Listonic Services, Kupony Żbik
- AdID – unique identification numbers of mobile devices and the User using the mobile device, fixed for this User during the use of the Internet and mobile applications, allowing the User’s online activity to be tracked; the AdID number of a given User is visible to all entities and can be used to track the User’s online activity, preferences and behavior by various entities, and then this information may be exchanged by various entities and supplemented; AdID can be disabled by the User, in which case it is no longer possible to track the User’s online activity; after reactivation, a new AdID will be assigned, different from the one previously used;
- Accounts – Listonic Account and Kupony Żbik Account
- Kupony Żbik App – Kupony Żbik service available as a mobile application for smartphones, tablets and other mobile devices running iOS or Android operating system
- Kupony Żbik Web – Kupony Żbik service available at kupony.pl
- Listonic App – Listonic Service available as a mobile application for smartphones, tablets and other mobile devices running the iOS, Android or Windows operating system
- Listonic Web – Listonic Service available at listonic.com
- localStorage – a tool for storing information in the Internet browser on the User’s side, also after closing the browser, used to store information about this User and to provide Services offline. Files placed in localStorage are stored indefinitely and can be deleted from the browser by the User. Only the entity (domain) that has placed localStorage in User’s browser can access the data stored in the localStorage;
- Cookies – small text files sent by a web server and saved on the User’s side (usually on a hard disk). The default parameters of cookies are set so only the Server that created them can read the information they contain. Cookies are most commonly used for counters, polls, online shops, webpages that require login, advertising and visitor activity monitoring.
- Cookies or other similar technologies – Cookies or other tools used in web browsers and applications, such as localStorage, AdID, for similar purposes, i.e. collecting, recording, storing information about Users’ activity. For the sake of clarity, all such tools are collectively referred to as “Cookies or similar technologies”.
- Terms and Conditions – Terms and Conditions for the provision of Listonic services and Terms and Conditions for the provision of the Kupony Żbik service
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- Website – all tools used to provide Services referred to in Terms and Conditions, including software: Listonic.pl webpage, Listonic Web, Listonic App, Listonic Buttons, Kupony Żbik webpage, Kupony Żbik Web, Kupony Żbik App, or any other tools or places of providing the Services
- Retailers – distribution chains that signed an agreement with the Service Provider on the provision of the Listonic Gazetki Promocyjne service, i.e. with respect to informing about the current promotional offer of these chains presented in promotional leaflets, including Lidl, Biedronka, Tesco, Makro, Intermarche, Lewiatan, Delikatesy Centrum, Rossmann, Hebe
- Webpages – the Service Provider’s webpages available at listonic.pl and kuponyzbik.pl
- Services – all services provided pursuant to the Terms and Conditions
- Service Provider – “Listonic” Sp. z o.o. with its registered office in Łódź, ul. Żeromskiego 46/4/21, entered by the District Court for Łódź Śródmieście in Łódź into the National Court Register under the number 0000326899
- Authentication – entering the correct login and password to sign in to the Listonic Account or the Kupony Żbik Account; authentication is both the use of the login data provided upon registering with the Services via e-mail address and password setup, as well as signing in using the Facebook or Google+ login.
- User – a natural person using the Services
- user – a natural person using services provided online by entities other than the Service Provider.
The Service Provider protects all information about Users in accordance with the GDPR, in particular their e-mail address, other data included in the Accounts, Shopping Lists, e-mail addresses and other data of Users with whom the User shares Shopping Lists, the use of the Listonic Button, coupon scans, age, bank account number, information on cash bonuses obtained, the use of the “Like” button, the content of correspondence exchanged with Users, information on the methods of using the Services, and so on.
The Service Provider also protects other information about the User obtained as a result of visiting Webpages, Facebook Fan Page and other webpages, i.e. information about Users’ online activity and mobile applications use, collected based on:
- information on the use of listonic.pl Website, Listonic Web, kuponyzbik.pl and Kupony Żbik Web, including Cookies or similar technologies installed in connection with the use of the abovementioned webpages;
- information on the use of the Listonic App Website and Kupony Żbik App, including information on Users’ AdIDs.
