NaCzarter — yacht charter, Masuria

Privacy Policy

Last updated: 20 April 2026 · Policy version 2026-04-20.v2

This policy explains what personal data NaCzarter collects, why, and how you can control it. It aligns with the GDPR (EU 2016/679, Polish RODO) and the ePrivacy-derived Polish Prawo Telekomunikacyjne Art. 173. If something on this page contradicts the storefront's own privacy page, the storefront page wins.

1. Data controller

The storefront you are viewing is the controller for personal data you submit while using it. Contact details are in the page footer. For data-subject-rights requests, see section 7.

2. Cookie categories + what loads when

The cookie banner lets you accept or reject cookies by category. The current categories and their technical scope:

  • Necessary (always on) — session cookies for login + CSRF protection (__Secure-ny-next.session-token, __Secure-ny-next.csrf-token), the consent decision itself (cookie-consent), currency + locale selectors. Legal basis: Art. 6(1)(b) performance of contract / Art. 6(1)(f) legitimate interest.
  • Analytics (off by default) — Plausible Analytics (EU-hosted, privacy-friendly, no cross-site identifier) for page-view counts and funnel drop-off. Map tiles (OpenStreetMap) and Leaflet assets from unpkg.com only load when this category is accepted (Sprint 221 P0-4). Legal basis: Art. 6(1)(a) consent.
  • Marketing (off by default) — reserved for future advertising-pixel integrations. Today, no Meta/Google Ads pixel ships. Legal basis: Art. 6(1)(a) consent.

Re-open the banner any time via "Zarządzaj cookies" in the footer. The consent cookie lasts 12 months; a policy change re-asks for consent.

3. What data we collect

  • Account + booking data you submit: name, email, phone, address, company / NIP (optional).
  • Booking history: which yachts, which dates, total paid.
  • Technical: IP address, user agent, registration IP, last-login IP (forensic + fraud prevention).
  • Consent history: every cookie-banner decision, marketing opt-in flip, terms acceptance — see section 6.

4. Processors (Art. 28)

We share minimum-necessary data with the following processors. Each has a Data Processing Agreement in place:

  • Railway (app + Postgres hosting, EU region).
  • Resend (transactional + marketing email delivery).
  • Stripe + PayU (payment processing).
  • Cloudflare (Turnstile bot-challenge; DDoS + WAF at the edge).
  • Sentry (error monitoring; PII scrubbed before send).
  • Plausible Analytics (only when analytics consented; EU-hosted).
  • OpenStreetMap Foundation (map tiles; only when analytics consented).
  • Bunny CDN (static assets + yacht images; EXIF stripped).

5. Retention

Retention windows live in docs/data-retention.md. In brief:

  • Invoice-adjacent rows (Order, OrderPayment): 6 years (Polish VAT Art. 112).
  • Audit log: 7 years (RODO Art. 30 + Polish Accounting Act Art. 74).
  • PII on User, UserDetails, OrderCustomer: anonymised on erasure request + purged after 6 years.
  • Consent records: 5 years (marketing consent lifecycle).
  • Cookie-consent cookie: 12 months or on policy change.

6. Consent audit trail

Every decision — banner accept/reject, marketing opt-in toggle, terms acceptance at registration — is written to ConsentRecord with the exact banner text you saw, the policy version, the method of expression, your user agent, and a salted IP hash (for forensic signatures without raw-IP retention). On a data-portability (Art. 20) request, the full history is returned alongside your account data.

7. Your rights (Art. 15-22)

  • Access (Art. 15) — download a complete export at /api/users/me/export while signed in.
  • Rectification (Art. 16) — edit your profile at /dashboard/profile.
  • Erasure (Art. 17) — self-service "Delete my account" at /dashboard/profile#danger-zone. Invoices / payment history stay 6 years per Polish tax law (Art. 17(3)(b) exception).
  • Portability (Art. 20) — same export endpoint as access; machine-readable JSON.
  • Object / withdraw consent (Art. 21, 7(3)) — re-open the cookie banner via footer link; toggle marketing at /dashboard/profile#email-preferences.
  • Complaint — to the Polish data protection authority UODO: uodo.gov.pl.

8. Security

Passwords are bcrypt-hashed at cost 12 (OWASP ASVS L2 2024). 2FA via TOTP is enforced for SUPERADMIN and SHOP_OWNER roles. Session cookies are __Secure- prefixed, HttpOnly, SameSite=Lax. PII on UserDetails is encrypted at rest under a rotating key (RFC 001). Breached-password checks (HIBP k-anonymity) gate registration + reset.
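The k-anonymity breached-password check mentioned above works by sending only the first five hex characters of the password's SHA-1 digest to the Pwned Passwords range endpoint and matching the remaining 35 characters locally against the returned list. The following TypeScript is an added illustration, not code from the NaCzarter project; the range body is a constructed sample standing in for a real response.

```typescript
import { createHash } from "node:crypto";

// Split SHA-1(password) into the 5-char prefix that is sent to
// GET https://api.pwnedpasswords.com/range/{prefix} and the 35-char
// suffix that never leaves the server.
function hibpSplit(password: string): { prefix: string; suffix: string } {
  const digest = createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
  return { prefix: digest.slice(0, 5), suffix: digest.slice(5) };
}

// Parse a range response ("SUFFIX:COUNT" per line, CRLF-separated) and
// return how often the password's suffix was seen in breaches. 0 means
// not found. Responses requested with "Add-Padding: true" also contain
// decoy lines with count 0, which must be treated as "not breached".
function breachCount(password: string, rangeBody: string): number {
  const { suffix } = hibpSplit(password);
  for (const line of rangeBody.split(/\r?\n/)) {
    const [lineSuffix, countText] = line.trim().split(":");
    if (!lineSuffix || countText === undefined) continue;
    if (lineSuffix.toUpperCase() === suffix) {
      const n = Number.parseInt(countText, 10);
      return Number.isFinite(n) ? n : 0;
    }
  }
  return 0;
}

// Registration/reset gate: reject any password seen in a breach at least once.
function isAllowed(password: string, rangeBody: string): boolean {
  return breachCount(password, rangeBody) === 0;
}

// Constructed sample body for prefix 5BAA6 (the prefix of SHA-1("password")).
// Real responses carry several hundred lines; the count here is made up.
const SAMPLE_RANGE_5BAA6: string = [
  "003D68EB55068C33ACE09247EE4C639306B:3",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
  "0A3F2D1B9C8E7D6F5A4B3C2D1E0F9A8B7C6:0", // padding entry, not a hit
].join("\r\n");

// Example run: "password" is rejected; a long unique passphrase passes.
console.log(isAllowed("password", SAMPLE_RANGE_5BAA6)); // false
```

In production the body comes from an HTTPS GET of the prefix URL above; the full password hash is never transmitted, so the remote service learns only a 5-character bucket shared by many passwords.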