logo
Customer service
Eng

PRIVACY POLICY
OF WEBSITE BUSFOR.PL AND MOBILE APPLICATION NAMED: BUSFOR – BUS TICKETS


I. GENERAL INFORMATION

This document sets forth the principles related to processing of personal data provided at the website busfor.pl, mobile application named: Busfor – bus tickets and related to the so-called cookies and the so-called local storage within such website and application. Users of website: busfor.pl and mobile application named: Busfor – bus tickets, may provide their personal data during the use of the webiste and the application. The purpose of this document is to inform about the issues regarding, first of all, the processing of the personal data provided in this manner and, secondly, the so-called cookies and the so-called local storage.

II. DEFINITIONS
  1. Operator - a company under business name: Busfor.pl Spółka z ograniczoną odpowiedzialnością with its registered office under the following address: ul. Staromiejska 6/10d, 40-013 Katowice, entered into the Register of Entrepreneurs of the National Court Register under KRS number 0000616444, for which registration files are maintained by the District Court Katowice - Wschód in Katowice, 8th Commercial Division of the National Court Register, NIP (Tax Identification Number): 9542765034, REGON (National Business Registry Number): 364357119, telephone: +48 (22) 307 7104 help@busfor.pl dpofficer@busfor.com, with share capital in the amount of PLN 15,000.00 (fully paid-up);
  2. Website – shall mean jointly: Operator's website available at: busfor.pl (webpages functioning in busfor.pl domain) and Operator's mobile application named Busfor – bus tickets;
  3. Privacy policy – this document;
  4. Customer - each entity using the Website (that is every person that views the Contents provided on the Website, in particular each entity with whom a Contract of Carriage can be concluded, according to the laws and the regulations of the Website) and each entity whose data are provided on the Website to purchase the Ticket;
  5. Carrier – an entity providing carriage services, with whom the Operator has concluded an agency agreement for the sale of tickets through the Website, and thus, with whom the Customer concludes the Contract of Carriage with the Carrier;
  6. Contract of Carriage – a contract for carriage by bus or any other similar means of transport, concluded by the Customer with the Carrier through the Website, where the conclusion confirmation is the ticket;
  7. Contents – contents posted on the Website by the Operator in any form, including in particular graphic, text, sound, audio-visual, photographic forms, which constitute trademarks, irrespective of whether they constitute a work or a subject of related rights, according to the applicable laws;
  8. GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L. of 2016 No. 119);
  9. Services – services provided electronically by the Operator, consisting in the provision of Contents at the Website, including a search engine for proposed bus connections offered by Carriers, as well as consisting in making reservations of Tickets for the time specified on the Website, offering the opportunity to purchase Tickets, to download purchased Tickets, to return Tickets, to check the information about the trip, to send an opinion about the trip, or other services provided on the Website;
  10. Ticket – a personal document confirming the conclusion of a Contract of Carriage with a specific Carrier through the Website, authorising to travel by bus or any other similar means of transport of the Carrier, according to the specifications provided on a specific Ticket.
III. PERSONAL DATA
  1. CONTROLLER AND CONTROLLER’S CONTACT DETAILS
    1. The Controller of Customers’ personal details provided in order to purchase the Ticket on the Website on the form for the purchase of the Ticket including: first name, patronymic (if applicable), last name, date of birth, sex, e-mail address, telephone number, nationality, passport number and series, is the Carrier with whom the specific Contract of Carriage is concluded.

      The scope of data required in order to purchase specific Tickets on the Website may differ depending on many factors, such as, in particular: requirements of a specific Carrier with whom the Contract of Carriage is concluded or the direction of the travel (it may also depend on the legislation of the transit countries through which the route goes and the country of destination).

      Carrier's data, including contact data, which can be used to contact the Carrier, are provided every time in the information on the specific route (which appears after entering in the search engine an inquiry concerning a specific route, before the purchase of the Ticket) and on the Ticket. The Operator makes every effort to ensure that the Carrier's data are specified in full in the aforementioned locations, and in case of any deficiencies in this respect, the Operator will provide the Customers with the missing data of the Carrier via e-mail: dpofficer@busfor.com.

