Privacy Policy

  1. Cookies Policy

    1. eSky.pl S.A., with headquarters in Katowice (40-265), at ul. Murckowska 14A, registered in the Register of Entrepreneurs kept by the Katowice-Wschód District Court in Katowice, 8th Commercial Division of the National Court Register under the number KRS no.: 0000383663, and holding NIP no.: 948-19-87-199, with a share capital of PLN 1 019 525.60 hereinafter referred to as the “Operator”, grants the users of the websites the right to make choices about sharing information concerning them. The Operator informs users that they use cookies and geolocation technology on the websites.
    2. Cookies are small pieces of text information sent by a web server and stored on the user’s end. Default cookie parameters give access to the information gathered in cookies only to the server that created them.
    3. Cookies are used to gather information related to the user’s activity on the Website. Cookies allow the operator to:
      1. save the user’s session (after logging in), so that the user does not have to enter their login and password again on each subpage of the Website;
      2. adjust the Website’s content to the user’s preferences and optimise the use of websites; in particular, these files help to recognise the user’s device and display a website appropriately and adapt it to the individual needs of the User and the devices they use.
      3. gather anonymous statistical data that help to learn more about the way the users use the Website.
        It helps to improve the Website, its structure and content, based on the users’ expectations.
    4. The Website uses two basic cookie types: session cookies and persistent cookies. Session cookies are temporary files that are stored on the user’s end device until they log out, leave a website or turn off software (the web browser). Persistent cookies are stored on the user’s end device for a period of time specified in the cookies parameters or until they are removed by the user.
    5. As part of the Website, eSky.pl S.A. also uses some mechanisms of internal entities, partners, advertisers, in particular, the social media functions of Facebook and Google which are directly related to the storage of these entities’ cookies on the user’s end device.
    6. If the software used for browsing websites (the web browser) enables the storage of cookies on the end device by default, users may change the cookies settings at any time in their web browser (this applies to all types of cookies) or remove these files from their devices. In the case of geolocation services, the user directly agrees to them by accepting the web browser settings.
    7. Restricting the use of cookies may negatively impact some of the functions available on the Website or disable them.
    8. Cookies never include the user’s personal data.
    9. The information stored in cookies or gaining access to it does not result in configuration changes on the user’s end device or the software installed on that device.
  2. Personal Data Protection Policy

    1. The text below (the “Personal Data Protection Policy”, hereinafter referred to as the “PDP Policy”) will help you learn why and how long eSky.pl S.A. (hereinafter referred to as the “Data Administrator”) will process your personal data. You will find out which entity categories can have access to your personal data and what rights you can exercise in relation to the processing of your personal data. The Policy is closely related to the necessity to follow new requirements concerning the processing of the data, arising from the EU laws on the protection of personal data, i.e. Regulation (EU) 2016/679, also referred to as the GDPR (hereinafter referred to as the Regulation).
    2. The PDP Policy is a part of the eSky.pl S.A. Privacy Policy that also regulates the use of cookies.
    3. The PDP Policy refers to the data gathered on a website or an application, as well as through a Call Center.
    4. The administrator of your personal data - processed for the purposes specified below - is eSky.pl S.A., with its registered office in Katowice,

      Murckowska 14a Street,

      e-mail: iod@esky.com

    5. The Data Administrator has appointed the Personal Data Protection Inspector (hereinafter referred to as the “Inspector”). You may contact the Inspector in all matters related to the processing of your personal data, also if you have any doubts about your rights. The Inspector is obliged to keep their responsibilities confidential - according to the EU or the national law.

      Personal Data Protection Inspector: Grzegorz Gawin

      e-mail: iod@esky.com

    6. The Inspector’s responsibilities:
      1. informing the Data Administrator and the employees who process personal data, about their responsibilities arising from this Regulation and other EU or Member Countries’ laws on the protection of personal data and advise them on this issue;
      2. monitoring adherence to the GDPR, other EU or Member Countries’ laws on the protection of personal data and the policies of the Data Administrator or a processing entity in the field of personal data, including distribution of responsibilities, actions that raise awareness, training the employees that take part in the operations related to data processing or audits connected to that;
      3. offering recommendations on evaluating the effects on data protection upon request and monitoring the protection;
      4. cooperating with a supervising authority;
      5. being a point of contact for the supervising authority in issues related to data processing, including prior consultations, discussed in Article 36, and in relevant cases - leading consultations on all other issues.
    7. The Data Administrator guarantees that they will process your personal data only for precise, clear and justified purposes and they will not process them further contrary to these purposes. The purpose of data processing is the reason why we process your personal data. If the Data Administrator wants to process your personal data for other purposes - not specified below - you will be informed about the new purpose separately. The table below presents the purposes of data processing.
      Purpose | Explanation | Legal basis | Processing length (when will your data be removed)

