INFORMATION ON THE PROCESSING OF PERSONAL DATA
1. Personal Data and the Data Controller
The Data Controller in respect of personal data is Restaumatic S.A., with its registered office in Zabrze (41-800) at ul. Wolności 345, entered in the Register of Entrepreneurs of the National Court Register maintained by the District Court in Gliwice, 10th Commercial Division of the National Court Register under KRS number 0001016935, NIP 6482765571, REGON 242895699, share capital and paid-up capital: PLN 149,400.00, administering the website at www.skubacz.pl and www.restaumatic.com, as well as a dedicated IT system and mobile application named Restaurant Operating System -- Restaumatic.
Contact regarding the processing of personal data: privacy@restaumatic.com or by post to the administrator's registered office.
The data controller has appointed Mr Tomasz Banasik as Data Protection Officer; contact: privacy@restaumatic.com.
2. Purpose of data processing
The purpose of processing Personal Data is to fulfil contracts between the Data Controller and users of the website and application, to provide technical support for the website, and to carry out marketing activities.
3. Legal basis for data processing
Personal Data is processed on the following legal bases:
a. in relation to the performance of a contract, Article 6(1)(b) and (f) of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the "GDPR"), that is, in the context of the performance of the contract and in the context of the Controller's legitimate interest, which is the ability to provide information on all matters relating to the provision of the service;
b. for the purposes of marketing the Controller's own goods and services and those of cooperating entities, Article 6(1)(a) of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, that is, for the purpose of contacting you regarding the presentation of a commercial offer;
c. in relation to compliance with legal requirements under Article 6(1)(c) of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, for example for the purposes of complying with tax regulations;
d. for analytical and statistical purposes -- the legal basis for processing is the Controller's legitimate interest under Article 6(1)(f) of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, consisting of analysing user activity within the IT System, with a view to improving the functionalities used and the operation of the online chat and other forms of automated communication with the customer via the website.
4. Data recipients
The following data recipients may have access to Personal Data:
a. service providers who have been contractually entrusted with the processing of Personal Data for the purposes of providing services to the Controller, in particular to the extent necessary for the proper performance of those services. In the case of a Customer who uses electronic payment methods, the Controller also makes the Customer's collected personal data available to the selected entity handling such payments,
b. entities authorised to receive Personal Data under the provisions of law,
c. providers of legal and advisory services and those assisting the Controller in pursuing claims (in particular law firms, tax firms and debt collection agencies),
d. providers of communication services and technological platforms used to contact users, including providers of instant messaging and notification services, to the extent necessary for marketing or technical communication; where WhatsApp or Messenger is used, the recipient of the data may be Meta Platforms Ireland Limited or other entities within the Meta group providing these services.
5. Data retention period
a. in the case of data processing for the purposes referred to in point 3(a) and (c), for the period during which the data subject may pursue any claims arising from non-performance or improper performance of the contract, limited to the expiry of the limitation period for such claims, in accordance with generally applicable law, from the moment the service is performed.
b. in the case of data processing for the purpose referred to in point 3(b), for a period until consent is withdrawn.
6. Data collected
a. Ordering process
Personal data received by Restaumatic S.A. from partner restaurants when an order is placed on the dedicated website is processed, with Restaumatic S.A. acting as a data processor. The provision of personal data is required to fulfil the order, confirm it and make payment. The legal basis for processing this personal data is that it is necessary for the performance of the contract. To this end, the following personal data is processed as part of the ordering process:
- First name and surname
- Telephone number
- Email address
- Delivery address
- Order
- Payment details
- Comments (if applicable)
- IP address
b. Restaurant reviews
Personal data provided when submitting a restaurant review is processed. The legal basis for processing this personal data is the fact that consent has been given (by publishing a restaurant review). The following personal data is processed when publishing a restaurant review:
- First name (if provided)
- Content of the review
c. Customer service
When you contact customer service, the personal data you provide is used to answer your query or deal with your complaint. The legal basis for processing this personal data is that it is necessary for the performance of a contract. The following personal data is processed for customer service purposes:
- First name and surname
- Address details (if applicable)
- Contact details
- Payment details (if applicable)
d. Marketing communications
Personal data is processed for the purpose of sending marketing communications and notifications. Such communications may include, in particular, news, discounts, information about new restaurants, loyalty programmes, the Controller's products and services, and other marketing content.
Marketing communications may be sent via email, SMS, telephone calls, push notifications and instant messaging apps, including WhatsApp and Messenger, to the extent that the user has consented to being contacted via these channels.
The legal basis for processing personal data for this purpose is the consent of the data subject. You may change your preferences regarding the receipt of such messages and notifications at any time, or withdraw your consent.
The following personal data is processed for marketing purposes:
- First name and surname
- Address details
- Telephone number
- Email address
e. Cookies
The Administrator informs you that it uses cookies. Cookies are harmless to the Customer's computer or other device and their data. The Administrator also informs you that it is possible to configure your web browser or Mobile Application in such a way that cookies are not stored on the Customer's computer or other device.
Information contained in system logs in connection with the general principles of establishing Internet connections is used by the hosting company operating the IT System solely for technical and statistical purposes.