      The aforementioned data are processed by the Operator for the purposes of conclusion and execution of the Contract of Carriage under an agreement for data processing concluded by the Operator with the specific Carrier.
    2. The Controller of personal data of Customers provided on the Website and including: first name, patronymic (if applicable), last name, date of birth, sex, e-mail address, telephone number, nationality, passport number and series, country of residence (only for the application), IP address, for the purposes of Service provision and in case of granting such express consent by the Customer - for the purposes of receiving commercial information from the Operator - shall be the Operator (full data of the Operator are specified in sec. II(1) hereof).
      Customers may contact the Operator in matters concerning personal data:
      1. electronically to the Operator’s e-mail address: dpofficer@busfor.com;
      2. in writing to the address of the Operator’s registered office: www.busfor.pl Sp. z o.o., ul. Staromiejska 6/10d, 40-013 Katowice.
  2. PURPOSES OF PERSONAL DATA PROCESSING AND LEGAL BASES FOR PROCESSING

    Personal data of Customers are processed for the following purposes and based on the legal bases mentioned hereinbelow:

    1. in case when the Carrier is a controller - personal data are processed for the purposes related to the conclusion and execution of the Contract of Carriage, and in such case the legal basis for processing is the necessity of processing for the contract execution or to take actions at the request of the data subject before the conclusion of the contract (Art. 6(1)(b) of GDPR);
    2. in case when the Operator is a controller - personal data are processed for the purposes of the provision of services electronically within the scope of provision of Contents to the Customers and the provision of Services, and in such case the legal basis for processing is the legitimate interest of the Operator (Art. 6(1)(f) of GDPR) consisting in the provision of Contents for the purposes of the operated business activity, or necessity of processing for the contract execution or to take actions at the request of the data subject before the conclusion of the contract (Art. 6(1)(b) of GDPR);
    3. in case when the Operator and the Carrier are controllers - in case of contacting the Operator or the Carrier via their e-mail addresses (in case of the Operator - provided on the Website) or contacting the Operator or the Carrier to the telephone numbers provided by them (in case of the Operator - to the telephone number provided on the Website), in matters not related to Services and Contracts of Carriage - personal data are processed for the purpose of communication and settlement of the case that such contact concerns, and in such situation the legal basis for processing is the legitimate interest of the Operator or the Carrier (Art. (6)(1)(f) of GDPR), consisting in conducting correspondence and settling the case in connection with the operated business activity;
    4. in case when the Operator and the Carrier are controllers - in case of contacting the Operator or the Carrier via their e-mail addresses (in case of the Operator - provided on the Website) or contacting the Operator or the Carrier to the telephone numbers provided by them (in case of the Operator - to the telephone number provided on the Website), in matters related to Services or Contracts of Carriage - personal data are processed for the purposes related to the performance of Services or the Contract of Carriage, and in such situation the legal basis for processing is the necessity of processing for the contract execution or to take actions at the request of the data subject before the conclusion of the contract (Art. 6(1)(b) of GDPR);
    5. in case of the Operator as a controller - in case when the Customer subscribes to a newsletter - personal data are processed in order to send commercial information electronically by the Operator, and in this case the legal basis for processing is the consent of the data subject (Art. 6(1)(a) of GDPR);
    6. in case of the Operator as a controller - personal data are processed for analytical and statistical purposes, and in this case the legal basis for processing is the legitimate interest of the Operator (Art. 6(1)(f) of GDPR) consisting in conducting analyses of activity of Customers, as well as their preferences, in order to improve the used functionalities and to improve the use of the Website, as well as to create an offer for Customers that fits them best;
    7. in case of the Carrier as a controller - personal data are processed for analytical and statistical purposes, and in this case the legal basis for processing is the legitimate interest of the Carrier (Art. 6(1)(f) of GDPR) consisting in conducting analyses of activity of Customers, as well as their preferences, in order to improve the provided services and to create an offer for Customers that fits them best;
    8. in case of the Operator and the Carrier as controllers - personal data are processed in order to possibly establish and enforce claims or to defend against them on the part of the Carrier or the Operator, and in this case the basis for processing is the legitimate interest of the Carrier or the Operator (Art. 6(1)(f) of GDPR) consisting on the protection of the rights of the Carrier or the Operator;
    9. in case of the Operator and the Carrier as controllers - personal data are processed for the purposes of direct marketing related to own products and services of the Carrier or the Operator, in this case the Operator - selecting them in terms of the preferences or location of the Customer with the assistance of profiling, and in this case the basis for processing is the legitimate interest of the Carrier or the Operator (Art. 6(1)(f) of GDPR) consisting in the marketing of own services and products of the Carrier or the Operator, or the consent of the data subject (Art. 6(1)(a) of GDPR), in this case specified in sec. 5) hereinabove;
    10. in case of the Operator and the Carrier as controllers - compliance with their legal obligations (Art. 6(1)(c) of GDPR), including providing answers to inquiries in situations resulting from applicable laws and performance of the activities provided for in laws.
  3. OBLIGATION TO PROVIDE DATA AND CONSEQUENCES OF FAILURE TO PROVIDE PERSONAL DATA