      Purpose: Creating an account on the Website according to the terms and conditions (hereinafter referred to as the “Terms and Conditions”).
      Explanation: This relates to data processing that is necessary to create an account at www.esky.com and use it, for example, to verify the correctness of the data or to review transactions. The process of creating the account is automated. If you experience any problems with creating the account, you can contact the Call Center. Every user is authorised to create the account. No initial verification is required.
      Legal basis: Article 6 section 1 letter b) of the GDPR and Article 22 section 2 letter a) of the GDPR
      Processing length: Throughout the period of the account service, however if the account is not created or removed, the data is archived and will not be used for purposes other than those related to determining, pursuing or defending counterclaims.

      Purpose: Entering into an agreement on providing service according to the Terms and Conditions.
      Explanation: Regardless of whether you create the account at www.esky.com or you are an unregistered user, you can use services according to the Terms and Conditions, e.g. book a ticket or make a hotel reservation. Personal data gathered in the process of ordering a service are processed (e.g. they will be shared with airlines or other service providers) to finalise the service. The agreement may also be concluded through the Data Administrator’s Call Center. The agreement is executed automatically. Every user is authorised to conclude the agreement. No initial verification is required.
      Legal basis: Article 6 section 1 letter b) of the GDPR and Article 22 section 2 letter a) of the GDPR
      Processing length: Throughout the period of the service and until the statute of limitations on the counterclaims expires, however if the agreement is not concluded and the service is not provided according to the Terms and Conditions or after the period of provision of the service expires, the data will be archived and will not be used for purposes other than those related to determining, pursuing or defending counterclaims.

      Purpose: Performing the obligations under the agreement on providing service according to the Terms and Conditions.
      Explanation: Regardless of whether you create the account at www.esky.com or you are an unregistered user, you can use services according to the Terms and Conditions, e.g. book a ticket or make a hotel reservation. Personal data gathered in the process of ordering a service are processed (e.g. they will be shared with airlines or other service providers) to perform the obligations under the agreement. You may also select additional options while ordering a service (according to the Terms and Conditions), if you select these options, your data will also be processed for the purposes of providing this additional service. The agreement is concluded automatically, unless the service is operated by Call Center. Every user is authorised to receive the service. No initial verification is required.
      Legal basis: Article 6 section 1 letter b) of the GDPR and Article 22 section 2 letter a) of the GDPR
      Processing length: Throughout the period of the service and until the statute of limitations on the counterclaims expires, however if the agreement is not concluded and the service is not provided according to the Terms and Conditions or after the period of provision of the service expires, the data will be archived and will not be used for purposes other than those related to determining, pursuing or defending counterclaims.

      Purpose: For the eSky marketing purposes.
      Explanation: If marketing is done through emails - you will be asked to give additional permission - see details below. In such a case, the data accessed from the account or during the transaction process and while the service is being provided and for this period. The indicated purpose may be achieved through displaying personalised advertisement based on profiling. According to the GDPR, profiling is any form of automated personal data processing that involves the use of personal data for evaluation of personal aspects of a natural person, in particular for analysis or prognosis of the aspects related to this natural person’s performance at work, their financial situation, health, personal preferences, interests, credibility, behaviour, location and movement.
      Legal basis: Article 6 section 1 letter f) of the GDPR
      Processing length: Until objection is made and after it is made only for the purposes of defence against claims (throughout the statute of limitations on the claims arising from infringement of personal interests).

      Purpose: For the purposes of achieving public and legal (e.g. taxes) responsibilities related to the agreement on providing service according to the Terms and Conditions.
      Explanation: This refers to performance of obligations assigned to the Data Administrator under Polish law.
      Legal basis: Article 6 section 1 letter c) of the GDPR
      Processing length: Until the statute of limitations on the public and legal obligations (e.g. taxes) expires.

      Purpose: For the purposes of keeping the Website safe.
      Explanation: This is about preventing unauthorised access to the electronic communication network and sharing malicious codes, stopping attacks, such as “service denial” and protecting computer systems and electronic communication network from damage.
      Legal basis: Article 6 section 1 letter f) of the GDPR
      Processing length: Until an effective objection is made (see details below) or until the statute of limitations on counterclaims expires, e.g. those related to breach of safety rules on the Website -> whichever event occurs first.

