Privacy Policy Moje Sklepy

DEFINITIONS
1. Controller – Innowacyjna Platforma Handlu sp. z o.o. with its registered office in Komorniki, ul. Wiśniowa 11, 62-052 Komorniki.
2. Personal data – information about a natural person who is identified or identifiable by one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity, including device ID, location data, online identifier, and information collected through cookies. genetic, mental, economic, cultural or social identity, including device IP, location data, internet identifier and information collected through cookies and other similar technologies.
3. Policy – this Privacy Policy.
4. Terms and Conditions – the terms and conditions of the Application Program and the IPH Loyalty Program.
5. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
6. User – a natural person who meets the conditions for using the Application specified in the Terms and Conditions and has registered an Account in the Application.
7. Other terms written in capital letters in the Policy that are not defined in sections 1.1. to 1.6. above shall have the meaning given to them in the Terms of Use.
DATA PROCESSING IN CONNECTION WITH HAVING AN ACCOUNT IN THE APPLICATION AND PARTICIPATION IN THE LOYALTY PROGRAM

REGISTRATION OF AN ACCOUNT IN THE APPLICATION AND PARTICIPATION IN THE LOYALTY PROGRAM AND USE OF THE ACCOUNT

In accordance with the Terms and Conditions, in order to use the features available in the Application, including participation in the Loyalty Program available in the Application, it is necessary to register an Account in the Application and create an Account. To register in the Application, the person registering must provide a phone number. In order to facilitate service and enable the Controller to present the User with Offers tailored to the User’s needs and preferences, the User may provide additional data, thereby consenting to its processing. Such data may be deleted at any time. Providing data marked as mandatory is required to create and maintain an Account, and failure to provide such data will result in the inability to register an Account in the Application. Providing other data is voluntary.
If the User places any personal data of other persons in the Application (including their name, address, telephone number or e-mail address), they may do so only on condition that they do not violate applicable law and the personal rights of those persons.
The User’s personal data is processed for the following purposes:
1. enabling the registration of an account in the Application – the legal basis for data processing is the necessity of processing for the performance of a contract for the provision of electronic services via the Application (Article 6(1)(b) of the GDPR),
2. enabling participation in the Controller’s Loyalty Program, maintenance of the Application Account, use of the Application’s functionality, including sharing shopping lists with other Users, as well as preparing and presenting personalized Offers – the legal basis for data processing is the necessity of processing for the performance of a contract for the provision of electronic services via the Application (Article 6(1)(b) of the GDPR), and in the scope of data provided voluntarily – the legal basis for processing is consent (Article 6(1)(a) of the GDPR),
3. handling the complaint process and considering the complaint if a complaint is submitted by the User – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) consisting in the possibility of considering complaints addressed to it in connection with the provision of the Application and Loyalty Program services,
4. analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) consisting in conducting analyses of Users’ activity and preferences in order to improve the functionalities and quality of the services provided, ensure the competitiveness of the Application, and develop a promotional strategy by the Controller,
5. fulfilling the legal obligations incumbent on the Controller under generally applicable law, primarily in the scope of documenting the transfer to the User of benefits related to participation in the Loyalty Program, which obligations are referred to in particular in the provisions of accounting and tax law (Article 6(1)(c) of the GDPR);
6. preventing abuse in the Application – the legal basis for data processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) consisting in detecting and eliminating abuse in the Application,
7. possible establishment and pursuit of claims or defense against them – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) consisting in the defense of its economic interests,
8. for marketing purposes – the rules for the processing of Personal Data for marketing purposes are described in the MARKETING section.

SHARING DATA FROM THE “GROSZEK” OR “EURO SKLEP” APPLICATIONS TO THE MOJE SKLEPY APPLICATION

The Controller provides in the Application the possibility to use the Application’s functionality enabling a simplified registration path to the Application. This functionality is dedicated to existing users of the “Groszek” and “Euro Sklep” applications, which were owned by the Controller’s partner, i.e. Eurocash Sieci Partnerskie Sp. z o. o.
In order to enable the use of this functionality, the Controller collects from Users, in the first step of registration in the Application, statements about their previous use of the Groszek or Euro Sklep applications. If the User declares that they have an account in the Groszek or Euro Sklep application, the Controller verifies this fact. In order to carry out this verification, the Controller provides the User’s telephone number to Eurocash Sieci Partnerskie Sp. z o. o. The legal basis for the processing of data is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) consisting in verifying whether the User previously had an account in the “Groszek” application or in the “Euro Sklep” application.
If a User who previously had an account in the “Groszek” mobile application or in the “Euro Sklep” application consents to the disclosure of their data from the “Groszek” mobile application or the “Euro Sklep” application to the Moje Sklepy application operated by the Controller, the data from these applications will be added to the User’s Account in the Moje Sklepy application. The basis for the processing of the User’s personal data for this purpose is their consent (Article 6(1)(a) of the GDPR).

