This Privacy Policy contains information on the rules for the processing of Personal Data by the company under the name: RestBill spółka z ograniczoną odpowiedzialnością [limited liability company] with its registered office in Wrocław (50-078 Wrocław), at Leszczyńskiego 4/78 street as part of the use of the "RestBill" mobile Application and its functionality. For the Service Provider, the protection and security of information obtained from Application Users, in particular Personal Data, is our top priority. For this purpose, we make every effort to provide Personal Data with an appropriately high level of security.
This Policy sets out the rules for the collection and use of Application Users' data collected directly from them or via cookies and similar technologies.
Personal Data – any information about a natural person identified or identifiable by one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity, including in particular name and surname, identification number, device IP, location data, internet identifier and information collected via cookies and other similar technology.
Policy – this Privacy Policy made available in the Service Provider's Application as part of the services rendered, setting out the principles of privacy and protection of Users' Personal Data.
Regulations – a document constituting the regulations for the provision of electronic services by the Service Provider, the principles of operation of the Application as well as the rights and obligations of the entities mentioned therein, available at https://restbil.pl/regulamin-aplikacji-en.pdf
Application – an application belonging to the Service Provider called "RestBill", available for Android and iOS operating systems, which has been prepared and made available by the Service Provider, enabling Users, including the Service User, to use IT mechanisms and information developed by the Service Provider through the Application, including setting up accounts, placing orders by the Customer for given products offered by the Service User, organising payments (payment systems are carried out by external entities in relation to the Service Provider). The Application provides IT tools for Customers or Users to make payments for goods and/or services to the Service User, which takes place through the provision of payment and other services, by the Provider directly to these Service Users, including the use of third-party payment systems provided by entities other than the Service Provider.
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
User – a Service User, Restaurant Customer, Waiter and Manager, i.e. a natural person, legal person or an organisational unit without legal personality, who uses the functionalities offered by the Application through the Application installed on their mobile device.
Service Provider – RestBill Sp. z o. o. [LLC] with its seat in Wrocław (50-078 Wrocław), at ul. Leszczyńskiego 4/78, Tax Identification No. [NIP]: 8971892330, and National Business Registry No. [REGON]: 389021839
Provider – payment service providers within the meaning of the Act on Payment Services, that perform payment services for Users on their own behalf, which services are referred to, among others, in Art. 3 sec. 1 of the Act on Payment Services. The list of Providers is available at: https://restbil.pl/lista-dostawcow-uslug.pdf
Service User – a User who is an entrepreneur within the meaning of the Law of Entrepreneurs (Journal of Laws of 2021, item 162, as amended) running a restaurant/food outlet, which enables the Customers of the Restaurant to use the Application.
Restaurant Customer – an adult natural person with full legal capacity, a legal person or an organisational unit without legal personality, but having legal capacity to perform acts in law, placing orders with the Service User for given products via the Application.
Waiter – an employee, associate and/or contractor of the Service User, working under an employment contract, mandate contract or any other civil law contract.
Manager – an employee, associate and/or contractor of the Service User, working under an employment contract, mandate contract or any other civil law contract.
The Personal Data processed in the Application is administered by the Service Provider, i.e. RestBill sp. z o.o. in organisation, based in Wrocław, at Leszczyńskiego 4/78 street, 50-078 Wrocław.
The Service Provider has appointed a Data Protection Officer, who can be contacted via the email address lko@restbill.pl or in writing via the address of the Data Controller's seat, i.e. 50-046 Wrocław, at Leszczyńskiego 4/78 street, on any matter regarding the processing of Personal Data, in particular on the exercise of rights related to the processing of Personal Data.
1. In connection with the use of the Application by Users, the Service Provider shall collect data, including Personal Data, to the extent necessary to provide various services offered in the Application. The detailed principles and purposes of processing personal data collected during the use of the Application by the User are described below.
2. The Service Provider shall collect and process Personal Data in accordance with the relevant legal provisions, in particular the GDPR, specific provisions enabling the application of the GDPR and the data processing rules provided for therein.