      Purpose: For the purposes of a statistical analysis, including a financial analysis, and using its results to improve the quality of the services offered by the Data Administrator.
      Explanation: The analysis is performed “manually”. The analysis aims to identify transactions that constitute a breach of the agreement (without the intention of payment) for the purpose of pursuing the rights by the Data Administrator.
      Legal basis: Article 6 section 1 letter f) of the GDPR
      Processing length: Until an effective objection is made or until the statute of limitations on counterclaims expires, e.g. those related to breach of safety rules on the Website -> whichever event occurs first.

      Purpose: For the purposes of sending the newsletter.
      Explanation: In such a case, you will be asked for additional permission and to provide your email address. In such a case, the data accessed from the account or during the transaction process and while the service is being provided and for this period. The indicated purpose may be achieved through displaying personalised advertisements based on profiling. According to the GDPR, profiling is any form of automated personal data processing that involves the use of personal data for evaluation of personal aspects of a natural person, in particular for analysis or prognosis of the aspects related to this natural person’s performance at work, their financial situation, health, personal preferences, interests, credibility, behaviour, location and movement.
      Legal basis: Article 6 section 1 letter a) of the GDPR
      Processing length: Until the permission is withdrawn and after it is withdrawn only for the purposes of defence against claims (throughout the statute of limitations on the claims arising from infringement of personal interests).

      Purpose: For the purposes of sending “price alerts”.
      Explanation: In such a case, you will be asked for additional permission and to provide your email address. In such a case, the data accessed from the account or during the transaction process and while the service is being provided and for this period. The indicated purpose may be achieved through displaying personalised advertisement based on profiling. According to the GDPR, profiling is any form of automated personal data processing that involves the use of personal data for evaluation of personal aspects of a natural person, in particular for analysis or prognosis of the aspects related to this natural person’s performance at work, their financial situation, health, personal preferences, interests, credibility, behaviour, location and movement.
      Legal basis: Article 6 section 1 letter a) of the GDPR
      Processing length: Until the permission is withdrawn and after it is withdrawn only for the purposes of defence against claims (throughout the statute of limitations on the claims arising from infringement of personal interests).

      Purpose: For the purposes of displaying the so-called web push.
      Explanation: In such a case, you will be asked for additional permission. Web push delivers a question to the User that will appear in the address bar and will ask the User for his permission to receive web push notifications. The User may accept or block the notifications. The content of notifications is created by the browser and interference is not permitted.
      Legal basis: Article 6 section 1 letter a) of the GDPR
      Processing length: Until the permission is withdrawn and after it is withdrawn only for the purposes of defence against claims (throughout the statute of limitations on the claims arising from infringement of personal interests).

      Purpose: For the purposes of geolocation that is used to display personalised advertisements.
      Explanation: In such a case, you will be asked for additional permission.
      Legal basis: Article 6 section 1 letter a) of the GDPR
      Processing length: Until the permission is withdrawn and after it is withdrawn only for the purposes of defence against claims (throughout the statute of limitations on the claims arising from infringement of personal interests).

      Purpose: For the purposes of performing the obligations related to the enforcement of the laws specified in the GDPR.
      Explanation: In such a case, the data are processed only within the scope that is necessary to identify and verify the identity of the person who makes the request.
      Legal basis: Article 6 section 1 letter c) of the GDPR
      Processing length: For the purposes of defence against claims, throughout the statute of limitations on the claims arising from infringement of personal interests.

      Purpose: For the purposes of determining, pursuing or defending against counterclaims related to:
      - providing services according to the Terms and Conditions (within this scope, processing complaints);
      - performing obligations arising from the GDPR (to adhere to the regulations).
      Explanation: In such a case, the data is processed only within the scope necessary for the purposes of investigation, determining the claims or defending against the claims.
      Legal basis: Article 6 section 1 letter f) of the GDPR
      Processing length: Throughout the statute of limitations on the claims, both the claims against the Data Administrator and those assigned to the Data Administrator.

