Privacy policy

General information

This document, in connection with the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data (hereinafter: GDPR), informs about the principles related to the processing of personal data provided within the framework of the website at: and related to cookies within this website. Users of the website may provide their personal data. This document aims to inform about issues related to the processing of personal data and cookies.


Terms used in this document mean:

  • Carrier – an entity providing transportation services with which Aura has entered into an agency agreement for the sale of tickets through the Website, and thus with which the Customer concludes a contract of carriage.
  • Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, in the form of a statement or a clear affirmative action, consents to the processing of personal data concerning him or her (Article 4(11) of the GDPR);
  • Controller – the controller of your personal data is Centrum Podróży Aura sp. z o. o., Al. Jerozolimskie 144, 02-305 Warszawa (hereinafter: Aura);
  • GDPR – Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation);
  • Personal data – means personal data as referred to in Article 4(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 04.05.2016, p. 1, as amended); this is information about a natural person identified or identifiable by one or more specific factors that determine physical, physiological, genetic, mental, economic, cultural or social identity, including device IP, Internet ID, and information collected through cookies and other similar technology;
  • Policy – this Privacy Policy;
  • Processing – means an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, viewing, using, disclosing by transmission, dissemination or otherwise making available, matching or linking, limiting, erasing or destroying; an individual or other entity that alone or jointly with others determines the purposes and means of processing personal data (Article 4(7) of the GDPR);
  • User or Customer – any natural person visiting the Website or using one or more of the services or functionalities described in the policy;
  • Website – website operated by the Administrator at;

Personal data controller

The controller of your personal data is Centrum Podróży Aura sp. z o. o., Al. Jerozolimskie 144, 02-305 Warszawa.

In all matters related to the protection of personal data at Aura, you can contact the dedicated mailbox

The controller of the Customers’ personal data provided for the purpose of purchasing a ticket is the Carrier with whom the specific contract of carriage is concluded. The Carrier’s contact information is provided each time in the information about a specific route.

Processing of personal data in connection with the use of the Website

In connection with the User’s use of the Website, the Controller collects data to the extent necessary to provide the particular services offered. Detailed principles and purposes of processing Personal Data collected while using the Website by the User are described below.

Purposes and legal basis for data processing

Aura processes your Data. The purpose of their processing defines Aura’s business profile of conducting as a ticket broker. Your data will be processed in connection with the performance of the ticket sales contract, the legal basis in this situation is Article 6(1)(b) of the GDPR, which allows for the processing of data if it is necessary for the performance of the contract. In the case of the Carrier as the controller – personal data are processed for purposes related to the conclusion and performance of the contract of carriage, and in such a case the legal basis for processing is the necessity of processing to perform the contract or to take action at the request of the data subject before concluding the contract (Article 6(1)(b) of the GDPR). Providing data is voluntary, however, it is necessary to conclude a contract of carriage. Failure to provide them results in:

  • impossibility of concluding a contract,
  • restricting the ability to read the content contained on,
  • restricting the ability to contact and respond to customer inquiries via email or telephone.

Therefore, your name and surname, e-mail address, telephone number, date of birth, gender, nationality, ID number are processed. This data is processed solely for the purpose of selling a ticket and fulfilling the contract of carriage.

Period of personal data processing

The period of data processing by the Controller depends on the type of service provided and the purpose of the processing. As a general rule, data are processed for the duration of the service, until the consent given is withdrawn or an effective objection is raised in cases where the legal basis for the processing is the legitimate interest of the Controller.

Personal data processed for marketing purposes are processed until an objection to their processing for marketing purposes is raised or consent is withdrawn. The period of data processing may be extended if the processing is necessary for the establishment and assertion of possible claims or defense against claims, and thereafter only if and to the extent required by law. After the processing period, the data is irreversibly deleted or anonymized.

Recipients of personal data

In connection with the performance of services, personal data will be disclosed to carriers, external entities, including in particular IT service providers allowing for the proper use of the Website and payment processors (PayU S.A.). If the User’s consent is obtained, his or her data may also be shared with other entities for their own purposes, including marketing purposes.

The Controller reserves the right to disclose selected information concerning the User to competent authorities or third parties who make a request for such information, relying on the relevant legal basis and in accordance with the provisions of the applicable law.


