Privacy Policy
Last updated: 2025-11-23
1. Data Controller
The controller of personal data is:
- KrakowPlaces
- ul. Zamknięta 10/1.5, 30-554 Kraków, Poland
- Email: contact@krakowplaces.com
- For matters regarding personal data processing, you can contact us at the above email address.
2. Legal Basis and Purpose of Processing
We process your personal data on the basis of:
- Art. 6(1)(b) GDPR - performance of a contract (provision of guide services, payment processing)
- Art. 6(1)(a) GDPR - consent (analytics, marketing, optional cookies)
- Art. 6(1)(f) GDPR - legitimate interest (ensuring service security, technical analytics)
- Art. 6(1)(c) GDPR - legal obligation (accounting, taxes)
- We process data for the purpose of: providing guide services, processing payments, communicating with users, ensuring security, analytics and improving the service.
- Data is processed in accordance with GDPR regulations and the Act on Provision of Electronic Services.
3. Categories of Processed Data
We collect the following categories of personal data:
- Identification data: first name, last name, email address (via Clerk - authentication provider)
- Transaction data: email address, payment amounts, Stripe session identifiers (via Stripe - payment provider)
- Technical data: IP address, browser type, device, session data (via PostHog - analytics, Sentry - error monitoring)
- Usage data: visited pages, time spent on site, clicks (via PostHog)
- Error data: error logs, failure information (via Sentry)
- Marketing data: Facebook cookies (_fbp, _fbc), hashed personal data (email, IP) sent to Meta Platforms via Facebook Conversions API for measuring ad effectiveness and campaign optimization
4. Data Retention Period
We store data for the following periods:
- User account data: until account deletion by user or 3 years from last activity
- Transaction data: in accordance with legal requirements (5 years for tax and accounting purposes)
- Analytics data: maximum 25 months (PostHog) or until consent withdrawal
- Error logs: maximum 90 days (Sentry)
- Session data: until end of browser session or up to 30 days
- After retention periods expire, data is deleted or anonymized.
5. User Rights
In accordance with GDPR, you have the following rights:
- Right of access (Art. 15 GDPR) - you can request information about processed data
- Right to rectification (Art. 16 GDPR) - you can request correction of incorrect data
- Right to erasure (Art. 17 GDPR) - you can request data deletion (right to be forgotten)
- Right to restriction of processing (Art. 18 GDPR) - you can request restriction of processing
- Right to data portability (Art. 20 GDPR) - you can receive data in a structured format
- Right to object (Art. 21 GDPR) - you can object to data processing in certain cases
- Right to withdraw consent - you can withdraw consent for data processing based on consent at any time.
To exercise the above rights, contact us at: contact@krakowplaces.com
6. Transfer of Data to Third Countries
Your data may be transferred to the following service providers based outside the EEA:
- Clerk (USA) - user authentication, Standard Contractual Clauses (SCC)
- Stripe (USA) - payment processing, SCC, PCI DSS certification
- PostHog (USA/EU) - analytics, SCC
- Sentry (USA) - error monitoring, SCC
- Meta Platforms (Facebook, USA) - marketing and ad analytics (Facebook Pixel, Conversions API), Standard Contractual Clauses (SCC), GDPR compliant. All personal data (email, IP) is hashed before transmission.
- All transfers of data to third countries are carried out with appropriate safeguards in accordance with GDPR, including Standard Contractual Clauses approved by the European Commission.
7. Data Security
We apply the following security measures:
- Data encryption in transit (HTTPS/TLS)
- Encryption of sensitive data in the database
- Limited access to data only for authorized persons
- Regular security system updates
- Monitoring and detection of unauthorized access (Arcjet)
7a. Personal Data Hashing
To protect your privacy, some personal data (email, IP address) is hashed using the SHA256 algorithm before being sent to external partners (Facebook/Meta). Hashing means:
- One-way process - it is impossible to recover the original value from the hash
- SHA256 algorithm - industry-standard cryptographic method
- Hashing occurs on our server side before data transmission
- External partners (e.g., Meta) do not receive data in readable form
- Hash is used solely for user matching and measuring ad effectiveness
8. Cookies
Detailed information about cookies used is available in our Cookie Policy at /cookies. We use cookies necessary for service operation and optional analytics (PostHog) and monitoring (Sentry) cookies.
9. Right to Lodge a Complaint
You have the right to lodge a complaint with the supervisory authority - the President of the Personal Data Protection Office (UODO), if you believe that the processing of your personal data violates GDPR provisions. Contact: Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw, Poland, tel. +48 22 531 03 00, email: kancelaria@uodo.gov.pl.
10. Changes to Privacy Policy
We reserve the right to make changes to this Privacy Policy. We will inform users of any changes by publishing an updated version on this page along with the date of last update. We recommend regularly reviewing this policy.