Privacy Policy

  1. Definitions
    1. Controller – AmRest Sp. z o. o. with its seat in Wrocław, ul. Powstańców Śląskich nr 15-17, 53-332 Wrocław, Poland.
    2. Personal Data – any information about a natural person, identified or identifiable by one or several factors defining his/her physical, physiological, genetic, psychic, economic, cultural or social identity, including the IP of the device, location data, online identifier and information collected through cookie files and other similar technologies.
    3. Policy – this Privacy Policy.
    4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
    5. Website – an online service run by the Controller at the address
    6. User – any natural person visiting the Website or using one or more services or functionalities described in the Policy.
  2. Data processing in connection with the use of the website
    1. In connection with the User’s use of the website, the Controller collects data with the scope necessary to provide its respective services and collects information about the User’s activity on the Website. The detailed rules and purposes of processing the personal data collected during the use of the Website by the User are described below.
  3. Purposes and legal basis of data processing at the website

    1. Personal data of all the persons using the Website (including the IP address or other identifiers and information collected through cookie files and other similar technologies) who are not registered Users (i.e. persons with no profile on the Website) are processed by the Controller:
      1. to provide services electronically to provide Users with an access to the content collected on the Website – in this case, the legal basis for the processing is that processing is necessary for the performance of a contract (Article 6(1)(b) of GDPR);
      2. for analytical and statistical purposes – in this case, the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR) to analyze the activity of Users and their preferences in order to improve the functionalities used and the services provided;
      3. to determine and pursue possible claims or defend against claims – the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR) to protect its rights.
    2. Activity of a User on the Website, including his/her personal data, is recorded in system logs (a special computer program for storing a chronological record of information about events and actions concerning the IT system used for providing services by the Controller). The information collected in logs is processed mainly for purposes related to the provision of services. The Controller also processes the information for technical, administrative purposes and in order to ensure security of the IT system and to manage the system and also for analytical and statistical purposes – in this respect, the legal basis for the processing is the legitimate interest pursued by the Controller (Article 6(1)(f) of GDPR).
  4. Social media
    1. The Controller processes personal data of Users who visit the Controller’s profiles in the social media (Facebook, YouTube, Instagram, Twitter). The data are processed only in connection with maintaining the profile, also in order to inform the Users about the Controller’s activity and promote various events, services and products. The legal basis of the personal data processing by the Controller for the above purpose is the Controller’s legitimate interest (Article 6(1)(f) of GDPR) to promote its own brand.
  5. Cookies and similar technologies
    1. Cookies are small text files installed on the device of a User browsing the Website. Cookies collect information to facilitate using a website, e.g. by remembering the User’s visits at the Website and actions performed by him or her.

      The Controller uses the so called “service” cookies primarily to provide the User with services electronically and improve the quality of these services. Accordingly, the Controller and other entities providing analytical and statistical services on its behalf, storing information or gaining access to information already stored in the User’s terminal telecommunications equipment (a computer, telephone, tablet, etc.). Cookie files used for the above purpose include:
      1. user input cookies (session identifiers) stored for the duration of a session;
      2. authentication cookies used for services that require authentication for the duration of a session;
      3. user-centric security cookies, e.g. used to detect abuses concerning authentication;
      4. multimedia player session cookies (e.g. flash player cookies);
      5. persistent user interface customization cookies for the duration of a session or slightly longer,
    1. The use of cookies files, which allows to collect User’s data, including access to data stored on the User's device, requires the User's consent. This consent can be withdrawn at any time.
    2. User’s consent is not required for use of cookies, which are necessary for the provision of telecommunications services (data transmission to display content).
    3. Withdrawal of User’s consent for the use of cookies is possible by managing your browser settings. Detailed information in this regard may be found at the following websites:
      1. Internet Explorer:
      2. Mozilla Firefox:
      3. Google Chrome:
      4. Opera:
      5. Safari:
    4. The User may, at any time, verify the status of his current privacy settings within the internet browser by using tools available at the following websites:
  7. Period of personal data processing
    1. The period of data processing by the Controller depends on the type of provided service and the purpose of the processing. In principle, data are processed for the entire period of providing the service, until the moment of withdrawing consent or filing an effective objection to the data processing in the cases where the legal basis for the processing is the Controller’s legitimate interest.
    2. The data processing period may be extended if processing is necessary to determine and pursue possible claims or defend against claims and, after that time, only when and to the extent required by law. After the elapse of the processing period, the data are irreversibly deleted and anonymized.
  8. Rights connected with personal data processing

