Privacy Policy

Apilo Sp. z. o.o. (limited liability company) (hereinafter “Apilo”) cares about your privacy and wants you to feel safe and comfortable while using our services. Therefore, below we present the most important information about the principles of our processing of your personal data on our Website. This information has been prepared taking into account GDPR, the General Data Protection Regulation. The Privacy Policy is uniform for all our websites and covers all areas of Apilo’s business. When you use Apilo’s services, the recipients of your data may be companies from the Shoper Group to which we belong, as well as our Business Partners. At the same time, our cooperation with Business Partners is based on service agreements and contracts setting conditions for the processing of personal data.

 

Personal data controller

The personal data controller is Apilo sp. z o.o. (limited liability company), ul. Pawia 9, 31-154 Krakow, NIP (Tax ID No.): 9372715154, REGON (Statistical No.): 380848632, KRS (National Court Register) No.: 0000741999, email: daneosobowe@apilo.com, phone: +48 (12) 44 66 800. Apilo processes data only on your behalf as a processor and only on your documented instructions (including on the basis of the relevant contract on entrusting data processing annexed to the main contract), and without such instruction only if we are obliged to do so by law.

 

Personal data and privacy

In connection with your use of the Website, Apilo collects data to the extent necessary to provide the services offered, as well as information about your activity on the Website. This means that, as a Controller, we have access to the data you provide when you enter into and perform a contract, create accounts and profiles in our services, and complete surveys or forms. We also process data that provide information about your activity, and data derived from cookies. On the basis of a separate consent Apilo may also process your data for other purposes.

 

Purposes and bases of data processing

In the course of its business activities, Apilo processes personal data for the following purposes depending on specific facts:

 

 
• Concluding an agreement/ providing services

At Apilo, an agreement is the primary document binding Apilo with each User. In this regard, we process data to conclude an agreement, perform a service, provide support or remind you about payment. The legal basis for this action is Article 6 section 1 letter b) of the GDPR until the termination or dissolution of the agreement, but subject to the expiration of any counterclaims. For the sake of quality and correctness of our services, we may also tailor them to the needs of our Users. Personal data will be stored for the term of the agreement and, after its termination, until the expiration of the deadlines for claims arising therefrom, usually 3 years and maximally 6 years.

 

 
• Marketing

If you give your consent to receive marketing information, or enter the Site with settings that allow us to conduct marketing activities, your personal data are processed on the basis of your consent. The legal basis for this action is Article 6 section 1 letter a) of the GDPR. Personal data are processed until you withdraw your consent or, when the law so provides, until the expiration of legal obligation on the part of Apilo.

 

 
• We are subject to a legal obligation, especially with regard to financial and accounting settlements, as well as the storage of evidence related to debt collection activities, litigation, etc.

Extra paid services, contests and special offers that are subject to tax settlements. Debt collection activities, possible disputes, complaints. In terms of fulfilling legal obligations – 6 years. The legal basis for this action is Article 6 section 1 letter c) of the GDPR.

 

 
• Performance of the Controller’s legitimate interest

On the basis of Article 6 section 1 letter f) of the GDPR on legitimate interest, Apilo processes data for purposes including: managing client relations, satisfaction surveys on our services provided in connection with the Website, direct marketing purposes, analytical purposes, establishing, pursuing, or defending possible claims, fraud prevention and ensuring network and information security
within our information systems, until an objection is filed.

 

Retention of personal data

The period of data processing by the Controller depends on the type of service provided and the purpose of the processing. As a general rule, data are processed for the period of service provision or order fulfilment, until the withdrawal of the granted consent or until an effective objection to data processing is raised in cases where the legal basis for data processing is the legitimate interest of the Controller.

Accordingly, we will process your data only for the period in which we have a legal basis to do so, that is until:

 
• we are no longer under a legal obligation to process your data (especially in relation to accounting in the case of paid services), or

 

• it is no longer possible to establish, assert or defend claims related
  to the agreement concluded between us, or

 

• you revoke your consent to data processing, if it has been the basis for it, or

 

• your objection to the processing of your personal data is accepted – where the basis for the processing of your data has been the legitimate interest of the controller or the data have been processed for direct marketing purposes (including profiling)

– depending on what is applicable in a given case and whichever comes later.

 

If you would like to know more about the retention periods, please contact us at the email indicated
in the Contact section.

