Privacy policy

This policy was last amended on 23rd of May 2018 to comply with the new GDPR (General Data Protection Regulation) law which supersedes the DPA, by using our website and our services you consent to this privacy policy. If we decide to change this policy, we will post those changes on this page, and update the privacy policy modification date above.

We are a “data controller” for the purposes of the Act, as we process personal data on your behalf. With this deadline approaching, we are currently in the process of contacting all of our data subjects to inform them of our terms of business that meet the requirements of GDPR.

If you have any questions regarding this privacy policy you may contact our DPO, Paweł Żelazik at
Or contact us directly: CAVA ul. Nowy Świat 30, 00-373 Warsaw, Poland

What information do we collect?

We collect information from you when you place an order, fill out a form or make a payment. When contacting us on the phone, we may record your call for training and quality control purposes. When contacting us from this site you may be asked to enter your name, e-mail address or phone number as appropriate. You may, however, visit our site anonymously.

For placing orders online we require you to use our booking engine. We implement a variety of security measures to maintain the safety of your personal information when you place an order:

What do we use your information for?

Any of the information we collect from you may be used to:

Lawful basis for processing your personal data

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

If customers do not provide the information required for processing transactions, then we will be unable to provide a service to the customer.

Processing of your personal data

Description of processing

We also process sensitive classes of information that may include:

We may at times need to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the General Data Protection Regulation (GDPR). What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons

Where necessary or required we share information with:

Do we use cookies?

Yes. Cookies are small files that a site or its service provider transfers to your computer’s hard drive through your web browser (if you allow). This enables the sites or service providers systems to recognize your browser and capture and remember certain information.

We use cookies to compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future. We may contract with third-party service providers to assist us in better understanding our site visitors. These service providers are not permitted to use the information collected on our behalf except to help us conduct and improve our business.

If you would like to delete our cookies from your computer then click here.

Do we disclose any information to outside parties?

We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. This does not include trusted third parties who assist us in operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential.

We may also release your information when we believe release is appropriate. For example, this may be to comply with the law, enforce our site policies, or protect ours or others rights, property, or safety. However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.

Retention Policy

CAVA will no longer be holding data which we have not gained contractual obligations for after 30 days, depending on the sensitivity of this data, it will be deleted instantly. Ranks of sensitivity will be outlined below, as well as some exceptions where data may be held longer lawfully.

Where personal data is held

CAVA holds personal data in a few different locations, these can include: Our own database servers, email accounts, desktops, employee owned devices, paper files and backup storage.

Procedures in place for deletion

Accounts related data that is processed via our two database servers are subject to a 90 day non-usage review of the account, followed up by a 6 month review before the erasure or separation of any personal or sensitive data. Also upon request by the authorised account holder data will be deleted from both database servers within 30 days of the request followed up by a privacy notification and confirmation of the deletion. This can be done by contacting the DPO at CAVA on +48 228266427 or

Data processed via email are subject to the Apple Software on board retention policy, this includes the purging of unfiled mail after 30 days.

Employee and mobile users including sub-processors who process data on behalf of our company are subject to a systematic 30 days deletion policy after the completion of a contractual obligation. This is achieved via our Ground Alliance Software which is downloaded onto mobile devices. On board encryption is also enabled on all our mobile devices which are set to delete all information on the device after multiple failed password attempts.

Exceptions where data may be held longer than our 30-day retention period

Financial data stored on our accounts server or stored as hard copies are held for up to 7 years before disposal due to TAX and VAT legalities.

Ranks of sensitive data – Different retention periods

Security criticality of sensitive or personal data which we process will be described and provided for in section 3.1 below, this policy contains requirements for the deletion of any data we process either personal or sensitive ranked ‘low’, ‘medium’ and ‘high’.

System data ranking

Your rights as a data subject

We have a robust process for dealing with costumer queries and subject access request is in place, this includes but not limited to the right to withdraw any processing of your personal data and to remove any personal or sensitive data. The request can be made via email or telephone to the  DPO at CAVA on +48 228266427 or

Our consumer query process is also used to monitor our customers, our data partner and our product/processes. Root cause analysis is applied to every enquiry, allowing us to identify if further action is required.

Your right to request from the controller restriction of processing of personal data can be applied upon request by the authorised account holder.

You have a right to lodge a complaint with a supervisory authority in regards to how your information has been handled. Please contact the Information Commissioner’s Office (ICO).

Client account data is stored in SQL tablespaces & data file formats which can be exported into either a Microsoft excel spreadsheet or Adobe PDF which is then encrypted with a password before sending out electronically. Immediate access to account details is available to clients with web access to our online booking platform which allows the client to update or change the account records, this functionality is secured using a Secure Socket Layer (SSL).

Childrens Online Privacy Protection Act Compliance

We are in compliance with the requirements of COPPA (Childrens Online Privacy Protection Act). We do not collect any information from anyone under 13 years of age. Our website, products and services are all directed to people who are at least 13 years old or older.