Privacy policy and cookies

This Privacy and Cookies Policy (hereinafter also referred to as: Policy) describes the rules for processing personal data and using Cookies in connection with the operation of the website https://eatyx.com/ (hereinafter: Website) in the manner required by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR).

 

Unless otherwise indicated, the definitions used in the Policy have the meaning given to them in the Terms and Conditions.

 

 

§ 1 Preliminary provisions

Website Operator, Personal Data Controller:  The operator of the Website and the controller of personal data of natural persons visiting and using the Website (hereinafter: User) is eatyx Polska sp. z o.o. with its registered office in Krakow, Al. 3 Maja 9, 30-062 Krakow, KRS: 0001005514, REGON: 523795322, NIP: 6772487175 (hereinafter also referred to as: Operator or Controller). In matters related to the protection of personal data and the use of Cookies, the Controller can be contacted by post at: Aleja 3 Maja 9, 30-062 Krakow, or by e-mail at: iod@eatyx.com.

 

 

§ 2 Purposes, legal basis for data processing, data retention periods

| Purpose of processing | Legal basis for processing | Retention period |
| --- | --- | --- |
| Conclusion and performance of an agreement between the User and the Controller, including Account registration on the Website | Art. 6(1)(b) GDPR | Until the termination of cooperation between the User and the Controller, after which the data will be deleted, unless the Controller previously demonstrates the necessity of their further processing |
| Fulfilment of legal obligations incumbent on the Controller, including those resulting from tax and accounting regulations | Art. 6(1)(c) GDPR in conjunction with relevant provisions of generally applicable law | Until the expiry of the legally stipulated period for archiving documentation (including accounting and financial documentation), after which the data will be deleted, unless the Controller previously demonstrates the necessity of their further processing |
| Marketing of products or services provided by the Controller | Art. 6(1)(a) GDPR | Until the User withdraws the granted consent to personal data processing or until the Controller determines that the data are no longer useful for the purpose of processing, after which the data will be deleted, unless the Controller previously demonstrates the necessity of their further processing |
| Personalisation of advertisements directed to the User on the Internet (including profiling) | Art. 6(1)(a) GDPR | Until the User withdraws the granted consent to personal data processing or until the Controller determines that the data are no longer useful for the purpose of processing, after which the data will be deleted, unless the Controller previously demonstrates the necessity of their further processing |
| Newsletter distribution by the Controller | Art. 6(1)(a) GDPR | Until the User withdraws the granted consent to personal data processing or until the Controller determines that the data are no longer useful for the purpose of processing, after which the data will be deleted, unless the Controller previously demonstrates the necessity of their further processing |
| Providing the User with notifications regarding product availability on the Website | Art. 6(1)(a) GDPR | Until the User withdraws the granted consent to personal data processing or until the Controller determines that the data are no longer useful for the purpose of processing, after which the data will be deleted, unless the Controller previously demonstrates the necessity of their further processing |
| Operation of the Website by the Controller | Legitimate interest of the Administrator, Art. 6(1)(f) GDPR | Until the User raises a justified objection to the processing of personal data or until the Administrator determines that such data are no longer useful for the processing purpose, after which the data will be deleted, unless the Administrator has previously demonstrated the necessity of their further processing. |
| Establishing and maintaining contact with the Administrator via the contact form available on the Website. | Legitimate interest of the Administrator, Art. 6(1)(f) GDPR | For the period of contact between the User and the Administrator, after which the data will be deleted, unless the Administrator has previously demonstrated the necessity of their further processing. |
| Conducting analyses and statistics regarding Users' use of the Website | Legitimate interest of the Administrator, Art. 6(1)(f) GDPR | For the period necessary to conduct analyses and statistics regarding the use of the Website, after which the data will be deleted, unless the Administrator has previously demonstrated the necessity of their further processing. |
| Processing of Cookies necessary to ensure the proper functioning of the Website, in accordance with the rules described in § 8 of the Policy. | Legitimate interest of the Administrator, Art. 6(1)(f) GDPR | For the period specified in the descriptions of individual Cookies, in accordance with § 8 of the Policy, after which the data will be deleted, unless the Administrator has previously demonstrated the necessity of their further processing. |
| Processing of Cookies other than those necessary to ensure the proper functioning of the Website, in accordance with the rules described in § 8 of the Policy. | Art. 6(1)(a) GDPR | For the period specified in the descriptions of individual Cookies, in accordance with § 8 of the Policy, or until the User withdraws the consent given for the processing of personal data, after which the data will be deleted, unless the Administrator has previously demonstrated the necessity of their further processing. |
| Recording User activity in server logs | Legitimate interest of the Administrator, Art. 6(1)(f) GDPR | For the period resulting from the Administrator's adopted IT system protection rules, after which the data will be deleted, unless the Administrator has previously demonstrated the necessity of their further processing. |
| Maintaining the confidentiality of legally protected information and the necessity of protecting IT systems. | Legitimate interest of the Administrator, Art. 6(1)(f) GDPR | For the period resulting from the Administrator's adopted IT system protection rules, after which the data will be deleted, unless the Administrator has previously demonstrated the necessity of their further processing. |
| Establishing, pursuing claims or defending against claims | Legitimate interest of the Administrator, Art. 6(1)(f) GDPR, Art. 9(2)(f) GDPR | Until the expiry of the limitation periods for claims under legal provisions or until the final conclusion of proceedings concerning such claims, after which the data will be deleted, unless the Administrator has previously demonstrated the necessity of their further processing. |