 

User Rights

Apilo ensures the exercise of the User’s rights indicated below:

 

 
• Right to information about the processing of personal data (right of access) – on this basis, the Controller provides the requesting person with information
  about the processing of data, including, in particular, the purposes and legal bases for processing, the scope of data held, the entities to which they are disclosed and the planned date of data deletion.

 

• Right to rectification – the Controller is obliged to remove any inconsistencies or errors in the processed Personal Data and supplement them if they are incomplete.

 

• Right to obtain a copy of data – on this basis, the Controller provides a copy of the processed data concerning the person making the request.

 

• Right to data erasure – on this basis, you may request the erasure of data whose processing is no longer necessary to carry out any of the purposes for which they have been collected.

 

• Right to restrict processing – if such a request is made, the Controller shall cease the performance of operations on personal data, with the exception of operations consented to by the data subject, and their storage, in accordance with the adopted retention rules or until the causes for restricting data processing cease to exist (e.g. a decision is issued by a supervisory authority to authorise further data processing);

 

• Right to data portability – on this basis, within the scope in which data are processed by automated means in connection with a concluded agreement or given consent, the Controller shall issue the data provided by the data subject in a computer-readable format. It is also possible to request that such data be sent to another entity, provided, however, that it is technically possible in this regard both on the part of the Controller and the designated entity.

 

• Right to object – the data subject may, at any time, object to the processing of personal data that is carried out on the basis of the legitimate interest of the Controller. In addition, you can object to our use of cookies (which you can read about below), in particular, by using the appropriate browser settings and by deleting the cookies saved on your device.

 

• Withdrawal of consent – in the case of personal data processing on the basis of consent, without affecting the lawfulness of processing carried out on the basis of consent before the withdrawal.

 

A request for the exercise of data subjects’ rights can be submitted electronically via daneosobowe@apilo.com

 

Is it mandatory to provide data?

The provision of personal data is a condition for the conclusion and performance of the agreement for the provision of services by Apilo. The Users of the Website are obliged to provide them, and failure to provide personal data will result in the inability for Apilo to conclude and perform the agreement for the provision of services. Apilo always collects only the data that are necessary in accordance with the principle of data minimisation.

 

What data do we collect about you?

Data provided directly by you:

1 During registration: email address.

Providing the above data is necessary to use the services offered as part of the Account.

2 Additional personal data:

You may also voluntarily provide the following additional data when using our Services:

 
• full name;

 

• email address;

 

• mobile phone number.

 

Personal data recipients

The recipients of your personal data, i.e. entities to whom Apilo may transfer personal data, may be: state authorities or other entities authorised to access the data to the extent and for the purpose specified in specific legislations; Polish Post Office and courier companies; banks in the case of the need to conduct settlements; entities providing services to the Controller in support of its functioning within the scope of provided services, i.e., among others, IT service providers, auditing entities, entities providing accounting services, entities providing services supporting the recruitment process and entities providing marketing services, where such entities process data on the basis of an entrusting agreement and only in accordance with the Controller’s instructions; entities belonging to the Shoper capital group.

When sharing personal data with third parties or other entities, the data shared will be limited to the extent required by the third party or another entity to provide the required processing. In such cases, your personal data are protected under Data Processing Agreements that oblige third-party service providers to process your personal data for specific purposes and in accordance with our instructions, to comply with the GDPR, and apply appropriate security measures to protect your personal data in accordance with our internal policies. All transfers outside the EEA to countries deemed by the European Commission as not providing an adequate level of personal data protection are secured by an agreement based on the Standard Contractual Clauses approved by the European Commission.

 

Information about forms

The Website provides access to various forms that collect information voluntarily provided by the User, including personal data, if they are required and provided. The data provided in the form are processed for the purpose resulting from the function of the specific form, such as registration of services, business contact, etc. Each time, the context and description of the form clearly states its purpose.

 

Profiling

We use profiling on the Website. This will apply to you if your browser settings allow it. Such profiling involves the automatic assessment of what products or services you might be interested in, using information about the content you view. As a result, the advertisements for products or services displayed as part of the online services you use will be better tailored to you and your needs.

The profiling we perform does not result in decisions that produce legal effects against you or affect you in a similarly significant manner.