The User’s personal data may also be used by the Controller to send marketing content to him via e-mail or telephone. Such actions are taken by the Controller only if the User has given their consent, which may be withdrawn at any time.

Personal data is processed:

  • for the purpose of sending requested commercial information – the legal basis for processing, including with the use of profiling, is the Controller’s legitimate interest (Article 6(1)(f) GDPR) in connection with consent;
  • for analytical and statistical purposes – the legal basis of the processing is the Controller’s legitimate interest (Art. 6 (1) (f) GDPR), consisting in conducting analyses of Users’ activity on the Website in order to improve the applied functionalities.

Users’ rights related to personal data

In connection with the processing of personal data by the Administrator, the User has the right, on the terms described in detail in the GDPR, to:

  • request access to personal data,
  • rectify or supplement your personal data,
  • delate of personal data pursuant to Article 17 of the GDPR, i.e. personal data are no longer necessary for the purposes for which they were collected or otherwise processed; the data subject has withdrawn the consent on which the processing is based pursuant to Article 6(1)(a) or Article 9(2)(a), and there is no other legal basis for the processing; the data subject objects pursuant to Art. 21(1), against the processing and there are no overriding legitimate grounds for the processing, or the data subject objects under Article 21(2) against the processing; the personal data have been unlawfully processed; the personal data must be erased in order to comply with a legal obligation under Union law or the law of a Member State to which the controller is subject; the personal data have been collected in connection with the offering of information society services referred to in Article 8(1).

Transfer of personal data outside the EEA

The level of protection for personal data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, the Controller transfers personal data outside the EEA only when necessary and with an adequate degree of protection, primarily by:

  • cooperating with processors of personal data in countries for which a relevant decision of the European Commission has been issued regarding the determination of an adequate level of protection for personal data;
  • applying standard contractual clauses issued by the European Commission;
  • applying binding corporate rules approved by the relevant supervisory authority.

The European Commission certifies that certain third countries have data protection comparable to the EEA standard based on a so-called “adequacy decision” (a list of these countries and a copy of the adequacy decision can be downloaded from: However, sometimes personal data may be transferred to third countries within the meaning of the GDPR that are not included in the list above, such as Armenia, Belarus, Montenegro, Georgia, Russia, Ukraine, Moldova, Serbia. Travel to countries outside the EU, will be able to involve the processing of personal data by that country.

In all cases of data transfer, the standards adopted by the European Commission contained in Article 46 of the GDPR apply.

Security of personal data

The controller conducts risk analysis on an ongoing basis to ensure that personal data is processed in a safe manner – ensuring, above all, that only authorized persons have access to the data and only to the extent necessary for the tasks they perform. The Controller shall ensure that all operations on personal data are recorded and performed only by authorized employees and associates.


A cookie is a small text file that is stored on your computer or mobile device when you access a website. On each subsequent visit, cookies are sent back to the controller of the originating site or to a third party.

What are cookies used for on the Website?

The Controller uses cookies primarily to enable the User to access the Website and facilitate the User’s use of the Website.

The Controller also uses cookies for analytical and marketing purposes – but only if the User agrees to this when first accessing the Website.

The Controller also uses other technologies and technical solutions that allow access to information stored on the User’s device or browser (e.g. Local Storage, through which the Controller gains access to information stored during use of the Website in a separate part of the User’s browser memory).

What types of cookies are used on the website?

Necessary cookies – provide the User with access to the Website and its basic functions, and therefore do not require the User’s consent. Without the necessary cookies, the Controller would not be able to provide Users with services on the Website.

Optional cookies – these cookies are used by the Controller only if the User consents to them.

How to change cookie settings

Consent to cookies is voluntary and can be withdrawn at any time on the Customize consents page.

Google Analytics

The operator uses Google Analytics, Google’s online statistical analysis tool. Google Analytics uses cookies in the form of text files stored on the customer’s device to analyze the use of the Website. In addition, this website uses the Google AMP Client ID API to connect Users’ activity on AMP websites with their activity on non-AMP websites via Google Analytics. Google tracking codes on this website use the “_anon” function.