FRU.PL Privacy Policy

How we collect Users' data and how we protect it

1. Introduction

1.1. This document constitutes the privacy policy (hereinafter referred to as the "Policy") of FRU.pl SA, with its registered office at al. 29 Listopada 85, 31-406 Kraków, entered in the register of Entrepreneurs of the National Court Register, kept by the District Court for Krakow Śródmieście in Kraków, XI Economic Division of the National Court Register, under number KRS: 0000308871, NIP: 5272579301, REGON: 141451213, with fully paid-up share capital in the amount of PLN 6,900,000.00 (hereinafter referred to as the "Controller").

1.2. The purpose of the Policy is to define the principles and methods of processing personal data obtained from individuals who are users of online services managed by the Controller (hereinafter referred to as "Users"). The Policy also contains information regarding the rights of individuals concerning the personal data they provide.

1.3. The legal basis for the Policy is the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as "GDPR"), as well as the Personal Data Protection Act of May 10, 2018 (Journal of Laws 2018, item 1000). The Policy constitutes the Controller's fulfillment of obligations under Articles 12 and 13 of the GDPR.

1.4. The Policy applies to any website, application, or service referring to this information, as well as to data provided through them, by telephone, electronically, or in person at the Controller's headquarters. Please note that upon leaving the websites managed by the Controller (e.g., by following a link to a different domain), the User enters an area where the Policy does not apply. The Controller is not responsible for the privacy policies applicable to sites operated by other entities.

1.5. The Controller has appointed a Data Protection Officer (DPO), who can be contacted via email: dane@fru.pl, or by mail sent to the Controller's headquarters at Al. 29 Listopada 85, 31-406 Kraków, for any matters regarding personal data processing.

2. Data Controller

FRU.PL is the Controller of the personal data submitted by the Users of the websites who visited and used the functionalities offered by the mobile application operated by the Controller under the name “FRU” (hereinafter the Application), or by the website administered by the Controller at: https://www.fru.pl/ (hereinafter Website).

2.1. The Controller may collect Users' personal data in particular through:

  • Use of the Website/App by Users: the Controller collects data to the extent necessary to provide the services offered, as well as information about Users' activity on the Website/App.
  • Users' contact with the Controller through the contact forms available on the Website/Application and the transmission of personal data concerning them along with the content of the message.
  • Subscribing to the Controller's mailing list to receive information about offered services and products.
  • Direct contact via telephone, electronic communication, or postal correspondence.
  • Submission of application documents by job candidates directly to email addresses belonging to the Controller or through intermediary services.

2.2. When collecting personal data, the Controller records information about the source from which it was obtained. The acquisition of Users' personal data occurs directly from the individuals concerned, as well as from third parties.

2.3. The Controller takes particular care to ensure that personal data is processed in accordance with the purpose for which it was collected and used per the legal conditions and categories of processing allowed by law, in particular in compliance with the principles of personal data processing defined in Article 5 of the GDPR.

3. Purposes and Legal Basis for Personal Data Processing

The Controller processes personal data in accordance with the business profile, exclusively for the purposes specified below. If processing of other personal data becomes necessary due to legal regulations, the nature of the service, or settlement requirements, the Controller may process such data within the necessary scope.

3.1. Personal data of persons using the Website/Application (including IP address or other identifiers and information collected through cookies or other similar technologies), and who are not registered Users (i.e. persons who do not have a profile on the Website) are processed by the Controller:

3.1.1. For the purpose of providing services electronically to the extent of providing Users with access to content collected on the Website/App – in which case the legal basis for processing is the necessity of the processing for the performance of the agreement (Article 6(1)(b) GDPR);

3.1.2. Analytical and statistical purposes – the legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), involving the analysis of Users' activity and preferences to improve functionalities and services;

3.1.3. Establishing, asserting, or defending claims – the legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), aimed at protecting its rights.

3.2. Individuals registering in the Online Service/Application are asked to provide data necessary for account creation and management. To facilitate usage, Users may provide additional data, thereby consenting to its processing. Such data can be deleted at any time. Providing required data is mandatory for account creation and management; failure to provide it will prevent account creation. Providing additional data is voluntary.

Users may also register in the Online Service/Application via social media (Facebook, G+). In this case, the Online Service/Application retrieves only the data necessary for registration and account management. By adjusting plugin settings, Users can expand the range of retrieved data for enhanced functionality in the Online Service/Application.