 

 

§ 3 Information on the obligation to provide data

The provision of personal data is necessary for the conclusion and performance of the contract between the User and the Administrator (applies to processing operations indicated in § 2 of the Policy, the legal basis for which is Article 6(1)(b) of the GDPR) and for the fulfillment of legal obligations incumbent on the Administrator (applies to processing operations indicated in § 2 of the Policy, the legal basis for which is Article 6(1)(c) of the GDPR). Failure to provide data will result in the impossibility of concluding and performing the contract.

The provision of personal data, the processing of which is based on the User's consent (applies to processing operations indicated in § 2 of the Policy, the legal basis for which is Article 6(1)(a) of the GDPR), is voluntary. The consequence of not providing them will be the Administrator's inability to carry out processes for which the provision of personal data is necessary. 

The provision of personal data, the processing of which is based on the legitimate interest of the Administrator (applies to processing operations indicated in § 2 of the Policy, the legal basis for which is Article 6(1)(f) of the GDPR), is voluntary. The consequence of not providing them will be the Administrator's inability to carry out processes for which the provision of personal data is necessary. 

 

§ 4  Recipients of data

The User's personal data may be disclosed to employees, associates, advisors, service providers to the Administrator, e.g., legal, marketing or IT services, as well as to public authorities acting on the basis of generally applicable legal provisions, with the exception of public authorities that may receive personal data within the framework of a specific proceeding in accordance with Union law or the law of a Member State.

 

The recipients of the User's personal data also include the following service providers to the Administrator, under the unchangeable data rules set by these providers:

A detailed description of the tools provided by the aforementioned entities can be found in § 9 of the Policy.

 

§ 5 Transfer of data to a third country or international organization

The Administrator uses IT services provided by an entity from the USA. In order to use these services, the Administrator's subcontractor must have access to personal data managed by the Administrator – this leads to the transfer of personal data to another country, i.e., to the USA. Although European data protection regulations do not apply in the USA, the USA has been recognized as a country ensuring adequate protection of personal data if the transfer takes place within the framework of the so-called Data Privacy Framework. Because personal data are transferred under the Data Privacy Framework, these data will be protected in the same way as if they were processed in Poland. Detailed information on this subject can be obtained here: https://www.dataprivacyframework.gov/ or by contacting the Administrator.

 

The service providers to the Administrator indicated in §4 of the Policy may use servers located in third countries within the meaning of the GDPR to store personal data.  

