INTO's Privacy Policy

§ I. General Provisions

1. Definitions

   Personal data– this should be understood as personal data within the meaning of the definition of Art. 4 point 1 of the GDPR, and therefore information about an identified or identifiable natural person, and therefore the data subject. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, the economic, cultural or social identity of a natural person, including in particular name and surname, telephone number, e-mail address, delivery address, device IP, location data, online identifier and information collected via cookies and other similar technology.

   Account- a collection of resources maintained for the registered User by INTO at the e-mail address, in which the User's data and information about his Transactions within the Website are collected.

   Policy- this Privacy Policy.

   Ticket– subject of the sales contract between INTO and the Customer.

   Registration- procedure for creating an Account.

   SHOWING- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

   INTO Website or Website- website run by INTO at: intoapp.pl

   Company or INTO– INTO APP Prosta Spółka Akcyjna with its registered office in Warsaw at: Al. Solidarności 68/121, 00-240 Warszawa, entered into the Register of Entrepreneurs of the National Court Register under KRS number: 0001018516, with NIP number: 7011128598 and share capital of PLN 100,000.00.

   Transactions- Ticket sales contracts concluded on the Website.

   Accompanying Services- services or functionalities provided or made available by the Company or by third parties, including services provided on the basis of separate regulations, which support the main activities of the Company or facilitate the Users' use of the Company's services, including by financing, securing or advertising Transactions.

   User- an entity that has gained access to the services provided by the Company as part of the Website, on the terms specified in the Regulations, and which therefore provides its Personal Data.

2. Objectives and scope of the Policy
   1. The purpose of the Policy is to define the actions taken by the Company in the field of protection of Users' Personal Data processed via the Website, as well as as part of related services, including Accompanying Services.
   2. The Policy specifies in particular the scope and legal basis for the processing of Users' Personal Data, which are collected by the Company in connection with the use of the Website and Accompanying Services.
   3. Personal Data is obtained from the User in connection with creating an Account on the Website, in connection with activities (including the purchase of Tickets) performed by Users on the Website, browsing offers on the Website and in connection with updates of Personal Data made by Users via the Account.
   4. The processing of Personal Data may also be related to the User's performance of other activities directly related to the use of the Website and Accompanying Services.
   5. Personal Data necessary for the performance of the contract related to the purchase of a Ticket may be transferred to the event organizer, unless the event organizer or separate regulations require it. If you use Companion Services, Personal Data may also be transferred by the provider of those Companion Services.
   6. Using the Website or related services is possible only after reading the provisions of this Privacy Policy and the INTO Website Regulations (hereinafter referred to as: Regulations).
   7. By clicking on links posted on the Website, the User may be redirected to websites or services that are administered or are services provided by entities independent of the Company. In such a case, the processing of Personal Data takes place in accordance with the principles set out by these entities - e.g. in the privacy policy applicable to services or applications available on external websites or websites.
   8. All activities of the Company are subject to the provisions of the law applicable to the protection of personal data, in particular the provisions of the GDPR and the Personal Data Protection Act of May 10, 2018. In case of questions or doubts regarding the principles and method of protection of Personal Data by the Company, you can contact the Company. Contact details can be found in Part IX of the Policy.