Personal data is processed for:

3.2.1. Providing services related to account management in the Online Service/Application – the legal basis for processing is the necessity of processing for contract performance (Article 6(1)(b) GDPR); for optional data, the legal basis is consent (Article 6(1)(a) GDPR);

3.2.2. Analytical and statistical purposes – the legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), involving analysis of User activity and account usage to improve functionalities;

3.2.3. Establishing, asserting, or defending claims – the legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), aimed at protecting its rights;

3.2.4. Recording User activity in the Online Service/Application – personal data is processed in system logs that store a chronological record of events and actions related to the IT system used for service provision. The collected log information is primarily processed for service-related purposes. The Controller also processes it for technical, administrative, security, system management, and analytical/statistical purposes – the legal basis for processing in this regard is the Controller’s legitimate interest (Article 6(1)(f) GDPR).

3.3. The purchase of tickets or services through the Website/Application involves the processing of Users' personal data. Provision of data marked as mandatory is required in order to accept and process the order, and failure to provide such data will result in the failure to process the order. Provision of the remaining data is optional.

Personal data is processed:

3.3.1. To fulfill the placed order – the legal basis for processing is the necessity of processing for contract performance (Article 6(1)(b) GDPR); for voluntarily provided data, the legal basis is consent (Article 6(1)(a) GDPR);

3.3.2. To fulfill statutory obligations imposed on the Controller, particularly those arising from tax and accounting regulations – the legal basis for processing is a legal obligation (Article 6(1)(c) GDPR);

3.3.3. For analytical and statistical purposes – the legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), involving analysis of User activity and purchase preferences to improve functionalities;

3.3.4. To establish, assert, or defend claims – the legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), aimed at protecting its rights.

3.4. In order to contact the Controller through the contact forms provided on the Website/Application in connection with the submission of a question or an application sent, it is necessary to process Users' personal data.

The legal basis for processing personal data is the Controller’s legitimate interest (Article 6(1)(f) GDPR), involving handling messages and responding to inquiries. Refusing to provide personal data will result in the inability to process the submitted message, leading to its deletion.

3.5. To send newsletters to Users electronically, it is necessary to process Users’ personal data. Providing data is voluntary but required for sending marketing messages.

The legal basis for processing personal data, including profiling, is the Controller’s legitimate interest (Article 6(1)(f) GDPR) in connection with the expressed consent to receive newsletters.

3.6. To conduct the recruitment process, candidates must provide personal data as specified in Article 221 §1 of the Labor Code: full name, date of birth, contact details provided by the candidate, education, professional qualifications, and employment history, if necessary for performing a particular job or holding a specific position.

The legal basis for conducting the recruitment process is:

  • The Act of June 26, 1974, Labor Code (Journal of Laws 1974 No. 24, item 141, as amended);
  • Article 6(1)(b) GDPR, which allows processing of personal data necessary to take steps towards contract performance.

Providing other data not listed in Article 221 §1 of the Labor Code is voluntary. The legal basis for processing such personal data is Article 6(1)(a) GDPR, which allows processing based on voluntary consent. This consent can be withdrawn at any time without affecting the lawfulness of processing carried out before its withdrawal.

The recruitment process consists of several stages, during which candidates’ personal data is processed: initial selection of applications, contact with selected candidates, and employee selection.

If a candidate consents to their personal data being processed for future recruitment, the legal basis for processing is Article 6(1)(a) GDPR. This consent can be withdrawn at any time without affecting the legality of processing performed before withdrawal.

4. Recipients of Personal Data

4.1. The recipients of personal data provided to the Controller by the data subjects are the following entities, to whom personal data is transferred to the minimal extent necessary for the realization of the purposes for which it was collected:

  • Authorized personnel of the Controller,
  • Entities processing personal data on behalf of the Controller – service providers responsible for IT system maintenance, entities such as banks and payment operators, accounting service providers, and entities affiliated with the Controller, including companies within its capital group,
  • Competent authorities authorized under applicable laws that submit a request for such information based on a valid legal basis.

4.2. The Controller declares that it does not sell, share, or transfer the collected personal data for processing to other individuals or institutions unless this occurs with explicit consent or at the request of the data subject, or upon the request of authorized state authorities under the law for proceedings or activities related to security or defense, for legally specified tasks performed in the public interest, when it is necessary to fulfill the legally justified purposes of the Controller.

