PRIVACY POLICY

This Privacy Policy contains information about the rules of processing Personal Data by the company under the business name: RestBill spółka z ograniczoną odpowiedzialnością with its registered office in Warsaw as part of using the “Restbill” mobile application in the online version and its functionalities. The protection and security of information obtained from Application Customers, in particular Personal Data, is the highest priority for the Service Provider. To this end, we make every effort to provide the Personal Data with a sufficiently high level of security.

This Policy describes the rules of collecting and using the data of Application Customers collected directly from them or through cookies and similar technologies.

I. Terms we use in the Privacy Policy

Personal Data – any information about a natural person identified or identifiable by one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity, including in particular their first and last name, identification number, IP of the device, location data, online identifier and information collected through cookies and other similar technology.

Policy – this Privacy Policy provided in the Service Provider’s Application as part of the services provided, specifying the principles of privacy and protection of Customer Personal Data.

Regulations – a document constituting the regulations for the provision of services by electronic means by the Service Provider, the rules of operation of the Application and the rights and obligations of the entities listed therein, available here.

Application – an online application owned by the Service Provider called “RestBill”, available for Android and iOS operating systems, which has been prepared and made available by the Service Provider, enabling the Customers to use IT mechanisms and information developed by the Service Provider through the Application. The Application provides IT tools for making payments for goods and/or services to the Restaurant, which occurs through the provision of payment services and other services by the Supplier directly to these Restaurants, including the use of third party payment systems provided by entities other than the Service Provider.

GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “General Data Protection Regulation”).

Service Provider – RestBill Sp. z o.o. with its registered office in Warsaw, ul. Cybernetyki 19B, 02-677 Warsaw, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court for Wrocław Fabryczna in Wrocław, VI [6th] Commercial Division of the National Court Register under KRS number: 0000921324, NIP: 8971892330, and REGON: 389021839.

Supplier – means payment service providers within the meaning of the Payment Services Act, providing payment services for the Customers on their own behalf, referred to, for example, in Article 3(1) of the Payment Services Act. The list of Suppliers is available at: https://stripe.com/en-pl

Restaurant – an entity that is an entrepreneur within the meaning of the Entrepreneurs Law Act (Polish Journal of Laws of 2021, item 162, as amended) running a restaurant/gastronomic point that enables Customers to use the Application.

Customer – a natural person of legal age with full capacity for legal transactions, a legal person or an organisational unit without legal personality, having capacity for legal transactions, who uses the functionalities offered by the Application on their mobile device.

II. Controller and their details

The Controller of the Personal Data processed in the Application is the Service Provider, i.e. RestBill sp. z o.o. with its registered office in Warsaw, ul. Cybernetyki 19B, 02-677 Warsaw, KRS: 0000921324, REGON: 389021839, NIP: 8971892330, contact: hello@restbill.com

III. Data Protection Officer

The Service Provider established a contact point for personal data protection issues – please send enquiries to the following e-mail address lko@restbill.pl or in writing to the address of the Controller’s registered office, i.e. ul. Cybernetyki 19B, 02-677 Warsaw. You may contact us in any case concerning the processing of Personal Data, in particular regarding the exercise of rights related to the processing of Personal Data.

IV. Processing of personal data

1. In connection with the use of the Application by the Customers, the Service Provider collects data, including Personal Data, to the extent necessary to provide particular services offered in the Application. Detailed rules and purposes for the processing of Personal Data collected during the Customer’s use of Application are described below.

2. The Service Provider collects and processes Personal Data in accordance with the applicable provisions of law, including in particular the GDPR, special provisions enabling the application of the GDPR and the data processing rules provided for therein.

3. The Service Provider ensures that in situations where the legal basis for the processing of Personal Data is the legitimate interest of the Controller, a test of weighing the interests of the Controller and data subjects was carried out, as a result of which the purpose of the processing will prevail over the rights and freedoms of the Customers.

4. The Personal Data will be stored in a form enabling identification of the data subject for a period of using the Application services by the Customers (i.e. having an account/profile), subject to section 5 below.

5. After Customers cease to use the services offered in the Application, the Controller may process data about the Customer, provided that they are necessary for settling the services and pursuing claims for payment for using the services available in the Application.

V. Purposes and legal basis for processing

Using of the Application

1. Personal data of all persons using the Application (including IP address or other identifiers and information collected through cookies or other similar technologies) are processed by the Service Provider:

a) in order to provide services by electronic means to the extent of making available to Customers the content gathered in the Application – then the legal basis for processing is the necessity of processing for the performance of the agreement as part of the service provided by the Service Provider by electronic means (Article 6(1)(b) of the GDPR);

b) for analytical and statistical purposes – then the legal basis for processing is the legitimate interest of the Service Provider (Article 6(1)(f) of the GDPR), consisting in conducting analyses of the activity of the Customers, as well as their preferences in order to improve the applied functionalities and services provided as part of the Application;

c) for marketing purposes – the rules of processing Personal Data for marketing purposes are described in the “Marketing” part.

d) In order to issue and send an electronic invoice, when making the Payment – to which the Customer agreed by accepting the Regulations. The legal basis is the necessity to perform the agreement – Article 6(1)(b) of the GDPR, therefore the provision of personal data necessary to issue an invoice is voluntary, but necessary for the proper provision of services via the Application.