 

Analytical activities

On the Website we conduct analytical activities to make it more intuitive and accessible – this will apply to you if your browser settings allow it. As part of the analysis, we take into account how Site Users navigate the Site. For example, how much time they spend, on average, on given subpages, or which places on the Site they click on, all this without being able to identify a specific User. This allows us to customise the layout and appearance of the Website and the content posted therein to meet the needs of the Users.

The legal basis for this processing is Article 6 section 1 letter a) of GDPR (your consent).

While conducting analytical activities, we use the services of entities that may transfer your personal data outside the EEA. In such situations, pursuant to Article 46 section 2 letter c of the GDPR, we are bound by contracts with these entities that contain standard contractual clauses, as adopted by the European Commission.

 

Google Analytics

Our website uses Google Analytics, a website analysis service provided by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland (https://about.google/). Google Analytics uses cookies, that is text files stored on the computer to analyse how you use the website. The information generated by cookies about the use of the site is usually transferred to a Google server in the United States and stored there. If you activate IP anonymisation on this site, your IP address is first hashed by Google in the European Union member states and other signatory states to the agreement on the European Economic Area. The full IP address is only sent to a Google server in the United States and hashed there in exceptional cases. IP anonymisation on our site is active. On behalf of the site owner: Google uses this information to analyse site traffic in order to compile reports on activity on the owner’s site and to provide other services to the site owner related to the use of the site and the Internet in general. The IP address provided by your browser for Google Analytics purposes will not be merged with other Google data. You can prevent cookies from being saved by using the appropriate setting in your browser software, but we would like to inform you that if you do so, you may not be able to take full advantage of all the features of our website. Data processed through Google Analytics are deleted after 12 months.

In addition, you can prevent the collection of data generated by cookies and related to your use of our website (including your IP address) and sent to Google, as well as the processing of such data by Google, by downloading and installing the browser plug-in at the following link: https://tools.google.com/dlpage/gaoptout?hl=pl

The Google Analytics service is based on the collection and aggregation of data, but does not enable the identification of activities of specific users and their personal data.

The terms of use and data protection information can be found at https://www.google.com/analytics/terms/pl.html and https://policies.google.com/?hl=pl&gl=en

 

Google Tag Manager

Google Tag Manager is a tool for managing scripts on a website. With this tool, you can install various types of scripts on your website. This includes, but is not limited to, scripts related to consents given by the User, scripts that track User behaviour through analytical tools, such as Google Analytics, or conversion tracking from advertising systems, such as Google Ads. In connection with the use of the tool, Google collects aggregate data on the running of these scripts, without being able to identify a specific User. Detailed information about the scope and principles of data collection in connection with this service can be found at the following link: https://www.google.com/analytics/terms/tag-manager/

 

Google Ads

Google Ads is a tool that makes it possible to measure the effectiveness of the advertising campaigns carried out by the Controller, allowing for the analytics of such data as keywords or the number of unique users. The Google Ads platform also allows us to display our ads to people who have visited the Website in the past. Google Ads does not allow the identification of users’ activities to be linked to their personal data. The information on Google’s data processing in relation to the above service can be found at the following link: https://policies.google.com/technologies/ads?hl=pl

 

Google Conversion Tracking

Our website uses Google Conversion Tracking. This means that if you come to our site thanks to an advertisement placed on Google search engine, a corresponding cookie will be stored by Google Ads on your computer. The conversion tracking cookie only works when a user clicks on an ad or sponsored link on Google. These cookies become inactive after 30 days and are not used for personal identification. If a user only visits certain pages on our site and the cookie has not yet expired, we and Google can also see that the user has clicked the ad and has been sent to our site in response to it. Every Google Ads client receives different cookies. The cookies obtained in this way cannot be used by the websites of other Google Ads clients, and the information collected using cookies is used for statistics and conversion analysis (for Google Ads clients who have selected conversion tracking). The clients are provided with the total number of users who have clicked on an Apilo ad and have then been sent to a page with a conversion tracking tag. In such cases, Apilo does not receive any information which would enable users to be personally identified.

If you do not want to participate in tracking, you can opt out of cookies, for example, by using the browser settings which usually deactivate cookie settings or introduce browser settings that block cookies from a specific domain, e.g. the fake advertising platform of “googleleadservices.com.”