      Purpose: For a purpose of archiving and handling of queries at eSky Assistant Service
      Explanation: The processing of personal data is necessary in order to verify frequently asked questions as well as to provide service enhancements, including updated responses to queries, on the basis of demand.
      Legal basis: Article 6, section 1, letter b) and Article 6, section 1, letter f) (with regard to service quality improvement in accordance with information provided by customers).
      Processing length: Throughout the period of the service and until the statute of limitations expires. However, if the agreement has not been concluded and the service has not been provided according to the Terms and Conditions, or after the end of service provision, the data will be archived and will not be used for purposes other than those related to determining, pursuing or defending counterclaims.

      Purpose: Execution of contract with the Administrator
      Explanation: If you are an employee/co-worker/member of the board with which the contract has been concluded, your data such as first name, last name, contact details, position, order data shall be processed for the purpose of order realisation, as well as tax purposes and securing claims, while maintaining the rights set out in this Privacy Policy. Business conversations with employees may be recorded in order to verify the correctness of information and the quality of services provided.
      Legal basis: art. 6 section 1 b) c) and f) GDPR
      Processing length: For the period of service provision and until the limitation of mutual claims, except if the contract is not concluded and the service is not provided in accordance with the Regulations or after the service is completed, the data shall be archived and not used except for the purpose of investigating, defending or establishing mutual claims.
    8. If your personal data is processed on the basis of the permission, you can withdraw it at any moment. You can withdraw the permission in the Data Administrator’s headquarters or by completing the appropriate form at www.esky.com (section: Contact). Withdrawing the permission does not impact the compliance with the law of the processing done until the permission is withdrawn. If the permission is withdrawn, the Data Administrator will determine if they still have the basis for data processing. In such a case, further data processing is possible for the purposes of defence against claims (e.g. through indicating that the right to withdraw the permission has been exercised) and only within the scope necessary for this purpose.
    9. Please remember that each time personal data is processed, pursuant to Article 6 section 1 letter f) of the GDPR (see details above) or in the case of the so-called reasonable interest of the Data Administrator, you can make an objection at any time - for reasons related to a specific situation - to the processing of personal data. After making the objection, the Data Administrator will not be able to process personal data any longer, unless they prove the existence of important, legally justified bases for data processing, superior to the interests, rights and freedoms of the person whose data is being processed, or bases for determining, pursuing or defending claims.

      Most importantly, in cases of personal data processing, pursuant to Article 6 section 1 letter f) of the GDPR (see details above), for eSky marketing purposes, the objection does not have to be justified with a specific situation and the Data Administrator will not be able to process personal data, pursuant to Article 6 section 1 letter f) of the GDPR, after the objection is made, for eSky marketing purposes, within the scope the data were processed before.

      You can withdraw the permission in the Data Administrator’s headquarters or by completing the appropriate form at www.esky.com (section: Contact).
    10. Apart from the right to withdraw the permission and make an objection, you have the right to access, copy, transfer, correct and remove the data and limit their processing, as well as the right to refuse to be subject to a decision that is based only on the automated processing, including profiling, and that has legal consequences or affects you significantly in any other way.
      You can exercise the above rights in the Data Administrator’s headquarters or by completing the appropriate form at www.esky.com (section: Contact).
      You can also correct the data by accessing your account.
      You can also delete your account at any time after logging in to Your account, according to the Terms and Conditions or by submitting a request at the Data Administrator’s headquarters or by completing the appropriate form at www.esky.com (section: Contact).
    11. We will collect personal data directly from you (through the account, during the transaction process etc.). The data may be gathered from other sources only for the purposes of operating the service. This refers to the information gathered from the entities that operate the service that you ordered (airlines, hotels etc.). The scope of the data covers only the information that is necessary to confirm the order payment.
    12. Providing personal data is always voluntary, however it is necessary to fulfil the above purposes.
    13. Personal data processed for the purposes of operating the service according to the Terms and Conditions are shared with the entities that provide a service selected by the User, including their subcontractors, e.g. airlines, hotels, insurance providers, payment intermediaries, GDS (Global Distribution System) etc. Regardless of the purpose of data processing, the only persons that can access your personal data will be the authorised employees and the Data Administrator’s subcontractors who signed the appropriate data transfer agreements with the Data Administrator (please contact the Personal Data Protection Inspector for more details).
  3. PRIVACY POLICY - PRINCIPLES OF PROCESSING DATA BY OTHER SERVICE PROVIDERS

