PRIVACY POLICY OF BILETOMAT.PL ONLINE SHOP

Clause 1 General Provisions

1. This Privacy Policy of the Online Shop is for reference only, which means that it is not a source of obligations for the Users or the Customers of the Online Shop.

2. The Controller of the personal data collected via the Online Shop shall be BPM Media Spółka z ograniczoną odpowiedzialnością with its registered office in Poznań (mailing address: ul. Głogowska 31/33, 60-702 Poznań), entered into the Register of Entrepreneurs of the National Court Register under number KRS 0000352132; the Registry Court that keeps the company's documentation: District Court of Poznań – Nowe Miasto i Wilda in Poznań, 8^th Economic Division of the National Court Register; share capital: PLN 70,000.00; Tax No: 9721211542, REGON No: 301386541; e-mail: witaj@biletomat.pl, (“Controller”), acting as the operator of the Online Shop and the Seller.

3. The personal data of the User and of the Customer shall be processed under the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”) and national laws on the protection of personal data, including the Act on Provision of Electronic Services of 18 July 2002 (Journal of Laws of 2002, No 144, item 1204, as amended).

4. The Controller shall act with due diligence to protect any interests of data subjects, in particular the Controller shall ensure that the data are:

1. processed lawfully, fairly and in a transparent manner in relation to a data subject (“lawfulness, fairness and transparency”);

2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes ("purpose limitation");

3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);

4. accurate and, where necessary, kept up to date; every reasonable step shall be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);

5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage restriction”);

6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

5. Any and all terms, expressions and acronyms that are used and capitalized on this website (e.g. Seller, Online Shop, Electronic Service) shall be defined in the Terms and Conditions of the Online Shop available on the Online Shop websites.

6. The Controller has not appointed the Personal Data Protection Inspector.

Clause 2 Method of collecting personal data on the website

1. The Users’ personal data shall be collected on the Online Shop in the following ways:

1. providing personal data by the User or the Customer when purchasing the Ticket;

2. providing personal data by the User or the Customer when registering in the Online Shop or using a data editing form available in the Account;

3. assigning an individual identifier - User name - during registration;

4. subscribing to the newsletter;

5. collecting data by using cookies in the User's or the Customer's device provided that the User consents to their use.

2. The Users or the Customers may voluntarily provide personal data in forms but if they fail to provide personal data that are indicated on the Online Shop website and in the Terms and Conditions of the Online Shop and that are required to make and perform the Sales Contract or the contract for the provision of Electronic Services, the Users or the Customers shall not make such contract.

Clause 3 Information on the scope of personal data processing

1. Information on the type of data collected, the purpose of processing and the legal basis for processing the User’s or the Customer’s personal data shall be included in the table below:

Type of data	Purpose of processing	Legal basis
Name Surname E-mail Telephone User name   Tax ID number Mailing address (optional) Purchase history Tax ID number (for invoices)	Performing a ticket sales contract or taking actions upon the User's request prior to making such a contract, including: - registering and maintaining the User Account; - handling orders; - sending tickets ordered in paper or electronic form; - handling complaints	Article 6(1)(b) of the GDPR (Contract performance)
	Performing the Controller’s legal obligations, including issuing and storing invoices and accounting documents	Article 6(1)(c) of the GDPR (Legal obligation)
	Determining, defending against and seeking claims	Article 6(1)(f) of the GDPR (Controller’s legitimate interests)
	Direct marketing, including profiling	Article 6(1)(f) of the GDPR (Controller’s legitimate interests)
E-mail	Sending commercial information ordered by the User by electronic means (newsletter).	Article 6(1)(a) of the GDPR (Consent)
Data on the User’s activity collected from cookies	Direct marketing, including profiling	Article 6(1)(a) of the GDPR (User’s consent)
Data included in contact forms or correspondence	Responding contact form questions available on the Online Shop website	Article 6(1)(f) of the GDPR (Controller’s legitimate interests)
All data processed in the Controller’s IT system	Performing and storing backup, ensuring the ability to continuously ensure the confidentiality, integrity, availability and resilience of processing systems and services; ensuring the ability to rapidly restore the availability of personal data and access to them in the event of a physical or technical incident	Article 32(1)(b) and (c) of the GDPR

