This policy was last amended on 23rd of May 2018 to comply with the new GDPR (General Data Protection Regulation) law which supersedes the DPA, by using our website and our services you consent to this privacy policy. If we decide to change this policy, we will post those changes on this page, and update the privacy policy modification date above.

We are a “data controller” for the purposes of the Act, as we process personal data on your behalf. With this deadline approaching, we are currently in the process of contacting all of our data subjects to inform them of our terms of business that meet the requirements of GDPR.

If you have any questions regarding this privacy policy you may contact our DPO, Paweł Żelazik at info@cava.pl
Or contact us directly: CAVA ul. Nowy Świat 30, 00-373 Warsaw, Poland

What information do we collect?

We collect information from you when you place an order, fill out a form or make a payment. When contacting us on the phone, we may record your call for training and quality control purposes. When contacting us from this site you may be asked to enter your name, e-mail address or phone number as appropriate. You may, however, visit our site anonymously.

For placing orders online we require you to use our booking engine. We implement a variety of security measures to maintain the safety of your personal information when you place an order:

• Our booking site is a secure server. All supplied sensitive/credit information is transmitted via Secure Socket Layer (SSL) technology. This is then encrypted into our payment gateway provider’s database, it is only to be accessible by those authorized with special access rights to such systems, and who are required to keep the information confidential.
• After a transaction, sensitive private information (social security numbers, financials, etc.) will not be stored on our servers.

What do we use your information for?

Any of the information we collect from you may be used to:

• Improve customer service. Your information helps us to more effectively respond to your customer service requests and support needs.
• Process transactions.
• Administer a contest, promotion, survey or other site feature.
• Send periodic emails. The email address you provide for order processing, may be used to send you information and updates pertaining to your order. These updates may on occasion also include company news, updates, related product or service information, etc.

Lawful basis for processing your personal data

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

If customers do not provide the information required for processing transactions, then we will be unable to provide a service to the customer.

Processing of your personal data

Description of processing

• The following is a broad description of the way this organisation/data controller processes personal information. Or see ICO Register of Data Controllers – Registration Number: ZA014467, ZA336570 (CCTV) & ZA014397.
• We process personal information to enable us to promote our goods and services, to maintain our accounts and records and to support and manage our staff.
• We process information relevant to the above reasons/purposes. This may include:
• Personal details.
• Family, lifestyle and social circumstances.
• Financial details
• Employment and education details.
• Goods or services provided.

We also process sensitive classes of information that may include:

• Physical or mental health details.
• Racial or ethnic origin.
• Religious or other beliefs of a similar nature.
• Trade union membership.

We may at times need to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the General Data Protection Regulation (GDPR). What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons

Where necessary or required we share information with:

• family, associates and representatives of the person whose
• personal data we are processing
• employment and recruitment agencies
• current, past and prospective employers
• educators and examining bodies
• central government
• credit reference agencies
• suppliers and service providers
• debt collection and tracing agencies
• financial organisations
• CCTV is used for maintaining the security of property and premises and for prevention and investigating crime, it may also be used to monitor staff when carrying out work duties. For these reasons the information processed may include visual images, personal appearance and behaviours. This information may be about staff, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance. Where necessary or required this information is shared with the data subjects themselves, employees and agents, services providers, police forces, security organisations and persons making an enquiry.
• It may sometimes be necessary to transfer personal information overseas. When this is needed information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the data protection act.

Do we use cookies?

Yes. Cookies are small files that a site or its service provider transfers to your computer’s hard drive through your web browser (if you allow). This enables the sites or service providers systems to recognize your browser and capture and remember certain information.

We use cookies to compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future. We may contract with third-party service providers to assist us in better understanding our site visitors. These service providers are not permitted to use the information collected on our behalf except to help us conduct and improve our business.

If you would like to delete our cookies from your computer then click here.

Do we disclose any information to outside parties?

We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. This does not include trusted third parties who assist us in operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential.