    1. Social networks. This site uses plug-ins for social networks of the following suppliers:
      • These plug-ins usually collect data from the User by default and send them to the server of the respective provider. Clicking the symbol will turn on the plug-in and means consent to the transfer of data to the appropriate provider. Legal basis for using plug-ins: art. 6.1. a) and f) of GDPR.
      • Indicated plugins also collect personal data, such as the User's IP address, and send them to the server of the respective provider, where the data is saved. When the User visits the relevant website, the enabled plugin configures a cookie with a unique identifier. This allows the provider to generate user behavior profiles. If the User belongs to a social network of a given provider and during the visit to the website logs in to it, data and information about the visits to the site may be associated with the profile in the appropriate social network website. More information on the scope, specifics and purpose of data processing as well as rights and options for protection settings are available in the Service Provider Policies identified above.
      • In addition, the service provider may send messages to persons who agreed on that and/or when it is necessary to provide services by using the mailing tools provided by iPresso (Encja.com SA, Ceglana 4, 40-514 Katowice, Poland) on the terms set out in: https://www.ipresso.com/privacy-policy.
    2. The Website may provide the User with the opportunity to register and log in via a Facebook account. If the User registers via Facebook, Facebook will ask for permission to share certain data from the User's account on Facebook. This data may include the name and e-mail address of the User to enable verification of the identity and sex of the User. They may also contain general information about the location of the User, a link to Facebook profile, time zone data, date of birth, profile photo, data about likes and a list of friends of the User.
      These data will be collected by Facebook and sent in accordance with the rules set out in the Facebook data regulations. These data will be used to create, share and personalize the User's account. Legal basis: art. 6.1.a), b) and f) GDPR. The user can control the data that is transferred from Facebook using the Facebook privacy settings.
      If the User registers via Facebook, the User's account will be automatically linked to his Facebook account.
    3. In the case of logging in via social media, the following data will be used: name, surname, e-mail address, publicly available information - these data will be used to access / log in to the service (Article 6 (1) (b) of the GDPR). These data can be deleted by: deleting the account, using an alternative login method or direct contact with the DPO: e-mail: iod@esky.com.
    4. Analysis of user's website behavior
      • Google Analytics

        This website uses the Google Analytics service for analysis of websites offered by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States. It enables assigning data from various devices to the User's identifier and allows analysis of actions taken by this User from the level of observed devices (also Firebase and Optimize services are in use).

        Google will use this information at the request of the website operator to evaluate your use of the website so that it can compile reports on website activity of users and provide other website and internet services to the website operator. Data processing for these purposes also lies in the legitimate interest of the Website operator. Legal basis for using Google Analytics: art. 6.1.f) GDPR. More information about the terms and conditions of using this service and data protection can be found at https://www.google.com/analytics/terms/ and https://policies.google.com/?hl=en.

        The user can prevent the saving of cookies by selecting the appropriate settings in his browser. In this case, the User will not be able to take full advantage of all functions of the website. You may also prevent Google from collecting and processing data generated by cookies and data related to your use of the website (including its IP address) by downloading and installing the add-on available at https://tools.google.com/dlpage/gaoptout?hl=en. To set a resignation cookie, please click here.

        In the case of mobile devices, the functions described above are implemented by Firebase on the terms set out in: https://firebase.google.com/support/privacy.

      • Google Ads and conversion tracking

        In order to propose the services most tailored to the expectations of the Users, the website uses the Google Ads display system and uses Google's conversion tracking functionality to personalize online ads based on interests and location. The IP anonymization option is controlled by Google Tag Manager using the internal setting. This setting is configured in such a way that the anonymisation required by law for privacy protection includes IP addresses. Ads are displayed based on search requests on sites that are part of the Google Display Network. The user can also choose the type of Google ads displayed to them, or disable Google ads based on interests by using the ad settings page. The user can also disable third-party cookies by using the opt-out tool provided by the Network Advertising Initiative.

        If you do not want to receive any personalized ads, you may opt out of the option to display these ads using the Google ad settings page.

        For more information on how Google uses cookies, please see Google's privacy policy.

      • Hotjar

        Data collected and stored on this site are used for purposes related to the optimization of its operation. This is done using technologies provided by Hotjar Ltd. (https://www.hotjar.com). These data may be used to generate profiles of Users using a pseudonym. Cookies can also be used for this purpose. Data collected using the Hotjar technology is not used to identify the identity of the User visiting this site and will not be combined with the personal data of the User using a pseudonym, unless he agrees to do so. The User may at any time withdraw the consent for Hotjar to collect User's data from sites that support this technology. To do this, go to https://www.hotjar.com/legal/compliance/opt-out and click "Disable Hotjar" or turn on "Do not Track" in your browser.