The Controller uses so-called service cookies and similar technologies (local storage) primarily to provide the Customer with services delivered electronically and to improve the quality of these services. Consequently, the Controller and other entities providing analytical and statistical services on its behalf use cookies, storing information or accessing information already stored on the Customer's telecommunications terminal equipment (computer, telephone, tablet, etc.).
Cookies used for this purpose include:
- cookies containing data entered by the Customer (session ID) for the duration of the session (user input cookies);
- authentication cookies used for services requiring authentication for the duration of the session;
- cookies used to ensure security, e.g. used to detect authentication fraud (user-centric security cookies);
- multimedia player session cookies (e.g. Flash player cookies) for the duration of the session;
- persistent cookies used to personalise the user interface, either for the duration of the session or slightly longer (user interface customisation cookies);
- cookies used to monitor website traffic, i.e. data analytics;
- Push technology. The Controller uses so-called push technology, which enables notifications to be sent to the Customer, including in connection with the delivery of advertisements to the Customer. For this purpose, the Controller stores information or accesses information already stored on the Customer's telecommunications terminal equipment (computer, telephone, tablet, etc.).
f. Social media
The Controller processes the personal data of Customers visiting the Controller's profiles on social media (Facebook, YouTube, Instagram, LinkedIn, Twitter). This data is processed solely in connection with the maintenance of the profile, including for the purpose of informing Customers about the Controller's activities and promoting various events, services and products. The legal basis for the Controller's processing of personal data for this purpose is its legitimate interest (Article 6(1)(f) of the GDPR), consisting in the promotion of its own brand. Within this framework, personal data such as first name and surname are collected.
g. Integration with Google Business Profile
The Controller enables restaurateurs using the Restaumatic system to integrate with the Google Business Profile service in order to manage their restaurant's listing on Google Search and Google Maps.
Once the integration is activated, the user logs into their Google account and grants the Restaumatic application access to manage the business profile.
As part of the integration, data relating to the restaurant's listing may be processed, in particular:
- opening hours,
- the restaurant menu,
- photos of products or dishes,
- links for ordering or booking,
- the restaurant's address and contact details.
This data is used solely to enable the restaurant owner to manage their Google Business Profile listing via the Restaumatic system. The Administrator does not use the data obtained through this integration for advertising purposes, nor does it sell it to third parties. Data processing is carried out in accordance with the Google API Services User Data Policy, including the Limited Use principle.
The user may revoke the application's access to their Google account at any time via their Google account security settings. If the integration is disconnected, authorisation-related data is deleted from the Administrator's system to the extent necessary to terminate the integration and ensure system security.
h. RePOS App
When using the Restaurant Operating System -- Restaumatic (RePOS) mobile app, personal data and other information related to the operation of the app and the provision of services via the app may be processed.
When using features related to delivery services, including the DELIVERY module, data regarding the user's or restaurant's location may be processed, including approximate or precise location data. This data is used to indicate the location of the driver and/or restaurant, to manage the delivery process, and to ensure the proper functioning of the app's location features.
Location data may be determined using GPS technology, nearby Wi-Fi networks, mobile networks and other location features available in the device's operating system.
The app may also use system functions and relevant permissions to determine whether the device is in motion or at rest. This information is used solely to limit the transmission of location data during periods of inactivity and to optimise the app's performance.
Providing data and granting the required permissions is voluntary, but may be necessary for the proper functioning of selected app features. You can manage the app's permissions via your system settings.
7. Data collection policy
a. Providing data is voluntary but necessary for the use of the service.
b. The Controller may transfer personal data outside the European Economic Area in connection with the use of technology and communication service providers, such as Google or Meta. Should it become necessary to transfer personal data to a third country, the Controller shall ensure appropriate safeguards for the data transfer, in particular by using standard contractual clauses adopted by the European Commission.
c. Users of the portal are also direct customers of partner restaurants, where they provide their personal data to place orders on the restaurants' dedicated websites at . Partner restaurants have their own responsibilities and obligations regarding the processing of personal data. If you have any questions about how a restaurant processes your personal data, please contact the restaurant where you placed your order directly.
8. Profiling
Profiling is used as part of the service provided to the user and to improve our platform, www.skubacz.pl and restaumatic.com. Order history is used to prepare marketing campaigns. A marketing campaign may involve, at the discretion of the partner restaurant, offering a discount on the first order, sending a message inviting you to place further orders, etc. The Data Controller does not use automated decision-making. Profiling is carried out exclusively in relation to users who have consented to the processing of their data for marketing purposes.
9. Rights relating to the processing of Personal Data
The data subject may exercise the following rights:
a. the right to request access to their Personal Data and to have it rectified,
b. the right to restrict the processing of their data in the situations and under the conditions set out in Article 18 of the GDPR, or to have it erased in accordance with Article 17 of the GDPR ('the right to be forgotten'),
c. the right to data portability in accordance with Article 20 of the GDPR,
d. the right to object at any time to the processing of their Personal Data on grounds relating to their particular situation, as referred to in Article 21(1) of the GDPR,
e. the right to withdraw consent to the processing of data in accordance with Article 13(2)(c) of the GDPR, provided that the processing is based on consent,
f. the right to lodge a complaint with a supervisory authority responsible for the protection of personal data.
A person who has submitted a request or query regarding the processing of their Personal Data, in the exercise of their rights, may be asked by the Controller to answer a few questions relating to their Personal Data, which enable the verification of their identity.