Some of this information may not contain any data that discloses the identity of Users, but since it relates to the Users’ activity clearly defined by Cookies or other similar technologies, the Service Provider protects all information about Users, regardless of the information about their identity, ensuring that the right to privacy of all Users is respected.
The Administrator of Users’ personal data is the Service Provider, i.e. “Listonic” Sp. z o.o. with its registered office in Łódź, at ul. Żeromskiego 46/4/21, entered by the District Court for Łódź Śródmieście in Łódź into the National Court Register under the number 0000326899.
Users may contact the Service Provider:
- by mail to the above address of the registered office;
- regarding Listonic Services: via the contact form at http://www.listonic.com/content/pl/kontakt/; by phone: +48 422353636; +48 505842438 (mobile); by e-mail: email@example.com
- concerning the Kupony Żbik Services: via the chat at https://kuponyzbik.pl/home/; by e-mail: firstname.lastname@example.org.
Data Protection Officer
In order to ensure adequate protection of personal data of Users, the Service Provider has appointed a Data Protection Officer. Users can contact the Data Protection Officer directly on all matters related to the processing of personal data and the implementation of the GDPR at the following e-mail address: email@example.com; firstname.lastname@example.org.
Purposes, legal basis and duration of data processing
The Service Provider processes personal data of Users for the following purposes:
Providing Services without login
In order to provide Services in the version without login, the Service Provider processes:
- information concerning the User’s device in order to ensure the correct operation of the Services: computer IP address, information contained in Cookies or other similar technologies, session data, data of the Internet browser, data concerning the device, data concerning the use of the Listonic App and Kupony Żbik App;
- information contained in Listonic: Shopping lists, Listonic Service settings, information on User activity on the Website, other information;
- information about the products listed in the Shopping List in order to provide prompts on predefined products;
- information about products listed in the Shopping List in order to display customized tips and promotions. As part of the Services provided, the Service Provider adjusts the displayed promotional offers and tips to the products listed in the User’s Shopping List;
- information on geolocation, if the User has granted the Service Provider access to geolocation. Geolocation information is used to provide more customized product and service offers.
These data shall be processed pursuant to Article 6 paragraph 1(b) of the GDPR for the purpose of the provision of Services, i.e. the agreement for the provision of digital services, in accordance with the Terms and Conditions, and shall be processed until the User terminates the use of the Services.
Provision of Services with login
In order to provide Services in the version with the User’s login, the Service Provider processes the following data in addition to the information indicated for the purpose of providing Services without login:
- information required to register the Account: e-mail address and Password;
- information required to sign in to another website: Facebook or Google+: email address, Password, and first and last name;
- additional information provided in the Listonic Account, such as age, first and last name;
- additional information provided in the Kupony Żbik Account: e.g. scans of receipts, information on cash bonuses obtained, bank account number, information on the User’s activity on the Website;
- in the case of Listonic App Premium – information about the payment made.
In order to use the Account it is only necessary to provide authentication data: e-mail address and Password. Providing other data is voluntary and the Users may add them themselves in their Accounts.
In order to receive a cash bonus from the Kupony Żbik Service, it is also necessary to provide other information in order to fulfill the requirements of the Service and to receive a bonus, in accordance with the Terms and Conditions of the Kupony Żbik Service.
These data shall be processed pursuant to Article 6 paragraph 1(b) of the GDPR for the purpose of the provision of Services, i.e. the agreement for the provision of digital services, in accordance with the Terms and Conditions, and shall be processed until the User terminates the use of the Services.
In order to consider a complaint, the Service Provider processes personal data of Users who file the complaint, in particular e-mail address, name, content of the complaint, circumstances of the event that caused the complaint, information obtained in the course of complaint processing, including the explanation of the event that caused the complaint. In the course of processing the complaint, the Service Provider may process a range of other information, including the User’s name, information about the User’s use of the Services, Cookies or other similar technologies, information about devices.