      • Criteo

        With the help of Criteo technology (provided by Criteo GmbH, Unterer Anger 3, 80331 Munich and/or in Criteo Group, Address: 32 Rue Blanche, 75009 Paris, France), information about User behavior related to browsing websites and online content of the Service Provider is collected for marketing purposes, and cookies are created on these sites and content (in anonymized form only). This allows Criteo to analyze the User's behavior related to the websites viewed and to display targeted product recommendations in the form of an advertising banner when he visits other websites. The data collected by Criteo will only be used to improve advertising content. The letter "i" (information) can be found on each banner displayed. If the user moves the mouse pointer over this letter and clicks it, a page will appear explaining the system and opt-out options. Clicking the "opt-out" option will result in setting a cookie with information about the cancellation, which will prevent the display of this banner in the future. These data will not be used in any other way or transferred to third parties. For more information about Criteo and the opportunity to object to anonymous analysis of User behavior related to site browsing, please visit https://www.criteo.com/privacy/.

      • RTB House

        Using RTB House technology (provided by RTB House SA, Złota 61/101, 00-819 Warsaw, Poland), information about the User's behavior related to browsing websites and online content is collected for marketing purposes. This allows RTB House to analyze the User's behavior related to the websites viewed and display product recommendations in the form of an advertising banner when visiting the website. Clicking the "opt-out" option will result in setting a cookie with information about the cancellation, which will prevent the display of this banner in the future. These data will not be used in any other way or transferred to third parties. For more information about RTB House and the possibility to object to anonymous analysis of User's behavior related to website browsing, please visit https://www.rtbhouse.com/privacy-center/.

      • Adara

        Using Adara technology (provided by Adara, Inc. (“Adara”), a California corporation, with offices at 2625 Middlefield Road #827, Palo Alto, CA 94306, USA), information about the User's behavior related to browsing websites and online content is collected for marketing purposes. This allows Adara to analyze the User's behavior related to the websites viewed and display product recommendations in the form of an advertising banner when visiting the websites. Clicking the "opt-out" option will result in setting a cookie with information about the cancellation, which will prevent the display of this banner in the future. These data could be used or transferred to third parties. For more information about Adara and the possibility to object to anonymous analysis of User's behavior related to website browsing, please visit https://adara.com/privacy-promise/.

    5. Payment Processing
      • In order to make payments by payment card, the data will be transferred to:
        • ADYEN BV, Simon Carmiggeltstraat 6-50, 1011 Amsterdam, P.O. Box 10095, 1001 EB, AMSTERDAM, The Netherlands (https://www.adyen.com/policies-and-disclaimer/privacy-policy),
        or
        • CHECKOUT LTD, with office address at 54 Portland Place, London W1B 1DY, United Kingdom, authorised by the Financial Conduct Authority (“FCA”) as an electronic money institution under number 900816, and CHECKOUT TECHNOLOGY LTD, with its registered office address at Trident chambers, PO Box 146, Road Town, Tortola, British Virgin Islands (https://www.checkout.com/legal/privacy-policy).
      • The indicated entities will use the data to perform the transaction concluded via our website, e.g.:
        • Enabling of transactions to be routed to one or several acquiring payment networks,
        • Technical reception of the information regarding the status of transactions,
        • Information reporting including information related to transactions, service fees, chargebacks, refunds, disputes, etc.,
        • Tokenisation Service,
        • Fraud verification and risk management,
        • Technical integration support.
      • The transfer of data related to transactions and cards is necessary in order to provide services paid for by a payment card.
    6. External transaction service and Contact Centre
      • In the case of the necessity of conducting conversations in languages other than those available at the time necessary for efficient transaction service (such as in particular: EN) it is possible to redirect the call to an external Contact Centre service provider, i.e.: IGT Solutions Private Limited, a company incorporated under the laws of India having its principal place of business at Unit No. 1, Ground Floor, A Wing, Business @ Mantri Survey No. 197/2+4 to 7B, LohegaonNagar Road, Pune, Maharashtra – 411014, India. The Contact Centre Operator processes data outside the EEA, i.e. in India. Both the processing and the transfer of data are carried out in compliance with the security rules, i.e. after signing the entrustment agreement with model contractual clauses and in accordance with this Privacy Policy and the Operator's Policy available at: https://www.igtsolutions.com/policies/. The provision of data is voluntary, but necessary for the performance of the contract.