PUSH NOTIFICATIONS

If you consent to receiving service push notifications, you will receive messages in the form of notifications displayed on your device containing information related to the use of the Application. You may also consent to receiving marketing push notifications containing marketing content about the Controller’s offer and available Offers. For this purpose, the Controller will process the User’s data in the form of the User’s ID and device number. The content of marketing push notifications is tailored to the User’s preferences, determined on the basis of their activity in the Application, including in the Loyalty Program, and the purchase history associated with the Application Card. The legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR) consisting in conducting promotional activities in connection with the User’s consent to receive such communication.

GEOLOCATION

The Controller has provided a feature in the Application that enables the geolocation of the User’s device. The use of this feature is optional and not required for the proper use of the Application. Location data is processed solely for the purpose of selecting the nearest store on the map when setting a favorite store within the “Twój Sklep” functionality. The basis for the processing of this data is the User’s consent (Article 6(1)(a) of the GDPR). The above data is processed once, i.e., the Controller does not process it on an ongoing basis.

CONTACT FORM

The Controller provides the possibility to contact him using the contact form available in the Application. Using the form requires providing an email address as data necessary to contact the User and respond to the inquiry. The User may also provide other data to facilitate contact or handling of the inquiry (in the message), and the User may voluntarily attach a photo, e.g. of the application screen or a receipt, via the form. Providing an email address is required in order to accept and handle the inquiry, and failure to provide it will result in the inability to handle the request. Providing other data is voluntary and constitutes consent to the processing of such Personal Data by the Controller. The Controller will process the User’s Personal Data for the purpose of maintaining contact and handling the request. The legal basis for the processing of data is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) consisting in conducting correspondence, and in the scope of data provided voluntarily via the form (including photos attached by the User to the request), the legal basis for processing is the User’s consent (Article 6(1)(a) of the GDPR).
MARKETING
1. The Controller processes Users’ personal data for the purpose of marketing activities, which may consist of:
  1. displaying marketing content to the User that is not tailored to their preferences (contextual advertising);
  2. displaying marketing content to the User that corresponds to their interests (behavioral advertising);
  3. conducting other types of activities related to the direct marketing of the Controller’s own goods and services and the goods and services of the Controller’s partners (sending commercial information by electronic means and telemarketing activities).
2. CONTEXTUAL ADVERTISING
  1. The Controller processes Users’ personal data for marketing purposes in connection with directing contextual advertising to Users (i.e., advertising that is not tailored to the User’s preferences). The processing of personal data is then carried out in connection with the pursuit of the Controller’s legitimate interest (Article 6(1)(f) of the GDPR) consisting in the Controller directing direct marketing to Users.
3. BEHAVIORAL ADVERTISING
  1. The Controller processes Users’ personal data for marketing purposes in connection with directing behavioral advertising (i.e., advertising that is tailored to the User’s preferences) to Users. The processing of personal data then also includes profiling of Users. The use of personal data collected through this technology for marketing purposes, in particular for the promotion of third-party services and goods, requires the User’s consent. The basis for the processing of this data is the User’s consent (Article 6(1)(a) of the GDPR).
4. DIRECT MARKETING
  1. The User’s personal data may also be used by the Controller to send marketing content to the User through various channels, i.e. via e-mail, MMS/SMS or push notifications. The legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR) consisting in conducting marketing activities in connection with the User’s consent to receive such communication.
ANALYTICAL TOOLS USED BY THE CONTROLLER’S PARTNERS
1. The Controller and its partners use various solutions and tools for analytical purposes. Below you will find basic information about these tools. Detailed information in this regard can be found in the privacy policy of the respective partner.
  1. GOOGLE ANALYTICS: Google Analytics cookies are files used by Google to analyze how the User uses the Application, to create statistics and reports on the functioning of the Application. Google does not use the collected data to identify the User and does not combine this information to enable identification. Detailed information on the scope and rules of data collection in connection with this service can be found at: https://www.google.com/intl/pl/policies/privacy/partners.wyświetlaniu Marketing content tailored to the User’s interests (behavioral advertising);
  2. GOOGLE TAG MANAGER: This tool allows website and application owners to add, modify, and manage tracking codes and other analytics tools on their websites or in their applications. Google Tag Manager works using containers that are placed on a website or in an application and contain all the tags that the website owner wants to implement, making it easier to manage tags on the website or in the application. Google Tag Manager also offers advanced features such as event tracking (e.g., button clicks), content personalization on the website, and the creation of so-called triggers, i.e., conditions that must be met for a tag to be activated. Detailed information on Google’s data processing for the above service is available at: https://www.google.com/analytics/terms/tag-manager/.
  3. CUX.IO: Cux.io is a tool that allows you to learn about and collect information about user behavior in the Application. Personal data is processed to improve the quality of services and functionality of the Moje Sklepy application based on the analysis of user behavior in the Application. When using the cux.io tool, the following data is collected: metadata describing the user’s path, device data, browser language settings, usage interactions, session time in the Application. Detailed information about the above service is available at: https://cux.io/legal/privacy-policy/
OFFERS
1. In order to provide Users with Offers within the Application, the Controller may prepare and provide Users with information about Offers that correspond to the potential needs or expectations of Users. For this purpose, the User’s personal data, including data on their activity and preferences (including purchase history), are processed to create a User profile (profiling). This allows for better matching of the content displayed to the individual preferences and interests of the User.
2. Personalized Offers are prepared in particular on the basis of an analysis of:
  1. the manner of use of the Application, including the Loyalty Program, in particular indicating the goods covered by the Offer preferred by the User,
  2. data on the User’s purchase history using the Application Card,
  3. additional personal data provided by the User (e.g. regarding age), if the User provides such data to the Controller,
  4. other data obtained by the Controller in accordance with the Privacy Policy.
3. The preparation and presentation of personalized Offers to Users in the Application is an integral part of the Application and is one of its basic functionalities – the legal basis for data processing is the necessity of processing for the performance of the contract for the provision of electronic services via the Application (Article 6(1)(b) of the GDPR). A person who does not wish to receive personalized Offers should not create an Account in the Application – in such a case, the consumer has the option of purchasing goods in stores outside the promotions provided in the Application, including outside the Loyalty Program – at regular prices or as part of publicly available promotional campaigns. The User may also opt out of the Application at any time by deleting their Account. For more information on the User’s rights, please refer to the section “RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA” below.
PERIOD OF PERSONAL DATA PROCESSING
1. The period of data processing by the Controller depends on the type of service provided and the purpose of processing. As a rule, data is processed for the duration of the service, until the consent is withdrawn or an effective objection to data processing is raised in cases where the legal basis for data processing is the legitimate interest of the Controller.
2. The period of data processing may be extended if processing is necessary to establish and pursue possible claims or defend against them. After this time, only if and to the extent required by law. After the processing period has expired, the data is irrevocably deleted or anonymized.
RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA

RIGHTS OF DATA SUBJECTS

Data subjects have the following rights:
1. the right to information about the processing of personal data – on this basis, the Controller provides the natural person making the request with information about the processing of data, including, in particular, the purposes and legal grounds for the processing, the scope of the data held, the entities to which they are disclosed, and the planned date of deletion of the data;
2. the right to obtain a copy of the data – on this basis, the Controller provides a copy of the processed data concerning the natural person making the request;
3. the right to rectification – the Controller is obliged to remove any inconsistencies or errors in the Personal Data being processed and to supplement it if it is incomplete;
4. the right to erasure – on this basis, you may request the erasure of data whose processing is no longer necessary for the purposes for which it was collected;
5. right to restriction of processing – upon such request, the Controller shall cease processing Personal Data – except for processing operations for which the data subject has given consent – and storing it, in accordance with the retention rules or until the reasons for restricting the processing cease to exist (e.g. a decision of a supervisory authority authorizing further processing of the data is issued);
6. the right to data portability – on this basis – to the extent that the data are processed by automated means in connection with a contract or consent – the Controller shall provide the data provided by the data subject in a format that allows the data to be read by a computer. It is also possible to request that this data be transferred to another entity, provided that this is technically possible for both the Controller and the designated entity;
7. the right to object to the processing of data for marketing purposes – where applicable, the data subject may object at any time to the processing of Personal Data for marketing purposes without having to justify such objection;
8. the right to object to other purposes of data processing – the User may at any time object – on grounds relating to his or her particular situation – to the processing of Personal Data based on the legitimate interest of the Controller (e.g. reasons related to the protection of property); an objection in this regard should include a justification;
9. right to withdraw consent – if the data is processed on the basis of consent, the User has the right to withdraw it at any time, which, however, does not affect the lawfulness of the processing carried out before its withdrawal;
10. right to lodge a complaint – if the User considers that the processing of Personal Data violates the provisions of the GDPR or other provisions relating to the protection of Personal Data, the User may lodge a complaint with the supervisory authority responsible for the processing of Personal Data, competent for the place of the Data Subject’s habitual residence, place of work or place of the alleged infringement. In Poland, the supervisory authority is the President of the Personal Data Protection Office.
SUBMITTING REQUESTS RELATED TO THE EXERCISE OF RIGHTS
1. Requests concerning the exercise of your rights as a data subject may be submitted:
  1. in writing to the Controller’s address;
  2. by email to: aplikacja@mojpos.pl
2. The request should, as far as possible, specify the subject of the request, i.e. in particular:
  1. which right the person submitting the request wishes to exercise (e.g. the right to receive a copy of the data, the right to delete the data, etc.);
  2. which processing operation the request relates to (e.g. use of a specific service, activity on a specific website, etc.);
  3. which processing purposes the request relates to (e.g. purposes related to the provision of services, etc.).
3. If the Controller is unable to identify the natural person on the basis of the request, it will ask the applicant for additional information. Providing such data is not mandatory, but failure to do so will result in the request being refused.
4. The request may be submitted in person or through a representative (e.g., a family member). For data security reasons, the Controller encourages the use of a power of attorney certified by a notary public or an authorized legal advisor or attorney, which will significantly speed up the verification of the authenticity of the request.
5. A response to the request should be provided within one month of receipt. If it is necessary to extend this period, the Controller shall inform the applicant of the reasons for doing so.