5. Transfer of Personal Data to Non-European Economic Area (EEA) Countries

Since the Controller uses applications whose servers are located outside the EEA, personal data obtained in connection with Users’ use of the websites may be transferred to third countries. Therefore, the Controller ensures that it only uses providers who offer high levels of personal data protection. These guarantees arise, in particular, from the provider’s participation in the Data Privacy Framework program, as well as the standard contractual clauses concluded by the Controller as issued by the European Commission.

6. Retention Period of Personal Data

The Controller processes acquired personal data for the period necessary to achieve the purposes for which it was provided. The data retention period depends on the purposes and legal bases for processing, as follows:

  • Data processed based on statutory (tax) requirements will be processed for the period required by law for data retention;
  • Data processed based on the Controller’s legitimate interest will be processed until an effective objection is submitted by the data subject or until this interest ceases. Data processed for the purpose of asserting or defending claims will be processed for a period equal to the statute of limitations for such claims;
  • Data processed based on consent will be processed until the data subject withdraws their consent;
  • Personal data processed in the recruitment process will be processed until the completion of the process.

7. Rights of Data Subjects

7.1. The Controller shall exercise the data subjects' rights related to the processing of their personal data. In particular, each data subject has the right to:

  • access to their personal data,
  • rectification of personal data,
  • erasure of data (“right to be forgotten”),
  • restriction of the processing of personal data,
  • object to the processing of personal data.

7.2. Where the basis for the processing of personal data is the legitimate interest of the Controller, Users shall have the right to object at any time to the processing of personal data, without having to justify their decision, especially where the legitimate interest consists in carrying out activities related to direct marketing.

7.3. Consent given by Users through the Websites/App may be withdrawn at any time, which will not affect the legality of data processing that was carried out before the withdrawal.

7.4. The Controller informs that there is no obligation to delete the data (i.e. to exercise the “right to be forgotten”) in the case where the processing is necessary for:

  • exercise of rights and freedom of expression and information,
  • fulfilling a legal processing obligation under European Union or Polish law,
  • archival purposes in the public interest, scientific or historical research purposes, or statistical purposes,
  • to establish, assert or defend claims.

7.5. The above-mentioned rights may be exercised by sending an appropriate request by e-mail to: dane@fru.pl, or by mail to the Controller's registered office address specified in Section 1.1 of the Policy.

8. Automated Decision-Making and Profiling

The Controller may process data automatically, including profiling, but no automated decisions affecting individuals will be made based on this processing.

9. Security and Data Storage

The Controller ensures the security of personal data against unauthorized disclosure, unauthorized access, destruction, loss, damage, alteration, or processing in a manner that does not comply with the provisions of the GDPR.

To secure personal data, the Controller implements technical and organizational measures that meet GDPR requirements, particularly those specified in Articles 24 and 32 of the GDPR, ensuring the confidentiality, integrity, and availability of services related to the processing of personal data.

10. Cookies

Cookies are small files sent by a web server to the User’s browser and stored on their computer. Cookies help the Controller analyze web traffic and identify which parts of the website have been visited. Cookies do not grant the Controller access to the User’s computer or personal information, except for data related to how the website is used and personal data that Users automatically provide through their browser settings.

The Controller uses both session and persistent cookies, as well as the Facebook Pixel. Session cookies are temporary files stored on the User’s device until they log out or leave the website. Persistent cookies allow the Controller to recognize the User’s browser during their next visit to the Online Services/Application and adjust these services to the User’s needs (e.g., remembering the preferred language or font size) as well as for statistical purposes. Persistent cookies remain in the memory of the User’s device until they are deleted.

By using the Online Services, the User consents to the placement of cookies on their computer or other device for the above-mentioned purposes. If the User does not consent to receiving cookies, they can manage and control them through their browser settings. However, it should be noted that deleting or blocking cookies may affect the way the Online Services function.

To monitor and improve the Online Services, aggregated information about Users is collected while browsing the website, including details such as the operating system, browser version, domain name, IP address, URL of the User’s referring page, and destination page, as well as which subpages of the website were visited. The Controller may generate general statistics, collect website and application traffic data, and share these aggregated data with third parties for marketing, advertising, or other promotional purposes; however, these aggregated data do not contain any personal data.

Cookies used for monitoring traffic in the Online Services/Application, i.e., data analytics, include Google Analytics cookies. These cookies are used by Google to analyze how Users interact with the Online Services/Application, generate statistics, and provide reports on its operation. Google does not use the collected data to identify Users nor does it combine this information for identification purposes. Detailed information about the scope and principles of data collection in connection with this service can be found at the following link: https://www.google.com/intl/en/policies/privacy/partners.