2. Personal data of the User or the Customer may be made available to the following types of recipients:

1. organisers of events for which tickets were purchased (name, surname, order code, e-mail);

2. providers of ticket checking services at the event for which the ticket was purchased;

3. payment intermediaries;

4. postal entrepreneurs and courier companies;

5. providers of software solutions in the cloud (SaaS) used by the Controller;

6. providers of IT or software services, website maintenance services, as well as the services, tools and scripts used on the website www.biletomat.pl, including the contact form;

7. Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA);

8. Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2 D02 X525) – for Facebook Pixel.

3. The User’s or the Customer’s personal data shall be processed for such period as is necessary for this purpose, including:

1. until the deregistration from the Online Shop - processing carried out to register and maintain the User Account;

2. until the expiry of the statute of limitations of claims arising from the contracts - processing carried out to perform the contract or seek or defend against claims;

3. until the Users exercise their rights that exclude the processing of personal data for direct marketing, including until the Users raise objections or revoke their consent - processing for marketing purposes.

4. The User or the Customer may affect the purpose, scope and recipients of the data processed by the Controller, including by selecting the type of services ordered, expressing or revoking consent, exercising other rights of the data subject. In particular:

1. selecting electronic delivery instead of standard one enables the User not to provide his/her mailing address;

2. setting browser privacy levels in an appropriate manner enables the User to block the collection of data from cookies in the User's or the Customer's device;

3. granting or refusing to grant consent to the receipt of newsletters enables the User to decide whether to receive e-mails with the Controller's offers.

5. The User’s or the Customer's personal data may be transferred to a third country - the United States of America, in connection with the Controller's use of the services provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).

The transfer is based on the decision of the European Commission ("Privacy Shield") stating that entrepreneurs which are seated in the United States of America and have joined the Privacy Shield program ensure an adequate level of personal data protection. You are entitled to obtain from the Controller a copy of the personal data transferred to a third country.

Clause 4 Cookies and operating data

1. Cookies are small text information in the form of text files sent by a server and saved on the website of a visitor to the Online Shop (e.g. on a hard drive of a computer, laptop or smartphone memory card - depending on the device used by a visitor to our Online Shop). Details on cookies and their history are available here: http://pl.wikipedia.org/wiki/Ciasteczko.

2. While using the Online Shop website by visitors the Controller may process the data contained in cookies for the following purposes:

a. identifying the Users as logged in to the Online Shop and showing that they are logged in;

b. remembering the selected Tickets added to the Order Form in order to place the Order;

c. storing the Online Shop login data;

d. adjusting the content of the Online Shop website to the User’s individual preferences (e.g. colours, font size, page layout) and optimising the use of the Online Shop websites;

e. keeping anonymous statistics on the use of the Online Shop website;

f. remarketing, i.e. research into the behaviour of visitors to the Online Shop website through analysing their actions (repeated visits to websites, keywords, etc.) in order to create their profiles and provide them with advertisements tailored to their anticipated interests, also when they visit other websites. Remarketing is an advertising function that enables its users to reach people who have previously visited the Online Shop website. Advertisements may be displayed to these people when they visit other sites on the advertising network. The Users may opt out of the Google cookies in Advertising settings or by using the options on the Network Advertising Initiative and Your Online Choices websites.

In case of remarketing, we use the services provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) and Sociomantic Labs GmbH (Paul-Lincke-Ufer 39/40, 10999 Berlin).