We may also release your information when we believe release is appropriate. For example, this may be to comply with the law, enforce our site policies, or protect ours or others rights, property, or safety. However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.

Retention Policy

CAVA will no longer be holding data which we have not gained contractual obligations for after 30 days, depending on the sensitivity of this data, it will be deleted instantly. Ranks of sensitivity will be outlined below, as well as some exceptions where data may be held longer lawfully.

Where personal data is held

CAVA holds personal data in a few different locations, these can include: Our own database servers, email accounts, desktops, employee owned devices, paper files and backup storage.

Procedures in place for deletion

Accounts related data that is processed via our two database servers are subject to a 90 day non-usage review of the account, followed up by a 6 month review before the erasure or separation of any personal or sensitive data. Also upon request by the authorised account holder data will be deleted from both database servers within 30 days of the request followed up by a privacy notification and confirmation of the deletion. This can be done by contacting the DPO at CAVA on +48 228266427 or info@cava.pl

Data processed via email are subject to the Apple Software on board retention policy, this includes the purging of unfiled mail after 30 days.

Employee and mobile users including sub-processors who process data on behalf of our company are subject to a systematic 30 days deletion policy after the completion of a contractual obligation. This is achieved via our Ground Alliance Software which is downloaded onto mobile devices. On board encryption is also enabled on all our mobile devices which are set to delete all information on the device after multiple failed password attempts.

Exceptions where data may be held longer than our 30-day retention period

Financial data stored on our accounts server or stored as hard copies are held for up to 7 years before disposal due to TAX and VAT legalities.

Ranks of sensitive data – Different retention periods

Security criticality of sensitive or personal data which we process will be described and provided for in section 3.1 below, this policy contains requirements for the deletion of any data we process either personal or sensitive ranked ‘low’, ‘medium’ and ‘high’.

System data ranking

• 1 – High – For the requirement of our business and the completion of contractual obligations with our clients it is very important to us that any financial data we store or process for or on behalf of our clients is subject to immediate tokenisation/masking of card details which include CVV/CVV2 information, card number and expiration date. However if data is to be processed as a one off request this data will be deleted after processing with immediate effect unless contractual consent is gained.
• 2 – Medium – Account data which may include but not limited to personal data and goods or services provided will be subject to regular review of the data stored for the purpose of maintaining account records. This data allows us to complete our contractual agreements and can include but not limited to the client’s name, address and contact details. Upon request by the authorised account holder this data can be deleted from our systems within 30 days of the request.
• 3 – Low – Sensitive classes of information that may include physical or mental health issues, racial or ethnic origin, religious or other beliefs of a similar nature and trade union memberships are stored for legalities but are not processed. We do not use profiling nor automated decision making systems as a part of our company policies. Deletion of this data is subject to but not limited to either upon request or legal obligations.

Your rights as a data subject

We have a robust process for dealing with costumer queries and subject access request is in place, this includes but not limited to the right to withdraw any processing of your personal data and to remove any personal or sensitive data. The request can be made via email or telephone to the  DPO at CAVA on +48 228266427 or info@cava.pl

Our consumer query process is also used to monitor our customers, our data partner and our product/processes. Root cause analysis is applied to every enquiry, allowing us to identify if further action is required.

Your right to request from the controller restriction of processing of personal data can be applied upon request by the authorised account holder.

You have a right to lodge a complaint with a supervisory authority in regards to how your information has been handled. Please contact the Information Commissioner’s Office (ICO).

https://ico.org.uk/concerns/handling/

Client account data is stored in SQL tablespaces & data file formats which can be exported into either a Microsoft excel spreadsheet or Adobe PDF which is then encrypted with a password before sending out electronically. Immediate access to account details is available to clients with web access to our online booking platform which allows the client to update or change the account records, this functionality is secured using a Secure Socket Layer (SSL).

Childrens Online Privacy Protection Act Compliance

We are in compliance with the requirements of COPPA (Childrens Online Privacy Protection Act). We do not collect any information from anyone under 13 years of age. Our website, products and services are all directed to people who are at least 13 years old or older.