Please note that you cannot delete the cookies on tracking opt-out if you want your data not to be recorded. If you delete all cookies in your browser, you will need to set the corresponding cookie opt-out file again.

 

Google Remarketing

Our website uses the remarketing function of Google Inc. This feature is used to present interest-based ads on the Google advertising network. A cookie is stored in the browser of the visitor to our site, which enables us to recognise the user’s device when they visit sites belonging to the Google advertising network. On these sites, the visitor may be shown ads related to content the visitor has previously visited on sites that use the Google remarketing function.

According to the information provided by Google, the provider does not collect any personal data in the process. However, if you do not want to use the Google remarketing feature, you can disable it by adjusting the appropriate settings on the following website http://www.google.com/settings/ads

Alternatively, you can disable the use of cookies for interest-based advertising through an advertising network initiative by following the instructions at http://www.networkadvertising.org/managing/opt_out.asp 

 

Custom Audiences

Our site also uses communication tools provided by Google, in particular Google Customer List Targeting. An irreversible and non-personal hash code is generated from your usage data, and it can be passed on to Google for analytical and marketing purposes. Additional information about the purpose and scope of data collection, further processing and use of data, as well as information on privacy settings options, can be found in the data protection guidelines on the Google website https://policies.google.com/privacy?hl=pl

Google users can control what ads are displayed to them on the websites of Google services (this also applies to ads targeted to the client list) in the Google Ads Settings. If you have a Google account, you can opt out of personalised ads using the following link: https://www.google.com/settings/ads/onweb/

As part of our marketing efforts, we may also target ads to our clients through the Meta platform (Facebook, Instagram). To this end, we send our clients’ contact information, such as email address and phone number, to Meta in an encrypted form (hashed according to Meta’s requirements, such as the SHA256 algorithm). These data are only used to match the ads to the right recipients (Custom Audiences) and to create similar groups of users (Lookalike Audiences). We do not provide Meta with any additional information about the clients (e.g. their purchase history, background or type of service), and the segmentation itself is done solely on our side, based on data collected in the CRM system. The processing of data for advertising purposes within Meta is based on the user’s consent, if given, or on our legitimate interest as a data controller, if applicable to our existing clients (Article 6 section 1 letter f of the GDPR).
The data submitted to Meta are protected in accordance with their security standards and regulations on the processing of personal data, including the GDPR. The user has the right, at any time, to withdraw their consent to the processing of data for marketing purposes or to object to the use of their data for such purposes. In order to do so, please contact us at: daneosobowe@apilo.com

 

Hotjar

HotJar is a tool that allows the Controller to analyse the Users’ activity on the Website, e.g. through surveys or satisfaction studies, and through the anonymous collection of information about clicks on particular places on the Website. The tool does not allow for User identification. The information generated by the cookie about the use of our site is stored by Hotjar on servers in the European Union. Detailed information about the data collected via HotJar and how to deactivate User tracking is available at the following link: https://www.hotjar.com/privacy.

 

Userpilot

Our Website uses the Userpilot tool provided by Userpilot, 7200 North MoPac Expressway Suite 300, Austin, Texas 78731, USA. This tool allows the displaying of dynamic messages, prompts and surveys in real time to the users so as to better understand and improve the user experience. Userpilot may collect such data as: user ID (e.g. ID assigned by the system), email address (if provided), information about interaction with site elements (e.g. clicks, views) and other technical data (e.g. browser type, operating system). Data may be transferred outside the European Economic Area, in particular to the USA. Userpilot employs data protection measures in accordance with the requirements of the GDPR, including certification mechanisms (e.g. Data Privacy Framework). Legal basis: legitimate interest of the controller (Article 6 section 1 letter f of the GDPR) to ensure proper operation and to improve the functionality of the website. More information: https://userpilot.com/privacy/

 

Tools and plug-ins

Which providers do we use?
Our website uses social media plug-ins from the following providers: Facebook, Instagram, YouTube and LinkedIn.  The plug-ins allow the user to share content published on the Site with the social network of their choice. The use of plug-ins on the Site allows a given social network to receive information about the user’s activity on the Site which can be assigned to the user profile created in a given social network. The controller has no knowledge of the specific purposes of the social networks’ or the scope of data collection.