§ II. Scope of Personal Data processed by the Company

1. The scope of Personal Data processed by the Company depends on the type of services or functionalities provided by the Company that the User uses.
2. Taking into account the principle in point 1 above, the Company processes the following categories of Personal Data:
   1. User's e-mail address and password - in connection with User Registration on the Website.
      • If you refuse to provide the data indicated above, it will not be possible to conclude a contract with the User and, as a consequence, the User will not be able to use the Company's services available to Users who have registered.
      • For some functionalities offered by the Website, the User will have to register. During Registration, the User should provide the email address and password that he will use on the Website or he will be asked to log in to the Website using external authentication services.
   2. When the User uses the Account, information about the User's activities on the Website will be additionally processed, including: about your purchase history and selected payment methods.
   3. The User's Personal Data may also be obtained in connection with using the option of logging in to the Website or registering on the Website via external authentication services offered by other entities operating independently of the Company (e.g. services offered by Google, Allegro or services offered as part of websites , including social media - e.g. Facebook). In such a case, the User's Personal Data, including name and surname and e-mail address, are collected. These Personal Data may be assigned to the User Account or may be processed for the purposes of such logging in or Registration on the Website. When using external authentication services, please read the regulations and principles of personal data processing of entities offering such services. Notwithstanding the above, it should be borne in mind that when using social media on their own, the User uses a public profile (i.e. a profile that can be accessed by anyone using the Internet), and thus provides their Personal Data on the basis of their own , thoughtful and conscious decision.
   4. When ordering a Ticket, the User is required to provide the following Personal Data: name, surname, e-mail address and telephone number.
   5. If you express your will to receive a VAT invoice, you must additionally provide: the name of the entity - taxpayer, NIP and address of the entity - taxpayer and send the data to [email protected].
   6. It is not possible to complete a Transaction without Registration.
   7. If the User uses the Accompanying Services, Personal Data necessary to provide these services will be processed, including, among others: current payment status, data necessary to offer or conclude an insurance contract.
   8. In the scope of the User's use of contact forms, Personal Data is processed, including contact details necessary for communication (e.g. answering a question) and to fulfill the User's request, including: name and surname, e-mail address or telephone number.
   9. Additionally, as part of the User's service, the Company may establish contact with the User by using Personal Data placed for this purpose in the User Account or provided by the User via social media channels (e.g. Facebook Messenger, Instagram, Twitter, WhatsApp). In the event of contact with the Company via social media channels offered by entities independent of the Company, the Company obtains Personal Data in the form of a User name (in the case of e.g. Facebook Messenger, Instagram, Twitter) or telephone number (e.g. in the case of WhatsApp) only for the purposes of contact. If permitted under applicable law, the Company will also be entitled to obtain (and process in another way, for example storing) other Personal Data regarding communications with the User, e.g. information about support requests or feedback from Users.
   10. In connection with the User's participation in competitions or promotional campaigns, Personal Data that are necessary for the implementation of the events will be processed. Depending on the type of event being organized, these may include: name and surname, contact details (such as telephone number or e-mail address), or other data necessary to meet the criteria for participation in these events. If a given event provides for a prize, in order to be able to deliver it to you, the User may be required to additionally provide his/her residential address, ID card number or other document confirming identity, PESEL number, NIP number and other data necessary to issue the prize (e.g. number bank account).
   11. In the scope of its marketing activities, the Company may, based on the legitimate interest of the Company or the legitimate interest of entities cooperating with the Company, in particular as part of the Accompanying Services, or based on the User's consent, process information that helps match advertisements and content to the User's preferences and expectations (including related to the display of behavioral advertising). These may include, among others: IP address, data from cookies, or information about website traffic, including the products viewed and the User's preferences. Additionally, based on the above premises, the Company will also process the User's contact details, including data necessary to send information, including commercial information, to the extent provided by the User (telephone number or e-mail address).
   12. The User's Personal Data may also be processed by the Company for analytical and statistical purposes, including for conducting surveys. For this purpose, the Company will primarily use information about the User's activity on the Website, including information related to the use of individual services, as well as Personal Data regarding the User's preferences and expectations. Through surveys sent to the User via e-mail or made available directly on the Website, the Company may collect Personal Data from the User, which may include, for example, age. The User's Personal Data may also be used to ensure an appropriate level of security of the Website.
   13. The User's Personal Data may be processed in connection with the Company's right to pursue or defend against claims. For this purpose, the Company processes Personal Data no longer than for the entire period in which claims arising from the contract concluded by the User with the Company or related to the User's use of the services provided by the Company or Accompanying Services have not become time-barred in accordance with applicable law. This may be, for example, the amount of debt, information related to a specific order, data about Transactions, or information obtained in connection with the User contacting the Company's hotline. The scope of Personal Data processed may change each time, depending on the subject of the claim.

§ III. Purposes, grounds and period of processing of Personal Data by the Company

They take into account the provisions of point II above, depending on which services provided by the Company the User uses, different purposes and legal bases for the processing of Personal Data by the Company and the periods during which the Company may store or use Personal Data are indicated.

Standard activities with respect to Personal Data in connection with the use of services provided by the Company are indicated below. More detailed information regarding the processing of Personal Data when using specific services may also be included in the regulations of these services.

1. Registration and account maintenance, transaction and User management.

   Using some of the functionalities available on the Website requires the User to register in accordance with the Regulations. As part of the services provided by the Company, it is possible to create an Account. Creating and using an Account involves the processing of your Personal Data by the Company.

   The Company also processes your Personal Data in connection with the processing of your Transactions. Through the Website you can in particular:

   • make Purchase Transactions as an individual or entrepreneur under the Account;

   In connection with the operation of the Account and Transactions, the User's Personal Data are processed according to the principles described in the table below. Additionally, Personal Data may be processed for other purposes, including analytical and marketing purposes or to ensure the security of the services provided.

