Privacy policy
1. Definitions
Personal Data Controller (“Controller”) – refers to Delizie Italiane LTD located in Warsaw (02-495), ul. Gierdziejewskiego 7, operating the Da Luciano Restaurant located in Warsaw at ul. Herbu Oksza 24. For matters related to personal data processing, please contact the Personal Data Controller directly. If you have questions regarding personal data processing or wish to exercise your rights, you can contact us by mail at the above address or by email at biuro@bottegadelgusto.pl.
Personal Data Processor (“Processor”) – refers to an entity that processes a Client’s data on behalf of the Controller. The processing rules are described in the Data Processing Agreement between the Processor and the Controller.
Website – software created by Up Menu and used by Delizie Italiane LTD, through which the Client can order products and services offered by the Da Luciano Restaurant.
Mobile Application – a mobile application available for mobile phones and portable devices; it is another form of the Online System used to order goods and services from the Da Luciano Restaurant.
Personal Data – all information about an identified or identifiable natural person through one or several specific factors defining the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person, including the IP number of the device, location data, internet identifier, and information collected via cookies and other similar technology.
Recipient – means a natural or legal person, public authority, agency, or other body to whom personal data is disclosed, regardless of whether it is a third party. However, public authorities that may receive personal data in the course of a particular inquiry in accordance with Union or Member State law are not considered recipients. The processing of such data by these public authorities must comply with applicable data protection laws according to the purposes of processing.
Policy – this Privacy Policy.
Profiling – means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects of a natural person, in particular, to analyze or predict aspects concerning that natural person’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Processing – means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organizing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Client: a natural person (including a Consumer) who is at least 18 years old and has full legal capacity, or a legal person or an organizational unit with legal capacity. A Client may be a natural person who is at least 13 years old but not yet 18 years old to the extent that they can acquire rights and incur obligations in accordance with the generally applicable law, i.e., in minor current matters of everyday life.
Order: within the meaning of this document, a legal action performed using the Website, during which the Client expresses the will to purchase the ordered products and services according to their description and price.
Consent of the data subject: means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
2. Purposes for which personal data is processed in connection with the use of the Website and Mobile Application
- Handling orders placed through the order form on the Website for the purpose of purchasing goods and services.
Recipients of the data include, among others: entities providing support services to the Controller in the scope of its activities (e.g., email, hosting, etc.) and entities authorized based on legal regulations.
Using the Website (e.g., placing orders, presenting offers) does not require creating a user account. The Client can place an order without previously creating an account on the Website. The Controller collects user data to the extent necessary to provide the services offered through the Website and Mobile Application, as well as information about their activity on the Website.
The Controller processes personal data of all persons using the Website (including IP address or other identifiers and information collected through cookies or other similar technologies) and records Client activity on the Website in system logs (a special computer program used to chronologically store records containing information about events and actions related to the IT System used to provide services by the Controller). The information collected in the logs is primarily processed for service provision purposes. The Controller also processes this data for technical and administrative purposes, to ensure the security of the IT system and its management, as well as for analytical and statistical purposes.
The Client is obliged to use only their own personal data when using the IT System, under threat of violating applicable law in this regard and the personal rights of third parties.
Using the Website requires providing personal data. Failure to provide this data makes it impossible to use the Website.
The processing of this data is necessary for the performance of a contract to which the Client or Da Luciano Restaurant is a party, or to take steps at the request of these persons prior to entering into a contract (Article 6(1)(b) GDPR).
Your personal data provided during the ordering process will be processed for a period of 14 days from the date of order completion, and then for the period of the limitation of claims, counting from the day of order completion.
- For the purposes of handling online payments for ordered products through the Website and Mobile Application.
Personal data of Clients using online payments is transferred to specialized companies handling online payments such as Przelewy24. Clients are informed at the time of placing an order which entity is handling the given payment.
The Website provides Clients with the service of making online payments for ordered goods and services at Da Luciano Restaurant.
