5833091911, REGON (Business Registry Number) 220945813, share capital of PLN 334 000.00.
§2. Definitions
- For the purposes of this Policy, the following definitions shall mean:
- Controller / Service Provider – Q&Q Sp. z o.o. with its registered office in Gdańsk.
- Contact Form – means a form through which the User sends a message to the Service Provider.
- Personal data – means any information relating to an identified or identifiable natural person through one or more specific factors, including image, contact data, location data, information contained in correspondence, information collected through recording equipment or other technology.
- Cookies – means text files saved by the web browser on the User’s computer disk or mobile device in order to store information used to identify the User or remember the history of actions taken by the User on the Website.
- Privacy Policy / Policy – means this document.
- Processing of Personal Data – means an operation or set of operations performed upon Personal Data or sets of Personal Data in an automated or non-automated manner, such as collection, recording, arranging, organizing, storing, adapting or modifying, downloading, viewing, using, disclosing by transmission, disseminating or otherwise making available, matching or combining, limiting, erasing, or destroying.
- GDPR – Regulation of the European Parliament and the Council (EU) No. 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
- Website – means the website made available electronically by the Service Provider at qtravel.ai.
- User – means any natural person who uses the Website or the Controller’s services in any way.
§3. General Principles of Personal Data Processing
- In connection with its business activities, the Controller collects and processes Personal Data in accordance with generally applicable laws, including in particular the GDPR.
- The scope of Personal Data required to perform a given service is each time indicated on the Website or in the information provided by the Controller.
- Providing Personal Data is necessary in order to use certain services, including the submission of the Contact Form. Mandatory data are automatically marked for completion as the User is filling in the data in the Contact Form. A failure to provide mandatory Personal Data by the User may result in the User being unable to use the services provided by the Service Provider.
- The Controller uses and discloses Personal Data:
- to the extent necessary to provide the services requested by the User,
- to the extent not exceeding the consent granted by the User (which the User may withdraw at any time),
- in order to protect the interests of the User,
- in accordance with generally applicable legal regulations.
§4. Purpose and scope of personal data collection and processing
Possible purposes of personal data collection and processing by the Controller:
- Conclusion and performance of the contract, delivery of confirmations and notifications regarding the submitted Contact Form
- The main purpose of personal data processing by the Controller is to carry out the services provided within the business activity conducted by the Controller and to maintain the functioning of the Website. The User has the possibility of submitting aContact Form via the Website. If the User fills in the Contact Form, the Controller will process the data entered by the User in the form.
- The legal basis for processing the Personal Data referred to in paragraph a) is Article 6(1)(b) of the GDPR (necessary to perform the contract).
- In the case of collecting Personal Data for purposes related to the performance of a specific contract, the Controller shall provide the User to whom the data relate with detailed information on the processing of his/her Personal Data at the time of concluding the contract, or at the time of obtaining the Personal Data, in the event that the processing is necessary for the Controller to take action at the request of the User prior to the conclusion of the contract.
- In connection with the conclusion of contracts within the scope of its business activity, the Controller receives data from customers/contractors on persons involved in the performance of the contract in question (e.g. data on coordinators authorized to contact, execute the contract, etc.). The scope of the data is in each case limited to the extent necessary for the execution of the contract in question (usually personal data other than name and surname as well as business contact data are not included).
- The legal basis for the processing of the data referred to in item d) is Article 6(1)(f) of the GDPR (legitimate interest of the Controller and its customer or contractor that enables the execution and performance of the contract). These data may be disclosed to other third parties involved in the performance of the contract.
- Securing claims
- In order to establish, assert and enforce possible claims, the Controller may also process some of the submitted Personal Data, data concerning the use of services, as well as other data that will be necessary to prove the existence of a claim, its enforcement, and defence against claims in proceedings before courts and other state authorities, to conduct court proceedings, and to store data for archiving purposes.
- The legal basis for processing is Article 6(1)(f) of the GDPR, i.e. the legitimate interest of the Controller. Data in this regard are processed for the statutory period of limitation
- Tests and Development
- The Controller may use the collected information to carry out tests, research, and analysis and to develop new services, which may help it to increase the security of the offered services and develop new products or services.
- The legal basis for the processing is Article 6(1)(f) of the GDPR, i.e. the legitimate interest of the Controller, whose purpose is to facilitate the use of services provided electronically to the User and improve the functionality of these services.
- Ensuring security of information processing on the Website
- The Controller also uses the information in its possession to remove inappropriate behaviour and other actions that threaten the safe operation and use of the Website services.
- The legal basis for the processing is Article 6(1)(f) of the GDPR, i.e. the legitimate interest of the Controller, whose purpose is to facilitate the use of services provided electronically to the User and improve the functionality of these services.
- Cookies
- In order to optimise the content available on the Website and adjust it to individual needs, the Controller uses information stored by means of Cookies on the Users’ end devices. No information is collected automatically, with the exception of information contained in Cookies.