3. The Service Provider ensures that in situations where the legal basis for the processing of Personal Data is the legitimate interest of the Data Controller, a test has been carried out to weigh the interest of the Data Controller and the data subjects, as a result of which the purpose of the processing will prevail over the rights and liberties of the Users.
4. Personal Data is stored in a form that enables identification of the person to whom this data relates, for the period of time of using the Application services by the User (i.e. having an account/profile), subject to the provisions of section 5 below.
5. After the end of the User's use of the services offered in the Application, the Data Controller may process the User's data to the extent that it is necessary for the settlement of services and pursuing payment claims for the use of services available in the Application.
Use of the Application
1. Personal data of all persons using the Application (including IP address or other identifiers and information collected through cookies or other similar technologies) shall be processed by the Service Provider:
a) in order to provide electronic services with respect to making the content collected in the Application available to Users – in this case the legal basis for the processing is the necessity to perform the contract within the scope of the service provided by the Service Provider by electronic means [Art. 6 sec. 1(b) of the GDPR];
b) for analytical and statistical purposes – in this case the legal basis for processing is the legitimate interest of the Service Provider [Art. 6 sec. 1(f) of the GDPR] involving the analysis of Users' activity, as well as their preferences in order to improve the functionalities and services provided;
c) for marketing purposes – the rules for the processing of Personal Data for marketing purposes are set out in the "Marketing" section.
Contact form
1. The Service Provider provides a means of contact using an electronic contact form. Using the form requires providing Personal Data necessary to contact the User and reply to the inquiry. The User may also provide other data to facilitate contact or service the inquiry. Providing data marked as mandatory is required in order to receive and service the inquiry, and failure to do so shall result in a lack of service. Providing other data is voluntary.
2. Personal data provided via the contact form is processed:
a) in order to identify the sender and service their inquiry – the legal basis for the processing is the necessity of processing to perform the service contract [Art. 6 sec. 1(b) of the GDPR]; in the scope of data provided optionally and voluntarily (form fields marked as optional) – the legal basis for the processing is the User's consent expressed by explicit affirmative actions [Art. 6 sec. 1(a) of the GDPR in connection with Art. 4 item 11 of the GDPR];
b) in order to possibly establish and pursue claims or defend against claims that may arise in connection with a cooperation contract or contract for the provision of electronic services – the legal basis for the processing is the legitimate interest of the Service Provider [Art. 6 sec. 1(f) of the GDPR];
c) for analytical and statistical purposes – the legal basis for the processing is the legitimate interest of the Service Provider [Art. 6 sec. 1(f) of the GDPR], consisting in keeping statistics of inquiries submitted by Users via the Website in order to improve its functionality.
Application account maintenance
a) Users setting up an account in the Application are requested to provide the data necessary to render the services provided. Provision of the data marked as mandatory is required for the purposes of proper registration and operation of the Account, including its handling in the Application, and failure to do so will result in the inability to use the Application [Art. 6 sec. 1(b) of the GDPR].
b) The User is requested to provide the following data:
(i) In the case of a Restaurant Customer – Personal Data, the provision of which is necessary to register in the Application:
- email (required);
- password (required);
- name (optional);
- home address with the postal code (required);
- company name (optional);
- Tax Identification No. [NIP] (optional);
(ii) In the case of the Service User – Personal Data the provision of which is necessary to register in the Application:
- name of the restaurant/food outlet;
- address;
- Tax Identification No. [NIP];
- email;
- password.
(iii) In the case of a Waiter – Personal Data the provision of which is necessary to register in the Application:
- email address;
- name and surname;
(iv) in the case of a Manager – Personal Data the provision of which is necessary to register in the Application:
- email address;
- name and surname.
c) Detailed information on setting up an account and services provided can be found in the Regulations available here.
Complaints
Personal data will be processed in order to consider a complaint [Art. 6 sec. 1(f) of the GDPR].