This policy was last amended on 23rd of May 2018 to comply with the new GDPR (General Data Protection Regulation) law which supersedes the DPA, by using our website and our services you consent to this privacy policy. If we decide to change this policy, we will post those changes on this page, and update the privacy policy modification date above.

We are a “data controller” for the purposes of the Act, as we process personal data on your behalf. With this deadline approaching, we are currently in the process of contacting all of our data subjects to inform them of our terms of business that meet the requirements of GDPR.

If you have any questions regarding this privacy policy you may contact our DPO, Paweł Żelazik at info@cava.pl
Or contact us directly: CAVA ul. Nowy Świat 30, 00-373 Warsaw, Poland

What information do we collect?

We collect information from you when you place an order, fill out a form or make a payment. When contacting us on the phone, we may record your call for training and quality control purposes. When contacting us from this site you may be asked to enter your name, e-mail address or phone number as appropriate. You may, however, visit our site anonymously.

For placing orders online we require you to use our booking engine. We implement a variety of security measures to maintain the safety of your personal information when you place an order:

• Our booking site is a secure server. All supplied sensitive/credit information is transmitted via Secure Socket Layer (SSL) technology. This is then encrypted into our payment gateway provider’s database, it is only to be accessible by those authorized with special access rights to such systems, and who are required to keep the information confidential.
• After a transaction, sensitive private information (social security numbers, financials, etc.) will not be stored on our servers.

What do we use your information for?

Any of the information we collect from you may be used to:

• Improve customer service. Your information helps us to more effectively respond to your customer service requests and support needs.
• Process transactions.
• Administer a contest, promotion, survey or other site feature.
• Send periodic emails. The email address you provide for order processing, may be used to send you information and updates pertaining to your order. These updates may on occasion also include company news, updates, related product or service information, etc.

Lawful basis for processing your personal data

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

If customers do not provide the information required for processing transactions, then we will be unable to provide a service to the customer.

Processing of your personal data

Description of processing

• The following is a broad description of the way this organisation/data controller processes personal information. Or see ICO Register of Data Controllers – Registration Number: ZA014467, ZA336570 (CCTV) & ZA014397.
• We process personal information to enable us to promote our goods and services, to maintain our accounts and records and to support and manage our staff.
• We process information relevant to the above reasons/purposes. This may include:
• Personal details.
• Family, lifestyle and social circumstances.
• Financial details
• Employment and education details.
• Goods or services provided.

We also process sensitive classes of information that may include:

• Physical or mental health details.
• Racial or ethnic origin.
• Religious or other beliefs of a similar nature.
• Trade union membership.

We may at times need to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the General Data Protection Regulation (GDPR). What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons

Where necessary or required we share information with:

• family, associates and representatives of the person whose
• personal data we are processing
• employment and recruitment agencies
• current, past and prospective employers
• educators and examining bodies
• central government
• credit reference agencies
• suppliers and service providers
• debt collection and tracing agencies
• financial organisations
• CCTV is used for maintaining the security of property and premises and for prevention and investigating crime, it may also be used to monitor staff when carrying out work duties. For these reasons the information processed may include visual images, personal appearance and behaviours. This information may be about staff, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance. Where necessary or required this information is shared with the data subjects themselves, employees and agents, services providers, police forces, security organisations and persons making an enquiry.
• It may sometimes be necessary to transfer personal information overseas. When this is needed information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the data protection act.

Do we use cookies?

Yes. Cookies are small files that a site or its service provider transfers to your computer’s hard drive through your web browser (if you allow). This enables the sites or service providers systems to recognize your browser and capture and remember certain information.

We use cookies to compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future. We may contract with third-party service providers to assist us in better understanding our site visitors. These service providers are not permitted to use the information collected on our behalf except to help us conduct and improve our business.

If you would like to delete our cookies from your computer then click here.

Do we disclose any information to outside parties?

We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. This does not include trusted third parties who assist us in operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential.