- The Controller places Cookies on the User’s end device and has access to them.
- Possibilities and ways to handle Cookies can be found in the User’s web browser settings. Most browsers are set by default to accept the storage of Cookies on the end device. Changing these settings is possible at any time and may involve, among other things, blocking the use of Cookies or notifying the User of their placement on his/her device. Changing the default settings may result in restrictions on the availability and functionality of the content of the Website.
- Detailed information on Cookies can be found in the menu of the web browser or on the website of a given browser producer.
- The Controller collects information on the User’s location. Depending on the Services used by the User and the settings of the Website, the Controller may collect information regarding the exact or estimated location of the User determined by the use of data such as GPS position, IP address or Wi-Fi network data.
- The Controller also collects information regarding the manner in which the User uses the Website. This may include information such as dates and times of access, features of the Website or viewed pages, Website crashes and other activity, browser type, and information about third-party sites or services the User visited before using the Website. In some cases, the Controller collects this information with the use of Cookies.
- Cookies are used:
i. to optimise the content of the Website by adjusting its content to the individual needs of Users, including recognising the User’s device in order to display the Website according to his/her preferences,
ii. to prepare statistics which enable the understanding of how the Website is used and adjust its content to Users’ preferences as well as to evaluate the popularity of the Website,
iii. to develop, test and improve the provided services, as well as to conduct research and surveys, to test new products and features and to solve issues related to them,
iv. to enable interaction with social networking sites,
v. to adjust advertising content displayed on the Website. - The Controller also monitors the quality of the services it provides. For this purpose a statistical analysis is conducted with regard to how the User makes use of individual functions and subpages of the Website using:
i. internal analytical tools,
ii. statistical tools provided by partners who provide analytical services.
i. The legal basis for conducting a statistical analysis is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), which consists in conducting analyses of User activity on the Website in order to improve its functionality.
j. The legal basis for sending marketing messages is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR), which consists in promoting its own brand.
k. For the purposes of cooperation, the browser or other software installed on the User’s device also stores Cookies from entities engaged in {similar marketing…?}such marketing activities. {These Cookies may…?} that may become the Controller of the User’s Personal Data.
- Communication
- The Controller may communicate with the Users by e-mail or by phone.
- The User can at any time contact the Controller directly by sending a message in writing or by e-mail to the Controller’s e-mail address indicated in §10.5 of the Policy.
- Using the Contact Form requires the provision of Personal Data necessary for contacting the User and responding to the query.
- The Controller stores the correspondence with the User for statistical purposes and in order to respond to queries in the best and quickest way possible, as well as for the purpose of conducting complaint proceedings. The data will not be used by the Controller for other purposes.
- When the User contacts the Controller, the Controller reserves the right to ask the User once again to provide data, e.g. first name, surname, e-mail address, etc., in order to confirm the User’s identity and enable the Controller to contact him or her again. The above refers to the data which had previously been provided by the User and to the processing of which the User gave his/her prior consent. The provision of such data is not compulsory, but may be necessary for carrying out actions or obtaining information the User wishes to receive.
- The personal data are processed in order to identify the User and to handle his/her enquiry.
- The legal basis for data processing is the necessity for the performance of the contract for the provision of services (Article 6(1)(b) of the GDPR), with regard to data provided optionally the consent is the legal basis for processing (Article 6(1)(a) of the GDPR).
- Newsletter
- The User may give the Controller his/her consent to process his/her Personal Data in the form of an e-mail address and telephone number for the purpose of direct marketing of the Controller’s Services, during and after the provision of services. Granting consent to data processing is voluntary.
- The provision of Personal Data is necessary for the User to use the Newsletter service. Failure to provide data will result in the lack of possibility of using the Newsletter service.
- The User may cancel the Newsletter service at any time by withdrawing his/her consent without incurring any costs. For this purpose, it is sufficient to send information to the contact data (e.g. email) listed in § 10 (5) of the Policy.
- The legal basis for directing marketing messages to the User is the legitimate interest of the Controller (Article 6(1)(f ) of the GDPR) which consists in promoting the Controller’s own brand, as well as products and services.
- Social networking sites
- The Controller also processes Personal Data left by visitors on its profiles on social networking sites (Facebook and LinkedIn) (e.g. comments, likes, user IDs). The data are processed in order to enable the Users to be active on these profiles, in connection with running the profile, including informing the Users about the Controller’s activities and promoting various events, services and products, as well as for statistical and analytical purposes, and may also be processed for the purpose of asserting claims and protecting against claims.
- The legal basis for the processing of personal data by the Controller for this purpose is its legitimate interest (Article 6(1)(f) of the GDPR), which consists in promoting its own brand, services, and products and improving the quality of the provided services, and if necessary, in asserting and defending against claims.
- The above information does not apply to the processing of personal data by administrators of social networking sites (Facebook and LinkedIn).
