Privacy Policy
This Privacy Policy outlines the rules for storing and accessing data on Users’ Devices using the Service for electronic service provision by the Administrator, as well as the rules for collecting and processing Users’ personal data that have been provided personally and voluntarily via tools available on the Service.
This Privacy Policy is an integral part of the Terms of Service, which defines the rules, rights, and obligations of Users using the Service.
§1 Definitions
- Service – the website “atcracow.com” operating at www.atcracow.com
- External Service – websites of partners, service providers, or service recipients cooperating with the Administrator
- Service/Data Administrator – the Service Administrator and Data Administrator (hereinafter referred to as the “Administrator”) is AT Cracow S.C. Małgorzata Balon, Krzysztof Balon, operating at: Węgrzce Wielkie 495, 32-002 Węgrzce Wielkie, with tax identification number (NIP): 6783181238, providing electronic services through the Service
- User – an individual for whom the Administrator provides electronic services through the Service
- Device – an electronic device and software through which the User accesses the Service
- Cookies – text data collected in the form of files placed on the User’s Device
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- Personal Data – information about an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more specific factors defining the physical, physiological, genetic, mental, economic, cultural, or social identity of that person
- Processing – any operation or set of operations performed on personal data or sets of personal data by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction
- Restriction of Processing – marking stored personal data to restrict its future processing
- Profiling – any form of automated processing of personal data that involves the use of personal data to evaluate certain personal aspects of a natural person, especially to analyze or predict aspects concerning that person’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements
- Consent – the data subject’s voluntary, specific, informed, and unambiguous indication of their wishes by which they, in a statement or by clear affirmative action, signify agreement to the processing of personal data relating to them
- Data Breach – a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data transmitted, stored, or otherwise processed
- Pseudonymization – processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to prevent its attribution to an identified or identifiable individual
- Anonymization – an irreversible data processing operation that destroys or modifies “personal data,” preventing identification or linking of a record to a specific User or individual.
§2 Data Protection Officer
In accordance with Article 37 of the GDPR, the Administrator has not appointed a Data Protection Officer.
For matters concerning data processing, including personal data, please contact the Administrator directly.
§3 Types of Cookies
- Internal Cookies – files placed and read from the User’s Device by the Service’s telecommunication system
- External Cookies – files placed and read from the User’s Device by the telecommunication systems of External Services. External Service scripts that may place Cookies on User Devices have been deliberately placed on the Service through scripts and services provided and installed on the Service
- Session Cookies – files placed and read from the User’s Device by the Service during a single session of a given Device. The files are deleted from the User’s Device at the end of the session
- Persistent Cookies – files placed and read from the User’s Device by the Service until manually deleted. The files are not automatically deleted after the session ends unless the User’s Device settings are configured to delete Cookies at the end of each session
§4 Data Storage Security
- Mechanisms for Storing and Reading Cookies – The mechanisms for storing, reading, and exchanging data between Cookies saved on the User’s Device and the Service are implemented through built-in web browser mechanisms and do not allow other data to be retrieved from the User’s Device or data from other websites visited by the User, including personal or confidential information. It is virtually impossible to transfer viruses, trojans, or other malware onto the User’s Device.
- Internal Cookies – The Cookies used by the Administrator are secure for User Devices and do not contain scripts, content, or information that could compromise personal data security or the security of the Device used by the User.
- External Cookies – The Administrator makes every effort to verify and select the Service’s partners in terms of User security. The Administrator works with well-known, major partners with global social trust. However, the Administrator does not have full control over the content of Cookies from external partners. To the extent permitted by law, the Administrator is not responsible for the security, content, or license-compliant use of Cookies by External Service scripts installed on the Service. A list of partners is included later in this Privacy Policy.
Cookie Control
The User can independently change the settings for saving, deleting, and accessing data from Cookies for any website at any time.
Information on how to disable Cookies in the most popular web browsers is available at: “how to disable cookies” or from one of the following providers:
- Managing cookies in Chrome
- Managing cookies in Opera
- Managing cookies in Firefox
- Managing cookies in Edge
- Managing cookies in Safari
- Managing cookies in Internet Explorer 11
The User can delete all previously saved Cookies at any time using the tools on their Device, which they use to access the Service’s services.
User Risks
The Administrator takes all possible technical measures to ensure the security of data stored in Cookies. However, it should be noted that the security of this data depends on both parties, including User actions. The Administrator is not responsible for interception, impersonation of User sessions, or deletion of data as a result of deliberate or inadvertent User actions, viruses, trojans, or other spyware that may infect or may have infected the User’s Device. Users should follow safe internet practices to protect themselves from these risks.