These data shall be processed pursuant to Article 6 paragraph 1(b) of the GDPR for the purpose of providing Service, i.e. the agreement for the provision of digital services, in accordance with the Terms and Conditions, and are processed for the time necessary to consider the complaint and not longer than for 3 months after the end of the complaint procedure, for archiving purposes in the event of the need to defend against possible claims against the Service Provider.
Contact with Users, Contact Form, Chat
In order to ensure contact between the Users and the Service Provider, the Service Provider processes information concerning persons contacting the Service Provider, in particular telephone number, first name, e-mail address, content of calls and messages. Conversations with users are not recorded.
These data shall be processed pursuant to Article 6 paragraph 1 (f) of the GDPR in the legally justified interest of the Service Provider and Users consisting in the necessity to ensure contact between Users and the Service Provider, and the processing of these data shall not violate the rights and freedoms of Users.
The content of correspondence and contact information are processed for the time necessary to settle the User’s case and not longer than 3 months after the case is settled for archiving purposes in the event of the need to defend against possible claims against the Service Provider.
Investigation and claims procedure
In the case of undertaking an investigation concerning a possible breach of the provisions of the Terms and Conditions or legal regulations, principles of social coexistence or good practice, proceedings to pursue claims by the Service Provider or by other Users or entities, defense against claims made by Users or other entities, the Service Provider may process personal data of specific Users until the end of the ongoing proceedings and until the expiry of the limitation period of the Service Provider’s claims against the User, which usually is 3 years, but in special cases provided by law, it may be longer.
If personal data is processed in order to pursue claims of other Users, such data may be made available for this purpose to another User or an entity or a public body authorized under the provisions of law, e.g. courts, the police, the public prosecutor’s office.
These data shall then be processed and made available pursuant to Article 6 paragraph 1(c) of the GDPR, i.e. for the purpose of fulfilling an obligation arising from the provisions of law or pursuant to Article 6 paragraph 1(f) of the GDPR, i.e. in the legally justified interest of the Service Provider to pursue any claims against the User. The legally justified interest of the Service Provider shall then prevail over the rights and freedoms of the Service Provider.
Statistics on the use of Services
In order to improve the quality of Services, the Service Provider processes statistical information on the use of the Services, including information on session, IP number, amount of time spent on particular pages and subpages, use of particular functionalities of the Services, information on the device and the Internet browser, Cookies or other similar technologies.
These data shall be processed pursuant to Article 6 paragraph 1(f) of the GDPR in the legally justified interest of the Service Provider consisting in facilitating the use of the Services, improving the quality and functionality of the Services provided, and the processing of these data shall not violate the rights and freedoms of Users. The data is processed as part of the current activities of the Service Provider, but not longer than for 60 days from the receipt of the information. After this time, the Service Provider may further process general statistical data, from which all information concerning individual Users shall be removed.
Listonic button on other webpages
The Service Provider uses third party providers to provide the Listonic Button Service. The Listonic button is displayed to users of webpages other than those of the Service Provider, in particular to users of webpages devoted to cuisine and food-related matters; for this purpose, an external provider, pursuant to an agreement with the Service Provider, places the Listonic button on those other webpages.
The Service Provider shall, to the extent possible, ensure that third parties with whom it concludes cooperation agreements on the use of the Listonic Button, meet the requirements of the law and good practice regarding protection of privacy of its users and have a valid basis for their users to make the functionalities of other entities available on their webpage. However, the Service Provider shall not be liable for the proper functioning of such third parties.
Upon pressing the Listonic Button, the User is redirected directly to the Listonic Services. Further Services are provided by the Service Provider in accordance with the Listonic Terms and Conditions.
