Privacy Policy

1. Cookies Policy

   1. lucky2go Sp.z.o.o., with its registered office at Katowice, 40-085, Adama Mickiewicza 29, entered into the National Court Register kept by the District Court for the capital city of Warsaw, 14th Commercial Division under KRS no.: 0000729174, and holding NIP no.: 634-29-28-642, with a share capital of PLN 5 000, hereinafter referred to as the “Operator”, grants the users of the websites the right to make choices about sharing information concerning them. The Operator informs users that they use cookies and geolocation technology on the websites.
   2. Cookies are small pieces of text information sent by a web server and stored on the user’s end. Default cookies parameters give access to the information gathered in cookies only to the server that creates them.
   3. Cookies are used to gather information related to the user’s activity on the Website. Cookies allow the operator to:
      1. save the user’s session (after logging in), so that the user does not have to enter their login and password again on each subpage of the Website;
      2. adjust the Website’s content to the user’s preferences and optimise the use of websites; in particular, these files help to recognise the user’s device and display a website appropriately and adapt it to the individual needs of the User and the devices they use.
      3. gather anonymous statistical data that help to learn more about the way the users use the Website.
         It helps to improve the Website, its structure and content, based on the users’ expectations.
   4. The Website uses two basic cookie types: session cookies and persistent cookies. Session cookies are temporary files that are stored on the user’s end device until they log out, leave a website or turn off software (the web browser). Persistent cookies are stored on the user’s end device for a period of time specified in the cookies parameters or until they are removed by the user.
   5. As part of the Website, lucky2go Sp. z.o.o. also uses some mechanisms of internal entities, partners, advertisers, in particular, the social media functions of Facebook and Google which are directly related to the storage of these entities’ cookies on the user’s end device.
   6. If the software used for browsing websites (the web browser) enables the storage of cookies on the end device by default, users may change the cookies settings at any time in their web browser (this applies to all types of cookies) or remove these files from their devices. In the case of geolocation services, the user directly agrees to them by accepting the web browser settings.
   7. Restricting the use of cookies may negatively impact some of the functions available on the Website or disable them.
   8. Cookies never include the user’s personal data.
   9. The information stored in cookies or gaining access to it does not result in configuration changes on the user’s end device or the software installed on that device.

2. Personal Data Protection Policy

   1. The text below (the “Personal Data Protection Policy”, hereinafter referred to as the “PDP Policy”) will help you learn why and how long lucky2go Sp. z.o.o. (hereinafter referred to as the “Data Administrator”) will process your personal data. You will find out which entity categories can have access to your personal data and what rights you can exercise in relation to the processing of your personal data. The Policy is closely related to the necessity to follow new requirements concerning the processing of the data, arising from the EU laws on the protection of personal data, i.e. Regulation (EU) 2016/679, also referred to as the GDPR (hereinafter referred to as the Regulation).
   2. The PDP Policy is a part of the lucky2go Sp. z.o.o. Privacy Policy that also regulates the use of cookies.
   3. The PDP Policy refers to the data gathered on a website or an application, as well as through a Call Center.

      The administrator of your personal data - processed for the purposes specified below - is lucky2go Sp. z.o.o., with its registered office at Katowice, 40-085, Mickiewicza 8 street, entered into the National Court Register kept by the District Court Katowice-West in Katowice, 13th Commercial Division under KRS no.: 0000383663, REGON 380073970 and holding NIP no.: 634-29-28-642, with a share capital of PLN 5.000,0 As a part of the User’s use of hotel booking services and assistance in insurance reservation (acting as an Insurer’s agent), the Administrator of the customer's data is eSky.pl S.A. with its registered office in Radom,26-600, Pl. Jagielloński 8, contact address: Murckowska 14a, 40-265 Katowice, and those personal data are processed according to rules defined in Privacy Policy. Lucky2go Sp.z.o.o. remains the independent administrator of data of the service Users for the purposes related to the use of the website and the services provided through it, regardless of the external Partners, and in this scope, the Administrator may process the personal data also obtained for the Partners.

