Privacy Policy
Effective: 9 February 2026
This Privacy Policy (hereinafter: "Policy") contains information about the processing of your personal data in connection with the use of the AutomateTravel application operating at the internet address https://app.automate.travel (hereinafter: "Application").
All capitalised terms not otherwise defined in this Policy shall have the meanings ascribed to them in the Terms of Service, available at: https://automate.travel/terms-of-service.
Data Controller
The controller of your personal data is ETOURS sp. z o.o. based in Warsaw (registered office address: ul. Hoลผa 86 lok. 410, 00-682 Warsaw), entered in the register of entrepreneurs of the National Court Register maintained by the District Court for the Capital City of Warsaw in Warsaw, XII Commercial Division of the National Court Register under KRS number: 0001077138, with NIP (Tax Identification Number): 7011180825, REGON number: 52725820700000, with share capital of PLN 20,000 (twenty thousand zlotys), paid up in full (hereinafter: "Controller").
Contact with the Controller
For all matters related to the processing of personal data, you may contact the Controller via electronic mail at the address: legal@automate.travel.
Personal Data Protection Measures
The Controller applies modern organisational and technical safeguards to ensure the best possible protection of your personal data and guarantees that it processes them in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: "GDPR"), the Act of 10 May 2018 on the Protection of Personal Data and other data protection regulations.
Information About Processed Personal Data
The use of the Application requires the processing of your personal data. Below you will find detailed information about the purposes and legal bases for processing, as well as the processing period and whether the provision of data is mandatory or voluntary.
Conclusion and Performance of the Service Agreement
| Purpose of processing | Processed personal data | Legal basis |
|---|---|---|
| Conclusion and performance of the Service Agreement | 1. first and last name, 2. email address, 3. telephone number, 4. NIP (Tax Identification Number), 5. other data provided by the Client | Art. 6(1)(b) GDPR (processing is necessary for the performance of the Application Usage Agreement concluded with the data subject, or for taking steps prior to its conclusion) |
The provision of the above personal data is a condition for the conclusion and performance of the Service Agreement (providing them is voluntary, however the consequence of not providing them will be the inability to conclude and perform the Agreement).
The Controller will process the above personal data until the expiry of the limitation period for claims arising from the Service Agreement.
Conducting Complaint Proceedings
| Purpose of processing | Processed personal data | Legal basis |
|---|---|---|
| Conducting complaint proceedings | 1. first and last name, 2. email address | Art. 6(1)(b) GDPR (processing is necessary for the performance of the Agreement and the exercise of the Client's rights granted under the Agreement) |
The provision of the above personal data is a condition for receiving a response to a complaint or exercising the Client's rights under the Agreement (providing them is voluntary, however the consequence of not providing them will be the inability to receive a response to the complaint and to exercise the aforementioned rights).
The Controller will process the above personal data for the duration of the complaint proceedings and, in the case of exercising the Client's aforementioned rights, until their limitation period expires.
Conducting Verification Proceedings and Handling Appeals
| Purpose of processing | Processed personal data | Legal basis |
|---|---|---|
| Conducting verification proceedings and handling appeals against decisions regarding impermissible content | 1. first and last name/company name, 2. contact details, including email address | Art. 6(1)(c) GDPR (processing is necessary for compliance with a legal obligation to which the Controller is subject, in this case the obligations to: provide a mechanism for reporting impermissible content (Art. 16 DSA), handle complaints (Art. 20 DSA)) |
The provision of the above personal data is a condition for receiving a response to a report or exercising the Client's rights under the DSA provisions (providing them is voluntary, however the consequence of not providing them will be the inability to receive a response to the report and to exercise the aforementioned rights).
The Controller will process the above personal data for the duration of the complaint proceedings and, in the case of exercising the Client's aforementioned rights, until their limitation period expires.
Handling Enquiries Submitted by Clients
| Purpose of processing | Processed personal data | Legal basis |
|---|---|---|
| Handling enquiries submitted by Clients | 1. first name, 2. email address, 3. other data contained in the message to the Controller | Art. 6(1)(f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Controller, in this case responding to the enquiry received) |
The provision of the above personal data is voluntary but necessary in order to receive a response to the enquiry (the consequence of not providing them will be the inability to receive a response).
The Controller will process the above personal data until the effective lodging of an objection or the achievement of the processing purpose (whichever occurs first).
Fulfilment of Tax Obligations
| Purpose of processing | Processed personal data | Legal basis |
|---|---|---|
| Fulfilment of tax obligations (including issuing VAT invoices, maintaining accounting documentation) | 1. first and last name/company name, 2. home address/registered office address, 3. NIP (Tax Identification Number) | Art. 6(1)(c) GDPR (processing is necessary for compliance with a legal obligation to which the Controller is subject, in this case obligations arising from tax law) |
The provision of the above personal data is voluntary but necessary for the Controller to fulfil its tax obligations (the consequence of not providing them will be the inability of the Controller to fulfil the aforementioned obligations).
