Privacy Policy - How we protect your data

Introduction

This Privacy Policy and Cookies document describes how WEBET Sp. z o.o. ("Administrator", "we", "us", "our") collects, processes, stores and protects your personal data in connection with use of the CheaperForDrug platform (taniejpolek.pl). This document has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR) and the Polish Personal Data Protection Act.

1. Data Controller

1.1 Controller's details

The controller of your personal data is:
WEBET SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ
ul. 1 Maja 30A
45-355 Opole, Poland
NIP: 7543346806
REGON: 520717497
KRS: 0000940072
Email: biuro@webet.pl
Phone: +48 798 908 242

1.2 Contact for data protection matters

On all matters relating to data protection you can contact us:
Email: biuro@webet.pl
Phone: +48 798 908 242 (Mon-Fri, 9:00-17:00)
By post: WEBET Sp. z o.o., ul. 1 Maja 30A, 45-355 Opole, Poland, marked "Data Protection"

2. Scope of personal data processed

2.1 Data provided by the user

Account data (mandatory):

Email address
Password (stored exclusively as a cryptographic hash - bcrypt with a salt, making it impossible to read the password even by the Service's administrators)
First and last name (optional)

Subscription and payment data:

Subscription type (free, paid one-time, annual)
Subscription status and purchase date
Payment information (processed by Stripe)
Transaction history

Usage data:

Shopping list and searched medicines
Search and comparison history
Saved user preferences

2.2 Automatically collected data

IP address and approximate geographical location
Browser type and version
Operating system and device type
Pages visited and time spent on the site
Source of visit (referrer)
Technical session data
Cookies and similar technologies

2.3 Payment data

Important: Your payment card details (card number, CVV, expiry date) are processed exclusively by Stripe, Inc. - a PCI DSS Level 1 certified payment provider. We do NOT store and do NOT have access to your full payment card details.

We store only:

Stripe Customer ID - a unique identifier in the Stripe system
Stripe Subscription ID - the subscription identifier
Stripe Payment Intent ID - the transaction identifier
Payment amount and currency (PLN)
Payment status (pending, completed, failed, cancelled)
Last 4 digits of the card (for identification)

3. Purposes and legal bases of processing

We process your personal data only for specified purposes and on the basis of appropriate legal grounds in accordance with Art. 6 GDPR:

3.1 Performance of a contract (Art. 6(1)(b) GDPR)

Creating and managing the user account
Providing medicine price comparison services
Operating the subscription (free or paid)
Payment processing
Sending service-related notifications

3.2 Compliance with legal obligations (Art. 6(1)(c) GDPR)

Issuing and storing VAT invoices
Fulfilling tax obligations
Fulfilling consumer-law obligations
Responding to requests of state authorities (to the extent required by law)

3.3 Legitimate interest (Art. 6(1)(f) GDPR)

Ensuring security and detecting abuse
Analysis and improvement of platform operations
Handling complaints and disputes
Pursuing claims or defending against claims
Archiving data for compliance purposes

3.4 Consent (Art. 6(1)(a) GDPR)

Sending newsletters with offers and promotions (direct marketing)
Personalisation of marketing communication
Setting and reading analytics and marketing cookies

Newsletter - combined legal basis:

Newsletters are sent on the basis of three legal grounds jointly: (a) Art. 6(1)(a) GDPR - your voluntary consent to processing your email address; (b) Art. 10(1) of the Polish Act of 18 July 2002 on the Provision of Electronic Services - your consent to receive commercial information by electronic means; (c) Art. 172(1) of the Polish Act of 16 July 2004 - Telecommunications Law - your consent to the use of telecommunications terminal equipment for direct marketing purposes. Consents are collected jointly by actively ticking a checkbox in the subscription form. You can withdraw any consent at any time by clicking the "Unsubscribe" link in the footer of every email or by contacting biuro@webet.pl.

You can withdraw consent at any time, which does not affect the lawfulness of processing carried out before its withdrawal.