    The provision of personal data by the Customer is voluntary, however, it is necessary (required), as failure to provide personal data by the Customer:
    1. in the process of concluding the Contract of Carriage - prevents the conclusion of the Contract of Carriage with the Carrier;
    2. during the execution of the Contract of Carriage - prevents the fulfilment of the Customer's requests in the course of the execution of the Contract of Carriage;
    3. in case of will to read the Contents on the Website - prevents or limits the possibility of viewing such Contents;
    4. in case of contacting via e-mail address or to telephone numbers of the Carrier or the Operator - may prevent providing an answer to an inquiry or the performance of the activities expected by the Customer in response to the contact, and thus, it is a requirement for the purposes of full execution of the response and the contact;
    5. in case of the Customer's will to use the Services provided on the Website - prevents the performance of a given Service according to the request of the Customer, and thus, provision of such data constitutes a requirement for the purposes of the performance of a specific Service for the Customer;
    6. in case of the Customer's will to receive commercial information electronically - prevents the receipt of such information by the Customer, and thus, constitutes a requirement for the purposes of receiving such information.
  4. RIGHTS OF CUSTOMERS RELATED TO PERSONAL DATA

    In connection with personal data processing by the Carrier and the Operator as controllers, the Customer shall have the right, under the principles described in detail in GDPR, to:

    1. request access to personal data

      (i.e. to obtain information on the personal data processing, including in particular on the purposes and legal bases of processing, the scope of the possessed data, entities to which personal data are disclosed and the planned date of their deletion and to receive a copy of such data);

    2. have personal data rectified

      (i.e. to correct the incorrect personal data, including when the data are outdated, erroneous or incomplete);

    3. delete personal data (“right to be forgotten”)

      (i.e. to request the deletion of data in cases specified in GDPR, i.e. in particular: when the data are no longer necessary for the purposes for which they were collected or processed otherwise, to withdraw the Customer's consent for data processing (providing that the Carrier or the Operator does not have the right to process data under any other legal basis); when the data are processed against the law; the necessity of deleting the data results from the legal obligation of the Carrier or the Operator);

    4. limit personal data processing

      (i.e. to request the limitation to data processing in cases stipulated in GDPR; in case of making such a request to the Carrier or the Operator - the Carrier or the Operator, respectively, shall be obliged to limit operations on personal data within the scope and under the principles set forth in GDPR, generally to their storage);

    5. object to personal data processing

      (i.e. to object personal data processing based on the legitimate interest of the Carrier or the Operator, in the manner binding for the Carrier or the Operator, providing that there are no other prevailing legally legitimate bases for data processing by the Carrier or the Operator.
      In particular, the Customer shall have the right to object to data processing for the purposes of direct marketing);

    6. transfer personal data

      (i.e. to obtain from the Carrier or the Operator of the Customer's personal data provided to the Carrier or the Operator or to identify a different controller to which the Carrier or the Operator should transfer such data, providing that it is technically feasible);

    7. withdraw the consent for data processing at any time, however without impact on the legality of processing performed based on the consent before its withdrawal;
    8. lodge a complaint with a supervisory authority

      (i.e. with the President of the Personal Data Protection Office in case when the Customer decides that personal data processing violates applicable regulations concerning personal data protection).

  5. RETENTION PERIOD FOR THE PERSONAL DATA

    The period of data retention by the Carrier and the Operator depends on the type of the service provided and the processing purpose. As a rule, personal data shall be retained for the period of the Service provision by the Operator or the execution of the Contract of Carriage and for the period resulting from the limitation of claims, consumer rights, accounting practices or other rights or obligations under applicable laws.