These data shall be processed in accordance with Article 6 paragraph 1(f) of the GDPR, in the legally justified interest of the Service Provider consisting in facilitating the use of Listonic Services, improving the quality and functionality of the provided Listonic Services, and the processing of such data shall not violate the rights and freedoms of Users, since in order to be redirected to the Listonic Service Provider’s Website, the User must press the button him/herself. However, the mere display of the button does not interfere with the rights and freedoms of the User, as the Service Provider assumes that a third party providing the service enabling the display of the button has taken care of proper legal basis for its users to perform such actions.
Marketing of other products and services as part of the provision of the Services
An integral part of the Services provided free of charge by the Service Provider is the placement of marketing content:
- in the Listonic Shopping List, the Service Provider displays suggestions about products of particular brands that could be included in the Shopping List;
- in the functionality Promotional leaflets in Listonic Web, the Service Provider provides Users with marketing content about the Retailers and their promotional offer;
- Listonic App displays advertising banners containing:
  - suggestions of products from specific brands along with the button “Add” enabling the addition of the advertised product to the Shopping List selected by the User;
  - marketing information on products or services offered by other entities. Advertising banners are an indispensable part of the Service provided free of charge. The User can also use the paid version, without banners – Listonic App Premium;
- in coupons offered under the Kupony Żbik Service, the Service Provider includes information on specific products to which the coupon relates together with their detailed description and an indication of Retailers where the product to which the coupon relates can be purchased;
- Webpages display marketing content of other entities. Their prominence depends on the Users’ individual preferences of web browsers or tools blocking the display of advertisements.
Processing of User data for the above marketing purposes is necessary to provide Services available free of charge pursuant to the Terms and Conditions as an indispensable part thereof, pursuant to Article 6 paragraph 1(b) of the GDPR.
Marketing and remarketing outside the provision of Services
E-mail addresses and other data concerning the identity of Users are not used by the Service Provider for marketing purposes. The Service Provider protects the aforementioned personal data of Users against sending marketing content of other entities. However, the Service Provider may occasionally send information about its own promotional activities.
Other User data, in particular information about activities on the Website and on other webpages, information about sessions, visited pages and subpages, including IP numbers, Cookies or other similar technologies are processed by the Service Provider for marketing purposes of products or services of other entities. This information is not linked to any information that identifies Users, and in the case of non-logged users and users of other webpages, this information will not normally constitute personal information. However, it cannot be excluded that in connection with other data held by the Service Provider they may constitute personal data. The Service Provider conducts the following marketing activities outside the scope of the Services:
- information on the use of the Services obtained from Cookies or other similar technologies is used by the Service Provider to create information about Users’ interests and to display personalized advertisements of other entities customized to Users’ interests; for this purpose, the Service Provider uses information about products searched for, viewed on the Website or entered on the Shopping Lists by Users;
- the Service Provider shall use external providers to obtain information from other webpages, in particular about food and cooking (e.g. thematic blogs or webpages featuring recipes), about the activity of users of those websites in displaying specific content. The information thus obtained is processed by the Service Provider to create information about the interests of Users and to display customized advertisements of other entities tailored to the interests of users of these other webpages. The Service Provider shall only obtain information about the products or information searched for and viewed, in particular about the culinary recipes viewed; for this purpose, the Service Provider shall share the relevant code or script on other webpages on the basis of a cooperation agreement with other entities managing such webpages. The code or script is invisible to the users of these webpages and serves the purpose of recording user information and passing it on to the Service Provider. The Service Provider shall ensure, to the extent possible, that third parties with whom it concludes cooperation agreements on the use of codes / scripts concerning the activity of users of other webpages, comply with the provisions of law and good practice in the field of protection of privacy of their users and have a valid basis for their users to provide space for the functionalities of other entities on their webpages. However, the Service Provider shall not be liable for the correct operation of such third parties.
Then, the information about users’ interests obtained in this way is used by the Service Provider to display personalized advertisements of other entities on the Service Provider’s Webpages, in the Services and on other webpages where the Service Provider rents advertising space.
To this end, the Service Provider profiles Users’ online activity consisting in the verification of webpages and displayed content on those webpages by individual users, including linking information obtained from the Service Provider’s Websites and from webpages of other entities and sorting such information against third parties whose advertisements will be displayed to Users.
