
Privacy Policy
Information about personal data processing
Data controller
The controller of your personal data is Łukasz Ryłko, sole proprietor trading as „Łukasz Ryłko — Przewodnik Tatrzański", registered office: Os. Kasprusie 13/5, 34-500 Zakopane, Poland, Polish tax ID (NIP): 7361750140, business registry (REGON): 529530576 (the „Controller"). Contact for all data protection matters: kontakt@tatractive.pl, phone +48 508 710 246. The Controller has not appointed a Data Protection Officer — data protection inquiries are handled directly by the Controller.
Scope of collected data
We only collect data necessary to provide our services:
- Booking form: full name, e-mail, phone, number of participants, optional notes (including health information relevant to safety)
- Contact form: name, e-mail, phone (optional), message content
- Payments: data processed by Stripe (we do not store payment card data — we receive only the transaction ID and payment status)
- Cookies: technical cookies necessary for the website, analytics (Google Analytics) and marketing (Google Ads) — only with your consent
- Image: photos from the tour (only with your consent given at booking or at the meeting point — § 26 of the Terms)
Purpose of data processing
- Performance of the guiding service contract (booking, payment, tour-related communication)
- Payment handling and issuance of accounting documents (invoice/receipt)
- Responding to contact form inquiries
- Website traffic analysis (Google Analytics 4 — only with consent)
- Marketing and ad performance measurement (Google Ads — only with consent)
- Pursuing or defending against claims (after the contract ends)
- Ensuring Participant safety during the tour (health information from the booking „Notes" field — processed as a special category of personal data under Art. 9(2)(a) GDPR based on consent)
Legal basis for processing
Each processing purpose has its own legal basis:
- Performance of the guiding service contract (booking, payment, tour-related communication) — Art. 6(1)(b) GDPR
- Payment handling and accounting documentation — Art. 6(1)(c) GDPR (legal obligation — tax and accounting regulations)
- Responding to inquiries from the contact form — Art. 6(1)(f) GDPR (legitimate interest — communication with a person interested in the offer)
- Traffic analytics (Google Analytics 4) and marketing (Google Ads) — Art. 6(1)(a) GDPR (consent given in the cookie banner)
- Image (tour photos) — Art. 6(1)(a) GDPR (consent) + Article 81 of the Polish Copyright Act
- Health data — Art. 9(2)(a) GDPR (consent for processing special-category data)
- Pursuing / defending claims — Art. 6(1)(f) GDPR (legitimate interest)
Legitimate interests
Where processing relies on Art. 6(1)(f) GDPR, the Controller's interest is:
- responding to inquiries sent via the contact form or e-mail (communication with persons interested in the offer)
- ensuring website security and protection against abuse (bot protection, anomaly monitoring)
- pursuing or defending against claims (after the contract ends, until limitation periods expire)
Post-trip keepsake album
After a completed trip we may prepare a keepsake photo album for its participants and send it to the e-mail address provided at booking. Processing relies on Art. 6(1)(f) GDPR (legitimate interest - delivering a record of the purchased service and building the customer relationship):
- Scope of data: photos of participants from the given trip and the e-mail address provided at booking.
- The album is private - available only via an individual, unguessable link and not indexed by search engines. We do not publish it anywhere publicly.
- We keep the album and photos for up to 365 days from sending, after which they are permanently deleted.
- You may object to the processing or request deletion of the photos at any time - just message kontakt@tatractive.pl and we will remove them promptly.
The optional consent to publish your image on social media and the website (ticked in the booking form) concerns a separate purpose - public promotion - and is independent of the keepsake album, which stays private.
Data retention period
Retention periods vary by data category:
- Booking and payment data — 5 years from the end of the year in which the accounting document was issued (Art. 86 § 1 of the Polish Tax Ordinance, Art. 74(2) of the Accounting Act)
- Data for pursuing / defending claims — up to 6 years after contract end (Art. 118 of the Polish Civil Code for business activity; for consumers typically 3 years)
- Contact form data — up to 30 days after the correspondence ends (unless a contract was concluded — then contractual periods apply)
- Google Analytics 4 data — up to 14 months (GA4 default setting)
- Cookies — according to the lifetime of the specific cookie listed in the „Cookies" section
- Image (tour photos) — until consent is withdrawn (photos are removed within 14 days of the request)
- Health data from the booking „Notes" field — together with the entire booking for 5 years (tax regulations); information given verbally to the Guide is destroyed after the tour ends
Your rights
You have the right to:
- Access your personal data (Art. 15 GDPR)
- Rectify (correct) your data (Art. 16 GDPR)
- Delete your data — „right to be forgotten" (Art. 17 GDPR)
- Restrict processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object to processing (Art. 21 GDPR)
- Withdraw consent at any time — without affecting the lawfulness of processing based on consent before its withdrawal. Cookie consent can be withdrawn via the „Manage cookies" link in the footer. Consent to use of your image, or any other category of consent, can be withdrawn by e-mail to the Controller.