    Personal data processed for the purposes of direct marketing are generally processed until an objection is raised with respect to their processing for such purpose, or until the consent is withdrawn (if the processing of such data is performed under the consent granted).

  6. RECIPIENTS OF PERSONAL DATA

    The recipients of personal data may be external entities, including in particular providers of IT services, entities serving payments (PayU S.A. with its registered office at the following address: ul. Grunwaldzka 18, 60-166 Poznań), entities providing accounting and legal services, entities providing marketing services, as well as entities to which the Carrier or the Operator is obliged to provide the personal data under mandatory rules of the law.

  7. TRANSFER OF DATA TO A THIRD PARTY OR AN INTERNATIONAL ORGANISATION

    For the purposes of the performance of Services or the Contract of Carriage, personal data may be transferred, under Art. 46(2)(c) of GDPR or Art. 49(1)(b) of GDPR, to third countries within the meaning of GDPR (other than members of the EEA).

    The aforementioned transfer to a third country within the meaning of GDPR may result in particular from the fact of cooperation of the Operator with related entities and service providers based outside the EEA, and it may also result from the fact that Carriers executing specific Contracts of Carriage on the territory (in full or in part) of such countries are based in third countries within the meaning of GDPR.

    Personal data may be transferred to third countries within the meaning of GDPR, which the European Commission considered as not providing an adequate level of protection (under the principles described in GDPR), such as Belarus, Russia, Ukraine, the USA, Moldavia, Armenia, Serbia, Georgia, Montenegro, Kazakhstan. The list of third countries within the meaning of GDPR specified in the previous sentence may be ultimately extended together with the extension of the scope of cooperation of the Operator with the aforementioned entities, as well as with the extension of the list of Carriers, and in such case the Operator will update the privacy policy.

    A trip to a specific third country within the meaning of GDPR is generally linked to the processing of personal data of the Customer in such third country within the meaning of GDPR.

    In principle, the transfer to the aforementioned countries will take place if it is necessary for the execution of the contract between the Customer and the Carrier or the Operator or if it is necessary for the implementation of pre-contractual measures taken at the Customer's request (Art. 49(1)(b) of GDPR).

    In addition, in order to ensure an adequate level of protection of the personal data transferred to the countries which the European Commission considered as not providing an adequate level of protection, standard contractual clauses will be applied concerning data protection adopted by the European Commission, as referred to in Art. 46(2)(c) of GDPR. The clauses are available at the website of the European Commission (ec.europa.eu) or at the Operator's (in the manner described in sec. III(1.2)). The aforementioned provision applies in particular to the entity operating under business name: Google LLC based in the United States of America.

  8. AUTOMATED DECISION-MAKING, INCLUDING PROFILING

    In order to execute some marketing operations of the Operator, including the behavioural advertisement, the Operator may use the so-called profiling, and thus, through automatic data processing, perform the assessment of selected factors concerning Customers in order to analyse their behaviour or create a forecast for the future. Behavioural advertising consists in displaying advertisement contents for the Customer, which correspond to his/her interests or location, i.e. it consists in displaying a personalised advertisement that suits the preferences or the location of the Customer. 

    In case of a behavioural advertisement, data processing (in particular data collected through Cookies/Local storage) may also include profiling of Customers, and the prerequisite for such processing is the consent for using Cookies/Local storage, which may be withdrawn at any time (more information on Cookies/local storage and the mentioned consent is provided in sec. IV hereof). Withdrawal of the consent concerning Cookies/Local storage will result in the cessation of the aforementioned profiling.

    Processing data in an automated manner (including in the form of profiling) will not have any legal effect for Customers and will not have any significant impact on the situation of Customers.

  9. CATEGORIES OF PERSONAL DATA

    In case when the Customer provides personal data of another Customer in order to purchase a Ticket for such another Customer, within the functionalities available on the Website and in accordance with the regulations of the Website, personal data of such another Customer are processed in accordance with the principles set forth in the Privacy Policy with respect to: first name, patronymic (if applicable), last name, date of birth, sex, e-mail address, telephone number, nationality, passport number and series.