The Service Provider shall not undertake any more complex profiling activities, in particular shall not analyze the obtained information about users and shall not create their behavioral profiles.
This information shall be processed within 60 days of its collection, but no longer than until an objection has been lodged by the data subject.
The Service Provider may also install or enable the installation of Cookies or other similar technologies on the Website to third parties with whom it has concluded appropriate cooperation agreements regarding the display of marketing content. Files and scripts of other entities can be installed on listonic.pl, Listonic Web, kuponyzbik.pl and Kupony Żbik Web and are used to display customized advertisements of these entities. Third parties do not have access to Shopping Lists, receipt scans or Account information.
Processing by the Service Provider of information on Users and information on users of other webpages takes place on the basis of the legally justified interest of the Service Provider (Article 6 paragraph 1(f) of the GDPR) consisting in undertaking marketing activities in order to present marketing information customized to the needs and interests of specific users.
The Service Provider has analyzed the impact on users’ rights and freedoms, taking into account the following circumstances:
- displayed marketing messages are tailored to the interests previously revealed by the users, based on their search history and viewed content on the Service Provider’s Webpages and on the webpages of other entities, which means that instead of receiving the content in any way unrelated to their interests, users receive a marketing message customized to suit them;
- the use of advertising customized based on search history meets the expectations of the average Internet user and average users are aware of the use of customized advertising, including the use of files and tools which record users’ online activity for this purpose; they shall also be informed of this fact when they start using the services in the cookie policies of the relevant webpages;
- the information used to provide customized marketing communications is basic user information and relates only to the online search and display history of content on the Internet and mobile applications and is not subject to more complex profiling, including the creation of user behavioral profiles, and consequently the use of user information to such an extent does not interfere with the privacy of users in a way that would be inconsistent with the reasonable expectations of a standard Internet user or mobile application user;
- in view of the obtained information about users of other webpages, the Service Provider assumes that the third party providing the service of using the functionality related to the code or script installation has ensured proper legal basis for its users to perform such actions;
- The Service Provider shall reliably inform about the rights of users in connection with the processing of information about them, including granting full rights resulting from the GDPR to all whose information it processes, regardless of whether such information constitutes personal data or not – in order to ensure the utmost respect for the rights and freedoms of natural persons, the Service Provider assumes that each user has the full rights provided for in the GDPR, without going into the formal definition of personal data;
and on this basis, the Service Provider has assessed that the processing of such data in such a way shall not constitute an infringement of the rights and freedoms of data subjects.
Disclosure of Users’ data
Provision of Services
User Data may be disclosed as part of the provision of the Service to share the Shopping List with other Users. The use of the sharing Shopping Lists feature is a voluntary choice of the User. By making his/her Shopping List available or by sharing the Shopping List of another User, the User makes his/her own data available in this respect, and the Service Provider is not responsible for such disclosures. In addition, certain data may also be made available or disclosed to other Users or entities in the event that the User uses additional functionalities:
- logging in via another website: Facebook or Google+ – for authentication purposes, information about the use of Listonic and about login time may be disclosed;
- Recommend to friends, Invite to use Listonic: to do so, the User sends an e-mail to the recipients indicated by him/her, thus informing about his/her e-mail address and about using Listonic or recommending Listonic;
- Like Listonic, Like Retailer: using these features, the User discloses information about his or her having liked Listonic or the selected Retailer;
- Other additional functionalities provided by the Service.
The Service Provider uses external service providers (e.g. outsourcing, contract, service order) to perform the Services. Disclosure of data to service providers shall take place only after the conclusion of appropriate cooperation agreements, which also regulate the issues related to the disclosure of data, their legal basis under the GDPR and the relevant provisions regarding the conditions of such disclosure (entrustment of data processing, sharing data).
The Users’ data which does not contain any data disclosing their identity, concerning the use of the Website or other webpages may also be obtained and processed by other entities by means of tools used to record the activity of users, which these entities publish on the Website. Details of these activities are included in the part concerning marketing and remarketing in addition to the provision of Services, which can be found herein above.