Marketing
1. Sending marketing information and offers
a) sending marketing information and offers within the meaning of the Civil Code on the products or services selected by you and provided by the Personal Data Controller, including the latter's external partners [Art. 6 sec. 1(a) of the GDPR]
b) sending marketing information and offers within the meaning of the Civil Code on the products or services selected by you.
c) providing information and commercial offers and in order to conclude a contract for the provision of Services [Art. 6 sec. 1(b) of the GDPR]. With regard to the sending of commercial information by electronic means or direct marketing via telephone end devices, the data shall be processed on the basis of consent expressed by explicit affirmative action [Art. 6 sec. 1(a) of the GDPR in connection with Art. 4 item 11 of the GDPR], consisting in completing the appropriate field to enter an email address or telephone number.
Automatically collected data
1. By using the Application on their mobile device, the User, in accordance with Art. 22 sec. 1 of the GDPR, expressly consents and authorises the Data Controller to gain access to the following data stored on the mobile device, i.e .: location [Art. 6 sec. 1(a) of the GDPR in connection with Art. 4 item 11 of the GDPR].
2. Providing the data referred to in sec. 1 above is necessary for the full use of the services in the Application. Refusal to authorise the Data Controller to the data indicated above, may in particular restrict or prevent the use of the Application.
3. The Data Controller collects the User's information while the latter is using a mobile device when using the Application. Information collected includes: (1) IP address; (2) device type; (3) operating system; (4) device identifier; (5) browser language; (6) access time; (7) geographic location.
Cookies and similar technologies
1. The "RestBill" Application uses Cookies, i.e. text files saved by the browser on the hard drive of the User's computer using the Application, which contain specific information enabling, in particular, the identification of the connection. Cookies are a legally permissible and useful tool, for example, in analysing the effectiveness of the design of a mobile application and advertising, and in checking the identity of users who conduct transactions in the online system.
2. When the User uses the Application, cookies are used to identify their device – cookies collect various types of information that, as a rule, do not constitute personal data (they do not allow for the identification of the User). In some cases, this information, depending on its content and method of use, may, however, be associated with a specific person – assigning certain behaviours to a specific User, e.g. by linking them with data obtained when registering an Account in the Application – and thus be considered as personal data.
3. The Application uses internal Cookies to implement the processes necessary to ensure the functionality of the Application, for statistical and advertising purposes, and to maintain the logged User session, including to the extent necessary to retain in memory the choices made by the User regarding the order, correct configuration of selected functions of the Application, as well as efforts aimed at increasing the usability and personalisation of the content of the Application websites, including presenting, creating, granting and implementing advertisements, offers and discounts dedicated to a given User in accordance with their interest.
4. The Application uses external Cookies posted by third parties for analytical purposes, including analysis and monitoring of traffic in the Application.
5. Cookies may be placed on Users' end devices also by entities cooperating with the "Restbill" Application.
6. Obtaining and storing information with the use of cookies is possible on the basis of a consent expressed by the User. By default, the software installed on a computer or other device connected to the network allows cookies to be placed on such devices by default, and thus to collect information about Users.
7. The User may at any time restrict or disable the possibility of processing Cookies by their ICT system by changing the settings in the Application used by the User. Failure to disable or restrict the storage and access to the content of cookies means the User consents to such actions. Detailed information on managing cookies on a mobile phone or other mobile device can be found in the user manual/instructions of your phone or mobile device.
8. Storing cookies or accessing Cookies does not change the configuration of the User's telecommunications end device nor the software installed on this device.
1. The period of processing and storing data depends on the type of service provided and the purpose of the processing. As a rule, data is processed for the duration of the provision of services or the handling of an inquiry, until the consent is withdrawn (if consent is the legal basis for the processing of Personal Data) or until the submission of an effective objection to the processing of Personal Data in cases where the necessity to legally implement the legitimate interest of the Service Provider constitutes the legal basis for data processing.
2. The data processing period may be extended if the processing is necessary for the establishment and pursuit of any claims or defense against them, and thereafter only if and to the extent required by law. After the processing period ends, the data shall be permanently destroyed or anonymised.