Personal Data Storage
The Administrator ensures that all reasonable efforts are made to protect the personal data provided voluntarily by Users, ensuring limited access to such data, and that data is processed according to its intended purpose and processing objectives. The Administrator also strives to secure stored data against loss by using appropriate physical and organizational security measures.
§5 Purposes for Using Cookies
Cookies are used for the following purposes:
- Streamlining and facilitating access to the Service
- Personalizing the Service for Users
- Enabling Login to the Service
- Marketing, Remarketing on external services
- Advertising services
- Affiliate services
- Gathering statistics (users, visit count, device types, connection, etc.)
- Serving multimedia services
- Providing social media services
§6 Purposes of Personal Data Processing
Personal data voluntarily provided by Users is processed for one of the following purposes:
- Provision of electronic services:
- Registration and maintenance of a User account on the Service and related functionalities
- Newsletter service (including sending advertising content with consent)
- Sharing information about content posted on the Service on social media or other websites
- Communication between the Administrator and Users regarding the Service and data protection
- Ensuring the legitimate interests of the Administrator
- Conducting regular and private tours purchased via www.atcracow.com
Anonymously and automatically collected User data is processed for one of the following purposes:
- Generating statistics
- Remarketing
- Serving ads tailored to User preferences
- Managing affiliate programs
- Ensuring the legitimate interests of the Administrator
§7 Cookies from External Services
The Administrator uses JavaScript scripts and web components from partners in the Service, who may place their own cookies on the User’s Device. Remember that you can decide which cookies are allowed in your browser settings for each website. Below is a list of partners or their services implemented on the Service that may place cookies:
- Multimedia Services: YouTube
- Social/Combined Services (Registration, Login, content sharing, communication, etc.): Twitter, Facebook, Google+
- Newsletter Services: MailChimp
- Advertising and Affiliate Networks: Google Adsense
- Statistics Services: Google Analytics, Facebook Analytics for Apps
- Other Services: Hotjar, Google Maps
Services provided by third parties are beyond the control of the Administrator. These entities may change their terms of service, privacy policies, data processing purposes, and cookie usage practices at any time.
§8 Types of Data Collected
The Service collects data about Users. Some data is collected automatically and anonymously, while other data consists of personal information provided voluntarily by Users when signing up for specific services offered by the Service.
- Anonymously collected data:
  - IP Address
  - Browser type
  - Screen resolution
  - Approximate location
  - Service subpages accessed
  - Time spent on specific subpages
  - Operating system type
  - Previous subpage address
  - Referring site address
  - Browser language
  - Internet connection speed
  - Internet service provider
  - Demographic data (age, gender)
- Data collected during registration:
  - First/Last Name or Pseudonym
  - Email address
  - Date of birth/age
  - Phone number
  - IP Address (automatically collected)
  - VAT ID (NIP) Number
  - KRS Number
- Data collected when subscribing to the Newsletter:
  - First/Last Name or Pseudonym
  - Email address
  - IP Address (automatically collected)
- Data collected when adding a comment:
  - First/Last Name or Pseudonym
  - Email address
  - Website address
  - IP Address (automatically collected)
Some data (excluding identifying information) may be stored in cookies. Some data (excluding identifying information) may be shared with statistical service providers.
§9 Access to Personal Data by Third Parties
- As a rule, the sole recipient of personal data provided by Users is the Administrator. Data collected as part of the provided services is not transferred or sold to third parties. Access to the data (most often based on a Data Processing Agreement) may be granted to entities responsible for maintaining the infrastructure and services necessary to operate the website, such as:
- Hosting companies providing hosting or related services to the Administrator
- Companies through which the Newsletter service is provided
- Companies facilitating online payments for goods or services offered on the Website (in case of purchase transactions within the Website)
Delegation of Personal Data Processing – Newsletter
The Administrator, in order to provide the Newsletter service, uses a third-party provider – the MailChimp platform. Data entered into the subscription form for the newsletter is transmitted, stored, and processed in the external service provider’s system. We inform you that the aforementioned partner may modify its privacy policy without the Administrator’s consent.
Delegation of Personal Data Processing – Hosting, VPS, or Dedicated Server Services
The Administrator, to operate the Website, uses the services of an external provider for hosting, VPS, or Dedicated Servers – OVH sp. z o.o. All data collected and processed within the Website is stored and processed in the service provider’s infrastructure located in Poland. Access to the data may occur as a result of maintenance work carried out by the service provider’s personnel. Access to such data is governed by an agreement between the Administrator and the Service Provider.
Data Processing in Case of Online Payments
In the case of online payments, all payment-related data is directly provided by the User to the payment processing entity. Selected data necessary for completing the transaction is then transferred by this entity to the Administrator. The transfer of data is governed by an agreement between the Administrator and the Service Provider.
