I consent to the processing of personal data provided in the contact form. The data will be processed solely for the purpose of providing a response via the indicated phone number or email address. The data controller is Million Hotels Sp. z o.o., with its registered office at 7 Galopu Street, 02-822 Warsaw. This consent may be withdrawn at any time by sending a relevant request to kontakt@millionhotels.pl.
§1 Definitions
Service – the online service "millionhotels.pl" operating at www.millionhotels.pl
External Service – online services of partners, service providers, or clients cooperating with the Administrator.
Service / Data Administrator – the Service Administrator and Data Administrator (hereinafter referred to as Administrator) is Million Hotels Sp. z o.o., with its registered office at 7 Galopu Street, 02-822 Warsaw.
User – a natural person to whom the Administrator provides electronic services via the Service.
Device – an electronic device with software through which the User gains access to the Service.
Cookies – text data collected in the form of files placed on the User’s Device.
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation).
Personal Data – information about an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name and surname, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Processing – an operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Restriction of Processing – the marking of stored personal data with the aim of limiting their future processing.
Profiling – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Consent – the freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
Personal Data Breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Pseudonymization – the processing of personal data in such a manner that they can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure non-attribution.
Anonymization – an irreversible process of operations on data that destroys/overwrites "personal data," preventing identification or linkage of a given record with a specific User or natural person.
§2 Data Protection Officer
Pursuant to Article 37 of GDPR, the Administrator has not appointed a Data Protection Officer. For matters related to data processing, including personal data, please contact the Administrator directly.
§3 Types of Cookies
Internal Cookies – files placed and read from the User’s Device by the Service’s IT system.
External Cookies – files placed and read from the User’s Device by IT systems of External Services. External Services’ scripts that may place Cookies on the User’s Devices have been deliberately included in the Service via scripts and services provided and installed within the Service.
Session Cookies – files placed and read from the User’s Device by the Service during a single session of the Device. After the session ends, the files are deleted from the User’s Device.
Persistent Cookies – files placed and read from the User’s Device by the Service until manually deleted. These files are not automatically deleted after the Device session ends unless the User’s Device is configured to delete Cookies after the session.
§4 Data Storage Security
Mechanisms for storing and reading Cookies – these are carried out through built-in web browser mechanisms and do not allow retrieval of other data from the User’s Device or from other websites visited by the User, including personal data or confidential information. It is practically impossible to transfer viruses, trojans, or other malware onto the User’s Device via Cookies.
Internal Cookies – these are applied by the Administrator and are safe for Users’ Devices; they contain no scripts or content that may threaten the security of personal data or the Device.
External Cookies – the Administrator makes every effort to verify and select Service partners in terms of User security, cooperating only with well-known, trusted global partners. However, full control over the content of Cookies from external partners is not possible.
Users may at any time change Cookie settings, delete them, or block them via their browser settings.
§5 Purposes of Using Cookies
To improve and facilitate access to the Service
To personalize the Service for Users
To generate statistics (visitors, visits, devices, connections, etc.)
§6 Purposes of Processing Personal Data
Personal data voluntarily provided by Users is processed for:
Provision of electronic services
Communication between Administrator and Users regarding the Service and data protection
Ensuring the legitimate interest of the Administrator
Anonymized data collected automatically is processed for:
Generating statistics
Ensuring the legitimate interest of the Administrator
§7 External Service Cookies
The Administrator uses JavaScript scripts and web components of partners that may place their own Cookies on the User’s Device (e.g., Google Analytics).
§8 Types of Data Collected
Automatically and anonymously: IP address, browser type, screen resolution, approximate location, visited subpages, time spent, OS type, referring page, browser language, internet speed, ISP.
Voluntarily provided: name/surname/nickname, email address, IP (collected automatically).
§9 Access to Data by Third Parties
As a rule, the only recipient of personal data provided by Users is the Administrator. Data is not sold or transferred to third parties, except for service providers maintaining infrastructure necessary for the Service.
§10 Processing Method
Personal data will not be transferred outside the EU unless published by the User (e.g., in a comment).
Personal data will not be used for automated decision-making or sold to third parties.
Anonymous data may be transferred outside the EU.
§11 Legal Basis
Data is processed under GDPR Article 6 (a, b, f), Polish Data Protection Act of 2018, Telecommunications Law of 2004, and Copyright Act of 1994.
§12 Data Retention Period
Personal data is stored only during the provision of the Service and deleted/anonymized within 30 days of termination, unless further processing is legally required (up to 3 years).
Anonymous data may be stored indefinitely.
§13 User Rights
Users have the right to:
Access their data
Correct their data
Delete their data
Restrict processing
Transfer their data (data portability)
Object to processing
File a complaint with the supervisory authority
§14 Contact with Administrator
Email: kontakt@millionhotels.pl
§15 Service Requirements
Restricting Cookies may affect functionality of the Service.
§16 External Links
The Service may contain links to external sites. The Administrator is not responsible for their content or safety.
§17 Changes to Privacy Policy
The Administrator reserves the right to amend the Privacy Policy. Changes regarding personal data processing will be communicated to registered Users within 7 days. Continued use of the Service implies acceptance of changes.