11. Social Media Plugins

The Websites use so-called social plug-ins that redirect to the Controller's profiles maintained on social networks:

  • TikTok: https://www.tiktok.com/@fru_pl, https://www.tiktok.com/@mama.i.mini.w.pod, https://www.tiktok.com/@mama.w.podrozy, https://www.tiktok.com/@milosniczkanieba, https://www.tiktok.com/@mamawchmurach
  • Facebook: https://www.facebook.com/TanieBiletyLotnicze
  • Instagram: https://www.instagram.com/fru.pl/
  • YouTube: https://www.youtube.com/@frupl
  • LinkedIn: https://www.linkedin.com/company/frupl/

Using the functionalities offered by these plug-ins, Users can share individual content or share it on social media. However, we would like to point out that by using these plug-ins, data is exchanged between the User and the respective social network. The Controller does not process this data and has no knowledge of what User data is collected. Therefore, we encourage you to read the regulations and privacy policies of these social media sites before using the respective plug-in.

12. Right to Lodge a Complaint

Users who believe their rights have been violated can file a complaint with the Data Protection Authority in Warsaw at ul. Stawki 2.

13. Final Provisions

In matters not regulated by this Policy, applicable EU and national data protection laws apply.

Last updated: September 12th 2025

Annex to the Privacy Policy of FRU.PL

Social Media Policy

By using our social media accounts, you interact with us, for instance, by subscribing to a fanpage, leaving your reaction (like, comments) or sending a message to us. The information you provide us with about yourself may constitute personal information. This social media policy describes how we process personal data collected through accounts on the following social media sites (hereinafter referred to as „Social Media Websites”).

We process your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of the 27th of April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as „General Data Protection Regulation”).

Data Controller
The controller of your personal data is FRU.PL S.A. with its registered office in Listopada 85, postal code 31-406 Krakow, Poland (hereinafter referred to as the „Controller” or „we”). You can contact the Controller by email or by post at the above-mentioned address of the Controller’s registered office.
Data Protection Officer: Agnieszka Rowińska, e-mail: dane@fru.pl.

Categories of data subjects whose data are processed and the scope of data processing

FACEBOOK
We process data of data subjects who:

  • subscribed to the account by clicking the „Like” or „Watch” icon,
  • published a comment, shared it or clicked the „Like” icon under any of the posts in the account.

We process the following types of personal information:

  • account identifier (typically including your name or nickname),
  • your profile picture,
  • other photos (which may also present an image),
  • the content of your comments,
  • statistical data about visitors to the fanpage available through the „Facebook Insights” function, collected through cookies.

INSTAGRAM
We process data of data subjects who:

  • subscribed to the account by clicking the “Watch” icon,
  • published a comment or clicked the „Like” icon under any of the posts in the account.

We process the following types of personal information:

  • account identifier (typically including your name or nickname),
  • your profile picture,
  • other photos (which may also present an image),
  • the content of your comments,
  • statistical data about visitors to the fanpage collected through cookies.

LINKEDIN
We process data of data subjects who:

  • visited our profile,     
  • have interacted within our profile,
  • published or submitted personal data through the services offered by LinkedIn (e.g. fulfilled forms, answers to our surveys etc.).

We process the following types of personal information:

  • first name, last name, image, and other identifying information you have made publicly available on the profile you have created on LinkedIn (including, but not confined to address, contact information e.g. email address, phone number, and information about your education, professional experience, professional eligibility, and history of previous employment),     
  • statistical data about visitors to the fanpage collected through cookies.

YOUTUBE
We process data of data subjects who:

  • subscribed to the account by clicking the “Subscribe” icon,
  • posted a comment under any of the videos posted on the account or reacted to the posted videos.

We process the following types of personal information:

  • Account ID (usually containing your first and last name or nickname),
  • profile photo,
  • the content of your comments,
  • statistical data about visitors to the account, collected through cookies.

TWITTER
We process data of data subjects who:

  • subscribed to the account by clicking the "Watch" icon,
  • published a comment under any of the posts on the account or reacted to published photos.

We process the following types of personal information:

  • account identifier (typically including your name or nickname),
  • profile picture,
  • other photos (which may also include an image),
  • the content of your comments,
  • statistical data on account visitors collected through cookies.

