Privacy Policy

1. General Provisions

This Privacy Policy is informational in nature and sets out the rules for processing personal data of Users using the website unisonhearts.pl (hereinafter: “Service”), through which tickets are sold for events organized under the Unison Hearts brand.

The Policy does not impose obligations on Users, but constitutes the fulfillment of the Controller’s information obligation arising from Article 13 of the GDPR.

2. Personal Data Controller

The personal data controller is:

Name: Colorful Sp. z o.o
Trade name: Unison Hearts
Headquarters: Kraków, Poland
Tax ID: 6772379072
REGON: 123025909
KRS: 0000494219
Email: unisonhearts.pl@gmail.com

The Controller has not appointed a Data Protection Officer. For matters related to personal data protection, you can contact us at the email address provided above.

3. Method of Collecting Personal Data

Users’ personal data is collected through the Service in the following ways:

  • providing personal data during the ticket purchase process for an event;
  • providing personal data during optional account registration in the Service;
  • subscribing to the newsletter;
  • collecting data through cookies—only with the User’s prior consent.

Providing personal data is voluntary, but necessary to purchase a ticket and participate in the event. Failure to provide the required data makes it impossible to enter into a contract.

4. Scope of Processed Data

Depending on the actions taken in the Service, we process the following categories of personal data:

  • first and last name,
  • date of birth (for age requirement verification),
  • email address,
  • phone number,
  • data on purchased tickets and order history,
  • data provided voluntarily by the participant (e.g., preferences regarding participant matching),
  • Tax ID—optionally, only for invoice issuance purposes.

Age requirement: events organized by the Controller are intended exclusively for people aged 25 to 55. Providing the date of birth is used to verify compliance with this condition. People who do not meet the age criterion cannot participate in the event.

5. Purposes and Legal Bases for Data Processing

The table below presents the purposes of data processing, their scope, and legal bases in accordance with the GDPR:

Type of data | Purpose of processing | Legal basis
First name, last name, email, phone, date of birth, order history, Tax ID (optional) | Conclusion and performance of ticket sale contract; account registration; order processing; electronic ticket delivery; handling complaints | Article 6(1)(b) GDPR (performance of contract)
First name, last name, email, purchase history | Issuance and storage of invoices and accounting documents | Article 6(1)(c) GDPR (legal obligation)
First name, last name, email, purchase data | Establishment, defense, or pursuit of claims | Article 6(1)(f) GDPR (legitimate interest of the Controller)
Email address | Sending newsletter—information about upcoming events | Article 6(1)(a) GDPR (consent) + Article 172 of the Telecommunications Law
Participant preferences | Participant matching—without disclosing data to other participants | Article 6(1)(a) GDPR (consent)
Image (photos/video) | Documentation and promotion of events | Article 6(1)(a) GDPR (consent)
Activity data from cookies | Marketing, profiling of User preferences | Article 6(1)(a) GDPR (consent)
Data from contact form | Responding to User inquiries | Article 6(1)(f) GDPR (legitimate interest of the Controller)
All data processed in IT systems | Creating and storing backups; ensuring integrity, availability, and confidentiality of systems | Article 32(1)(b) and (c) GDPR

6. Recipients of Personal Data

Users’ personal data may be shared with the following categories of recipients:

  • entities verifying tickets during the event (first name, last name, order code, email);
  • payment intermediaries (e.g., PayU, BLIK and payment card operators);
  • SaaS software providers used by the Controller;
  • IT and hosting service providers;
  • Google Ireland Limited—for Google Analytics services;
  • Meta Platforms Ireland Limited—for Facebook Pixel services and advertising on Facebook and Instagram platforms;
  • TikTok Technology Limited—for collecting statistical data.

Participants’ personal data is not shared with other event participants or third parties, except for the entities listed above, acting solely on the basis of data processing agreements (Article 28 GDPR).