4. Data retention period

We store your personal data for periods necessary to achieve the stated purposes, taking into account the periods required by law:

Data category	Retention period
Account data (email, password)	For the duration of the active account + 30 days after deletion
Payment data and invoices	6 years from the end of the calendar year of the transaction
Shopping list and search history	For the duration of the account or until deletion by the user
Technical data (IP, logs)	12 months
Marketing consent	Until consent is withdrawn
Correspondence and complaints	3 years after the matter is closed

5. Special categories of data - health data (Art. 9 GDPR)

The OTC medicine shopping list you create in the Service may, in certain situations, constitute health data within the meaning of Art. 4(15) and Art. 9(1) GDPR (e.g. a list containing medicines specific to a particular condition).

5.1 Legal basis of processing

Explicit consent of the User (Art. 9(2)(a) GDPR), expressed when first adding an item to the shopping list or when registering an account. Without this consent it is not possible to use the basket comparison function.

5.2 Scope

Names of OTC medicines and their quantities added to the shopping list, together with the User's account identifier.

5.3 Purpose

Exclusively price comparison of these medicines in online pharmacies presented in the Service. Data is used to generate a price-optimised basket and - at the User's request - to save the list in the account panel for reuse.

5.4 Withdrawal of consent

You may withdraw your consent at any time by deleting your shopping list in the user panel or by contacting biuro@webet.pl. Withdrawal does not affect the lawfulness of processing carried out before its withdrawal.

5.5 No health profiling

The Administrator does NOT use this data for health profiling, personalised marketing or share it with third parties for purposes other than price comparison in pharmacies. The Service does not provide medical or pharmaceutical advice.

5.6 No transfer to marketing

This data is NOT transferred to marketing processors (Google Ads, Meta Platforms) or analytics providers beyond anonymised aggregates in which individual medicines are not identifiable at the level of a single User.

6. Sharing of personal data

Your personal data may be shared with trusted processors exclusively to the extent necessary for the processing purposes. We have concluded data processing agreements with all the processors listed below in accordance with Art. 28 GDPR.

6.1 Stripe Payments Europe Ltd. and Stripe, Inc. (payment provider)

Role: Processor
Purpose of processing: Processing credit/debit card and other payment methods, managing subscriptions and automatic renewal, handling refunds and preventing payment fraud.
Data scope: Stripe Customer ID, Subscription ID, transaction ID, amount and currency, payment status, last 4 digits of card, User's email address, IP address (for fraud verification). Full card details (number, CVV, expiry date) are entered directly into the Stripe system and do not pass through our servers.
Location: Stripe Payments Europe Ltd. - Ireland (EEA); Stripe, Inc. - United States (global infrastructure).
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest - fraud prevention).
Transfer basis outside the EEA: EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023) - Stripe, Inc. is a certified entity. Additionally Standard Contractual Clauses (SCCs) and PCI DSS Level 1 certification.
Privacy policy: stripe.com/privacy

6.2 Hetzner Online GmbH (infrastructure hosting)

Role: Processor
Purpose of processing: Hosting the web application, API and PostgreSQL database, hosting the Elasticsearch search index and Redis cache.
Data scope: full scope of User data stored in the database (account data, shopping lists, search history, session data, technical logs).
Location: Germany (European Economic Area) - data does not leave the EEA.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Transfer basis: not applicable - processing takes place entirely within the EEA. Hetzner holds ISO 27001 and ISO 9001 certificates.

6.3 Twilio SendGrid, Inc. (transactional emails and newsletter)

Role: Processor
Purpose of processing: Sending transactional emails (registration confirmations, payment confirmations, subscription renewal notifications, password resets, confirmation links) and marketing newsletters.
Data scope: email address, first and last name (if provided at onboarding), message content, confirmation links, delivery/open status.
Location: United States.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract - transactional emails) and Art. 6(1)(a) GDPR in conjunction with the Polish Act on Electronic Services and the Telecommunications Law (consent - marketing newsletter).
Transfer basis outside the EEA: EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795) - Twilio SendGrid is a certified entity. Additionally Standard Contractual Clauses (SCCs).