Contact form

1. The Service Provider provides the possibility of contact using an electronic contact form. Using the form requires providing Personal Data necessary to contact the Customer and answer the query. The Customer may also provide other data in order to facilitate contact or handle a query. Providing data marked as mandatory is required in order to receive and handle a query, and failure to provide such data results in inability to handle a query. The provision of other data is voluntary.

2. Personal data transferred via the contact form are processed:

a) in order to identify the sender and handle their query – the legal basis for processing is the necessity of processing for the performance of the service agreement (Article 6(1)(b) of the GDPR); in the scope of data provided optionally and voluntarily (fields of the form marked as optional) – the legal basis for processing is the consent of the Customer expressed by clear affirmative actions (Article 6(1)(a) of the GDPR in connection with Article 4(11) of the GDPR);

b) in order to determine and pursue claims or defend against claims that may arise in connection with a cooperation agreement or an agreement for the provision of services by electronic means – the legal basis for processing is the legitimate interest of the Service Provider (Article 6(1)(f) of the GDPR);

c) for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Service Provider (Article 6(1)(f) of the GDPR), consisting in keeping statistics on queries submitted by Customers via the Website in order to improve its functionality.

Account operation in the Application

a. Customers who create an account in the Application are requested to provide the data necessary to provide the services. The provision of data marked as mandatory is required for the purpose of proper registration and operation of the Account, including its handling in the Application, and failure to provide such data results in inability to use the Application (Article 6(1)(b) of the GDPR).

b. The Customer is requested to provide the following data, the provision of which is necessary to register in the Application:

• e-mail (required);

• password (required);

• first and last name (required);

• address of residence with postal code (required);

• company name (optional);

• NIP (optional);

c. Detailed information on creating an account and services provided can be found in the Regulations available here.

Complaints

Personal Data will be processed for the purpose of handling complaints (Article 6(1)(f) of the GDPR).

Marketing

1. Transmission of commercial information by electronic means or direct marketing by telephone terminal equipment. The data will be processed on the basis of your consent in the scope of:

a. sending marketing information and sending offers within the meaning of the Civil Code about the products or services provided by the Personal Data Controller, including its external partners, chosen by you. (Article 6(1)(a) of the GDPR)

b. sending marketing information and sending offers within the meaning of the Civil Code about the products or services chosen by you.

c. providing information and commercial offers and in order to conclude an agreement for the provision of Services (Article 6(1)(b) of the GDPR). In the scope of sending commercial information by electronic means or direct marketing by means of telephone terminal devices, data will be processed on the basis of consent expressed by clear affirmative actions (Article 6(1)(a) in connection with Article 4(11) of the GDPR), consisting in filling in an appropriate field for entering an e-mail address or telephone number.

2. You have the right to withdraw consent to marketing by electronic means at any time, without affecting the lawfulness of processing carried out prior to the withdrawal of consent.

3. In order to withdraw your consent, please send an appropriate request to the following e-mail address: obo@restbill.pl

Automatically obtained data

1. The Controller collects the Customer's information while using the mobile device while using the Application. The information collected include: (1) IP address; (2) device type; (3) operating system; (4) device identifier; (5) browser language; (6) access time.

Cookies and similar technologies

1. The "Restbill" Application uses Cookies, i.e. text files saved by the browser on the mobile device of the Customer using the Application, which contain specific information enabling in particular identification of the connection. Cookies are a legally acceptable and useful tool, for example in analysing the effectiveness of mobile application and advertising design and in verifying the identity of online transaction users.

2. When the Customer uses the Application, cookies are used to identify their device – cookies collect various types of information which, in principle, do not constitute personal data (does not enable identification of the Customer). In some cases, this information may, depending on its content and manner of use, be linked to a specific person – assigning certain behaviours to a specific Customer, e.g. by linking them to the data obtained when registering an Account in the Application – and thus be considered personal data.

3. The Application uses internal Cookies to implement processes necessary to ensure the functionality of the Application, for statistical and advertising purposes, as well as to maintain the session of the logged-in Customer, including to the extent necessary to maintain in memory the choices made by the Customer regarding the order, proper configuration of selected functions of the Application, as well as to increase the usability and personalisation of the content of the Application sites, including presentation, creation, award and execution of advertisements, offers or discounts dedicated to the Customer according to their interest.

4. The Application uses external Cookies placed by third parties for analytical purposes, including the analysis and monitoring of traffic in the Application.

5. Cookies may also be placed in Customer terminal devices by entities cooperating with the “Restbill” Application.

6. Obtaining and storing information using cookies is possible based on the Customer’s consent. By default, software installed on a computer or other device connected to the network allows cookies to be placed on such a device and thus to collect information about Customers.

7. The Customer may at any time limit or disable the possibility of processing Cookies by their ICT system. Failure to disable or limit the possibility of storing and sharing cookies means that the Customer agrees to such actions. Detailed information on the management of cookies on a mobile phone or other mobile device can be found in the user manual/instructions for a given phone or mobile device.