3. As a standard, most web browsers available in the market accept cookies by default. Everyone has an option to determine the terms of the use of cookies by using the settings of their own web browser. This means that you can, for example, partially (e.g. temporarily) or completely disable cookies - in the latter case, however, it may affect some functions of the Online Shop (for example, it may not be possible to go through the Order Form as the selected Tickets are not remembered during the next steps of placing the Order).

4. Cookie settings in your browser are important for your consent to the use of cookies by our Online Shop - according to the applicable laws this consent may also be expressed by using your browser settings. In the absence of such consent, you must change cookie settings of your browser accordingly.

5. Details on how to change cookie settings and how to delete them yourself in the most popular browsers are available in the help section of your browser and on the following pages (just click on the link):

• Chrome

• Firefox

• Explorer

• Opera

• Safari

6. The Controller also processes anonymised operating data on the use of the Online Shop (IP address, domain) to generate statistics helpful in administering the Online Shop. These data are collected on an aggregated and anonymous basis, i.e. they do not contain features identifying visitors to the Online Shop. These data are not disclosed to any third parties.

Clause 5 Rights of data subjects

1. Each person whose personal data are processed by the Controller shall have the rights as described in the table below and further provisions of this Policy.

Right of access	Article 15 of the GDPR Principle of law: The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information set forth in this provision.
Right to rectification	Article 16 of the GDPR Principle of law: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Considering the purposes of processing, the data subject has the right to request completion of incomplete personal data, including by submitting an additional statement.
Right to erasure (“right to be forgotten”)	Article 17 of the GDPR Principle of law: The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the grounds as set forth in this provision applies.
Right to restriction of processing	Article 18 of the GDPR Principle of law: The restriction of processing means the marking of the stored personal data in order to restrict their future processing. After such marking, their processing, apart from storage, shall only be possible on the basis of consent or for the purposes as specified in this provision. Restrictions may be requested in the cases as referred to in that provision.
Right to data portability	Article 20 of the GDPR Principle of law: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller.

2. If the Controller processes the User's or Customer's personal data on the basis of consent, consent may be withdrawn at any time, without affecting the legality of the processing carried out before withdrawal of consent.

Clause 6 Objection to the processing of personal data for marketing purposes

1. If the Controller intends to process or processes the User’s or the Customer’s data for the purpose of direct marketing, the data subject shall have the right to object at any time to the processing of his/her personal data, including profiling.

2. If the data are processed for the purpose of direct marketing, the User’s or the Customer’s personal data may be processed in an automated manner, including profiling. Profiling is the analysis of the User's or Customer's behaviour on the Online Shop website (in particular purchases of specific goods) and the analysis of data collected from cookies, under which the Controller's offer of goods and services is adjusted. The User and the Customer shall have the right not to be profiled, in particular the right to object according to the terms and conditions set forth in this section.

3. In order to exercise the aforesaid rights, the Controller may be contacted by sending an appropriate message in writing or by e-mail, using contact details, to the Controller's address indicated at the beginning of this Privacy Policy.

Clause 7 Final Provisions

1. The Online Shop may contain links to other websites. The Controller recommends that visitors to other websites should read through their privacy policies. This Privacy Policy shall only apply to this Online Shop.

2. The Controller shall apply technical and organisational measures to ensure the protection of the personal data processed, appropriate to the risks and categories of data covered by the protection, and in particular the Controller shall protect the data against disclosing them to any unauthorised persons, taking them away by any unauthorised persons, processing in violation of the applicable laws and regulations, as well as against any change, loss, damage or destruction.

3. The Controller shall provide appropriate technical means preventing any unauthorised persons from obtaining and modifying personal data sent electronically, including protecting the data collection against any unauthorised access and allowing access to the Account only after providing an individual login and password.

4. If the personal data are considered to be processed in violation of the applicable laws, the User and the Customer shall have the right to lodge a complaint with the Inspector General for Personal Data Protection (following the scheduled change of the name of the President of the Office for Personal Data Protection).