§5. Possible recipients of personal data
- The User’s personal data may be transferred by the Controller to entities that process them on its behalf, including:
- marketing agencies and marketing platform providers,
- cloud service providers,
- providers responsible for IT systems and equipment maintenance,
- providers of data analysis services,
- consultants, lawyers, accountants, and other professional service providers,
- postal operators, couriers.
- The Controller shall also disclose personal data to authorized bodies or third parties if they request such information from the Controller on the basis of an appropriate legal basis and in accordance with the applicable legal provisions.
§6. Transfer of data to third countries
- In the course of the Controller’s use of tools that support the Controller’s day-to-day business operations, Personal Data may be transferred to a country outside the European Economic Area, in particular to the United States of America or another country in which an entity cooperating with it maintains tools for processing Personal Data in cooperation with the Controller.
- The Controller shall ensure adequate safeguards for the Personal Data transferred to it. In the case of transferring data from Europe to the USA, some entities that operate there may additionally ensure an adequate level of data protection under the so-called Privacy Shield programme (more information at: https://www.privacyshield.gov/).
- The Controller always informs Users about the intention to transfer Personal Data outside the EEA at the stage of its collection.
§7. Users’ rights
- Users shall have the following rights with regard to the processing of their Personal Data:
- The right to information about the processing of their Personal Data,
- The right to obtain a copy of the data,
- The right to demand access to the Personal Data, their rectification, erasure, or restriction of processing,
- The right to object to the processing of Personal Data,
- The right to transfer the Personal Data,
- The right to withdraw consent to the processing of the Personal Data for a specific purpose, if the User had previously given such a consent,
- The right to lodge a complaint with a supervisory authority in relation to the processing of the User’s Personal Data by the Controller.
- The User may exercise the above rights in accordance with the principles described in Articles 16 – 21 of the GDPR by sending a message to the Controller’s e-mail address.
§8. Personal data retention period
- The Personal Data retention period depends, among other things, on the nature of the data, the type of the provided service, and the reason for collecting and processing them.
- Personal Data shall be stored for the period required by generally applicable laws, provided that this is regulated separately, with particular consideration given to the period of limitation of claims resulting from obligations to which the Controller and the data subject are parties. The Controller declares that the personal data shall not be processed for a period longer than the period required by law, or the period provided for in the Controller’s internal regulations.
- In the case of concluding a contract for the provision of services, the Personal Data shall be stored for the period necessary for the performance of the contract, including until they are needed by the Controller to provide and deliver the services.
- The data processing period may be extended if the processing is necessary to establish or assert claims or to protect against claims, and after this period, only if and to the extent required by law. After the expiry of the processing period, the data shall be deleted or anonymised.
- Personal data may be processed by the Controller, despite the withdrawal of the data subject’s consent, if this is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, in compliance with the requirements provided for in Article 6(1)(f) 16 of the GDPR.
- The Personal Data of Users who are not logged in shall be stored by the Controller for a period corresponding to the life cycle of Cookies stored on their devices.
§9. Safety
- The Controller shall use his best endeavours to ensure that the Personal Data are processed in accordance with the applicable legal provisions and that they are protected against loss, destruction, disclosure, access by unauthorized persons, or misuse, and shall guarantee the confidentiality of any data provided to it by Users by taking effective security and personal data protection measures.
- The Controller shall apply the following technical and organizational measures to ensure the protection of the processed Personal Data:
- securing the data set against unauthorized access,
- SSL certificate on the Website where Users’ Personal Data are provided,
- measures that prevent unauthorized copying of the processed Personal Data through the use of IT systems.
- In order to ensure the integrity and confidentiality of the Personal Data, the Controller has also implemented procedures which allow access to the Personal Data only to authorized persons and only to the extent which is necessary due to the tasks performed by them.
- In the course of processing the data, the Controller shall ensure their safety and confidentiality, as well as the access to information on the processing of the Personal Data.
§10. Final Provisions
- The Controller reserves the right to change the content of the Policy. The change may be effected for the following important reasons:
- change in the applicable provisions of law, in particular those concerning Personal Data protection, telecommunication law, services provided by electronic means which affect the Controller’s rights and obligations or the User’s rights and obligations;
- development of the functionality or services, including implementation of new technological or technical solutions which affect the scope of the Policy.
- The Controller shall each time post information about changes to the Policy on the Website.
- Should there be any doubts or discrepancies between the Policy and the consents given by the User, regardless of the provisions of the Policy, the basis for undertaking and determining the scope of activities by the Controller shall always be the consents voluntarily given by the User or the provisions of law. This document, however, has a general, informative character only (it is not a contract or a set of rules and regulations).
- Contact with the Controller is possible via e-mail: [email protected] or at the address Gdańsk (80-175), ul. Jabłoniowa 20.
- The Controller has appointed a Data Protection Officer – Agnieszka Kukałowicz. The DPO can be contacted by e-mail: [email protected].
- This version of the Privacy Policy shall be effective as of: 18/03/2021