Privacy Policy

§1. General Information

1. 1.

   This Privacy Policy sets out the rules for the collection, processing, and use of personal data by RALLY TRAVEL SP. Z O. O. with its registered office at ul. Prymasa Stefana Wyszyńskiego 85, 41-940 Piekary Śląskie, Poland; KRS 0001184730, NIP 4980279762, REGON 542268361 (hereinafter: „Rally.travel”, „Controller”) in connection with the user’s (hereinafter: „User”) use of the website https://rally.travel, https://book.rally.travel and the related services, in particular the organization of off-road driving training, preparation of GPX routes, and quad, UTV, and enduro expeditions.

2. 2.

   The purpose of this Policy is to provide clear information regarding how we collect personal data, on what legal basis we do so, how long we store it, to whom we disclose it, and what rights Users have in connection with its processing. Understanding these rules is essential to building trust and ensuring security and transparency in our relationships with customers.

3. 3.

   Rally.travel makes every effort to ensure respect for privacy and full compliance with personal data protection standards, in particular with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation – „GDPR”) and with the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws 2018, item 1000).

4. 4.

   All personal data processed by Rally.travel are protected using appropriate technical and organizational measures aimed at preventing loss, unauthorized access, modification, or destruction. More information on specific security measures and data processing rules can be found in the further sections of this document.

5. 5.

   Some of the personal data obtained by Rally.travel through forms available on the website and during the booking process are collected not only for the purpose of concluding and performing the contract, but also in connection with obligations arising from legal provisions, in particular provisions governing the activities of tourism organizers, accounting and tax obligations, and reporting and settlement obligations related to the operation of financial security mechanisms in tourism, including the Tourist Guarantee Fund (TFG) and the Tourist Assistance Fund (TFP). This means that providing certain data may be necessary for the proper performance of the statutory obligations incumbent on the Controller, including the preparation of the required records, declarations, settlements, and reports. The scope of required data depends on the type of service ordered, the status of the booking, and the currently applicable legal provisions.

§2. Definitions

1. 1.

   Personal data – any information enabling the identification of a natural person, directly or indirectly, in particular by reference to an identifier such as a name and surname, identification number, location data, online identifier (e.g. IP address, cookie identifier) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2. 2.

   Processing of data – any operation or set of operations performed on personal data, whether or not by automated means, including, among others, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3. 3.

   User – any natural person using the services offered by Rally.travel or visiting the website https://rally.travel, https://book.rally.travel, regardless of whether they have registered or made a purchase.

4. 4.

   Data Controller – the entity determining the purposes and means of processing personal data, responsible for their security and the compliance of processing with applicable legal provisions; in this document: RALLY TRAVEL SP. Z O. O., owner of the Rally.travel brand.

5. 5.

   Processor – an entity that processes personal data on behalf of the Controller on the basis of a concluded data processing agreement.

6. 6.

   Consent of the data subject – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

7. 7.

   GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 concerning the protection of natural persons with regard to the processing of personal data.

§3. Scope of Processed Data

1. 1.

   Some data are required for the conclusion and performance of the contract, as well as for the fulfillment of legal obligations incumbent on the Controller as a tourism organizer. Failure to provide the required data may result in the inability to make a booking, conclude a contract, or perform statutory obligations.

2. 2.

   The Controller may process the following categories of personal data:

   • A.Name and surname.
   • B.E-mail address.
   • C.Telephone number.
   • D.Residential address.
   • E.Date of birth.
   • F.PESEL number or other identifier – only in cases where it is necessary for the performance of a specific service, the fulfillment of a legal obligation incumbent on the Controller, or where required by applicable legal provisions.
   • G.Travel preferences, e.g. type of training, type of expedition, preferred destinations, level of experience.
   • H.Information on bookings and payments made.
   • I.IP address.
   • J.Technical information, e.g. browser type, operating system, access time.
   • K.Opinions and references.
   • L.History of contact with customer service.
   • M.Marketing and communication consents.
   • N.Data concerning participation in contests and promotional campaigns.
   • O.Data concerning activity on the website, including clicks and visited subpages.
   • P.Data from event registration forms.
   • Q.Cookies and data from analytical tools, e.g. Google Analytics.
   • R.Data related to the exercise of the User’s rights, e.g. GDPR requests.
   • S.Data concerning bookings and contracts, including the booking or contract number, contract conclusion date, service performance date, number of participants, price, information on prepayments, refunds, destination, route, and means of transport.

§4. Purposes and Legal Bases for Data Processing

§5. Recipients of Personal Data

1. 1.

   The personal data of Users may be disclosed to the following categories of recipients:

   • A.IT service providers – entities operating servers, booking systems, CRM tools, mailing and analytical systems, e.g. Google, Meta, Hotjar, MailerLite, Cookiebot.
   • B.Payment operators – providers enabling online payments, e.g. Stripe, PayU, Przelewy24.
   • C.Tourism partners – local guides, off-road agencies, transport and accommodation companies cooperating in the performance of expeditions.
   • D.Marketing and advertising companies – providers of remarketing tools and advertising campaigns, e.g. Facebook Ads, Google Ads.
   • E.Entities supporting customer service – helplines and external companies providing customer contact services.
   • F.Legal and accounting service providers – to the extent necessary to fulfill legal obligations and pursue claims.
2. 2.