We may also release your information when we believe release is appropriate. For example, this may be to comply with the law, enforce our site policies, or protect ours or others rights, property, or safety. However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.

Retention Policy

CAVA will no longer be holding data which we have not gained contractual obligations for after 30 days, depending on the sensitivity of this data, it will be deleted instantly. Ranks of sensitivity will be outlined below, as well as some exceptions where data may be held longer lawfully.

Where personal data is held

CAVA holds personal data in a few different locations, these can include: Our own database servers, email accounts, desktops, employee owned devices, paper files and backup storage.

Procedures in place for deletion

Accounts related data that is processed via our two database servers are subject to a 90 day non-usage review of the account, followed up by a 6 month review before the erasure or separation of any personal or sensitive data. Also upon request by the authorised account holder data will be deleted from both database servers within 30 days of the request followed up by a privacy notification and confirmation of the deletion. This can be done by contacting the DPO at CAVA on +48 228266427 or info@cava.pl

Data processed via email are subject to the Apple Software on board retention policy, this includes the purging of unfiled mail after 30 days.

Employee and mobile users including sub-processors who process data on behalf of our company are subject to a systematic 30 days deletion policy after the completion of a contractual obligation. This is achieved via our Ground Alliance Software which is downloaded onto mobile devices. On board encryption is also enabled on all our mobile devices which are set to delete all information on the device after multiple failed password attempts.

Exceptions where data may be held longer than our 30-day retention period

Financial data stored on our accounts server or stored as hard copies are held for up to 7 years before disposal due to TAX and VAT legalities.

Ranks of sensitive data – Different retention periods

Security criticality of sensitive or personal data which we process will be described and provided for in section 3.1 below, this policy contains requirements for the deletion of any data we process either personal or sensitive ranked ‘low’, ‘medium’ and ‘high’.

System data ranking

• 1 – High – For the requirement of our business and the completion of contractual obligations with our clients it is very important to us that any financial data we store or process for or on behalf of our clients is subject to immediate tokenisation/masking of card details which include CVV/CVV2 information, card number and expiration date. However if data is to be processed as a one off request this data will be deleted after processing with immediate effect unless contractual consent is gained.
• 2 – Medium – Account data which may include but not limited to personal data and goods or services provided will be subject to regular review of the data stored for the purpose of maintaining account records. This data allows us to complete our contractual agreements and can include but not limited to the client’s name, address and contact details. Upon request by the authorised account holder this data can be deleted from our systems within 30 days of the request.
• 3 – Low – Sensitive classes of information that may include physical or mental health issues, racial or ethnic origin, religious or other beliefs of a similar nature and trade union memberships are stored for legalities but are not processed. We do not use profiling nor automated decision making systems as a part of our company policies. Deletion of this data is subject to but not limited to either upon request or legal obligations.

Your rights as a data subject

We have a robust process for dealing with costumer queries and subject access request is in place, this includes but not limited to the right to withdraw any processing of your personal data and to remove any personal or sensitive data. The request can be made via email or telephone to the  DPO at CAVA on +48 228266427 or info@cava.pl

Our consumer query process is also used to monitor our customers, our data partner and our product/processes. Root cause analysis is applied to every enquiry, allowing us to identify if further action is required.

Your right to request from the controller restriction of processing of personal data can be applied upon request by the authorised account holder.

You have a right to lodge a complaint with a supervisory authority in regards to how your information has been handled. Please contact the Information Commissioner’s Office (ICO).

https://ico.org.uk/concerns/handling/

Client account data is stored in SQL tablespaces & data file formats which can be exported into either a Microsoft excel spreadsheet or Adobe PDF which is then encrypted with a password before sending out electronically. Immediate access to account details is available to clients with web access to our online booking platform which allows the client to update or change the account records, this functionality is secured using a Secure Socket Layer (SSL).

Childrens Online Privacy Protection Act Compliance

We are in compliance with the requirements of COPPA (Childrens Online Privacy Protection Act). We do not collect any information from anyone under 13 years of age. Our website, products and services are all directed to people who are at least 13 years old or older.