§10 Method of Personal Data Processing
Personal data voluntarily provided by Users:
- Personal data will not be transferred outside the European Union unless it has been published as a result of the User’s individual actions (e.g., entering a comment or post), making the data accessible to any visitor of the Website.
- Personal data is used for automated decision-making (profiling). Profiling of personal data does not produce legal effects or similarly significantly affect the individual whose data is subject to automated decision-making.
- Personal data will not be sold to third parties.
Anonymous data (without personal data) collected automatically:
- Anonymous data (without personal data) may be transferred outside the European Union.
- Anonymous data (without personal data) may be used for automated decision-making (profiling). Profiling of anonymous data (without personal data) does not produce legal effects or similarly significantly affect the individual whose data is subject to automated decision-making.
- Anonymous data (without personal data) will not be sold to third parties.
§11 Legal Basis for Personal Data Processing
The Website collects and processes User data based on:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR):
  - Article 6(1)(a) – the data subject has given consent to the processing of their personal data for one or more specific purposes
  - Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract
  - Article 6(1)(f) – processing is necessary for the purposes of the legitimate interests pursued by the Administrator or by a third party
- Act of May 10, 2018, on the Protection of Personal Data (Journal of Laws 2018, item 1000)
- Act of July 16, 2004, Telecommunications Law (Journal of Laws 2004, No. 171, item 1800)
- Act of February 4, 1994, on Copyright and Related Rights (Journal of Laws 1994, No. 24, item 83)
§12 Duration of Personal Data Processing
Personal data voluntarily provided by Users:
As a rule, the specified personal data is stored only for the duration of the service provided within the Website by the Administrator. It is deleted or anonymized within 30 days of the termination of service (e.g., deletion of a registered user account, unsubscribing from the Newsletter, etc.)
An exception is a situation that requires the protection of legitimate legal interests that necessitate further processing of such data by the Administrator. In such cases, the Administrator will retain the specified data, from the time of the User’s request for deletion, for no longer than 3 years in case of violation or suspected violation of the Website’s Terms by the User.
Anonymous data (without personal data) collected automatically:
Anonymous statistical data, not constituting personal data, is retained by the Administrator indefinitely for the purpose of website statistics.
§13 Users’ Rights Related to Personal Data Processing
Users are entitled to:
- Right of access to personal data – Users have the right to access their personal data, exercised upon request to the Administrator.
- Right to rectify personal data – Users have the right to request the Administrator to promptly correct inaccurate personal data or complete incomplete personal data, exercised upon request to the Administrator.
- Right to delete personal data – Users have the right to request the Administrator to delete personal data promptly, exercised upon request to the Administrator. For user accounts, data deletion involves anonymizing data that enables user identification. The Administrator reserves the right to delay the execution of a deletion request to protect its legitimate interests (e.g., when the User has violated the Terms or data was obtained through correspondence). For the Newsletter service, Users can delete their personal data themselves using the link provided in every email message.
- Right to restrict personal data processing – Users have the right to restrict the processing of personal data in cases specified in Article 18 of the GDPR, e.g., disputing the accuracy of personal data, exercised upon request to the Administrator.
- Right to data portability – Users have the right to obtain from the Administrator their personal data in a structured, commonly used, machine-readable format, exercised upon request to the Administrator.
- Right to object to personal data processing – Users have the right to object to the processing of their personal data in cases specified in Article 21 of the GDPR, exercised upon request to the Administrator.
- Right to file a complaint – Users have the right to file a complaint with the supervisory authority responsible for personal data protection.
§14 Contact with the Administrator
You can contact the Administrator using one of the following methods:
- Postal address – AT Cracow S.C., Węgrzce Wielkie 495, 32-002 Węgrzce Wielkie
- Email address – support@atcracow.pl
§15 Website Requirements
- Restricting the storage and access of Cookies on the User’s device may cause some Website features to function improperly.
- The Administrator is not responsible for improperly functioning Website features if the User restricts Cookies in any way.
§16 External Links
The Website may contain links to external websites within articles, posts, entries, or User comments, which are not affiliated with the Website Owner. These links and the pages or files they lead to may pose risks to your Device or data security. The Administrator is not responsible for the content found outside the Website.
§17 Changes to the Privacy Policy
- The Administrator reserves the right to amend this Privacy Policy at any time, without informing Users, with respect to the use and processing of anonymous data or the use of Cookies.
- The Administrator reserves the right to amend this Privacy Policy regarding the processing of Personal Data, of which Users with user accounts or subscribed to the newsletter will be informed via email within 7 days of the changes. Continued use of services signifies acknowledgment and acceptance of the amended Privacy Policy. If the User disagrees with the changes, they are obligated to delete their account or unsubscribe from the Newsletter.
- Changes to the Privacy Policy will be published on this Website page.
- Changes take effect upon publication.