8. Storing Cookies or obtaining access to Cookies does not result in configuration changes in the Customer's telecommunications terminal device and software installed in this device.

VI. Period of personal data processing

1. The period of data processing by the Service Provider depends on the type of service provided and the purpose of the processing. As a rule, the data are processed for the time of providing the service or handling the query, until the consent is withdrawn (if the consent is the legal basis for the processing of Personal Data) or filing an effective objection against the processing of Personal Data in cases where the legal basis for the processing is the necessity to pursue the legitimate interest of the Service Provider.

2. The data processing period may be extended if the processing is necessary to establish and pursue possible claims or defend against claims, and thereafter only in the case and to the extent required by law. After the end of the processing period, the data are irreversibly deleted or anonymised.

3. Data related to network traffic analysis collected through cookies and similar technologies may be stored until the cookie file expires. Some cookies never expire, therefore the time of data storage will be equivalent to the time necessary for the Controller to achieve the purposes related to data collection, such as ensuring security and analysing historical data related to the traffic in the Application.

4. The content of queries and information in the forms are archived on the internal mail server. The archive is kept for no longer than 1 year.

5. If it is necessary for the Controller to pursue claims or to defend against claims, the Controller may process personal data of specific Customers expressed during the registration of the account until the end of the pending proceedings and until the expiry of the limitation period for the Controller's claims against the Customer, which usually is 2 years in accordance with Article 751 (1) of the Civil Code Act, but in special cases provided for by law, it may be longer – e.g. in the case of most claims it will be a period of 6 years, determined in accordance with Article 118 of the Civil Code Act.

VII. Rights of the Customer

1. The Customer has the right to access their Personal Data and to request their rectification, erasure, restriction of processing, the right to data portability and the right to object to data processing, as well as the right to lodge a complaint with the supervisory authority dealing with the protection of Personal Data, i.e. to the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw.

2. Insofar as the Customer’s data are processed based on consent, this consent may be withdrawn at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

3. The Customer has the right to object to the processing of data for direct marketing purposes if the processing takes place in connection with the performance of the Service Provider's legitimate interest, as well as – for reasons related to the Customer's special situation – in other cases where the legal basis for the processing of data is the Service Provider's legitimate interest (e.g. in connection with the analytical and statistical purposes).

4. In the event of a request to cease the processing of Personal Data, the Service Provider may not be able to properly perform its services, in particular in the form of making the Application available to Customers.

VIII. Data recipients

1. In connection with the provision of services, Personal Data may be transferred or made available to other entities. Such recipients of the Personal Data of the Customers may be employees and associates of the Controller, entities to which the Controller has entrusted the processing of Personal Data and concluded relevant agreements for entrusting the processing of personal data, entities cooperating with the Controller (in particular restaurants in which the Customers use the Application), entities and bodies authorised to do so under separate regulations. These entities may be divided into the following categories: commercial, payment, intermediation, invoicing, hosting, accounting, IT, delivery of correspondence and parcels, legal, debt collection, website operation, marketing, PR and archiving.

2. The Service Provider reserves the right to disclose selected information concerning the Customer to competent authorities or other third parties that request such information, based on an appropriate legal basis and in accordance with the applicable law.

IX. Transmission of data to a third country

1. The level of protection of Personal Data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Service Provider transfers Personal Data outside the EEA only when necessary and with an adequate level of protection, primarily by:

a) cooperation with entities processing Personal Data in countries in respect of which a relevant decision of the European Commission concerning the determination of ensuring an adequate level of protection of Personal Data was issued;

b) the application of standard contractual clauses issued by the European Commission;

c) the application of binding corporate rules approved by the competent supervisory authority.

X. Principles of personal data processing

1. The Service Provider conducts an ongoing risk analysis to ensure that the Personal Data are processed in a safe manner, i.e. ensuring, first and foremost, that only authorised persons have access to the data and only to the extent necessary due to their tasks. The Service Provider ensures that all operations on Personal Data are recorded and performed only by authorised employees and associates.

2. The Service Provider takes all necessary measures to ensure that its subcontractors and other cooperating entities also guarantee the application of appropriate security measures whenever they process the Personal Data at the request of the Service Provider.

3. When processing the Personal Data, the Controller ensures their security and confidentiality as well as access to information about the processing to data subjects. If, despite the applied security measures, personal data protection is breached (e.g. “leakage” of data or their loss), the Controller takes appropriate measures in accordance with the applicable provisions of law.

XI. Automated decision-making and profiling

1. The Application may use the Customer device location data (computer, mobile phone, tablet, etc.).

2. Access to your device location services is required for the Application to offer you location-based features such as displaying offers available in your vicinity. If you do not allow access, it will be possible to display only limited content depending on the location.

XII. Amendments to the Privacy Policy

1. The Policy is reviewed on an ongoing basis and updated by the Controller in justified cases.

2. The current version of the Policy has been adopted and has been in force since 03.03.2022.
Send your inquiry