Zum Inhalt springen
NaCzarter — czarter jachtów Mazury

Datenschutzrichtlinie

Last updated: 20 April 2026 · Policy version 2026-04-20.v2

This policy explains what personal data NaCzarter collects, why, and how you can control it. It aligns with the GDPR (EU 2016/679, Polish RODO) and the ePrivacy-derived Polish Prawo Telekomunikacyjne Art. 173.

1. Data controller

The storefront you are viewing is the controller for personal data you submit while using it. Contact details are in the page footer. For data-subject-rights requests, see section 7.

2. Cookie categories

  • Necessary (always on) — session cookies for login + CSRF protection, the consent decision itself, currency + locale selectors. Legal basis: Art. 6(1)(b) / Art. 6(1)(f).
  • Analytics (off by default) — Plausible Analytics (EU-hosted), OpenStreetMap tiles + Leaflet from unpkg.com. Legal basis: Art. 6(1)(a) consent.
  • Marketing (off by default) — reserved for future advertising-pixel integrations. Legal basis: Art. 6(1)(a) consent.

3. What data we collect

  • Account + booking data: name, email, phone, address, company / NIP (optional).
  • Booking history: which yachts, which dates, total paid.
  • Technical: IP address, user agent, registration IP, last-login IP.
  • Consent history: every cookie-banner decision, marketing opt-in flip, terms acceptance.

4. Processors (Art. 28)

  • Railway (hosting, EU region)
  • Resend (transactional + marketing email)
  • Stripe + PayU (payments)
  • Cloudflare (Turnstile + WAF)
  • Sentry (error monitoring, PII scrubbed)
  • Plausible Analytics (on consent)
  • OpenStreetMap Foundation (map tiles, on consent)
  • Bunny CDN (static assets + images)

5. Retention

  • Invoice-adjacent rows: 6 years (Polish VAT Art. 112).
  • Audit log: 7 years.
  • PII on User / OrderCustomer: anonymised on erasure request + purged after 6 years.
  • Consent records: 5 years.

6. Your rights (Art. 15-22)

  • Access (Art. 15) — export at /api/users/me/export.
  • Rectification (Art. 16) — edit profile at /dashboard/profile.
  • Erasure (Art. 17) — self-service in /dashboard/profile; invoices stay 6 years per Polish tax law.
  • Portability (Art. 20) — same JSON export endpoint.
  • Object / withdraw consent — re-open the cookie banner; toggle marketing in profile preferences.
  • Complaint — to the Polish data protection authority UODO: uodo.gov.pl.