   In connection with the execution of certain Transactions (Transactions subject to the obligation to archive or settle VAT by the Company), the Company is obliged to process, including archiving, personal data, including the User's Personal Data relating to these Transactions.

   Purpose of processing	Legal basis for the processing of Personal Data	Period of storage of Personal Data for a specific purpose (retention period)
   Taking actions related to the processing of Registration made by the User and providing services electronically in the field of User Accounts	Art. 6 section 1 letter b GDPR (necessity to conclude and perform the contract) and art. 6 section 1 letter f GDPR (protection of own economic interests - counteracting fraud and abuse)	5 years from the end of the year in which the contract on the account was terminated
   Taking actions related to the processing of Transactions made by the User within the Account	Art. 6 section 1 letter b GDPR (necessity to conclude and perform the contract) and Art. 6 section 1 letter c GDPR in connection with Art. 74 of the Accounting Act (necessity to fulfill the Administrator's legal obligation)	5 years from the end of the year in which the contract on the account was terminated
   Providing Personal Data when logging in to the Website via an external service	Art. 6(1)(a) of the GDPR (User's consent) - only in the scope of optional Personal Data that are not necessary to use the Account	Until the service is completed
   Complaint handling, including solving technical problems	Art. 6 section 1 letter f GDPR (legitimate interest of the Company consisting in protecting the rights of the Company and the User)	Until the complaint is processed or the reported problem is resolved
   Pursuing claims and defending against claims arising from a concluded contract or related to the provision of services, including debt collection, conducting court, arbitration and mediation proceedings	Art. 6 section 1 letter f GDPR (legitimate interest of the Company consisting in the protection of the Company's rights)	Until the last day of the calendar year following 3 years from the date of termination of the service
   Fulfillment of obligations regarding processing, including archiving of transaction data resulting from the VAT e-commerce Package	Art. 6 section 1 letter c GDPR (legal obligation)	10 years from the end of the year in which the Transaction was carried out

2. Accompanying services, including financial services from external providers

   In connection with its business, the Company enables the User to use Accompanying Services provided or made available by the Company or third parties. Accompanying Services also include insurance services. Accompanying Services may be provided or made available on the terms set out in the Regulations or separate regulations for such services.

   The Company may also participate in the provision of Accompanying Services by third parties, e.g. through:

   • providing the User with information about services and offers of third parties;
   • mediating the User's conclusion of contracts for the provision of Companion Services of third parties, including by providing services related to, among others, with financing and securing Transactions, such as, among others, Ticket insurance or consumer credit for the purchase of the Ticket.

   In the case described above, the Company may act as an entity processing Personal Data on behalf of the administrator who provides services.

   In connection with the provision of Accompanying Services, the Company processes the User's Personal Data according to the principles described in the table below.

   If you use Companion Services provided by third parties independent of the Company, the rules for the processing of Personal Data may be included in documents made available by these entities on external websites or services, e.g. in the regulations of such a service or in the privacy policy.

   Purpose of processing	Legal basis for the processing of Personal Data	Period of storage of Personal Data for a specific purpose (retention period)
   Support for insurance of the purchased Ticket	Art. 6 section 1 letter f GDPR (legitimate interest of the Company consisting in improving the quality of services provided to the User)	Until you stop using the Company's services or express an effective objection to the processing of Personal Data
   Providing payment services, payment of commissions for Transactions and securing payments on the Website	Art. 6 section 1 letter f GDPR (legitimate interest of the Company consisting in improving the quality of services provided to the User)	Until you stop using the Company's services or express an effective objection to the processing of Personal Data
   Fulfillment of statutory obligations arising from tax and accounting regulations regarding the settlement of Accompanying Services, if such a need arises in relation to the service	Art. 6(1)(a) c GDPR in connection with Art. 70 § 1 of the Tax Ordinance (necessity to fulfill a legal obligation)	5 years from the end of the calendar year in which the tax payment deadline expired
   Fulfillment of statutory obligations arising from tax and accounting regulations regarding the settlement of Accompanying Services, if such a need arises in relation to the service	Article 6(1)(a) c GDPR in connection with Art. 74 of the Accounting Act (necessity to fulfill a legal obligation)	5 years from the beginning of the year following the financial year in which the Transaction was made
   Pursuing claims and defending against claims arising from the concluded contract or related to the provision of Accompanying Services, including debt collection, conducting court, arbitration and mediation proceedings	Art. 6 section 1 letter f GDPR (legitimate interest of the Company consisting in the protection of the Company's rights)	Until the last day of the calendar year following 3 years from the date of termination of the service. The processing time may be extended until the final completion of civil, enforcement, administrative or criminal proceedings requiring the processing of personal data

3. User service and contact form

   If the User contacts the User service department run by the Company, including by making a telephone call to the Company's hotline, the Company may process (e.g. store or analyze) the User's Personal Data as part of running the Website.