6.4 Amazon Web Services EMEA SARL (S3 file hosting)

Role: Processor
Purpose of processing: Storing attachment files, static resources and backups in Amazon S3 (Active Storage).
Data scope: files attached by the User or generated by the Service (PDF invoices, GDPR data exports, static resources).
Location: Amazon Web Services EMEA SARL - Luxembourg (headquarters). Bucket region in the European Union (eu-west-1 / eu-central-1 - EU region for cheaperfordrug-* buckets - to be verified in the production configuration).
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(c) GDPR (legal obligation - invoice storage).
Transfer basis outside the EEA: EU-US Data Privacy Framework (Amazon Web Services is a certified entity) and Standard Contractual Clauses (SCCs). AWS holds ISO 27001, ISO 27017, ISO 27018 and SOC 1/2/3 certificates.

6.5 Rollbar, Inc. (application error monitoring)

Role: Processor
Purpose of processing: Detection, reporting and diagnosis of application errors to maintain the quality and security of the Service.
Data scope: error stack trace, session identifier, user agent, IP address, technical request context. User personal data is filtered (PII scrubbing) before transmission - first name, last name, email address, password and payment data are not transferred.
Location: United States.
Legal basis: Art. 6(1)(f) GDPR - legitimate interest of the Administrator in ensuring the security, stability and quality of the service provided.
Transfer basis outside the EEA: Standard Contractual Clauses (SCCs - Commission Implementing Decision (EU) 2021/914). As of the date of this Policy, Rollbar, Inc. is not certified under the EU-US Data Privacy Framework - data is transferred exclusively on the basis of SCCs and additional technical measures (PII scrubbing).

6.6 Google Ireland Ltd. and Google LLC (Google Tag Manager, Google Analytics 4, Google Ads)

Role: Processor - in respect of GA4 and Google Ads in accordance with the Google Ads Data Processing Terms.
Purpose of processing: Traffic measurement, user behaviour analysis, measurement of advertising campaign effectiveness (conversions), retargeting and Enhanced Conversions. Google Tag Manager container ID: GTM-5ZLFN8Z7.
Data scope: behavioural data (pages visited, session time, conversion path), conversion events, device identifiers (Google Client ID), IP address (truncated/anonymised). For Enhanced Conversions: user identifier and SHA-256 hashed email address.
Location: Google Ireland Ltd. - Ireland (EEA); Google LLC - United States (global infrastructure).
Legal basis: Art. 6(1)(a) GDPR (consent of the User expressed in the cookie banner) in conjunction with the Polish Telecommunications Law.
Transfer basis outside the EEA: EU-US Data Privacy Framework (Google LLC is a certified entity - Decision (EU) 2023/1795). Additionally Standard Contractual Clauses (SCCs).
Privacy policy: policies.google.com/privacy

6.7 Meta Platforms Ireland Ltd. and Meta Platforms, Inc. (Facebook Pixel)

Role: Joint controller (in respect of conversion event measurement - in accordance with the Controller Addendum for Facebook Business Tools).
Purpose of processing: Measurement of conversions of advertising campaigns on the Meta network (Facebook, Instagram), retargeting and creation of Lookalike Audiences. Pixel ID: 699317922143678.
Data scope: conversion events (PageView, AddToCart, PharmacyClick - custom Service event), Meta user identifier (if present), standard parameters (URL, event time), IP address. Data is transferred without direct personal identifiers on the Service side.
Location: Meta Platforms Ireland Ltd. - Ireland (EEA); Meta Platforms, Inc. - United States (global infrastructure).
Legal basis: Art. 6(1)(a) GDPR (consent of the User expressed in the cookie banner) in conjunction with the Polish Telecommunications Law.
Transfer basis outside the EEA: EU-US Data Privacy Framework (Meta Platforms, Inc. is a certified entity - Decision (EU) 2023/1795). Additionally Standard Contractual Clauses (SCCs).
Privacy policy: facebook.com/privacy/policy

We have concluded data processing agreements (DPA) with all the processors listed above in accordance with Art. 28 GDPR. The Administrator has not appointed a Data Protection Officer (DPO) - processing does not meet the criteria for mandatory designation set out in Art. 37(1) GDPR. All data protection matters can be addressed directly to the Administrator at biuro@webet.pl.