- Lodge a complaint with the supervisory authority — President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl
Requirement to provide data
Providing personal data in the booking form is voluntary, but necessary to conclude and perform the guiding service contract. Failure to provide required data (full name, e-mail, phone, number of participants) prevents booking. The „Notes" field is optional, but we recommend disclosing safety-relevant health circumstances there (§ 11 of the Terms). Providing data in the contact form is voluntary — without it the Controller cannot respond to your inquiry.
Automated decision-making and profiling
The Controller does not make decisions about users based solely on automated processing, including profiling, that produce legal effects on them or similarly significantly affect them (Art. 22 GDPR). Google Analytics and Google Ads use profiling techniques for analytics and advertising, but the Controller does not use their output to make individual decisions about specific users.
Data recipients
Your data may be shared with the following recipients (processors):
- Stripe Payments Europe Ltd. (Ireland) and Stripe Inc. (USA) — online payment processing, PCI DSS certified
- Supabase Inc. — database hosting (EU region, Frankfurt)
- Vercel Inc. (USA) — website hosting
- Google LLC (USA) — analytics (Google Analytics 4) and ads (Google Ads) — only with your consent
- Karolina Gac — licensed Class III Tatra mountain guide, leads selected tours under a cooperation agreement with the Controller (data processed solely for contract performance)
- Meta Platforms Inc. (USA — WhatsApp/Instagram/Facebook) — only if you consent to join the tour's WhatsApp communication group (§ 26 of the Terms) or to publication of your image on social media
- Rescue services (TOPR, Horská záchranná služba) — solely in life- or health-threatening emergencies (transmission of information necessary for the rescue operation)
- Public authorities — only at the request of authorized authorities (tax office, court, prosecutor, police) under applicable law
Transfer of data outside the European Economic Area (EEA)
Some data recipients are based outside the EEA, in particular in the United States:
- Stripe Inc. (USA) — online payment processing
- Vercel Inc. (USA) — website hosting
- Google LLC (USA) — analytics (Google Analytics 4) and ads (Google Ads)
- Meta Platforms Inc. (USA) — WhatsApp / Instagram / Facebook
Transfer of data to the USA takes place under the European Commission decision of 10 July 2023 on the EU-US Data Privacy Framework (DPF), which finds an adequate level of protection of personal data transferred to certified organizations in the USA. All of the above entities are certified DPF participants. Independently of the DPF decision, the Controller has concluded contracts with US recipients including Standard Contractual Clauses (SCC) approved by the European Commission as an additional safeguard.
Google Analytics 4 and Google Ads
Google Analytics 4 collects data on how you use the website (pages viewed, time spent, device type, approximate location based on IP address — IP is not stored). Although Google declares that the IP is not recorded, GA4 data may contain identifiers allowing indirect identification of the user, so it is processed as personal data based on consent (Art. 6(1)(a) GDPR). We use the Google Consent Mode v2 mechanism — by default all consents (analytics_storage, ad_storage, ad_user_data, ad_personalization) are set to „denied" and Google collects no data until you give explicit consent in the cookie banner.
Cookies — categories and consent management
We use three categories of cookies: (1) necessary — required for the site to function (language preference, booking session, CSRF protection), no consent required; (2) analytics — Google Analytics 4, helps us understand how you use the site, requires your consent; (3) marketing — Google Ads (remarketing, ad performance measurement), requires your consent. Analytics and marketing cookies are enabled only after your consent expressed in the banner. You can withdraw or change your consent at any time via the „Manage cookies" link in the footer, or manage cookies in your browser settings.
Detailed list of cookies
The list is updated as changes occur. The cookies actually active at any given time can be checked in browser tools (DevTools → Application → Cookies).
| Name | Purpose | Type | Lifetime | Vendor |
|---|---|---|---|---|
| NEXT_LOCALE | language preference | necessary | 1 year | own |
| tatractive_cookie_consent_v1 | stores cookie decision (accepted categories) | necessary | 1 year | own |
| __cf_bm | bot protection | necessary | 30 min | Cloudflare |
| __stripe_mid | payment fraud detection | necessary | 1 year | Stripe |
| __stripe_sid | Stripe Checkout session | necessary | 30 min | Stripe |
| _ga | GA4 user identification | analytics | 2 years | |
| _ga_<container> | GA4 session | analytics | 2 years | |
| _gcl_au | Google Ads conversion attribution | marketing | 90 days | |
Newsletter and marketing communication
The Controller currently does not run a newsletter, mailing list, or other regular marketing communication. Contact details provided by the Client to conclude a guiding service contract (e-mail, phone) are not used for marketing or commercial offers. If a newsletter is launched in the future, its use will require separate, voluntary, and explicit consent from the Client, given via a dedicated „Subscribe to newsletter" checkbox, in line with Art. 6(1)(a) GDPR and Art. 10 of the Polish Act on Providing Services by Electronic Means.
Last updated: 10.05.2026