6. If the request was sent to the Controller electronically, the response shall be provided in the same form, unless the applicant has requested a response in another form. In other cases, the response shall be provided in writing. If the deadline for fulfilling the request makes it impossible to provide a written response, and the scope of the applicant’s data processed by the Controller allows for electronic contact, the response shall be provided electronically.
RULES FOR CHARGING FEES
1. The processing of requests is free of charge. Fees may only be charged in the following cases:
  1. a request for a second and each subsequent copy of the data (the first copy of the data is free of charge); in such a case, the Controller may request a fee of PLN 250. This fee covers the administrative costs associated with processing the request;
  2. excessive (e.g. unusually frequent) or clearly unjustified requests are submitted by the same person; in such a case, the Controller may request a fee of PLN 250. The above fee includes the costs of communication and the costs associated with taking the requested actions;
2. If the decision to impose a fee is contested, the data subject may lodge a complaint with the supervisory authority responsible for the processing of personal data, competent for the place of habitual residence of the data subject, his or her place of work or the place where the alleged infringement was committed. In Poland, the supervisory authority is the President of the Personal Data Protection Office.
DATA RECIPIENTS
1. In connection with the provision of services available in the Application, personal data will be disclosed to external entities acting on behalf of the Controller, including in particular suppliers responsible for the operation of IT systems, supporting the application service process or the preparation of marketing offers and promotions. In connection with the use of certain features of the Application, e.g. sharing the User’s shopping lists, some personal data may be disclosed to other users of the Application indicated by that User.
2. The Controller reserves the right to disclose selected information about the User to competent authorities or third parties who request such information, based on an appropriate legal basis and in accordance with applicable law.
OBTAINING DATA FROM EXTERNAL SOURCES
1. If the User declares that they have an account in the “Groszek” mobile application or in the “Euro Sklep” mobile application, the Controller may process the User’s data obtained from Eurocash Sieci Partnerskie Sp. z o. o. regarding information about having an account in the “Groszek” application or in the “Euro Sklep” application in order to verify whether the User actually had an account in the “Groszek” application or in the “Euro Sklep” application.
2. If the User consents to the disclosure of data by Eurocash Sieci Partnerskie Sp. z o. o. to the Controller, the Controller may process the User’s data, including personal data registered in the User’s account in the “Groszek” mobile application or the “Euro Sklep” mobile application operated by Eurocash Sieci Partnerskie Sp. z o. o. The Controller will process them in order to enable the User to use the functionality of the Application enabling a simplified registration path to the Application on the terms described in the Terms and Conditions and in this Privacy Policy.
TRANSFER OF DATA OUTSIDE THE EEA
1. The level of personal data protection outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Controller transfers personal data outside the EEA only when necessary and with an adequate level of protection, primarily through:
  1. cooperation with personal data processors in countries for which an appropriate decision has been issued by the European Commission;
  2. the use of standard contractual clauses issued by the European Commission;
  3. the use of binding corporate rules approved by the competent supervisory authority.
2. The Controller will inform you of its intention to transfer personal data outside the EEA at the time of collection.
CONTACT
1. You can contact the Controller via the Customer Service Office by phone at 539 147 028 or by email at aplikacja@mojpos.pl
2. The Controller has appointed a Data Protection Officer who can be contacted in any matter relating to the processing of personal data via the email address: iod_iph@eurocash.pl or the postal address: Innowacyjna Platforma Handlu sp. z o.o. with its registered office in Komorniki, ul. Wiśniowa 11, 62-052 Komorniki.
CHANGES TO THE PRIVACY POLICY
1. The policy is reviewed on an ongoing basis and updated as necessary.
2. The current version of the Policy was adopted and is effective as of July 1, 2023.