Using the online payment option is voluntary. Failure to provide the personal data necessary to conduct an online payment results in the inability to perform such a transaction. The processing of this data is necessary for the performance of a contract to which the Client is a party or to take steps at the Client’s request before entering into a contract (Article 6(1)(b) GDPR).
The Client may also use other forms of payment for ordered goods and services, including cash payments and, depending on the offer of Da Luciano Restaurant, through the Da Luciano Restaurant payment terminal.
Personal data processed for the purpose of handling online payments may also be processed for other legitimate purposes of the controller (Article 6(1)(f) GDPR).
These legitimate purposes include:
· conducting analyses of Client activity and preferences to improve the functionalities and services provided,
· potential establishment, exercise, or defense of claims.
Handling online payments requires providing personal data and payment information. Failure to provide this data makes it impossible to make an online payment but does not exclude the possibility of using the Website.
Your personal data provided during the ordering process and payment processing will be processed for the period of the limitation of claims, counting from the day of order completion and payment.
- For the purposes of marketing Da Luciano Restaurant’s products and services.
The Client must give separate, explicit consent for the processing of their personal data for marketing purposes. This consent is voluntary and does not affect the execution of the order or the use of the IT System.
The Controller processes the personal data of IT System Clients to conduct marketing activities, which may include:
· displaying marketing content to the Client that is not tailored to their preferences (contextual advertising), including in the form of online banners, advertising texts, or “Push” notifications;
· displaying marketing content to the Client that is tailored to their preferences (behavioral advertising), including in the form of online banners, advertising texts, or “Push” notifications;
· sending email notifications about interesting offers or content, which in some cases contain commercial information (newsletter service);
· sending SMS notifications about interesting offers or content, which in some cases contain commercial information (newsletter service).
To conduct marketing activities, the Controller sometimes uses profiling. This means that through the automatic processing of data, the Controller evaluates selected factors related to natural persons to analyze their behavior, create future forecasts, or invite them to reuse the products and services.
Your personal data held for the purposes of marketing Da Luciano Restaurant’s products and services will be processed until consent is withdrawn.
- For the purpose of managing social media platforms.
The Controller processes personal data of Clients visiting the Controller’s profiles on social media platforms (Facebook, YouTube, Instagram, LinkedIn, Twitter). This data is processed solely in connection with managing the profile, including informing Clients about the Controller’s activities and promoting various events, services, and products. The legal basis for processing personal data by the Controller for this purpose is its legitimate interest (Article 6(1)(f) GDPR), which involves promoting its own brand and maintaining contact with Clients.
Your personal data provided on social media will be processed until the post is deleted or you request its deletion.
- For statistical purposes (Article 6(1)(f) GDPR).
Cookies are small text files installed on the Client’s device while browsing the Website. Cookies collect information that facilitates the use of the Website, such as remembering the Client’s visits to the Website and the actions they have taken.
The Controller informs that cookies are harmless to the Client’s computer or other devices and their data. The Controller also informs that it is possible to configure the web browser or Mobile Application in a way that does not allow cookies to be stored on the Client’s computer or other device.
However, before the Client decides to change the default browser settings, they should remember that many cookies enhance the convenience of using the Website. Disabling cookies may affect the appearance and functionality of the Website.
The Controller informs that it is also possible to delete cookies after the end of a session while using the Website.
Information contained in system logs related to the general rules of internet connections is used by the hosting company managing the IT System only for technical and statistical purposes.
3. “Service” cookies and similar technologies
Cookies used for this purpose include:
· user input cookies (session identifier) for the duration of the session;
· authentication cookies used for services requiring authentication for the duration of the session;
· user-centric security cookies, e.g., used to detect authentication abuses;
· multimedia player session cookies (e.g., Flash player cookies) for the duration of the session;
· persistent cookies used to personalize the Client’s interface for the duration of the session or slightly longer;
· cookies used to monitor website traffic, i.e., data analytics.
2. “Marketing” cookies. Processors (entities from the marketing industry) also use cookies for marketing purposes, including directing behavioral advertising to Clients.
