Privacy Policy

The controller of the data processed for the purposes indicated in this document (Sections 2 and 3 below) is “Loyalty Point Sp. z o.o.” (hereinafter referred to as the “Controller”).

The Controller can be contacted quickly and effectively at the Controller’s office at ul. Klimczaka 1, 02-797 Warsaw at the indicated telephone number: 22 608 52 70 and by email:

If you contact the Controller, you may be asked for additional information to verify your identity.


What Are Personal Data?

The Personal Data mean any information relating to an identified or identifiable natural person (“data subject”). This will include data such as name, address, date of birth, telephone number or email address (this list is not exhaustive).

The Personal Data are processed in accordance with the GDPR, i.e. REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

What Are Your Rights in Relation to the Processing of Your Personal Data?

You have the right to:

  • access your data, including to obtain a copy of the data;
  • transfer the data;
  • rectify and delete the data;
  • restrict data processing;
  • where a decision (based on data) is taken by fully automated means, you have the right to obtain human intervention on the part of the Controller, as well as the right to express your views and to challenge that decision; in this case, the Controller shall provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
  • not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the conditions set out in the GDPR are fulfilled;
  • file a complaint with the supervisory body (the President of the Office for Personal Data Protection) – ul. Stawki 2, Warsaw 00-193. 


Right to object

Whenever your Personal Data are processed pursuant to Article 6(1)(f) or (e) of the GDPR (see below in Section 2), i.e. based on the so-called legitimate interest or public interest, you may object at any time. You may object using the contact details indicated in the introduction to the Privacy Policy.

(See more about your rights at: We also encourage you to read the leaflet on your rights available at

How Can You Tell Us that You Want to Exercise Your Rights?

You can exercise your rights in person at the Controller’s office, by mail or email (see above for the Controller’s contact details).

In response to your request, you may be asked to provide the data necessary to identify your Personal Data (among others, to find them) or to verify your identity (confirming that you are the person you claim to be). In this case, only the Personal Data will be processed to the extent necessary to document the proper performance of the obligations related to the request (including proper documentation of withdrawal of consent) for the purposes of defence against claims (Article 6(1)(f) of the GDPR, the so-called legitimate interest of the Data Controller) and to fulfil the obligations arising from the GDRP (including ensuring accountability under Article 6(1)(c) of the GDPR). For these purposes, the data will be processed, at the latest, until the end of the period of limitation of potential claims related thereto.

According to the GDPR, the information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

What Does ‘Consent-based Data Processing’ Mean?

If the Personal Data are processed on the basis of consent (e.g. using the image for promotional purposes – see more in Section 2), remember that:

  • the consent is always voluntary;
  • the consent may be revoked at any time in person at the Controller’s office, by mail or email (see above for contact details);
  • The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
  • after the withdrawal of consent, the data will no longer be used, they will be deleted or anonymised, which does not, however, preclude the processing of data to the extent necessary to prove that the statement of withdrawal of consent has been registered and implemented, which is the legitimate interest of the Data Controller in defending against claims and demonstrating compliance with the regulations on the protection of Personal Data (Article 6(1)(f) of the GDPR, the so-called legitimate interest of the Data Controller) – at the latest, until the end of the period of limitation of these claims.

Who Has Access to Personal Data?

Your Personal Data will only be accessed by authorised employees/cooperators acting on the Controller’s instructions. The data may also be disclosed to service providers, e.g. IT service providers supporting the Controller’s purposes listed below (after the conclusion of relevant data processor agreements). The data may also be disclosed to the recipients that are separate Data Controllers, e.g. public administration bodies, at their request.

For the details on the purposes of disclosure, see below in the parts discussing different purposes of data processing (see Sections 2 and 3).

Is the Provision of Data Voluntary?

The provision of data is, in principle, voluntary. Whenever the provision of data is:

  • Voluntary but necessary to achieve specific objectives (e.g. email contact via online form); or
  • mandatory (e.g., it is required by law), you will be informed about it separately and clearly (e.g. on a form through which Personal Data are collected).

Where does the Controller collect data from?

As a rule, the Controller collects data directly from you.