 

§ 6 Rights related to data processing

In connection with the personal data processing described above, the User has the following rights:

a) the right to access data (Article 15 of the GDPR);

b) the right to rectification of data (Article 16 of the GDPR);

c) the right to erasure of data (Article 17 of the GDPR), subject to Article 17(3) of the GDPR;

d) the right to restriction of data processing (Article 18 of the GDPR);

e) the right to data portability (Article 20 of the GDPR) – applies to processing based on consent under Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR or on the basis of a contract under Article 6(1)(b) of the GDPR and is carried out by automated means;

f) the right to object to data processing (Article 21 of the GDPR) – applies to processing based on Article 6(1)(e) or (f) of the GDPR;

g) the right to withdraw consent at any time, which shall not affect the lawfulness of processing based on consent before its withdrawal - this applies to processing based on consent within the meaning of Art. 6(1)(a) of the GDPR or Art. 9(2)(a) of the GDPR;

h) the right to lodge a complaint with the supervisory authority, which is the President of the Personal Data Protection Office (address: ul. Stawki 2, 00-193 Warsaw).

The rights indicated above are not absolute and will not apply to all personal data processing activities of the User.

If you wish to exercise the rights indicated in subparagraphs (a)-(g) above, or if you have any questions or comments regarding the processing of personal data, you can contact the Administrator using the contact details provided in § 1 of the Policy.

 

The User can independently modify some settings of the Website related to the processing of personal data in the following processes according to the instructions below:

 

1. Newsletter distribution: Joining the newsletter is done by entering the User's e-mail address in the form at the bottom of the Website page, and then confirming the desire to receive the newsletter by clicking on the link in the message sent to the User's provided e-mail address. The User can withdraw consent to receive the newsletter at any time by sending a relevant message to the e-mail address: sklep@eatyx.com.

2. Use of Cookies other than Cookies necessary to ensure the proper functioning of the Website: The User can at any time change the scope of consents granted regarding Cookies, using the mechanisms described in § 8 of the Policy.

3. Notifications about product availability on the Website: to receive notifications about product availability, you must provide an e-mail address in the form that appears next to products unavailable when browsing the Website. The User can withdraw consent at any time by sending a relevant message to the e-mail address: sklep@eatyx.com.

4. Marketing of Administrator's products or services: consent to receive marketing information is expressed by checking the appropriate box during Account registration on the Website. The User can withdraw consent at any time by sending a relevant message to the e-mail address: sklep@eatyx.com.

5. Personalization of advertisements directed to the User online: consent to personalize advertisements is expressed by checking the appropriate box during Account registration on the Website. The User can withdraw consent at any time by sending a relevant message to the e-mail address: sklep@eatyx.com.

 

 

§ 7 Automated decision-making

In connection with the functioning of the Website, User profiling may occur, i.e., creating profiles containing information about users' interests. Some functions of the Website may allow the use of personal data to create statistics that enable tailoring content and advertisements to specific Users. Based on the conducted profiling, the Administrator will not make decisions concerning the User that would produce legal effects concerning the User or similarly significantly affect the User.

 

 

§ 8 Cookies

1. The Website uses Cookies, which are small text files that the Website saves in the memory of the device used by the User when browsing the Website. Cookies may be stored by the operator of the Website visited by the User (First-party Cookies) or by third parties (Third-party Cookies).

2. The Website may use different types of Cookies. Some Cookies (so-called session Cookies) are stored on the User's device only until the browser is closed or logging out of the website, and some (so-called persistent Cookies) are stored in the device's memory for a period specified in the Cookie parameters or until they are deleted by the User.

3. The Operator may store Cookies on the User's device if they are necessary to ensure the proper functioning of the Website, i.e., to enable communication via the Website. Storing Cookies for any other purpose (e.g., providing personalized advertisements) is only possible if the User consents thereto.