   The Company may also collect the User's Personal Data if he contacts us via the tools available on the Website, including the contact form. This Personal Data is necessary to enable the Company to contact the User. The contact form provided by the Company is not used for private correspondence unrelated to the execution of the Transaction and using it for such purposes may constitute a violation of the Regulations.

   In order to prevent violations of the law, including unfair practices, the Company collects data regarding communications made via the form mentioned above. The Company may also analyze and block, using special software, the content of messages via the above-mentioned contact form, in particular if they are spam (unwanted advertising information), contain prohibited content, e.g. encouragement to commit crimes, or otherwise threaten the security of Users, e.g. violate the Regulations.

   In connection with handling inquiries addressed to the Company. including via the contact form, Personal Data are processed according to the principles described in the table below. Personal Data may also be processed for other purposes, including analytical and marketing purposes and ensuring the security of the services provided, which you will learn more about in the further sections of this part of the Policy.

   Purpose of processing	Legal basis for the processing of Personal Data	Period of storage of Personal Data for a specific purpose (retention period)
   Contacting Users, including for purposes related to the provision of services, User support, via available communication channels, in particular e-mail, telephone and social media channels (e.g. Facebook Messenger, Instagram, Twitter, WhatsApp, chatbot (providing automatic responses) )	Art. 6 section 1 letter b GDPR (necessity to perform the contract)	Until the services are completed
   Handling User requests submitted in particular to the User service department and via the contact form when they are not directly related to the performance of the contract	Art. 6 section 1 letter f GDPR (the Company's legitimate interest in responding to inquiries)	Until the subject of the inquiry or request is answered or fulfilled
   Preventing violations in communication	Art. 6 section 1 letter f GDPR (the Company's legitimate interest in ensuring the security of the services provided)	Until the ongoing communication is completed
   Pursuing claims and defending against claims arising from a concluded contract or related to the provision of services, including debt collection, conducting court, arbitration and mediation proceedings	Art. 6 section 1 letter f GDPR (legitimate interest of the Company consisting in the protection of the Company's rights)	Until the last day of the calendar year following 3 years from the date of termination of the service

4. Programs, competitions, promotional campaigns

   The company plans to organize competitions or promotional campaigns. If the User decides to participate in such an event, Personal Data (e.g. information necessary for contact) may be used by the Company for the purpose of conducting the event, e.g. to notify about the victory. Contact details of Users who voluntarily take part in events are processed by the Company in accordance with the provisions of law and for purposes related to these events.

   If the User takes part in a program, competition or promotional campaign, his or her Personal Data may be used by the Company in accordance with the table below, however, more detailed rules for the processing of Personal Data may be included in the dedicated regulations of these events. Additionally, Personal Data may be processed for other purposes, including analytical and marketing purposes and ensuring the security of the services provided, which you will learn more about in the further sections of this part of the Policy.

   Purpose of processing	Legal basis for the processing of Personal Data	Period of storage of Personal Data for a specific purpose (retention period)
   Enabling participation in a competition or promotional campaign	Art. 6 section 1 letter f GDPR (legitimate interest consisting in fulfilling obligations arising from making a public promise, organizing competitions or similar actions, including in connection with activities aimed at promoting the Company's brand)	Until participation in the competition (e.g. prize issuance) or promotional campaign ends or until an effective objection is submitted
   Pursuing claims and defending against claims arising from the concluded contract or related to enabling participation in the event/implementation of the event, including debt collection, conducting court, arbitration and mediation proceedings	Art. 6 section 1 letter f GDPR (legitimate interest of the Company consisting in the protection of the Company's rights)	Until the last day of the calendar year following 3 years from the end of participation in the event/implementation of the event

5. Marketing activities

   The Company may use the User's Personal Data to conduct marketing activities, including in situations where the User provides his/her Personal Data or consents to their processing, and the Company provides the User with content or services in return. Such actions may include:

   • displaying marketing content on the Website that is not tailored to the User's preferences (contextual advertising). If Personal Data is used to display contextual advertising, their processing takes place in connection with the legitimate interest of the administrator or a third party consisting in promoting the Company's own business or the business of third parties;
   • displaying marketing content that is tailored to the User's preferences, including customizing offer categories or individual offers in the Website settings or settings of third-party services based on the User's activity on the Website (behavioral advertising). Personal Data, including Personal Data collected via cookies and other similar technologies, are then processed by the Company and external entities for marketing purposes. Such actions are taken only if the User gives consent, which can be withdrawn at any time. More information on this subject is included in Part IV of the Policy;
   • conducting other types of activities related to direct marketing of goods or services (sending commercial information by electronic means or other marketing activities) via various electronic communication channels, including e-mail, SMS/MMS, push. The company may also contact you by telephone. Such actions are taken based on the legitimate interest of the Company or the legitimate interest of entities cooperating with the Company, in particular as part of the Accompanying Services and on the basis of the User's consent to receive the above-mentioned. messages or information. You can withdraw your consent at any time.

   In connection with the implementation of marketing activities, Personal Data is processed according to the principles described in the table below. Personal Data may also be processed for other purposes, including analytical purposes and ensuring the security of the services provided, which you will learn more about in the further sections of this part of the Policy.

   Purpose of processing	Legal basis for the processing of Personal Data	Period of storage of Personal Data for a specific purpose (retention period)
   Displaying contextual advertising (conducting direct marketing of the Company's own services or goods or services or goods of third parties)	Art. 6 section 1 letter f GDPR (legitimate interest of the Company consisting in promoting the goods or services of the Company or third parties)	Until you stop using the Website.
   Displaying behavioral advertising based on previously viewed content, customizing offer categories or individual offers in the Website settings or settings of third-party services based on activity on the Website	Art. 6 section 1 letter f GDPR in connection with joke. 173 of the Telecommunications Law (the legitimate interest of the Company consisting in promoting the goods or services of the Company or third parties in connection with the consent given)	Until consent is withdrawn (pursuant to the provisions of telecommunications law) or effective objection to the processing of Personal Data is expressed
   Contacting Users for purposes related to permitted marketing activities, via available electronic communication channels, including e-mail, SMS/MMS push. Contact by phone	Art. 6 section 1 letter f GDPR in connection with joke. 10 of the Act on the provision of electronic services or Art. 172 of the Telecommunications Law (the legitimate interest of the Company consisting in promoting the goods or services of the Company or third parties in connection with the consent given to the communication channel)	Until you withdraw your consent to receive messages or information (pursuant to the provisions of the Act on the Provision of Services by Electronic Means or Telecommunications Law) or express an effective objection to the processing of Personal Data
   Contacting event organizers for purposes related to permitted marketing activities, as a result of contact via the Contact Form, including via e-mail, SMS/MMS. Contact by phone	Art. 6 section 1 letter f GDPR (the legitimate interest of the Company, which is direct marketing, in particular including the possibility of supporting your business by establishing cooperation with the Company, including establishing contact with you	Until consent to receiving messages or information is withdrawn (pursuant to the provisions of the Act on the provision of electronic services or telecommunications law)

6. Analytical, statistical activities and surveys

   The User's Personal Data may also be processed by the Company for analytical and statistical purposes. In such a case, the User's Personal Data are used to analyze activity, determine purchase preferences and to improve the functionality and quality of the Company's services. The Company's ability to process information collected via cookies and similar technology for analytical and statistical purposes depends on the User's consent to storing such information on the User's end device. More information on this subject can be found in part IV of the Policy.

   Through surveys sent to Users via e-mail or made available directly on the Website, the Company collects Personal Data from Users, which may be used to study Users' preferences and adapt the Company's offer to their expectations. Such Personal Data is also used to prepare statistical analyses.

   In connection with the implementation of analytical and statistical activities, Personal Data are processed according to the principles described in the table below. Personal Data may also be processed for other purposes, in particular to ensure the security of the services provided, which you will learn more about in the further sections of this part of the Policy.