7. Data transfers outside the EEA

Some data may be processed outside the European Economic Area. Processing outside the EEA concerns the following entities: Stripe, Inc. (United States), Twilio SendGrid, Inc. (United States), Amazon Web Services - global infrastructure (with Service data hosted in EU regions), Rollbar, Inc. (United States), Google LLC (United States), Meta Platforms, Inc. (United States). Data processed by Hetzner Online GmbH remains entirely in Germany (EEA). Transfer of data outside the EEA takes place on the basis of:

(a) Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 on the EU-US Data Privacy Framework - in respect of certified entities (Stripe, Twilio SendGrid, AWS, Google, Meta)
(b) Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) - in other cases, including Rollbar, Inc.
(c) Organisational and technical measures compliant with PCI DSS Level 1, ISO 27001, SOC 2 - depending on the provider
(d) Additional technical safeguards such as SSL/TLS encryption, pseudonymisation and filtering of personal data (PII scrubbing) before transmission

A copy of the Standard Contractual Clauses (SCCs) and information on specific transfer safeguards can be obtained by contacting the Administrator at biuro@webet.pl.

8. Your rights (GDPR)

Under the GDPR you have the following rights:

8.1 Right of access to data (Art. 15 GDPR)

You can obtain confirmation as to whether we process your data and access to that data.

8.2 Right to rectification (Art. 16 GDPR)

You can request rectification of incorrect data or completion of incomplete data.

8.3 Right to erasure - "right to be forgotten" (Art. 17 GDPR)

You can request the erasure of data if it is no longer necessary or you have withdrawn consent.

8.4 Right to restriction of processing (Art. 18 GDPR)

You can request restriction of processing in certain situations.

8.5 Right to data portability (Art. 20 GDPR)

You can receive your data in CSV or JSON format and transmit it to another controller.

8.6 Right to object (Art. 21 GDPR)

You can object at any time to data processing for marketing purposes.

8.7 Right to withdraw consent (Art. 7(3) GDPR)

If processing is based on consent, you can withdraw it at any time.

8.8 Right to lodge a complaint (Art. 77 GDPR)

You may lodge a complaint with the supervisory authority - in Poland the President of the Personal Data Protection Office:

Personal Data Protection Office (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
Email: kancelaria@uodo.gov.pl
Phone: +48 22 531 03 00
Website: uodo.gov.pl

How to exercise your rights?

To exercise any of the above rights, contact us:

Email: biuro@webet.pl
Phone: +48 798 908 242
By post: WEBET Sp. z o.o., ul. 1 Maja 30A, 45-355 Opole, Poland (marked "Data Protection")

We will respond to your request without undue delay - no later than within one month of receipt of the request.

9. Data security

We apply appropriate technical and organisational measures to protect your personal data:

9.1 Technical measures

SSL/TLS encryption for all data transmissions
Hashing of passwords with the bcrypt algorithm with an individual salt (one-way, irreversible - the password cannot be recovered even by the administrator)
Encryption of sensitive data in the database
Regular encrypted backups
Firewall and DDoS protection
24/7 security monitoring

9.2 Organisational measures

Limited access to personal data
Information security policies
Regular staff training
Confidentiality agreements with employees and contractors
Periodic security audits

10. Cookies policy

10.1 What are cookies?

Cookies are small text files saved by your browser on your device while browsing websites. They allow your device to be recognised and information about your visit to be remembered.

