I. Administrator of personal data

  1. The administrator of personal data within the meaning of Article 4 point 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (CODO) is FeelFree Kayak EU Sp. z o.o. with its registered office in Żuków at ul. Armii Krajowej 1, 83-330 Żukowo, entered into the Register of Entrepreneurs of the National Court Register by the District Court Gdańsk-Północ in Gdańsk, 8th Commercial Division of the National Court Register under KRS number 0000478113, NIP: 5892012362, REGON: 221971497, share capital PLN 100,000. 
  2. Administrator's e-mail address:
  3. Administrator pursuant to Article 32(1) of the FAMILY observes the principle of personal data protection and applies appropriate technical and organisational measures to prevent accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data processed in connection with the conducted activity.
  4. The provision of personal data by the customer is voluntary, but necessary in order to conclude an agreement with the administrator.
  5. Personal data is processed by the administrator to the extent necessary to perform a contract or provide services to the data subject.

II. Purposes and basis of the personal data processing

Administrator processes personal data for the following purposes:

  1. preparation of a commercial offer in response to a customer's interest, which is a legitimate interest of the administrator (art. 6 (1) (f) GDPR);
  2. conclusion and performance of sales contracts with customers, on the basis of a concluded contract (Article 6(1)(b) GDPR);
  3. provision of services by electronic means through the Online Shop on the basis of a contract (Article 6(1)(b) GDPR);
  4. handling the complaint process, on the basis of the obligation imposed on the controller in relation to the applicable legal regulations (Article 6 (1)(c) GDPR);
  5. accounting documents related to the issuance and receipt of settlement documents, on the basis of tax legislation (Article 6(1)(c) of the GDPR);
  6. the archiving of data for the possible establishment, investigation or defence of claims or the need to prove facts, which is a legitimate interest of the administrator (Article 6(1)(f) of the GDPR);
  7. contact by telephone or e-mail, in particular in response to enquiries addressed to the administrator, which is a legitimate interest of the controller (Article 6(1)(f) GDPR);
  8. sending technical information on the functioning of the Online Shop and the services used by the customer,  which is a legitimate interest of the administrator (Article 6(1)(f) GDPR);
  9. marketing of personal products of the administrator, which is a legitimate interest of the administrator (Article 6(1)(f) GDPR) or on the basis of prior consent (Article 6(1)(a) GDPR).

III. Data recipients Transfer of data to third countries

  1. The recipients of personal data processed by the administrator may be the co-operators with the administrator when it is necessary for the realization of the agreement concluded with the data subject.
  2. The recipients of personal data processed by the administrator may also be subcontractors - entities whose services are used by the administrator for data processing, e.g. accountancy offices, law firms, entities providing IT services (including hosting services).
  3. The administrator may be obliged to make personal data available on the basis of the applicable law, in particular to make personal data available to authorized state bodies or institutions. 
  4. Personal data will not be transferred to an entity established outside the European Economic Area.

IV. Duration of the storage of personal data

  1. The administrator shall store personal data for the duration of the contract concluded with the data subject and after its termination for the purposes of pursuing claims related to the contract, fulfilling the obligations arising from the applicable laws, but not longer than the period of limitation according to the provisions of the Civil Code.
  2. The administrator shall keep the personal data contained in the billing documents for the period of time indicated in the VAT Act and in the Accounting Act.
  3. The administrator shall keep the personal data processed for marketing purposes for a period of 10 years, however, not longer than until the withdrawal of consent to the processing of the data or until the opposition to the processing is raised.
  4. The administrator shall store personal data for purposes other than those indicated in paragraphs 1 to 3 for a period of 3 years, unless consent to the processing of the data has been previously withdrawn and the processing of the data may not be continued on any other basis than the consent of the data subject.

V. Rights of the data subject

  1. Every data subject has a right:
    a) access - obtain confirmation from the administrator whether her personal data are being processed. Where data about a person is processed, he or she is entitled to have access to it and to obtain the following information: the purposes of the processing, the categories of personal data, information about the recipients or categories of recipients to whom the data have been or will be disclosed, the period of storage of the data or the criteria for determining them, the right to request the rectification, erasure or restriction of the processing of personal data to which the data subject is entitled and to object to such processing (Article 15 GDPR);
    b) to obtain a copy of the data - to obtain a copy of the data subject to processing, the first copy is free of charge, and for subsequent copies the controller may charge a reasonable fee resulting from the administrative costs (Article 15(3) GDPR);
    c) to rectify – to request rectification of personal data concerning it that are incorrect or to supplement incomplete data (Article 16 GDPR);
    d) to delete the data - to request the deletion of his/her personal data if the administrator no longer has a legal basis for their processing or if the data are no longer necessary for the purposes of processing (Article 17 GDPR);
    - customers may request deletion of data by sending such a request to the e-mail address:
    e) to restrict processing – to request restriction of the processing of personal data (Article 18 GDPR) where:
    - the data subject questions the accuracy of the personal data - for a period of time allowing the administrator to check the accuracy of the data,
    - the processing is unlawful and the data subject opposes their deletion by requesting that their use be restricted,
    - The administrator no longer needs these data, but they are needed by the data subject to establish, pursue or defend claims,
    - the data subject has lodged an objection to the processing, until it has been established whether the legitimate grounds of the administartor take precedence over those of the data subject;
    f) to transfer data - to receive, in a structured, commonly used machine-readable format, personal data concerning him/her which he/she has provided to the administrator, and to request that the data be sent to another controller, if the data are processed on the basis of the data subject's consent or an agreement concluded with him/her and if the data are processed by automated means (Article 20 GDPR);
    g) to object - to object to the processing of his/her personal data for the legitimate purposes of the administrator, for reasons related to his/her particular situation, including profiling. The administrator shall then assess whether there are compelling legitimate grounds for processing overriding the interests, rights and freedoms of the data subject or grounds for establishing, pursuing or defending claims. Where it is assessed that the interests of the data subject will take precedence over the interests of the administrator, the administrator will be obliged to cease processing the data for these purposes (Article 21 GDPR).
  2. In order to exercise the aforementioned rights, the data subject should contact the administrator using the contact details provided and inform him/her which right he/she wishes to exercise and to what extent.
  3. The data subject has the right to lodge a complaint with the supervisory authority, which is the President of the Office for Personal Data Protection in Warsaw.

VI. Profiling

Personal data obtained by the data administrator will not be processed automatically, including through profiling.