We use other sources to collect the data for the purpose of tax verification of business partners, using publicly available sources (e.g. National Court Register (KRS) / Central Registration and Information on Business (CEIDG) / registers of taxpayers published by public administration bodies), at the stage of conclusion and performance of the agreement. When we obtain data from another source, you will be informed about this separately and clearly.

What Categories of Data Are Processed? 

The Controller processes only regular data, including contact details indicated in Section 1.7.

We do not process special categories of data, i.e. the information that could disclose: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Changes to this Privacy Policy

We reserve the right to change the Privacy Policy, which may be affected by the development of Internet technology, possible changes in the law on Personal Data protection. We will inform about any changes in a visible and understandable way through our website at

External Links

The Application may contain links to other websites. Such websites operate independently of the Application and are not in any way supervised by the Controller. These websites may have their own privacy policies and regulations, and we recommend that you read them.

In case of any doubt about any of the provisions of this Privacy Policy we are at your disposal. You will find our contact details in the Contact section.

Specific Purposes, Grounds and Duration of Data Processing



Where deadlines for data processing are indicated below, they shall be considered as maximum time limits. If the purpose of data processing is “dropped” earlier, the Controller is obliged to and will delete the data earlier. In particular, the data will be deleted or anonymised beforehand.

The purposes pursued through

Contact Form


  • to answer the question and continue the correspondence (based on Article 6(1)(f) of the GDRP, i.e. the legitimate interest of the Controller);
  • to conclude and perform an agreement, if this is covered in the correspondence (based on Article 6(1)(b) of the GDRP);
  • to defend against or pursue a claim (based on: Article 6(1)(f) of the GDRP).


The purposes pursued on the fanpages (company accounts on social media):

Data protection rules for social media accounts (administration of fanpages on Facebook and other social media sites)

Purposes of use of Personal Data: 

  • managing social media accounts; 
  • technical administration of accounts (creation, posts);
  • interactions (public or private messages) with Facebook (or other portal) subscribers and other users;
  • usage statistics.

The basis for data processing:

(as regards obtaining information on other users) – Article 6(1)(f) of the GDRP, i.e. the legitimate interest of the Data Controller. 

Categories of collected data:

The data visible by default on Facebook (or another portal, respectively): 

In particular:

Name or alias;

Profile photo or avatar;

Presentation of messages;


Exchanged messages;

Data made public by the user as part of his/her general Facebook settings;

Data on the use of the platform to create anonymous statistics.

Data source

Facebook users (or other social media site users)

Facebook (or other social media site)

The Controller does not configure the data and has no data about you from cookies stored by Facebook (or other social media site). Statistical data resulting from these cookies are made available to the Controller only in an aggregated (anonymous) form and not in an individualised form. Therefore, only websites (e.g. Facebook) can technically respond to your requests relating to the use of cookies.

Voluntary provision of data

The provision of data is voluntary. The user makes his/her own decisions in this respect. You must be a member of a social network to use personalised information, social networking features or online response services.


Access to data between users is governed by the rules of the social media site in question. 

Transfers outside the EU

The publications will be available outside the European Union due to their presence on Facebook. The data necessary to compile the statistics may be processed outside the European Union in accordance with the data management policy implemented by Facebook (or another social media site). 

Duration of data processing

The data are stored for the duration of the existence of the social media account in question, except for the exercise of the data subject’s right to delete or object.

Collection of Data (including Personal Data) through Cookies or Similar Technologies, including the Processing of Personal Data 


The cookies are small text files that are placed on your computer by websites you visit. They are commonly used to improve the functioning of websites or to increase their performance, as well as to provide information to website owners. The table below explains the cookies we use and why.

We use the following categories of cookies: session and permanent cookies.

  • session files remain on your device until you leave the website or shut down the software (web browser);
  • permanent files remain on the device for the time specified in the file parameters or until they are manually deleted by the user.

Why Does the Controller Use Cookies?

Taking into account the purpose of using the files, the Controller uses two categories of cookies: “required” and “optional” cookies for the following purposes:

1. “Required” cookies – in order and to the extent necessary to display the website correctly. It is about providing basic functions such as security, network management and accessibility. You can turn them off by changing your browser settings, but this may affect the functioning of the website.