3. Web traffic analysis data collected through cookies and similar technologies may be stored until the cookie expires. Some cookies never expire, therefore the duration of data storage will be equivalent to the time necessary for the Data Controller to fulfill the purposes related to data collection, such as ensuring security and analysing historical data related to traffic in the Application.
4. The inquiries and information entered in the forms are archived on the internal mail server. The archive is kept for no longer than 1 year.
5. If the Data Controller needs to pursue or defend against claims, the Data Controller may process the personal data of specific Users expressed during account registration until the end of the pending proceedings and until the expiry of the limitation period for the Data Controller's claims against the User, which is usually 2 years pursuant to Art. 751 item 1 of the Civil Code, however, in special cases provided for by law it may be longer – e.g. in the case of most claims it will be 6 years, determined in accordance with the wording of Art. 118 of the Civil Code.
The User has the right to access their Personal Data and request their rectification, deletion, restriction of processing, as well as the right to transfer data and to object to the processing thereof, alongside the right to lodge a complaint to the supervisory authority dealing with the protection of Personal Data, at Stawki 2 street, 00-193 Warsaw.
2. To the extent that the User's data is processed on the basis of consent, this consent may be withdrawn at any time, without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal.
3. The User has the right to object to the processing of data for direct marketing purposes if the processing is carried out in connection with the pursuit of the Service Provider's legitimate interest, and – for reasons related to the User's specific situation – in other cases where the legal basis for data processing is the pursuit of the Service Provider's the legitimate interest (e.g. in connection with the implementation of analytical and statistical purposes).
4. In the event of a request to cease processing Personal Data, the Service Provider may not be able to properly perform its services, in particular in the form of making the Application available to Users.
1. In connection with the provision of services, Personal Data shall be transferred or made available to other entities. Said recipients of Users' Personal Data are employees and associates of the Data Controller, entities to whom the Data Controller entrusted the processing of Personal Data and concluded relevant contracts on entrusting the processing of Personal Data, entities cooperating with the Data Controller. These entities can be categorised as follows: providing commercial, payment, intermediary, invoicing, hosting, accounting, IT, correspondence and parcel delivery, legal, debt-collection, website maintenance, marketing, PR and archiving services.
2. The Service Provider reserves the right to disclose selected information concerning the User to the competent authorities or third parties who request such information on an appropriate legal basis and in accordance with applicable law.
1. The level of protection of Personal Data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Data Controller transfers Personal Data outside the EEA only when it is necessary and with an adequate level of protection, primarily through:
a) cooperating with entities processing Personal Data in countries for which an adequate level of protection of Personal Data has been affirmed by a European Commission decision;
b) using standard contractual clauses issued by the European Commission;
c) using binding corporate rules approved by a proper supervisory body;
1. The Service Provider conducts a risk analysis on an ongoing basis in order to ensure that Personal Data is processed in a secure manner that ensures, above all, that only authorised persons have access to the data and only to the extent necessary for the performance of their tasks. The Service Provider makes sure that all operations on Personal Data are recorded and made only by authorised employees and associates.
2. The Service Provider undertakes all necessary actions so that its subcontractors and other cooperating entities guarantee that appropriate security measures are applied whenever they process Personal Data at the Data Controller's request.
3. When processing Personal Data, the Data Controller shall ensure their security and confidentiality, as well as access to information about the processing to data subjects. If, despite the security measures in place, a breach of Personal Data protection (e.g. data "leakage" or loss) were to occur, the Data Controller shall take appropriate action in accordance with applicable law.
1. The Application may use data concerning the location of the User's device (computer, mobile phone, tablet, etc.).
2. The Data Controller shall process location data, in particular in order to provide the User with a map indicating the nearest restaurants/food outlets.
3. Consent to access your device's location services is required for the Application to offer you location-based features such as displaying offers available near you. If you do not allow access, only limited location-dependent content can be displayed.
1. The policy is verified on an ongoing basis and, in justified cases, updated by the Data Controller.
2. The current version of the Policy has been adopted and in force since 9 August 2021.