   Purpose of processing	Legal basis for the processing of Personal Data	Period of storage of Personal Data for a specific purpose (retention period)
   Conducting statistical analyses	Art. 6 section 1 letter f GDPR (legitimate interest of the Company consisting in analyzing Users' activity, including historical activity, in order to optimize the services provided)	Until the end of storage of the User's Personal Data in connection with another active purpose of processing or until an effective objection to the processing of Personal Data is expressed (but no longer than until the last day of the calendar year following the expiration of 3 years from the date of termination of the provision of services by the Company)
   Conducting surveys, research and analyzes regarding the Website, including in terms of functioning, improving the operation of available services or estimating the main interests and needs of visitors	Art. 6 section 1 letter f GDPR (legitimate interest of the Company consisting in analyzing Users' activity in order to optimize the services provided)	Personal Data is processed in real time, so it will be stored until the User finishes using the services provided by the Company on the Website (i.e. until the survey, research or analysis is completed).

7. Ensuring the security of the services provided and enforcing the provisions of the Regulations

   If it is necessary to ensure the security of services, including IT resources or the security of other Users, the Company is entitled to automatically obtain and register User's Personal Data transmitted to the server by web browsers or the User's device when using the Website.

   In order to counteract abuses, frauds and activities violating good manners, Regulations, applicable law (including national or international restrictive measures) or which negatively affect the security of the Company's operation and harm other Users, we automatically process Personal Data regarding the User's activity on the Website, connections with other accounts and the functions and tools used.

   In order to counteract the above-mentioned situations, the Company will make decisions in each individual case based on automated data processing, including profiling.

   The effect of these actions may be, for example, automatic suspension/unsuspension of the Account, its individual functionalities, or preventing/enabling participation in programs.

   Personal Data are then processed according to the principles described in the table below.

   Purpose of processing	Legal basis for the processing of Personal Data	Period of storage of Personal Data for a specific purpose (retention period)
   Counteracting abuse, fraud, activities that violate good manners, Regulations, applicable law or that negatively affect safety	Art. 6 section 1 letter b GDPR (necessity to perform the contract in terms of supporting the security of the Company and Users and preventing abuse)	Until the User stops using the services
   Fulfillment of legal obligations related to the need to limit access to services provided by the Website on the basis of specific regulations	Art. 6(1)(a) c GDPR (necessity to fulfill a legal obligation under specific provisions)	Until the User stops using the services

§ IV. IP address, cookies, other identifying information and profiling information

As part of operating the Website, the Company may collect User's Personal Data via technologies such as cookies, tracking pixels and locally shared objects (e.g. in the browser or on the device). The rules for the Company's use of cookies and other technologies are regulated by the Cookie Policy referred to in § V below.

In order to achieve the processing purposes indicated in § 3 III, in particular for the purpose of carrying out marketing and analytical activities and in connection with the operation of the Account, in some cases the Company uses profiling, which means that thanks to the automatic processing of Personal Data, the Company evaluates selected factors and information regarding Users, in particular activities undertaken on the Website, including on the basis of purchases made, history of offers viewed and services used in order to analyze their behavior or create a forecast for the future. This allows for better matching of the displayed content to the User's individual preferences and interests.

§ V. Cookies Policy

1. The INTO website uses cookies. Using the Website may therefore involve the need to provide your data, such as information from cookies.
2. Cookies are small text files sent by a web server and stored by your computer's browser software. When the browser reconnects to the site, the site recognizes the type of device the user is connecting from. Parameters allow the information contained in them to be read only by the server that created them. Cookies therefore make it easier to use previously visited websites.
3. INTO, its service providers and trading partners collect certain information through automatic means, such as cookies, when you use the Website. The information collected in this way may include: IP address, browser type, operating system, URLs visited, as well as information regarding activities performed on the website.
4. Cookies contain little information and are downloaded to your computer or other device by the server operating the INTO website. The web browser used by the User sends them back to the INTO website each time the User uses it, thanks to which the server recognizes the User and remembers, for example, his preferences (visits or previous activities) or the User's login data. However, cookies may collect information about the User (e.g. language, country and previously viewed pages) each time the INTO website is visited.
5. INTO uses cookies only to test the functionality of the INTO website. INTO stores this information for a period of up to 5 years. This information cannot be associated with any individual.
6. By using the INTO website, the User may consent to the cookies described above being placed on their computer or other device. The user can always control the installed cookies. However, deleting or blocking cookies may affect the way you use the INTO website, as some areas may become inaccessible. This control is done via browser settings. Information on the possibility of modifying browser settings, blocking and filtering cookies can be found at:
   1. https://support.google.com/chrome/answer/95647?hl=plfor the Google Chrome web search engine
   2. https://support.mozilla.org/pl/kb/usuwanie-ciasteczekfor the Mozilla Firefox web search engine
   3. https://support.microsoft.com/pl-pl/help/278835/how-to-delete-cookie-files-in-internet-explorerfor the Microsoft Internet Explorer web search engine
   4. https://support.apple.com/kb/ph21411?locale=pl_PLfor the Safari web search engine.
7. In order to monitor the website, INTO may use third-party analysis software, e.g. Google Analytics. Google Analytics can be disabled using a browser extension that can be downloaded from: https://tools.google.com/dlpage/gaoptout.