      
      
   4. The Data Administrator has appointed the Personal Data Protection Inspector (hereinafter referred to as the “Inspector”). You may contact the Inspector in all matters related to the processing of your personal data, also if you have any doubts about you rights. The Inspector is obliged to keep their responsibilities confidential - according to the EU or the national law.
       

      Personal Data Protection Inspector: Grzegorz Gawin

      e-mail: dpo@lucky2go.com

   5. The Inspector’s responsibilities:
      1. informing the Data Administrator and the employees who process personal data, about their responsibilities arising from this Regulation and other EU or Member Countries’ laws on the protection of personal data and advise them on this issue;
      2. monitoring adherence to the GDPR, other EU or Member Countries’ laws on the protection of personal data and the policies of the Data Administrator or a processing entity in the field of personal data, including distribution of responsibilities, actions that raise awareness, training the employees that take part in the operations related to data processing or audits connected to that;
      3. offering recommendations on evaluating the effects on data protection upon request and monitoring the protection;
      4. cooperating with a supervising authority;
      5. being a point of contact for the supervising authority in issues related to data processing, including prior consultations, discussed in Article 36, and in relevant cases - leading consultations on all other issues.
   6. The Data Administrator guarantees that they will process your personal data only for precise, clear and justified purposes and they will not process them further contrary to these purposes. The purpose of data processing is the reason why we process your personal data. If the Data Administrator wants to process your personal data for other purposes - not specified below - you will be informed about the new purpose separately. The table below presents the purposes of data processing.