    The scope of data required in order to purchase specific Tickets on the Website may differ depending on many factors, such as in particular: requirements of a specific Carrier with whom the Contract of Carriage is concluded or the direction of the travel (it may also depend on the legislation of the transit countries through which the route goes and the country of destination).

IV. COOKIES AND THE SO-CALLED LOCAL STORAGE
  1. Cookies are IT data, in particular small text files, saved and kept on electronic devices (so-called terminal devices), through which the Customer uses the Website. Cookies files usually include the name of the website which they come from, duration of its existence and its unique number.

    Within the Website, apart from Cookies, the so-called Local Storage technology is also used. It is technology similar to Cookies, used for the storage of data saved during the use of the Website, in a separate part of the memory of a browser. Access to the aforementioned data can be obtained only by the website from which the data were saved in the browser. Such data are stored for a long term by the browser and they are not deleted after it is closed and they do not have limited duration of validity.

    Whenever in this part IV hereof a reference is made to Cookies, it shall be understood also as Local Storage.
  2. During the use of the Website, the information is stored in the browser in the form of Cookies. Cookies store data concerning the method of using the Website (identifier, date of visit, etc.). Cookies facilitate the use of the Website by means of different functions (for instance recognition of the visitor). In addition, they enable better customisation of the offer to the needs of Customers. The function of saving Cookies and removing the already existing ones can be disabled by selecting relevant options in the settings of the browser. In the help section of majority of browsers it is described how to introduce changes in the browser's settings from the point of view of Cookies. The Operator indicates that if the Customer does not accept Cookies, it may have a negative impact on the operation of the Website on the device with which the Customer uses the Website.
  3. The Operator uses Cookies of other service providers for the use of retargeting and remarketing technologies, which make it possible for the Operator to customise the offer to the Customer's needs.
  4. By means of Cookies, the Operator may collect data on the devices that the Customer uses, as well as on the networks that the Customer is connected to during the stay on the Website. Such data include, inter alia: IP address; data provided during login to My Account tab; Internet browser; operating system; processor speed; identifier for advertisement display; webpages visited on the Website, time spent on individual webpages of the Website; URL clickstream on webpages of the Website; errors in the Website. The Operator may collect such data and adapt the Website to the needs of Customers. During such operations data are encrypted, and anonymity of Customers is retained.
  5. Google AdWords. The Operator uses the technology of Google Inc. (based at 1600 Amphitheater Parkway, Mountain View, CA 94043, USA, hereinafter - Google) to create usage profiles in a pseudomised form in order to optimise marketing and the offer of products, with the information on the manner in which Customers view pages. For this purpose Cookies are used, which allow for the identification of the browser during the next visit. The saved browsing behaviours are analysed with the use of an algorithm so that external webpages could display offers of products in the form of banners or advertisements, depending on the interests of Customers. Profiles of Customers in a pseudomised form are not stored together with the personal data of the pseudonym without separate and express consent of the data subject. The Customer may withdraw his/her consent for the creation of pseudomised usable profiles in order to provide advertisements adjusted to the interests of the Customer at any time by visiting https://adssettings.google.pl/authenticated. More information on the advertisements customised to the interests of Customers can be found at http://www.google.com/policies/technologies/ads/.
  6. Facebook, Groups of non-standard recipients. The Operator uses pixel technology to redirect groups of non-standard users of Facebook based at 1601 South California Avenue, Palo Alto, CA 94304, in the USA. Using the pixel, Facebook may assign visitors to the Website to target groups for advertisements on Facebook. For this purpose, Facebook Cookies file is saved on the Customer's device. More information on the scope and purpose of collecting data and further processing and using of data by Facebook, as well as the possibilities of setting privacy protection settings can be found in the Guidelines on the personal data protection at https://facebook.com/policy.php and https://www.facebook.com/ads/settings. Users with accounts on Facebook may block the option of nonstandard groups of addressee for their profiles at http://www.youronlinechoices.com.
  7. Google Analytics. The Operator uses Google Analytics, an internet tools for statistics analysis of Google. Google Analytics use Cookies in the form of text files stored on the Customer's device, which allow for the analysis of the method of using the Website. In addition, this webpage uses API interface of the Customer of Google AMP Client ID to combine the activity of users on webpages of AMP with their activity on webpages other than pages of AMP through Google Analytics. Google tracking codes on this webpage use "_anon” function.