3. Push Technology.
The Controller uses so-called Push technology, which allows notifications to be sent to the Client, including in connection with directing advertising to the Client. For this purpose, the Controller stores information or gains access to information already stored in the Client’s end telecommunication device (computer, phone, tablet, etc.).
4. Rights related to the processing of personal data
Individuals whose data is processed have the following rights:
· right to information about the processing of personal data – on this basis, the individual making the request is provided with information about the processing of their data by the Controller, including the purposes and legal grounds for processing, the scope of data held, the entities to whom it is disclosed, and the planned date of data deletion;
· right to obtain a copy of the data – on this basis, the Controller provides a copy of the personal data being processed concerning the individual making the request;
· right to rectification – the Controller is obliged to remove any inconsistencies or errors in the personal data being processed and to complete it if it is incomplete;
· right to erasure – on this basis, one can request the deletion of data whose processing is no longer necessary to achieve any of the purposes for which it was collected;
· right to restrict processing – if such a request is made, the Controller ceases to perform operations on personal data, except for operations to which the data subject has consented, and their storage, in accordance with adopted retention principles or until the reasons for the restriction of data processing cease to exist (e.g., a supervisory authority decision is issued allowing further processing);
· right to data portability – on this basis, to the extent that the data is processed in connection with a contract or consent, the Controller provides the data supplied by the individual it concerns in a format that allows it to be read by a computer. It is also possible to request that this data be sent to another entity, provided that there are technical capabilities for this both on the part of the Controller and the other entity;
· right to object to data processing for marketing purposes – the data subject can object to the processing of personal data for marketing purposes at any time, without the need to justify such an objection;
· right to object to other purposes of data processing – the data subject can object to the processing of personal data at any time, which is carried out based on the Controller’s legitimate interest (e.g., for analytical or statistical purposes or for property protection reasons); the objection in this regard should be justified;
· right to withdraw consent – if data is processed based on consent, the data subject has the right to withdraw it at any time, which does not affect the lawfulness of processing carried out before the withdrawal of consent;
· right to lodge a complaint – if an individual believes that the processing of their personal data violates applicable data protection regulations, they can lodge a complaint with the President of the Office for Personal Data Protection.
5. Submitting requests related to the exercise of rights
A request regarding the exercise of data subject rights can be submitted in any form to the relevant Data Controller based on the purpose of the processing. Requests will be considered within 30 days.
Requests should be directed to the email address: biuro@bottegadelgusto.pl or by traditional mail to the address of the Personal Data Controller.
If the Controller cannot identify the person submitting the request based on the submission, they will ask the requester for additional information.
The request can be submitted in person or through a representative.
A response to the submission should be provided within one month of receipt. If it is necessary to extend this period by a maximum of an additional two months, the Controller will inform the requester of the reasons for the delay.
The response is provided via traditional mail unless the request was submitted by email or an electronic response was requested. If the data subject requests it, information can be provided orally, provided that the identity of the data subject is confirmed by other means.
6. Transfer of data outside the European Economic Area
The level of personal data protection outside the European Economic Area (EEA) differs from that ensured by European law. For this reason, the Controller transfers personal data outside the EEA only when it is necessary and with an adequate level of protection, primarily through:
· cooperation with entities processing personal data in countries with a relevant decision issued by the European Commission;
· use of standard contractual clauses issued by the European Commission;
· application of binding corporate rules approved by the relevant supervisory authority;
· in the case of data transfers to the USA, cooperation with entities participating in the Privacy Shield program, approved by a decision of the European Commission.
7. Personal data security
The Controller continuously conducts risk analysis to ensure that personal data is processed securely, ensuring primarily that only authorized persons have access to the data and only to the extent necessary for their tasks. The Controller ensures that all operations on personal data are recorded and carried out only by authorized employees and collaborators.
The Controller takes all necessary measures to ensure that its subcontractors and other cooperating entities also provide adequate security measures whenever they process personal data on behalf of the Controller.
8. Changes to the privacy policy
The policy is continuously reviewed and updated as necessary. The current version of the Policy was adopted and has been in effect since October 12, 2023.