§ VI. Users' rights regarding the processing of Personal Data and their implementation

The Company ensures that the User can exercise all rights arising from the GDPR, i.e. the rights described in Art. 15-22 GDPR, including:

1. The right to access Personal Data enables you to obtain information from the Company about the processing of your Personal Data by the Company, including, in particular, the purposes and legal basis for processing, the scope of data held, entities to which the data is disclosed and the planned date of data deletion.
2. The right to obtain a copy of Personal Data, which enables the User to obtain a copy of their Personal Data that is processed by the Company.
3. The right to rectify Personal Data, which the User may exercise if he notices that his Personal Data is incorrect or incomplete. In such a case, the Company undertakes to remove any inconsistencies or errors in the Personal Data being processed and to supplement them if they are incomplete.
4. The right to delete Personal Data, which the User may exercise if his Personal Data is no longer necessary for the purposes for which it was collected or otherwise processed by the Company; and if he withdraws his consent to the processing of Personal Data or objects to the processing of his Personal Data and there is no other legal basis for the processing; and also when Personal Data will be processed unlawfully.
5. The right to limit the processing of Personal Data, which the User may exercise if: he or she notices that his or her Personal Data is incorrect - then he or she may request that the processing of Personal Data be limited for a period enabling the accuracy of the data to be checked; Personal Data will be processed unlawfully, but the User does not want them to be deleted; The User's Personal Data will no longer be needed by the Company, but the User may need it to defend or pursue claims; The User will object to the processing of Personal Data - until we determine whether our legitimate grounds override the grounds for objection.
6. The right to transfer Personal Data, which the User may exercise if the processing of his Personal Data is based on the User's consent or a contractual relationship between the User and the Company, and when this processing is carried out in an automated manner.
7. The right to object to the processing of Personal Data for marketing purposes, which the User may exercise at any time if his Personal Data is processed for marketing purposes, without the need to justify such objection.
8. The right to object to other purposes of processing Personal Data, which the User may exercise at any time, for reasons related to the User's particular situation, if Personal Data are processed on the basis of the legitimate interest of the Company (e.g. for analytical or statistical purposes). Objections in this respect should include justification.
9. The right to withdraw consent, which the User may exercise at any time if his Personal Data is processed on the basis of the consent expressed by the User, which, however, does not affect the lawfulness of the processing carried out before its withdrawal.
10. The right to object to the profiling of Personal Data - in such a case, the User should log out of all devices and delete cookies from them (in some cases, the process may take up to 48 hours), in accordance with the Cookie Policy.
11. The User can also contact the personal data protection officer using the contact form.
12. The right to lodge a complaint regarding the processing of User's Personal Data by the Company to the supervisory body, which is the President of the Office for Personal Data Protection (address: President of the Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw).

§ VII. Recipients of Personal Data - third parties

The Company may transfer the User's Personal Data to the following third parties:

1. entities cooperating with the Company, running websites or providing online applications, in order to publish User Transactions,
2. entities cooperating with the Company, offering their financial services as part of the Accompanying Services, in order to assess the User's creditworthiness and analyze credit risk and possibly grant a loan in order to perform the contract concluded by you, including debt collection.

The Company may cooperate with third parties, e.g. specialized providers of Personal Data storage services, analytical services, debt collection services, in order for these entities to provide services to the Company. In such a case, these entities are not authorized to use the User's Personal Data for their own purposes (Personal Data will always be processed on behalf and for the needs of the Company), and their activities are subject to the provisions of applicable law and this Policy;

The scope of cooperation includes:

1. storage and access to information: storing information or accessing information that is already stored on the User's device, such as advertising identifiers, device identifiers, cookies and similar technologies,
2. personalization: collecting and processing information to personalize advertising and/or content on websites or applications,
3. ad selection, delivery and reporting: collecting information and combining it with previously collected information to select and deliver ads to you and measure their effectiveness (what ads were shown, how often, when and where they were shown, and whether you took any action advertising-related, including, for example, clicking on an ad or making a purchase),
4. conducting debt collection proceedings,
5. providing services enabling e-learning training,
6. providing support services/improving the process of fulfilling orders placed on the Website.