      Purpose	Explanation	Legal basis	Processing length (when will your data be removed)
      Creating an account on the Website according to the terms and conditions (hereinafter referred to as the “Terms and Conditions”).	This relates to data processing that is necessary to create an account at ie.lucky2go.com and use it, for example, to verify the correctness of the data or to review transactions. The process of creating the account is automated. If you experience any problems with creating the account, you can contact the Call Center. Every user is authorized to create the account. No initial verification is required.	Article 6 section 1 letter b) of the GDPR and Article 22 section 2 letter a) of the GDPR	Throughout the period of the account service, however, if the account is not created or removed, the data is archived and will not be used for purposes other than those related to determining, pursuing or defending counterclaims.
      Entering into an agreement on providing service according to the Terms and Conditions.	Regardless of whether you create the account at ie.lucky2go.com or you are an unregistered user, you can use services according to the Terms and Conditions, e.g. book a ticket or make a hotel reservation. Personal data gathered in the process of ordering a service are processed (e.g. they will be shared with airlines or other service providers, e.g. eSky.pl SA) to finalize the service. The agreement may also be concluded through the Call Center. The agreement is executed automatically. Every user is authorized to conclude the agreement. No initial verification is required.	Article 6 section 1 letter b) of the GDPR and Article 22 section 2 letter a) of the GDPR	Throughout the period of the service and until the statute of limitations on the counterclaims expires, however if the agreement is not concluded and the service is not provided according to the Terms and Conditions or after the period of provision of the service expires, the data will be archived and will not be used for purposes other than those related to determining, pursuing or defending counterclaims.
      Performing the obligations under the agreement on providing service according to the Terms and Conditions.	Regardless of whether you create the account at ie.lucky2go.com or you are an unregistered user, you can use services according to the Terms and Conditions, e.g. book a ticket or make a hotel reservation. Personal data gathered in the process of ordering a service are processed (e.g. they will be shared with airlines or other service providers, e.g. eSky.pl SA) to perform the obligations under the agreement. You may also select additional options while ordering a service (according to the Terms and Conditions), if you select these options, your data will also be processed for the purposes of providing this additional service. The agreement is concluded automatically unless the service is operated by Call Center. Every user is authorized to receive the service. No initial verification is required.	Article 6 section 1 letter b) of the GDPR and Article 22 section 2 letter a) of the GDPR	Throughout the period of the service and until the statute of limitations on the counterclaims expires, however if the agreement is not concluded and the service is not provided according to the Terms and Conditions or after the period of provision of the service expires, the data will be archived and will not be used for purposes other than those related to determining, pursuing or defending counterclaims.
      For the eSky marketing purposes.	If marketing is done through emails - you will be asked to give additional permission - see details below. In such a case, the data accessed from the account or during the transaction process and while the service is being provided and for this period. The indicated purpose may be achieved by displaying a personalized advertisement based on profiling. According to the GDPR, profiling is any form of automated personal data processing that involves the use of personal data for evaluation of personal aspects of a natural person, in particular for analysis or prognosis of the aspects related to this natural person’s performance at work, their financial situation, health, personal preferences, interests, credibility, behaviour, location and movement;	Article 6 section 1 letter f) of the GDPR	Until objection is made and after it is made only for the purposes of defence against claims (throughout the statute of limitations on the claims arising from infringement of personal interests).
      For the purposes of achieving public and legal (e.g. taxes) responsibilities related to the agreement on providing service according to the Terms and Conditions.	This refers to the performance of obligations assigned to the Data Administrator under Polish law	Article 6 section 1 letter c) of the GDPR	Until the statute of limitations on the public and legal obligations (e.g. taxes) expires.
      For the purposes of keeping the Website safe.	This is about preventing unauthorized access to the electronic communication network and sharing malicious codes, stopping attacks, such as “service denial” and protecting computer systems and electronic communication network from damage.	Article 6 section 1 letter f) of the GDPR	Until an effective objection is made (see details below) or until the statute of limitations on counterclaims expires, e.g. those related to breach of safety rules on the Website -> whichever event occurs first.
      For the purposes of a statistical analysis, including a financial analysis, and using its results to improve the quality of the services offered by the Data Administrator.	The analysis is performed “manually”. The analysis aims to identify transactions that constitute a breach of the agreement (without the intention of payment) for the purpose of pursuing the rights by the Data Administrator.	Article 6 section 1 letter f) of the GDPR	Until an effective objection is made or until the statute of limitations on counterclaims expires, e.g. those related to breach of safety rules on the Website -> whichever event occurs first.
      For the purposes of sending the newsletter.	In such a case, you will be asked for additional permission and to provide your email address. In such a case, the data accessed from the account or during the transaction process and while the service is being provided and for this period. The indicated purpose may be achieved by displaying personalized advertisements based on profiling. According to the GDPR, profiling is any form of automated personal data processing that involves the use of personal data for evaluation of personal aspects of a natural person, in particular for analysis or prognosis of the aspects related to this natural person’s performance at work, their financial situation, health, personal preferences, interests, credibility, behaviour, location and movement;	Article 6 section 1 letter a) of the GDPR	Until the permission is withdrawn and after it is withdrawn only for the purposes of defence against claims (throughout the statute of limitations on the claims arising from infringement of personal interests).
      For the purposes of sending “price alerts”.	In such a case, you will be asked for additional permission and to provide your email address. In such a case, the data accessed from the account or during the transaction process and while the service is being provided and for this period. The indicated purpose may be achieved by displaying a personalized advertisement based on profiling. According to the GDPR, profiling is any form of automated personal data processing that involves the use of personal data for evaluation of personal aspects of a natural person, in particular for analysis or prognosis of the aspects related to this natural person’s performance at work, their financial situation, health, personal preferences, interests, credibility, behaviour, location and movement;	Article 6 section 1 letter a) of the GDPR	Until the permission is withdrawn and after it is withdrawn only for the purposes of defence against claims (throughout the statute of limitations on the claims arising from infringement of personal interests).
      For the purposes of displaying the so-called web push.	In such a case, you will be asked for additional permission. Web push delivers a question to the User that will appear in the address bar and will ask the User for his permission to receive web push notifications. The User may accept or block the notifications. The content of notifications is created by the browser and interference is not permitted.	Article 6 section 1 letter a) of the GDPR	Until the permission is withdrawn and after it is withdrawn only for the purposes of defense against claims (throughout the statute of limitations on the claims arising from infringement of personal interests).
      For the purposes of geolocation that is used to display personalized advertisements.	In such a case, you will be asked for additional permission.	Article 6 section 1 letter a) of the GDPR	Until the permission is withdrawn and after it is withdrawn only for the purposes of defense against claims (throughout the statute of limitations on the claims arising from infringement of personal interests).
      For the purposes of performing the obligations related to the enforcement of the laws specified in the GDPR.	In such a case, the data are processed only within the scope that is necessary to identify and verify the identity of the person who makes the request.	Article 6 section 1 letter c) of the GDPR	For the purposes of defense against claims, throughout the statute of limitations on the claims arising from infringement of personal interests.
      For the purposes of determining, pursuing or defending against counterclaims related to: - providing services according to the Terms and Conditions (within this scope, processing complaints); - performing obligations arising from the GDPR (to adhere to the regulations).	In such a case, the data is processed only within the scope necessary for the purposes of investigation, determining the claims or defending against the claims.	Article 6 section 1 letter f) of the GDPR	Throughout the statute of limitations on the claims, both the claims against the Data Administrator and those assigned to the Data Administrator.