For this purpose, permanent cookies may be used on

2. “Optional” cookies:

a) analytical -> to study the preferences of the people using our website for the purpose of improving our website performance;

b) social media plug-ins -> for marketing purposes to display personalised ads on social media pages

For this purpose, session cookies may be used on

The use of this category of cookies is based on your consent.

The data indicated are not combined with information such as your name, email address and other data that makes it possible to easily identify you as a visitor to the website. 

 Analytical cookies (of third parties):

Designation of cookiesFile name

Google Analytics / Provider: Google inc._ga
These cookies are used to collect information about how visitors use our website. We use this information to create reports and help us improve the website. The cookies collect information in a way that does not directly identify anyone, including the number of visitors to the website and blog from which the visitors accessed the website and the pages visited.
Read Google's overview of privacy and data protection at

The data processing is entrusted to the data processor. The data processor agreement is available at:
The service may involve data transfers outside the EEA and Switzerland, mainly to the United States. To this end, Google ensures the security of the data flow through:
- participation in the Privacy Shield program:
Google TagManager
Provider: Google inc.
_gatThis tool is used to manage tags in order to obtain detailed statistics on the use of the Website and to optimise the Website.

You can withdraw your consent at any time and stop the installation and collection of data through cookies. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Controlling and Deleting Cookies

Most browsers offer the option of accepting or rejecting all cookies. You can also easily change cookie settings in your browser settings. Remember that blocking all cookies on the Website may cause difficulties in its functioning or make it completely impossible to use certain functionalities of our Website.

The management and deletion of cookies varies depending on the browser you are using. For more detailed information, please use the Browser Help function or visit, which explains step-by-step how to control and delete cookies in most browsers.

You can see information about individual browsers on the following websites:

To opt out of Google Analytics on all websites, visit:

Usage Data

Even if the cookies are not installed, the website administrator may access the following data characterising the use of the website (hereinafter referred to as: other usage data):

  1. the ID number assigned to the visitor’s device,
  2. markings identifying the telecommunications network termination point,
  3. the ICT system (device type, operating system, web browser) used by an internet user,
  4. information about the start, end and scope of each use of the website.

In order to ensure the highest quality of the website, we occasionally analyse log files to determine: which pages are most often visited, which web browsers are used, whether the website structure is error-free, etc.

The usage data are not combined with information such as your name, email address and other data that makes it possible to easily identify you as a visitor to the website. 

Personal Data Protection

The information collected through cookie mechanism and usage data may constitute Personal Data within the meaning of the GDPR in certain exceptional situations. If the information indicated above is qualified as Personal Data, the Controller is the Personal Data Controller. Even if there are doubts whether a certain category of information belongs to Personal Data, the Controller introduces mechanisms to protect this information in the same way as Personal Data.

The processing of these categories of data to the extent that it is necessary for the correct performance of the website (“required” cookies) is based on the so-called legitimate interest of the Controller (Article 6(1)(f) of the GDPR. In order to do this:

  • log files may be occasionally analysed to determine: which web browsers are used by the visitors to the website; which sections, pages or subpages are the most or the least frequently visited or browsed; whether the website structure is error-free;
  • it may be required to prevent unauthorised access to the website and distribution of malicious codes, interrupt “denial of service” attacks, and prevent damage to computer and electronic communication systems.

In the above cases, you have the right to object (when data are processed under Article 6(1)(f) of the GDRP).

By agreeing to install “optional” cookies (e.g., analytical cookies provided by Google Analytics / marketing cookies), you acknowledge that the information collected in this way will be used to study the preferences of people using our website for the purpose of improving our website performance. In this case, the basis for data processing is Article 173(2) of the Telecommunications Law (Journal of Laws of 2004, No. 171, item 1800) in connection with Article 6(1)(a) of the GDRP. As indicated in Article 174 of the Telecommunications Law, the provisions on the protection of Personal Data apply to obtaining the consent of the subscriber or end user.

You can withdraw your consent and delete cookies from your device at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Data recipients: IT companies providing services to the Controller.

Deletion of Data Collected through Cookie and Usage Data Mechanism

Personal Data will be deleted or anonymised at the latest after the expiration of the period of limitation of potential claims related to the use of the website (no later than 1 year from the date of fixation), or earlier if you make an effective objection. The provision of data is voluntary, but necessary to achieve the above mentioned purposes.