 

GetResponse

In order to carry out email marketing activities (e.g. sending newsletters, recurring messages, automated campaigns), we use the GetResponse system provided by GetResponse S.A. (joint-stock company), ul. Arkonska 6, 80-387 Gdańsk. GetResponse processes personal data, such as email address, first name (if provided), and information about interaction with the sent messages (e.g. opening emails, clicking links). Data may be stored on servers in the cloud infrastructure and, depending on the configuration, may be transferred outside the EEA. The legal basis for data processing is the user’s consent (Article 6 section 1 letter a of the GDPR).

 

Koda

On our website and in the client panel, we use the Koda tool provided by Koda Sp. z o.o. (limited liability company), with its registered office in Wrocław (ul. św. Mikołaja 7, 50-125 Wrocław). This tool allows the users to communicate with client services via chat available on the website and inside the client panel. As part of the chat operation, the following personal data may be processed: data voluntarily provided by the user (e.g. name, email address, message content), technical data (e.g. IP address, browser type, device, connection time), identification data if the user is logged in (e.g. account ID, contact information).

The data are used exclusively for: responding to user inquiries, correspondence on service-related matters, ensuring the continuity and quality of client services.
The legal basis for the processing of chat data is: Article 6 section 1 letter b of the GDPR – processing of data for the performance of a contract or pre-contractual activities, or Article 6 section 1 letter f of the GDPR – the controller’s legitimate interest in providing client services and improving the operation of the website.
Data may be stored for a limited period of time necessary to handle the ticket or for evidentiary purposes (e.g. complaints, requests for quotation) in accordance with the internal data retention policy.

Providers’ Data Privacy Statements
Additional information on the purpose and scope of data collection by plug-in providers can be found in the data protection statements provided by these providers. These statements also contain additional information about your rights and options regarding privacy protection.

 

 
• Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; http://www.facebook.com/policy.php; additional information on data collection: http://www.facebook.com/help/186325668085084. Facebook has signed up for the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework

 

• Instagram LLC, 1 Hacker Way, building 14, second floor, Mento Park, CA, USA, https://help.instagram.com/519522125107875?helpref=page_content The entity legally responsible for the data protection of this plug-in is: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland

 

• Google’s privacy policy can be found here: https://policies.google.com/privacy?hl=pl

 

• LinkedIn privacy policy can be found here: https://pl.linkedin.com/legal/privacy-policy

 

Cookies

The apilo.com website uses the so-called “cookies” which are small files with information saved on the client’s hard drive. In this way it can obtain basic information about how often the User visits the site, what elements of the site interest them most, etc. (IP address, browser type, operating system, duration of the visit, source of entry). This information is used only to generate statistics on the popularity of the website. Everybody has the right to refuse to save “cookies” on their computer. Every browser offers the possibility to automatically reject cookies.

The information on how to exercise the above option can be found with the manufacturer of the browser used by the individual (Opera, Firefox, Internet Explorer, Chrome, Safari).

More information about cookies can be found in our Cookies Policy.

The use of external websites and services, e.g. Facebook, entails the need to read the data processing rules of these sites.

 

Transfer of data outside the EEA

The Controller transfers Personal Data outside the European Economic Area (EEA) only when necessary, and with the adequate degree of protection, primarily through:

a) cooperation with processors of personal data in countries for which the European Commission has issued a decision determining an adequate level of personal data protection;

b) use of standard contractual clauses issued by the European Commission;

c) application of binding corporate rules approved by the relevant supervisory authority.

 

Data security

All personal data of the user which have been obtained through the website are processed in a manner that ensures their security in accordance with the provisions of the generally applicable laws, in particular with the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC.
In order to ensure the security of the Users’ data, Apilo has introduced the possibility of two-factor identity verification during logging in, the so-called two-factor authentication, 2FA). Two-factor user authentication is a mechanism through which you will secure access to the store’s Administration Panel with one-time, randomly generated codes sent to the user’s phone. By introducing an extra step when logging in, you will make it harder for your store’s account being hacked. As a user, you can use this feature to further secure your data and the data of your clients. However, this requires having an additional device and, among other things, sharing one’s phone number to receive messages with the codes.

 

Changes to the Privacy Policy

As we are constantly developing, our Privacy Policy is updated on a regular basis. Apilo reserves the right to update the above Privacy Policy. Changes will be made available to Users by publishing the updated version on this website.

The latest and current version of the Privacy Policy is effective as of 26 June 2025.