Back to Project HERO

Privacy

Privacy policy

Below we explain what data we process, for what purpose, and what rights users of the website have.

Privacy policy of the rumourpandora.pl website

Last updated: 25 May 2026

1. General information

This Privacy Policy defines the rules for processing the personal data of users of the rumourpandora.pl website, including the Project HERO by Rumour × Pandora page, service subpages, Rumour Cocktail Bar and Pandora Cocktail Bar subpages, contact forms, the event brief form, and communication conducted by e-mail, phone, WhatsApp, Instagram, Facebook, Google, TripAdvisor and other channels indicated on the website.

The website serves to present the services of Project HERO, Rumour Cocktail Bar and Pandora Cocktail Bar, to receive enquiries, handle reservations, communicate with clients, and to prepare proposals relating to events, workshops, tastings, bar service and mobile bar hire.

2. Data controller

The data controller is:

Krakowska Ambasada Rumu sp. z o.o.

ul. Pijarska 9 lok. LU2, 31-015 Kraków

NIP: 6762711843

REGON: 543846200

KRS: 0001220573

Contact regarding personal data:

e-mail: events@rumourpandora.pl

phone: +48 693 389 210

If the website uses the trade names “Project HERO”, “Rumour Cocktail Bar” or “Pandora Cocktail Bar”, this does not change the fact that the data controller is Krakowska Ambasada Rumu sp. z o.o..

The Controller has not appointed a Data Protection Officer, unless separate information indicates otherwise.

3. What data we may process

Depending on the method of contact, we may process the following data:

  1. data provided in the event brief form: name and surname, e-mail address, phone number, company or organisation name, event date, location, city, event type, number of guests, estimated service duration, information about the required scope of service, invoice information, approximate budget, link to inspiration, message content and other information voluntarily provided in the form;
  2. data related to a reservation or contact with Rumour Cocktail Bar or Pandora Cocktail Bar: name, phone number, e-mail, date and time of reservation, number of persons, reservation preferences, message content and contact channel;
  3. data from communication via e-mail, phone, WhatsApp, Instagram, Facebook or other channels: name and surname or profile name, phone number, e-mail address, profile identifier, correspondence content, date of contact and information voluntarily provided in the conversation or message;
  4. technical data: IP address, date and time of visit, device, browser and operating system information, visited subpages, source of entry to the website, server logs, cookie data and data related to form security.

You should not submit data of special categories through forms, such as health information, views, beliefs or other sensitive data, unless this is genuinely necessary in a specific case and has been agreed in advance with the Controller.

4. Purposes and legal bases for processing

We process personal data for the following purposes:

  1. handling enquiries and forms, preparing responses and contacting you regarding an event — Article 6(1)(b) GDPR, i.e. actions prior to entering into a contract, and Article 6(1)(f) GDPR, i.e. the Controller’s legitimate interest in handling correspondence;
  2. preparing a proposal and determining the scope of service — Article 6(1)(b) GDPR;
  3. performance of a contract or reservation — Article 6(1)(b) GDPR;
  4. issuing invoices, bookkeeping and fulfilment of tax obligations — Article 6(1)(c) GDPR;
  5. handling complaints, establishing, pursuing or defending against claims — Article 6(1)(f) GDPR;
  6. ensuring the security of the website, forms and IT systems — Article 6(1)(f) GDPR;
  7. maintaining basic website usage statistics — Article 6(1)(f) GDPR or Article 6(1)(a) GDPR if the tool used requires consent;
  8. marketing activities, newsletter, remarketing or marketing cookies — only when used, on the basis of consent, i.e. Article 6(1)(a) GDPR, or to the extent permitted by law on the basis of the Controller’s legitimate interest.

If data is processed on the basis of consent, that consent may be withdrawn at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.

5. Voluntary nature of providing data

Providing data is voluntary, but may be necessary to handle an enquiry, prepare a proposal, make a reservation, enter into or perform a contract, issue an invoice, or provide a response.

Failure to provide contact details may prevent a reply. Failure to provide event details may prevent the preparation of a proposal.

6. Recipients of data

Personal data may be shared only to the extent necessary to achieve a given purpose with the following categories of recipients:

hosting providers, e-mail service providers, website technical support providers, form processors, security systems, analytics tools, communication tools, reservation or CRM system providers, an accounting office, legal or tax advisors, subcontractors involved in the delivery of an event, and public authorities where required by law.