   In the event of transferring data to third countries, i.e. outside the European Economic Area, Rally.travel ensures the application of appropriate safeguards, such as:

   • A.Standard contractual clauses approved by the European Commission or transfer of data to entities covered by an adequacy decision, where applicable.

§6. Methods of Data Collection

1. 1.

   Personal data are collected both directly from the User and indirectly through the use of the website, by means of analytical and marketing tools. The main channels for obtaining data include:

   • A.Contact forms, e.g. offer inquiries and registration forms.
   • B.Expedition booking forms, including data necessary for the performance of services.
   • C.Newsletter subscriptions and other forms of marketing communication.
   • D.User activity on the website.
   • E.Data collected automatically through cookies, tracking pixels, tags, and tools such as Google Analytics, Facebook Pixel, and similar solutions.
   • F.Telephone or e-mail contact, including data contained in messages or call notes.
   • G.Data provided as part of participation in contests, promotions, and special campaigns.
   • H.Data provided during participation in events organized by Rally.travel, both online and in person.
   • I.Data from social media, if the User uses login functions or contacts us through these channels, e.g. Messenger, Instagram, comments, or messages.
2. 2.

   In some cases, data may also be collected from partners or external services, e.g. payment platforms or booking systems, provided that the User has previously consented to such transfer.

§7. Data Storage and Retention Periods

1. 1.

   The personal data of Users are stored for the period necessary to achieve the purposes for which they were collected, in accordance with the following rules:

   • A.Data related to the performance of the contract – for the duration of the contract and for 5 years after its termination, for tax and accounting purposes.
   • B.Marketing data – until consent is withdrawn or an objection is raised.
   • C.Technical and analytical data, including cookies – in accordance with browser settings and the cookie policy.
   • D.Data from correspondence and complaints – up to 3 years after the end of contact.
   • E.Data needed to protect against claims – until the limitation period for any claims expires.
2. 2.

   Data may be stored for a longer period if required by applicable legal provisions.

§8. Users’ Rights

1. 1.

   The User has the following rights:

   • A.The right to lodge a complaint – with the President of the Personal Data Protection Office (UODO).
   • B.The right of access to data – to obtain information about what data we process.
   • C.The right to rectification of data – to correct or supplement incomplete data.
   • D.The right to erasure of data – the so-called „right to be forgotten”, if the data are no longer necessary.
   • E.The right to restriction of processing – e.g. in the event of contesting the accuracy of the data.
   • F.The right to data portability – to receive the data in a format enabling transmission to another controller.
   • G.The right to object – to processing based on legitimate interest or for marketing purposes.
   • H.The right to withdraw consent – at any time, without affecting the lawfulness of prior processing.

§9. Cookies and Tracking Technologies

1. 1.

   Our website uses:

   • A.Necessary cookies – enabling the basic functioning of the website.
   • B.Functional cookies – remembering the User’s preferences.
   • C.Analytical cookies – collecting statistical information, e.g. Google Analytics and Hotjar.
   • D.Marketing cookies – enabling advertising and remarketing campaigns, e.g. Facebook Pixel.
   • E.Performance cookies – used to measure the effectiveness of the website and optimize its performance.
2. 2.

   The User may change cookie settings in their web browser at any time. Most web browsers accept cookies by default. However, the User may change browser settings so that all cookies are rejected or so that they are reported when sent. Instructions on how to change cookie settings can be found in the documentation of the web browser. Disabling cookies may, however, affect the functionality of the website.

3. 3.

   Detailed information can be found in the document: Cookie Policy

4. 4.

   In addition to cookies, Rally.travel may use other tracking technologies, such as:

   • A.Web beacons – small graphic files placed on websites that enable tracking of User behavior.
   • B.Tracking pixels – similar to web beacons, used to collect information about User behavior.
   • C.Local Storage Objects – enable data to be stored in the User’s web browser.
   • D.Tags – fragments of HTML code that enable tracking of User behavior and collection of information about Users.
   • E.SDK (Software Development Kits) – sets of tools and software components that enable tracking of User behavior in mobile applications.

§10. Security Measures

1. 1.

   Rally.travel applies appropriate technical and organizational measures to ensure the security of Users’ personal data, including:

   • A.Implementation of procedures for responding to security incidents.
   • B.Encryption of the connection using the SSL protocol.
   • C.Protection of servers against unauthorized access, including the use of firewalls and intrusion detection systems (IDS).
   • D.Regular creation of data backups.
   • E.Restriction of access to personal data solely to authorized employees.
   • F.Employee training in the protection of personal data.
   • G.Use of strong passwords and multi-factor authentication.
   • H.Regular scanning for security vulnerabilities.

§11. Automated Decision-Making

1. 1.

   The Controller does not make decisions based solely on automated processing that would produce legal effects concerning the User or similarly significantly affect them. Rally.travel does not use profiling within the meaning of Art. 22 GDPR.

§12. External Links

1. 1.

   The Rally.travel website may contain links to other websites. Rally.travel is not responsible for the content or privacy policies of those websites. We recommend reviewing the privacy policy of each external website visited.

§13. Changes to the Privacy Policy

1. 1.

   The Controller reserves the right to make changes to this Privacy Policy. Users will be informed of material changes by electronic means or by means of a notice on the website. The updated version of the Policy will always be available on the website https://rally.travel.

§14. Contact with the Controller

1. 1.

   For matters related to the processing of personal data, the data controller may be contacted at the e-mail address: office@rally.travel