7. Transfer of Data Outside the European Economic Area (EEA)

Users’ personal data may be transferred to third countries (in particular to the United States of America) in connection with the Controller’s use of services provided by Google Inc. and Meta Platforms.

Data transfer takes place with appropriate safeguards required by the GDPR, in particular standard contractual clauses approved by the European Commission. The User has the right to obtain a copy of the data transferred to a third country.

8. Data Retention Period

Personal data will be stored for periods necessary to achieve the purposes for which they were collected:

Purpose of processing | Retention period
Performance of ticket sale contract | Until deregistration or until the expiration of the limitation period for claims
Tax and accounting obligations | 5 years from the end of the tax year, in accordance with legal provisions
Pursuit or defense of claims | Until the expiration of the limitation period for claims
Marketing (newsletter) | Until consent is withdrawn
Data from cookies | According to browser settings or until consent is withdrawn
User account | Until deregistration from the Service

9. Rights of Data Subjects

Each User whose data is processed by the Controller has the following rights:

  • Right of access to data (Article 15 GDPR)—the right to obtain confirmation of whether data is being processed and access to it;
  • Right to rectification (Article 16 GDPR)—the right to immediate rectification of inaccurate data or completion of incomplete data;
  • Right to erasure (Article 17 GDPR)—the right to request immediate erasure of data if the conditions specified in this provision are met;
  • Right to restriction of processing (Article 18 GDPR)—the right to request restriction of data processing in the cases specified in this provision;
  • Right to data portability (Article 20 GDPR)—the right to receive data in a structured, commonly used format;
  • Right to object (Article 21 GDPR)—the right to object to data processing for direct marketing purposes or based on legitimate interest;
  • Right to withdraw consent—at any time, without affecting the lawfulness of processing before its withdrawal;
  • Right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw).

To exercise the above rights, contact the Controller electronically at: unisonhearts.pl@gmail.com.

10. Objection to Data Processing for Marketing Purposes

The User has the right to object to the processing of personal data for direct marketing purposes, including profiling. After submitting an objection, the Controller will not process data for this purpose.

For direct marketing purposes, data may be processed in an automated manner, including in the form of profiling, which involves analyzing User behavior in the Service and tailoring the offer to their preferences. The User has the right not to be subject to profiling.

11. Cookies and Operational Data

The Service uses cookies—small text files stored on the User’s device.

Purposes of using cookies:

  • identifying the User as logged in;
  • remembering selected tickets in the shopping cart;
  • remembering login credentials;
  • adapting the Service content to User preferences;
  • conducting anonymous statistics on Service usage;
  • remarketing—displaying personalized ads to users who previously visited the Service.

By default, most web browsers accept cookies. The User can change cookie settings through their browser settings, which may, however, affect the functionality of the Service (e.g., prevent ticket purchase).

The Controller also processes anonymized operational data (IP address, domain) to generate statistics. This data is collective and anonymous—it does not contain features identifying specific Users.

12. Automated Decision-Making and Profiling

Users’ personal data will not be used for automated decision-making that produces legal effects or similarly significantly affects the User’s situation.

To a limited extent, data may be used to match event participants (so-called matching) based on preferences provided by the User, only with their consent. This action does not produce legal effects and does not significantly affect the User’s situation.

13. Data Security

The Controller applies appropriate technical and organizational measures to ensure the protection of processed personal data, in particular:

  • encryption of transmitted data (SSL/TLS protocol);
  • access control to IT systems;
  • regular creation of backups;
  • protection of data against disclosure to unauthorized persons, loss, destruction, or damage.

14. Voluntary Provision of Data

15. Links to Other Websites

The Service may contain links to other websites. The Controller is not responsible for the privacy policies applied by these sites. We recommend reviewing the privacy policy of each external site you visit.

16. Changes to the Privacy Policy

The Controller reserves the right to change this Privacy Policy. All changes will be published on the Service website with the effective date. Using the Service after changes are introduced means accepting them.