The Company may also make your Personal Data available to other entities (such as entities providing delivery services) when it is necessary to conclude a contract (including event organizers) or perform a contract concluded by them to which you are a party or in order to support/ improving the process of processing orders placed on the Website, which includes in particular:

1. acceptance of the order for execution,
2. packing the shipment,
3. delivery of the shipment to the indicated address, including information about tracking the shipment status.

In the cases indicated above, entities to which the User's Personal Data will be made available may become separate administrators of the User's Personal Data.

The User's Personal Data is made available to the organizers (in the case of personalized tickets) and entities supporting the Company in providing services electronically, i.e. those that provide payment, credit and insurance services, provide consulting or audit services, support User service, support the promotion of Offers, cooperate as part of marketing campaigns.

The Company may disclose the User's Personal Data to public authorities pursuant to legal provisions in connection with ongoing proceedings regarding possible violations of the law or combating other possible violations of the Regulations (including in connection with proceedings regarding fraud and abuse within the Website).

Under the adopted Policy, the Company undertakes not to sell Users' Personal Data. In the event of restructuring or sale of the business or its part and transfer of all assets or a significant part thereof to a new owner, Users' Personal Data may be transferred to the new owner in order to ensure the continuation of the provision of services within the Website or Accompanying Services.

Due to the need to prevent internet robots from performing certain functions on the Website, the Company uses Google reCAPTCHA mechanisms to occasionally check whether Users' behavior does not bear the hallmarks of robot behavior. The functionality of reCaptcha is based on obtaining information about your hardware, its identifiers and software (such as device data, search engines, IP address) and analyzing and using it by Google to provide, maintain and improve functionality and for general security purposes.

The Company declares that in connection with running the Website it uses Microsoft Entra ID technology for Single Sign-On services (hereinafter: SSO). Taking into account the above, Users' Personal Data will be collected and processed directly using Microsoft tools, taking into account the following security measures:

1. https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-iso-27001 – Information Security Management System
2. https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-iso-27701 – Privacy Information Management System
3. https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-iso-27018 – Cloud Privacy

Logging in to the Website or Registration on the Website using the functionality of Meta Platforms Ireland Limited (Facebook) takes place through co-administration of Meta's personal data with INTO.

INTO and Meta have agreed that Meta is responsible for ensuring the enforcement of the rights of data subjects in accordance with Art. 15-20 GDPR in relation to personal data stored by Meta after joint processing.

Arrangements for joint administration of INTO and Meta are available at: https://www.facebook.com/legal/controller_addendum, and information on data that may be processed as part of joint control is available at: https://www.facebook.com/legal/terms/businesstools_jointprocessing.

The Company may share anonymized Personal Data (i.e. data that does not identify specific Users) with external service providers, trusted partners or research agencies in order to better recognize the attractiveness of advertisements and services for Users, improve the overall quality and effectiveness of services provided by the Company or the mentioned entities , or participation in scientific research that brings broadly understood social benefit.

§ VIII. Transfer of Personal Data to countries outside the European Economic Area

1. The User's Personal Data will not be directly transferred by the Company outside the European Economic Area.
2. At the same time, as part of cooperation with processing entities, data processing may be further entrusted to entities that may transfer data to countries outside the European Economic Area. Entities that systematically process data for the Company include:
   1. Google Ireland, Ltd based in Dublin, Ireland Google LLC based in Mountain View, United States, in connection with the use of the Google reCAPTCHA mechanism to ensure security,
   2. Google Cloud Poland sp. z o. o. based in Warsaw, Poland, in connection with the use of the e-mail system and tools included in Google Workspace, for statistical and administrative purposes and in connection with the use of Personal Data processing services offered by this entity , aimed at ensuring the provision of services by the Company offered as part of the Website,
   3. Microsoft Ireland Operations, Ltd with its registered office in Dublin, Ireland, in connection with the use of Personal Data processing services offered by this entity, aimed at ensuring the provision of services by the Company offered as part of the Website,
3. The company always operates based on mechanisms ensuring an appropriate level of protection, including: by using standard contractual clauses regarding the transfer of Personal Data to entities processing Personal Data based in third countries, approved by the European Commission.

§ IX. Change of provisions

If necessary, the Company may change the provisions of this Policy.

§ X. Contact details

If you have any questions regarding this Policy, please contact our personal data protection officer at the following e-mail address: [email protected]