4. The User can manage Cookies using the Cookiebot available on the Website. When visiting the Website for the first time, the User will receive an automatic message about the Cookies being saved and will have the opportunity to specify the scope of Cookies for which they consent to their use. The User has the right to withdraw the granted consent at any time by changing the Cookie settings by clicking on the paperclip-like icon located in the lower-left corner of the displayed Website page. Using the icon, the User can also at any time obtain detailed information about the purposes of using individual Cookies, the entities that use these files, and the period of Cookie use.

5. The User can also manage Cookies through the settings of the web browser they use. The User has the right at any time, through browser settings, to obtain information about the type of Cookies used, the entities that use Cookies, and the period of Cookie use, as well as to modify the scope of granted consents and delete saved Cookies.

6. Instructions on managing Cookies in browser settings are available in various materials online, e.g., on this website.

 

§ 9 Analytical, statistical, and marketing tools within the Website

The Operator uses tools that enable analytical, statistical, and marketing activities within the Website.

The Administrator uses analytical and marketing tools that collect the following information about the User and the User's activity on the Website:

· information about the operating system and web browser,

· subpages viewed,

· time spent on the Website,

· transitions between individual subpages,

· clicks on links,

· sources from which the User accesses the Website,

· the approximate location of the User,

· the User's interests determined based on their online activity.

 

The Website uses the following analytical, statistical and marketing tools:

 

1. Google Analytics is a tool that allows for automatic collection of information about the User's use of the Website through a tracking code implemented in the website's code, which uses Google LLC Cookies. The Operator bases its activities within Google Analytics on its legitimate interest in conducting analyses and statistics regarding Users' use of the Website.

Google Analytics does not collect data that would allow for User identification, but only information regarding, among other things, the operating system and web browser used by the User, the subpages viewed by the User, the time spent on website pages and subpages, the sources from which the User accesses the Website, and the User's approximate location (limited to the town name).

Detailed information on data usage within Google Analytics is available here.

 

2. Google Ads Customer Match is a tool used for marketing products and services offered by the Website Operator. To use this mechanism, the Operator provides Google LLC with a hashed database of email addresses of Website Users, which enables personalized advertisements to be targeted to the User in the Google LLC advertising network (e.g., via YouTube, Gmail, Google Finance). The Website Operator bases its actions within Google Ads Customer Match on the consent of the Website User.

Detailed information on Google Ads Customer Match is available here.

 

3. Facebook Custom Audience is a tool that allows the Website Operator to target advertisements for the Operator's products to specific groups of Users using tools provided by Meta Platforms, Inc. Facebook Custom Audience works thanks to the Facebook Pixel implemented on the Website, which automatically collects information about User activity on the Website, including: viewing the content of a specific website, making a purchase on the Website, subscribing to the newsletter.

The use of Facebook Custom Audience is only possible with the consent of the Website User.

Detailed information on Facebook Custom Audience is available here.  

 

4. Microsoft Clarity is an analytical tool that allows for recording User behavior on the Website and replaying User movements on the Website in video form and generating so-called heatmaps. Microsoft Clarity is used to improve the operation of the Website and adapt the content displayed on the Website to the needs of Users.

Detailed information on Microsoft Clarity is available here.

 

 

§ 10 Server logs

Using the Website involves sending requests to the server where the Website is stored. Each request directed to the server is saved in server logs. Logs include, among other things, the User's IP address, the date and time of connection to the server, information about the web browser and operating system used by the User. The information stored in server logs is used to administer the Website.

 

§ 11 Links to other websites

The Website contains links that redirect the User to the Operator's profiles on social media platforms Facebook, Instagram, LinkedIn, X, TikTok, YouTube.

Information regarding the processing of personal data within individual social media platforms is available in the dedicated information note.

The Operator is not responsible for the functioning of social media platforms or for the ways in which social media platforms use the personal data of their users.  

 

§ 12 Policy Changes. Archived versions of the Policy

The Policy is continuously reviewed and updated as needed. The current version of the Policy was adopted and has been in force since June 23, 2023.