Other Users, other entities
As a rule, we do not disclose User data to other Users or entities, except in the cases described above. However, it may happen that the Service Provider will be obliged to disclose certain information on the basis of the applicable Polish law, e.g. to law enforcement agencies, state authorities, other Users in order to pursue their claims. In such a case, only the data that the Service Provider is obliged to disclose will be subject to disclosure.
Rights of data subjects
The data subject shall have the right to:
- demand from the Service Provider information on the processing of his/her personal data, i.e. confirmation whether the personal data of the data subject are being processed. If a person’s data are processed, he or she shall be entitled to access them, to obtain a copy thereof and to obtain the following information: the purposes of the processing, categories of personal data, information on the recipients or categories of recipients to whom the data have been or will be disclosed, on the duration of the storage of the data or on the criteria for determining it, on the rights of the person with regard to the processing of his/her personal data, on the possibility of lodging a complaint with the supervisory authority, on the source of the personal data if they were not obtained directly from the data subject and on profiling and automated decision processing (so-called right of access, Article 15 of the GDPR);
- Correct the personal data relating to him/her. If a person obtains information about the fact that his/her personal data processed by the Service Provider are incorrect, outdated or incomplete, he/she has the right to demand their immediate rectification or supplementation (the so-called right to rectification, Article 16 of the GDPR);
- Demand the deletion of their personal data, and if the person has given consent to the processing of personal data, the request for deletion shall have the same effect as the withdrawal of consent (the so-called right to erasure [“the right to be forgotten”], Article 17 of the GDPR);
- Demand restrictions on the processing of personal data (the so-called right to restriction of processing, Article 18 of the GDPR), i.e. demand the cessation of data processing, except for their storage, in situations where:
  - the data subject disputes the correctness of the personal data – for the period during which the Service Provider will verify their accuracy;
  - the data subject disputes the lawfulness of the processing of personal data by the Service Provider;
  - the Service Provider no longer needs these data, but they are necessary for the data subject to establish, pursue or defend his or her claims;
  - the data subject objects to the processing – until the Service Provider decides whether the objection is valid;
- Raise an objection to the processing of personal data for legally justified purposes of the Service Provider;
- Transfer his/her personal data, i.e. obtain personal data in a structured, universally used, machine-readable format he or she supplied to the Service Provider, if their processing is based on consent, or request that the data be sent to another data administrator indicated by the data subject (the so-called data portability, Article 20 of the GDPR).
The data is collected and stored by the Service Provider on the Service Provider’s servers located in the European Union.
The Service uses encrypted data transmission during registration, login and throughout the entire session of logged-in Users in order to protect the data in the Accounts and the functionality, which the User can individually use.
The servers on which User data is stored, as well as the data itself, are adequately protected from the technical and organizational point of view. Data security is supervised by specialists in information security, communication security, business continuity management and the Data Protection Officer (DPO) in the field of GDPR.
When using features that allow Users to send emails, such as Recommend to a Friend, Invite to Use the Service, the emails are sent directly from User’s email account. The Service Provider’s functionality is limited only to calling up an appropriate tool on the User’s device in order to facilitate and place a predefined message content. The Service Provider is not responsible for sending this message, and in particular for securing its transmission.
The supervisory authority for the protection of personal data in Poland is the President of the Office for the Protection of Personal Data (Prezes Urzędu Ochrony Danych Osobowych, PUODO) with its registered office in Warsaw, ul. Stawki 2, telephone: 22 531 03 00, e-mail: email@example.com. A person has the right to lodge a complaint with the PUODO against the Service Provider in any case, in particular if he/she believes that the Service Provider processes his/her personal data incorrectly or unjustifiably refuses to exercise his/her rights.
However, the Service Provider encourages Users to approach the Service Provider or the Data Protection Officer in the first place with any questions, doubts or objections concerning the processing of personal data by the Service Provider.