The Controller will process the above personal data for a period of 5 years from the end of the year in which the tax payment deadline for the previous year expired.
Fulfilment of Data Protection Obligations
| Purpose of processing | Processed personal data | Legal basis |
|---|---|---|
| Fulfilment of data protection obligations | 1. first and last name, 2. contact details provided by you (email address; correspondence address; telephone number) | Art. 6(1)(c) GDPR (processing is necessary for compliance with a legal obligation to which the Controller is subject, in this case obligations arising from data protection regulations) |
The provision of the above personal data is voluntary but necessary for the proper performance by the Controller of its obligations under data protection regulations, including the exercise of your rights under the GDPR (the consequence of not providing the data will be the inability to properly exercise the aforementioned rights).
The Controller will process the above personal data until the expiry of the limitation period for claims related to data protection violations.
Establishing, Pursuing or Defending Against Claims
| Purpose of processing | Processed personal data | Legal basis |
|---|---|---|
| Establishing, pursuing or defending against claims | 1. first and last name/company name, 2. email address, 3. home address/registered office address, 4. PESEL number, 5. NIP (Tax Identification Number) | Art. 6(1)(f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Controller, in this case establishing, pursuing or defending against claims that may arise in connection with the performance of Agreements concluded with the Controller) |
The provision of the above personal data is voluntary but necessary for the purposes of establishing, pursuing or defending against claims that may arise in connection with the performance of Agreements concluded with the Controller (the consequence of not providing the data will be the inability of the Controller to take the aforementioned actions).
The Controller will process the above personal data until the expiry of the limitation period for claims that may arise in connection with the performance of Agreements concluded with the Controller.
Analysis of Activity Within the Application
| Purpose of processing | Processed personal data | Legal basis |
|---|---|---|
| Analysis of your activity within the Application | 1. date and time of visits, 2. device IP address, 3. device operating system type, 4. approximate location, 5. internet browser type, 6. time spent within the Application, 7. visited subpages and other actions taken within the Application | Art. 6(1)(f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Controller, in this case obtaining information about your activity within the Application) |
The provision of the above personal data is voluntary but necessary for the Controller to obtain information about your activity within the Application (the consequence of not providing them will be the inability of the Controller to obtain the aforementioned information).
The Controller will process the above personal data until the effective lodging of an objection or the achievement of the processing purpose.
Application Administration
| Purpose of processing | Processed personal data | Legal basis |
|---|---|---|
| Application administration | 1. IP address, 2. server date and time, 3. internet browser information, 4. operating system information. The above data is automatically recorded in so-called server logs each time the Application is used (administering it without the use of server logs and automatic recording would not be possible). | Art. 6(1)(f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Controller, in this case ensuring the proper operation of the Application) |
The provision of the above personal data is voluntary but necessary to ensure the proper operation of the Application (the consequence of not providing them will be the inability to ensure the proper operation of the Application).
The Controller will process the above personal data until the effective lodging of an objection or the achievement of the processing purpose.
Contact Form Handling
| Purpose of processing | Processed personal data | Legal basis |
|---|---|---|
| Contact form handling | 1. first and last name, 2. email address, 3. company name, 4. telephone number, 5. other data contained in the message to the Controller | Art. 6(1)(f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Controller, in this case responding to the message received) |
The provision of the above personal data is voluntary but necessary in order to receive a response to the submitted message (the consequence of not providing them will be the inability to receive a response).
The Controller will process the above personal data until the effective lodging of an objection or the achievement of the processing purpose.
Sharing Reviews About Services
| Purpose of processing | Processed personal data | Legal basis |
|---|---|---|
| Sharing Reviews about Services | 1. first name, 2. optionally โ other data contained in the Review | Art. 6(1)(f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the Controller, in this case sharing Reviews for informational and promotional purposes) |
The provision of the above personal data is voluntary but necessary for adding a Review (the consequence of not providing them will be the inability to add a Review).
The Controller will process the above personal data until the effective lodging of an objection or the achievement of the processing purpose (whichever occurs first).
Profiling
For the purpose of creating your profile for marketing purposes and directing personalised direct marketing to you, the Controller will process your personal data in an automated manner, including profiling โ however, this will not produce any legal effects concerning you, nor will it similarly significantly affect your situation.
The scope of profiled personal data corresponds to the scope indicated above in relation to the analysis of your activity in the Application and data that you store in your Account.
The legal basis for processing personal data for the above purpose is Art. 6(1)(f) GDPR, according to which the Controller may process personal data for the purposes of its legitimate interests, in this case conducting marketing activities tailored to the preferences of recipients. The provision of the above personal data is voluntary but necessary for the realisation of the aforementioned purpose (the consequence of not providing them will be the inability of the Controller to conduct marketing activities tailored to the preferences of recipients).
The Controller will process personal data for profiling purposes until the effective lodging of an objection or the achievement of the processing purpose.