    1. The users have the following rights:
      1. right to information on personal data processing – on that basis, the Controller provides the person making the request with information about data processing, including first of all about the purposes and legal grounds for the processing, the scope of the data held, entities to which they are disclosed and the planned date for deleting the data;
      2. right to receive a copy of the data – on that basis, the Controller provides a copy of the data processed to a person making the request;
      3. right to rectification – the Controller is obligated to remove any non-compliance or errors in personal data processed and supplement them if they are incomplete;
      4. right to erasure – on that basis, one may demand deleting the data whose processing is no longer necessary to achieve any of the purposes for which they were collected;
      5. right to restriction of the processing – if such a request is made, the Controller stops performing any operations on the personal data except for those to which the data subject has given consent and except storing them in accordance with the adopted retention rules or until the reasons for restricting the processing disappear (e.g. the supervisory authority issues a decision permitting further data processing);
      6. right to data portability – on this basis, to the extent that the data are processed in connection with an executed contract or given consent, the Controller delivers the data provided by the data subject in a machine-readable format. Is it also allowed to request that the data are transmitted to another entity on condition, though, that both the Controller and the other entity have the technical capabilities to do so;
      7. right to object to personal data processing for marketing purposes – the user has the right to object at any time to personal data processing for marketing purposes without the obligation to justify such an objection;
      8. right to object to data processing for other purposes – the user may object at any time to personal data processing carried out on the basis of the Controller’s legitimate interest (e.g. for analytical or statistical purposes or for reasons connected with protecting property); such an objection should include a justification;
      9. right to withdraw consent – if data are processed on the basis of a given consent, the user may withdraw it at any time, which does not have, however, any effect on the lawfulness of processing based on consent before its withdrawal.
      10. right to complain – if the user believes that the personal data processing breaches the provisions of GDPR or other personal data protection regulations, the data subject has the right to lodge a complaint with the President of the Personal Data Protection Authority.

      A request about exercising the rights of users may be filed:
      1. by letter to the address: ul. Powstańców Śląskich nr 15-17, 53-332 Wrocław, Poland.
      2. by e-mail to the address:
    3. If the Controller is unable to identify the person filing a request on the basis of the notification made, the Controller will ask the petitioner for additional information. Provision of such data is not mandatory, however failure to provide them will result in a request recognition refusal.
    4. The request may be filed in person or through an attorney-in-fact (e.g. a family member). In view of data security, the Controller encourages data subjects to use a power-of-attorney in the form certified by a notary public or an authorized legal counsel or attorney-at-law, which will significantly accelerate verification of the request’s authenticity.
    5. A reply to the request should be provided within one month of its receipt. If it is necessary to extend the deadline, the Controller shall inform the applicant about reasons for the delay.
    6. Where the application is submitted to the Company electronically, the response is given in the same form unless the applicant requests otherwise. In all other cases the response is given in writing. When the deadline for exercising the request makes it impossible to reply in writing and the applicant's data processed by the Controller allow for contact by electronic means, the response should be provided electronically.

      The proceeding concerning filed requests is free of charge. Fees may be charged only if:
      1. making a request to provide the second and each further copy of the data (the first copy is free of charge); in such a case, the Controller may demand that fees are paid in the amount of 30 złotych.
        The above fee includes administrative expenses connected with recognizing the request.
      2. making requests by the same person that are excessive (e.g. extremely frequent ones) or manifestly unfounded; in such a case, the Controller may demand that fees are paid in the amount of 30 złotych
        The above fee includes costs of carrying on communication and costs connected with taking requested actions.
    8. If the data subject challenges the decision to charge fees, the person may lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. In Poland the competent Supervisory Authority is the President of the Personal Data Protection Authority.
  9. Data recipients
    1. In connection with the implementation of services, Personal Data will be disclosed to external entities, including in particular suppliers responsible for the operation of IT systems and entities associated with the Administrator, including companies from its capital group.
    2. The Controller reserves the right to disclose selected information items referring to the User to relevant authorities or third parties which will demand that they are provided such information pursuant to an appropriate legal basis and in compliance with prevailing laws.
  10. Transfer of data outside the EEA
    1. The level of personal data protection outside the European Economic Area (EEA) differs from that guaranteed by the European law. For this reason, the Controller transmits personal data to places outside the EEA only when necessary and ensuring an adequate protection level, mainly by:
      1. cooperating with personal data processors in the states with respect to which a relevant decision of the European Commission has been issued;
      2. application of standard contractual clauses issued by the European Commission;
      3. application of binding corporate principles approved by the relevant supervisory authority;
    2. At the data collection stage, the Controller always informs the User of the intention to transfer personal data outside the EEA.
  11. Personal data security
    1. The Controller conducts an ongoing risk analysis to ensure that personal data are processed in a secure manner, guaranteeing first of all that access to the data is provided only to authorized persons and only to the extent necessary for them to perform their tasks. The Controller makes sure that any operations on personal data are recorded and performed only by authorized employees or collaborators.
    2. The Controller takes any necessary actions so that also its subcontractors and other cooperating entities guaranteed the application of appropriate security measures in each case when they process personal data on the Controller’s behalf.
  12. Contact data
    1. The Controller may be contacted by e-mail by letter sent to the mailing address.
  13. Amendments to the privacy policy
    1. The policy is verified on an ongoing basis and updated when needed.