If a user follows links to external platforms such as Google, Google Maps, Google Business Profile, Instagram, Facebook, WhatsApp, TripAdvisor or other services, data may also be processed by the operators of those platforms in accordance with their own privacy policies.

7. Transfer of data outside the European Economic Area

Some providers of internet, communication or analytics tools may process data outside the European Economic Area, in particular where we use the services of global providers such as Google, Meta, WhatsApp, Instagram, Facebook or TripAdvisor.

In such cases, the transfer of data should take place on the basis of appropriate legal mechanisms provided for in the GDPR, such as an adequacy decision, standard contractual clauses or other permissible safeguards.

8. Data retention period

We retain data for no longer than is necessary for the purposes for which it was collected.

Data from enquiries and forms is retained for the duration of handling the enquiry and then for the period necessary to preserve the correspondence history and to secure any potential claims.

Data related to a contract, event, reservation or invoice is retained for the duration of service delivery and then for the period required by law, in particular tax and accounting law, and for the limitation period of any potential claims.

Data processed on the basis of consent is retained until consent is withdrawn, unless there is another basis for continued processing.

Technical data and server logs are retained for the period necessary to ensure website security, diagnose errors and prevent abuse.

9. Rights of data subjects

The data subject has the right to:

  • access their data,
  • receive a copy of their data,
  • rectify their data,
  • erase their data,
  • restrict processing,
  • data portability,
  • object to processing,
  • withdraw consent, where data is processed on the basis of consent,
  • lodge a complaint with the President of the Personal Data Protection Office (UODO).

To exercise these rights, please contact the Controller at:

events@rumourpandora.pl

The Controller may request additional information to confirm the identity of the person making the request, where necessary for data protection purposes.

10. Cookies and similar technologies

The website may use cookies and similar technologies.

Necessary cookies are used for the proper functioning of the website, forms, security and basic website features. They may be used without additional consent if they are necessary for the operation of the website or the provision of a service requested by the user.

Analytics, marketing, remarketing or social cookies are used only when actually deployed and when the user has given consent, where such consent is required.

As of the date of the last update, the website uses Google Tag Manager, Google Analytics 4, Google Consent Mode v2, Vercel Speed Insights, Vercel Analytics and a form handled by Resend. UTM parameters, gclid, gbraid and wbraid may be stored in the browser session memory solely for the purpose of attributing an enquiry to a campaign. Google Ads conversion tracking should operate via GTM exclusively in accordance with consent settings.

Users may manage cookies through browser settings and, where implemented, through the cookies settings panel available on the website.

If the website uses only technical cookies, this information should be indicated in a banner or in the footer of the website.

If the website uses tools such as Google Analytics 4, Google Tag Manager, Google Ads, Meta Pixel, Google Maps, embedded social media content or other external tools, an appropriate cookie banner should be implemented enabling acceptance, refusal and modification of consents.

11. Social media and external platforms

The Controller may maintain profiles or communications via Instagram, Facebook, WhatsApp, Google Business Profile, Google Maps, TripAdvisor and other platforms.

If a user contacts the Controller via these platforms, the Controller processes data for the purpose of replying to the message, handling an enquiry, reservation, preparing a proposal or conducting ongoing communication.

The operators of these platforms may process data as independent data controllers, in accordance with their own terms of service and privacy policies.

12. Photos, reviews and event materials

The Controller may publish reviews, photographs, recordings or event coverage only when it has an appropriate legal basis to do so.

If a material contains the image of an identifiable person, publication should take place on the basis of that person’s consent or another appropriate legal basis.

If a user wishes to raise an objection to the use of a review, photograph or material, they may contact the Controller at:

events@rumourpandora.pl

13. Data of minors

The website is not directed at children. Services related to alcohol are directed exclusively at adults.

Alcohol is served exclusively to persons of legal age. The Controller may refuse to provide a service in situations required by law, in particular to persons who are underage or intoxicated.

14. Automated decisions

The Controller does not make decisions based solely on automated data processing that would have legal effects on users or similarly significantly affect them.

15. Data security

The Controller applies appropriate organisational and technical measures to protect personal data, in particular restricting access to data, securing e-mail and forms, controlling access to systems, using trusted providers and minimising the scope of data processed.

16. Changes to the Privacy Policy

The Privacy Policy may be updated, in particular in the event of changes to regulations, changes to the website’s functions, the introduction of new forms, analytics, marketing or communication tools, or changes of technical providers.

The current version of the Privacy Policy is available at rumourpandora.pl.

Last updated: 25 May 2026