Recipients of Personal Data
The recipients of personal data will be the following external entities cooperating with the Controller:
- hosting company;
- online payment system providers;
- companies providing tools for analysing activity in the Application and directing direct marketing to its users (including Google Analytics);
- accounting services provider;
- Microsoft Corporation (Microsoft Clarity โ a tool for analysing user behaviour in the Application);
- Supabase Inc. (provider of backend infrastructure, database and authentication services);
- Lovable (hosting services provider).
Furthermore, personal data may also be transferred to public or private entities if such an obligation arises from generally applicable laws, a final court judgment or a final administrative decision.
Transfer of Personal Data to Third Countries
In connection with the Controller's use of services provided by, among others, Google LLC, your personal data may be transferred to the following third countries: United Kingdom, Canada, USA, Chile, Brazil, Israel, Saudi Arabia, Qatar, India, China, South Korea, Japan, Singapore, Taiwan (Republic of China), Indonesia and Australia. The basis for the transfer of data to the aforementioned third countries is:
- in the case of the United Kingdom, Canada, Israel and Japan โ European Commission adequacy decisions establishing an adequate level of personal data protection in each of the aforementioned third countries;
- in the case of the USA, Chile, Brazil, Saudi Arabia, Qatar, India, China, South Korea, Singapore, Taiwan (Republic of China), Indonesia and Australia โ contractual clauses ensuring an adequate level of protection, in accordance with standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
You may obtain from the Controller a copy of the data transferred to a third country.
Your Rights
In connection with the processing of personal data, you are entitled to the following rights:
- the right to information about what personal data concerning you is processed by the Controller and to receive a copy of such data (the so-called right of access). The first copy of the data is provided free of charge; for subsequent copies, the Controller may charge a fee;
- if the processed data becomes outdated or incomplete (or otherwise incorrect), you have the right to request its rectification;
- in certain situations, you may request the Controller to delete your personal data, for example when:
- the data is no longer needed by the Controller for the purposes for which it was informed;
- you have effectively withdrawn your consent to data processing โ provided that the Controller has no right to process the data on another legal basis;
- the processing is unlawful;
- the need to delete the data arises from a legal obligation incumbent on the Controller;
- where personal data is processed by the Controller on the basis of consent given for processing or for the purpose of performing an Agreement concluded with the Controller, you have the right to transfer your data to another controller;
- where personal data is processed by the Controller on the basis of your consent to processing, you have the right to withdraw such consent at any time (withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal);
- if you consider that the processed personal data is incorrect, that the processing is unlawful, or that the Controller no longer needs certain data, you may request that, for a specified period necessary (e.g. for verifying the correctness of data or pursuing claims), the Controller refrains from performing any operations on the data and only stores it;
- you have the right to object to the processing of personal data where the basis for processing is the legitimate interest of the Controller. In the event of an effective objection, the Controller will cease processing personal data for the aforementioned purpose;
- you have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO) if you consider that the processing of personal data violates the provisions of the GDPR.
If you are concerned about the possibility of losing control over your information, tracking of your activities or your privacy, we would like to point out that there are a number of tools and solutions available that allow such activities to be blocked โ these may include browser extensions, their privacy settings, as well as more advanced solutions such as VPNs or browsers that provide greater privacy by redirecting traffic. We deliberately do not specify particular solutions, as the variety is very large; however, we encourage you to search for and select those that best suit your needs. You can find such compilations and suggestions at Privacy Guides: https://privacyguides.org.
Cookies
- The Controller informs you that the Application uses "cookies" (small text files) installed on your end device. These are small text files that can be read by the Controller's system, as well as by systems belonging to other entities whose services the Controller uses (e.g. Facebook, Google).
- The Controller uses cookies for the following purposes:
- ensuring the proper operation of the Application โ thanks to cookies, the smooth operation of the Application, the use of its features and convenient navigation between individual subpages is possible;
- enhancing the comfort of using the Application โ thanks to cookies, it is possible to detect errors on certain subpages and continuously improve them;
- creating statistics โ cookies are used to analyse how users use the Application. This makes it possible to continuously improve the Application and adapt its operation to user preferences;
- conducting marketing activities โ thanks to cookies, the Controller can target users with advertisements tailored to their preferences.
- The Controller may place both persistent and temporary (session) files on your device. Session files are usually deleted when the browser is closed, while closing the browser does not delete persistent files.
- Information about cookies used by the Controller is displayed in a panel located at the top of the Application website. Depending on your decision, you can enable or disable cookies of individual categories (with the exception of essential cookies) and change these settings at any time.
- Detailed information about the types of cookies used by the Controller can be found in the panel located at the top of the Application website.
- Data collected through cookies does not allow the Controller to identify you.
- Through most commonly used browsers, you can check whether cookies have been installed on your end device, delete installed cookies and block the installation of cookies by the Application in the future. However, disabling or restricting cookie handling may cause quite serious difficulties in using the Application, e.g. the need to log in on every subpage, longer loading times of the Application, restrictions in the use of certain functionalities.
Final Provisions
To the extent not regulated by this Policy, generally applicable data protection regulations shall apply.
This Policy is effective as of 9 February 2026.