TIK TOK

We process data of data subjects who:

  • subscribed to the account by clicking the "Watch" icon,
  • published a comment under any of the posts on the account or reacted to published photos.

We process the following types of personal information:

  • account ID (typically name or nick),
  • profile picture,
  • content of comments,
  • statistical data on account visitors collected through cookies.

Purpose and legal basis of processing

We process your personal data:
a)    on the basis of legitimate interest (Article 6 (1) (f) of the General Data Protection Regulation) consisting of:

  1.  maintaining an account on the Social Media Website, under the terms and conditions specified by the operator of the Portal and informing through it about our activities, promoting events and the brand, products and services, building and maintaining a community with us (including supervision of the content published by users) and for the purpose of communication through the available functionalities of the Social Media Website (comments, messages), 
  2. keeping statistics (by analysing data on the activity of users of our account),
  3. possible establishment, investigation or defence against claims.

b)    on the basis of separately granted consent in the scope and for the purpose specified in the content of the consent and for the time until its withdrawal (Article 6 (1) (a) or Article 9 (1) (a) of the General Data Protection Regulation),
c)    on the basis of statutory requirements in order to fulfil our legal obligations under the law (Article 6 (1) (c) of the General Data Protection Regulation).

If we organise promotional campaigns via the Social Network Website, the principles of processing your personal data, including the purpose and legal basis of such processing, are described in the regulations of such campaigns. Before participating in such a promotional action, please read its regulations.

Joint control of personal data

With regard to the processing of personal data for statistical purposes, we act as joint controllers within the meaning of Article 26 (1) of the General Data Protection Regulation together with the operator of the Social Media Website, which provides the statistics option. We undertake such activities within the framework of our legitimate interest (Article 6 (1) (f) of the General Data Protection Regulation) as described above.
For more information on the processing of data for statistics purposes, please follow the link:
 

Recipients of the data

Access to your personal data will be available to:

  • our authorised personnel and the entities providing services to us (including but not limited to marketing, IT and support services) who need access to your data to perform their duties,
  • other users of the Social Media Website (due to the fact that information about the people watching the account, likes, as well as the content of comments, posts and other information provided by users are overt),
  • public authorities and entities performing public tasks or acting on behalf of public authorities, to the extent and for the purpose emerging from the provisions of the commonly applicable legal provisions,
  • Social Media Website Administrator on the terms described in the privacy policies provided.

Please note that the operators of Social Media Websites are separate entities responsible for the processing of data of persons using Social Media Websites, including data concerning you. These entities process your personal data for their own purposes based on the legal basis they have established. In particular, they may collect and process the information contained in the cookies of visitors to our account based on their own Social Media Website operating rules. Therefore, we have limited influence over the processing of data by the operators of the Social Media Website. Thus, we ask you to read the regulation of their functioning and the privacy policies provided by them, which you can find here:

Transfer of data to third countries or international organizations

We do not transfer your personal data to a third country or international organization.

Data retention period

The duration of data processing is related to the purposes and grounds for processing, whereby:

  • data processed on the basis of consent will be processed until you withdraw your consent,
  • data processed on the basis of statutory requirements shall be processed for the time in which the law prescribes data storage,
  • data processed on the basis of the legitimate interest of the Controller will be processed until an objection is lodged effectively or this interest ceases to exist, i.e:
    • by default, we process your data until we terminate your Social Media Website account,
    • personal data obtained in the course of correspondence, we store for the time of processing the message sent to us,
    • data processed in order to establish, assert or defend against claims will be processed for a period equal to the period of limitation of such claims. 

You are entitled to the following rights:

  • the right to request access to your personal data, rectification, erasure or restriction of processing, as well as the right to data portability,
  • the right to object at any time to the processing of your data for direct marketing purposes,
  • the right to object to the processing of your data, based on your particular situation,
  • where the processing of your data is based on consent – the right to withdraw consent at any time without affecting the legality of processing carried out on the basis of consent before its withdrawal.

To exercise your rights, please contact us at our contact details indicated in the introduction.

You also have the right to lodge a complaint to the supervisory authority – President of the Office for Personal Data Protection, 2 Stawki Street, 00-193 Warsaw.

Information about the source of the data and other information

  • we receive your personal data directly from you through your interaction with our account in the Social Media Website and from your public profile,
  • the provision of data is voluntary,
  • personal data will not be subject to automated decision-making, including profiling.

Date of last modification: August 21, 2025