Below you can find key information about how we process personal data on the platform.
The data controller is Maciej Szymczuk, sole proprietor (Book a Balloon), NIP: 9661876768, REGON: 387074085, address: Horodniany 36, 16-001 Kleosin, Podlaskie, Poland, contact email: office@bookaballoon.com.
We process data required to complete bookings and voucher purchases, provide customer support, handle settlements, and ensure operational flight safety. To maintain platform stability and security, we also collect technical data: IP addresses (temporarily, for abuse prevention), server function activity logs, technical error data, and analytics/performance data if the user consents to analytics cookies.
Data is processed under Article 6(1)(b) GDPR (contract performance), Article 6(1)(c) GDPR (legal obligation), and Article 6(1)(f) GDPR (legitimate interest). SMS notifications, newsletters, and marketing communications are sent solely based on separate, voluntary user consent (Article 6(1)(a) GDPR). Consents may be withdrawn at any time. Each consent action (accepting Terms, Privacy Policy, SMS opt-in, or marketing consent) is recorded with the date, document version, IP address, and browser information — in accordance with Article 7(1) GDPR (obligation to demonstrate consent).
You have the right to access, rectify, erase, restrict processing, transfer your data, object to processing, and file a complaint with the competent supervisory authority. To download a copy of your data or request its deletion, use the form at /dane-osobowe. Identity verification is performed using your email address and booking code.
We retain personal data for as long as necessary to fulfil the purposes of processing: booking and passenger data — for the period required to handle the flight, settlements, and tax obligations; voucher data — 5 years from expiry or redemption; invoices and settlement data — for the legally required period calculated under applicable tax rules; waitlist sign-ups — 12 months from sign-up; notification logs — 12 months; user consent records — 5 years (obligation to demonstrate consent under GDPR Art. 7). After the retention period, personal data is automatically anonymised or deleted.
We do not use automated decision-making or profiling as referred to in GDPR Art. 22 that would produce legal effects or similarly significantly affect users.