BonusUP Privacy Policy

1. Data controller

  1. The controller of personal data processed in connection with BonusUP is `Jacek Wójcik`, tax ID: `879-199-42-01`, contact e-mail: `kontakt@bonusUP.eu`, hereinafter the `Controller`.
  2. Matters concerning personal data protection may be sent to `kontakt@bonusUP.eu`.

2. Scope

  1. This Policy describes the processing of personal data of BonusUP users, especially Clients, Venue Owners, Staff members whose accounts are created by Owners, and people contacting the Controller.
  2. It covers data processed on the BonusUP website and in related system functions, including login, bonuses, marketing campaigns, payments, promotional materials and e-mail or SMS communication.

3. Categories of data

  1. The Controller may process identification and contact data, such as e-mail address, phone number, username and other account data.
  2. The Controller may process account and security data, including encrypted passwords, verification tokens, password reset tokens, account deletion tokens, session version data and account activation or deletion dates.
  3. The Controller may process service data, including transaction history, cashback balance, bonus usage history, marketing communication settings and phone or e-mail verification status.
  4. The Controller may process bonus programme data, marketing campaign and group data, payment and settlement status data, technical logs, session identifiers, device and browser data, abuse-prevention data and anti-bot form protection data.

4. Purposes and legal bases

  1. Data may be processed to create and maintain an account, verify phone numbers and e-mail addresses, secure accounts, operate the bonus programme, record transactions, show cashback balance and history, handle marketing campaigns, process payments, send system e-mails and SMS messages, handle complaints, pursue or defend claims, comply with law, ensure security, prevent abuse and develop services.
  2. The legal basis may be performance of a contract or pre-contractual steps, a legal obligation, the Controller's legitimate interest or user consent where required by law.

5. Role of Venue Owners

  1. Venue Owners using BonusUP may process Client data when handling the bonus programme, transactions and marketing campaigns.
  2. Depending on the purpose and method of processing, the Venue Owner may be a separate controller, joint controller or processor.
  3. The final legal model of cooperation should be defined in separate documentation between the Controller and the Venue Owner where required.

6. Data recipients

  1. Data may be disclosed to: IT, hosting and infrastructure providers; e-mail providers; SMS providers; payment operators; security and anti-abuse providers, including anti-bot tools when active; legal, accounting, technical or organisational support providers; and authorised public authorities where required by law.
  2. Data is not sold to third parties.

7. Retention period

  1. Data is kept for the period necessary to achieve the purpose for which it was collected.
  2. Account data may be kept while the account exists and later as needed for claims or legal obligations.
  3. Transaction, payment and subscription data may be kept for the period required by law or justified by settlements and complaints.
  4. Marketing data is kept until effective withdrawal of consent or objection where such basis applies.
  5. Technical and security data is kept for a period justified by security, diagnostics and abuse prevention.

8. Rights of data subjects

  1. A data subject has the right of access, rectification, erasure, restriction of processing, data portability where applicable, objection to processing based on legitimate interest, withdrawal of consent at any time where processing is based on consent, and the right to lodge a complaint with the President of the Personal Data Protection Office.
  2. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

9. Marketing and communication

  1. BonusUP sends system messages necessary for account operation, especially account activation, phone verification, password reset, e-mail confirmation, account deletion confirmation, security notices and subscription payment reminders.
  2. Venue Owner marketing campaigns are carried out according to user settings and system limits.
  3. A Client may disable SMS marketing from a selected Venue or globally for all Venues using the system.
  4. The app does not provide a setting to disable advertising e-mails sent by Venues through BonusUP.

10. Security

  1. The Controller uses technical and organisational measures appropriate to the risk to rights and freedoms of data subjects.
  2. These measures include access control, password hashing, data access limitation, accountability of system actions, anti-abuse limits, registration form protection and infrastructure and transmission security.
  3. Long-term login sessions may be used for selected roles together with session invalidation after password changes or other security events.

11. Transfers outside the EEA

  1. If the Controller uses providers based outside the European Economic Area or processing data outside the EEA, transfers take place only in accordance with legal requirements and appropriate safeguards.
  2. Information about such transfers may be specified in documentation of external providers.

12. Contact and changes

  1. Questions about this Privacy Policy should be sent to `kontakt@bonusUP.eu`.
  2. The Controller may change this Policy due to changes in law, service model, providers or scope of data processing.
  3. The current version is made available in BonusUP.