   7. If your personal data is processed on the basis of the permission, you can withdraw it at any moment. You can withdraw the permission in the Data Administrator’s headquarters or by completing the appropriate form at ie.lucky2go.com (section: Contact). Withdrawing the permission does not impact the compliance with the law of the processing done until the permission is withdrawn. If the permission is withdrawn, the Data Administrator will determine if they still have the basis for data processing. In such a case, further data processing is possible for the purposes of defense against claims (e.g. through indicating that the right to withdraw the permission has been exercised) and only within the scope necessary for this purpose.
   8. Please remember that each time personal data is processed, pursuant to Article 6 section 1 letter f) of the GDPR (see details above) or in the case of the so-called reasonable interest of the Data Administrator, you can make objection at any time - for reasons related to a specific situation - to the processing of personal data. After making the objection, the Data Administrator will not be able to process personal data any longer, unless they prove the existence of important, legally justified bases for data processing, superior to the interests, laws, and freedoms of the person whose data is being processed, or bases for determining, pursuing or defending claims.
      
      Most importantly, in cases of personal data processing, pursuant to Article 6 section 1 letter f) of the GDPR (see details above), for lucky2go marketing purposes, the objection does not have to be justified with a specific situation and the Data Administrator will not be able to process personal data, pursuant to Article 6 section 1 letter f) of the GDPR, after the objection is made, for lucky2go marketing purposes, within the scope the data were processed before.
      
      You can withdraw the permission in the Data Administrator’s headquarters or by completing the appropriate form at ie.lucky2go.com (section: Contact).
   9. Apart from the right to withdraw the permission and make objection, you have the right to access, copy, transfer, correct and remove the data and limit their processing, as well as the right to refuse to be subject to a decision that is based only on the automated processing, including profiling, and that has legal consequences or affects it significantly in any other way.
      You can exercise the above laws in the Data Administrator’s headquarters or by completing the appropriate form at ie.lucky2go.com (section Contact).
      You can also correct the data by accessing your account.
      You can also delete your account at any time after logging in to the User’s Zone, according to the Terms and Conditions or by submitting a request at the Data Administrator’s headquarters or by completing the appropriate form at ie.lucky2go.com (section: Contact).
   10. We will collect personal data directly from you (through the account, during the transaction process etc.). The data may be gathered from other sources only for the purposes of operating the service. This refers to the information gathered from the entities that operate the service that you ordered (airlines, hotels etc.). The scope of the data covers only the information that is necessary to confirm the order payment.
   11. Providing personal data is always voluntary, however, it is necessary to fulfill the above purposes.
   12. Personal data processed for the purposes of operating the service according to the Terms and Conditions are shared with the entities that provide a service selected by the User, including their subcontractors, e.g. airlines, hotels, insurance providers, payment intermediaries, GDS (Global Distribution System), eSky.pl SA (handling complaints and Call Center), providing tools for handling the transaction process related to the ordering services and marketing infrastructure, etc. Regardless of the purpose of data processing, the only persons that can access your personal data will be the authorized employees and the Data Administrator’s subcontractors who signed the appropriate data transfer agreements with the Data Administrator (please contact the Personal Data Protection Inspector for more details).