10.2 What cookies do we use?

Essential cookies

Purpose: Necessary for the proper functioning of the website
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
Duration: Session or up to 1 year

Examples: session ID, CSRF token, cookie_consent

Functional cookies

Purpose: Remembering preferences and settings
Legal basis: Legitimate interest
Duration: Up to 12 months

Examples: user_preferences, theme_mode

Stripe cookies (payments)

Purpose: Payment processing, fraud prevention
Provider: Stripe, Inc. (USA)
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)
Duration: From session up to 2 years

Examples: __stripe_mid, __stripe_sid
More info: stripe.com/cookies-policy/legal

Analytics cookies

Purpose: Analysis of user behaviour, site optimisation
Legal basis: User consent (Art. 6(1)(a) GDPR)
Duration: Up to 24 months

privacy.sections.cookies.types.analytics.examples

Note: These cookies will be used only with your explicit consent.

10.3 Cookies management

On your first visit we will display a banner with cookie information. You can:

Accept all cookies - consent to all types
Customise preferences - select cookie types
Reject optional cookies - essential cookies only

You can also manage cookies in your browser settings (Chrome, Firefox, Safari, Edge).

Note: Disabling some cookies may affect the functionality of the site. Essential cookies cannot be disabled without losing basic functionality.

11. Children's privacy

The Service is intended for adults (18 years and older) in accordance with the Terms. The Administrator does not knowingly collect personal data from persons under 16. If it is determined that data from a person under 16 has been collected without verifiable consent of the parental authority (Art. 8(1) GDPR), it will be deleted without delay. If you are a parent or guardian and believe that a child has provided us with personal data, please contact us at biuro@webet.pl.

12. Changes to the privacy policy

We may update this privacy policy from time to time. We will inform you of material changes:

By sending an email notification
By a notice on the home page
By a pop-up on first login after the change

In the event of material changes affecting the scope of personal data processing, we will ask you to actively accept the updated policy in the Service panel. Failure to accept within 14 days of being informed may result in limited access to features requiring consent to the new processing terms.

13. Contact

If you have questions about this privacy policy or wish to exercise your rights, contact us:

Email: biuro@webet.pl

Phone: +48 798 908 242 (Mon-Fri, 9:00-17:00)

Address: WEBET Sp. z o.o., ul. 1 Maja 30A, 45-355 Opole, Poland

We respond to general enquiries within 3 working days and to GDPR requests within one month.

GDPR compliance: CheaperForDrug is fully compliant with the General Data Protection Regulation (GDPR - Regulation (EU) 2016/679) and the Polish Personal Data Protection Act of 10 May 2018. Your data is processed in accordance with the highest standards of security and privacy.

Legal references of the document:

Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)
The Polish Act of 10 May 2018 on the Protection of Personal Data
The Polish Act of 18 July 2002 on the Provision of Electronic Services
The Polish Act of 16 July 2004 - Telecommunications Law
The Polish Act of 30 May 2014 on Consumer Rights
Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 (EU-US Data Privacy Framework)
Commission Implementing Decision (EU) 2021/914 (Standard Contractual Clauses)

Document change history

13 May 2026 - compliance audit update: list of data processors updated (Stripe, Hetzner, Twilio SendGrid, AWS, Rollbar, Google, Meta instead of previously mentioned Vercel/Scalingo), special-category data section added (Art. 9 GDPR - health data in OTC shopping lists), Terms-change clauses updated (active acceptance instead of silent) and automatic subscription renewal (notification 7 days in advance), bcrypt terminology corrected (hashing instead of encryption), age rules clarified (16/18), legal basis for newsletter updated.
17 November 2025 - initial version of the document.

Introduction

Data category

Retention period

Account data (email, password)

For the duration of the active account + 30 days after deletion

Payment data and invoices

6 years from the end of the calendar year of the transaction

Shopping list and search history

For the duration of the account or until deletion by the user

Technical data (IP, logs)

12 months

Marketing consent

Until consent is withdrawn

Correspondence and complaints

3 years after the matter is closed