Book a Balloon
FlightsBalloon fiestasBuy voucherRedeem voucherFAQContactAbout usCheck booking
|
For Operators
Book a Balloon

One place, every verified balloon operator in Poland. Confirmed dates, transparent pricing, insurance included.

Navigation
  • Flights
  • Balloon fiestas
  • Buy voucher
  • Redeem voucher
  • FAQ
  • Check booking
Information
  • Terms of service
  • Privacy policy
  • Information notice
  • Cookie policy
  • Contact
  • About us
For Operators
  • Join the platform
  • Operator panel

© 2026 Book a Balloon · All rights reserved

Dokument · Polityka prywatności

Privacy policy

Below you will find information about who controls your data, for what purposes and on what legal bases we process it, to whom we transfer it, and what rights you have.

§01

Data controller

The controller of personal data processed in connection with the use of the bookaballoon.com portal is Maciej Szymczuk conducting business under the name Book a Balloon, NIP 9661876768, REGON 387074085, ul. Horodniany 36, 16-001 Kleosin. Contact for data protection matters: office@bookaballoon.com, Book a Balloon, Horodniany 36, 16-001 Kleosin. In connection with a specific balloon flight, data may be transferred to the Flight Operator indicated in the offer or booking. The Operator may act as an independent data controller with respect to the organisation and execution of the flight and their own legal obligations.

§02

What Book a Balloon portal is

Book a Balloon is a portal enabling users to search for, book, and purchase balloon flights, as well as contact flight operators. The seller or provider of the flight service is the Operator indicated in the relevant offer, unless the offer states otherwise. The portal may also handle quote requests, vouchers, tethered display events, and the operator panel.

§03

What data we process

We process the following categories of personal data depending on the person:

Categories of personal data processed
Category of personExample data
User visiting the portalIP address, cookie identifiers, device and browser data, technical logs, information about activity on the portal
Buyer or person booking a flightfirst name, last name, email, phone number, booking data, booking code, payment status, invoicing data, correspondence
Flight passengerfirst name, last name, flight organisational data, passenger weight if necessary for the safe organisation of the flight and preparation of the manifest
Person sending a query to an operator or about a tethered displayfirst name, email, phone number, message content, event data, location, date, number of participants, data needed to prepare a quote
Operator, pilot, crew memberoperator account data, contact details, role, pilot licence data, flight assignments, pilot logbook data, operator billing data, fleet and document data
User subject to analytics or marketingcookie identifiers, purchase events, traffic sources, campaigns, advertising identifiers, consent information
§04

Purposes and legal bases for processing

We process personal data for the following purposes and on the following legal bases:

Purposes and legal bases for processing personal data
PurposeLegal basisRetention period
Use of the portal, security, session management, abuse preventionArt. 6(1)(f) GDPR — legitimate interest of the controller; no consent required for necessary cookiessession duration or period necessary for abuse prevention
Creation and management of a user or operator accountArt. 6(1)(b) GDPR — performance of the account agreementfor the duration of the account, then until the limitation period for claims expires
Accepting and handling bookings, purchasing a flight, payment, voucher, contact regarding dates and weatherArt. 6(1)(b) GDPR — performance of a contract or pre-contractual actionsfor the duration of performance, then until the limitation period for claims expires
Transferring data to the relevant Flight Operator to fulfil the bookingArt. 6(1)(b) GDPR — performance of the booking agreement; alternatively Art. 6(1)(f) GDPR — legitimate interest in transferring data to the service providerfor the duration of the booking and flight
Preparing the passenger manifest, flight operational plan, and safe balloon balancing, including processing of passenger weightArt. 6(1)(b) GDPR and Art. 6(1)(f) GDPR — safe organisation and execution of the flightfor the period necessary to execute and document the flight
Handling quote requests, enquiries to operators, and tethered display eventsArt. 6(1)(b) GDPR — pre-contractual actions or Art. 6(1)(f) GDPR — handling communications and forwarding the enquiry to the relevant operator12 months from last contact
Sending confirmations, transactional messages, SMS, and organisational emailsArt. 6(1)(b) GDPR or Art. 6(1)(f) GDPR — efficient booking managementfor the duration of the booking
Issuing and storing invoices, tax and accounting settlementsArt. 6(1)(c) GDPR — legal obligation5 years from the end of the tax year (tax regulations)
Complaints, incident handling, establishing, pursuing, or defending claimsArt. 6(1)(f) GDPR and, to the extent of legal obligations, also Art. 6(1)(c) GDPRuntil the limitation period for claims expires
Analytics, advertising effectiveness measurement, remarketing, Google Analytics, Google Ads, Google Tag Manager, marketing cookies, and referral attributionArt. 6(1)(a) GDPR — consent; with respect to writing/reading information from a terminal device, also consent required under the Electronic Communications Actuntil consent is withdrawn or the cookie/identifier expires
Direct marketing by email, SMS, telephone, or similar, where conductedArt. 6(1)(a) GDPR — consent; additionally, Electronic Communications Act provisions on marketing communicationsuntil consent is withdrawn
Crew data, pilots, pilot logbook, licences, and settlements in the operator paneldepending on the function: the Operator as controller and Book a Balloon as processor under a data processing agreement; for managing the operator's own account — Art. 6(1)(b) or (f) GDPRin accordance with the agreement with the operator and the DPA
§05

Special categories of data and passenger weight

The portal does not envisage collecting special categories of data within the meaning of Article 9 GDPR, such as health data. Passenger weight is collected only when it is necessary for the safe preparation of the flight, balancing the balloon, and preparing the passenger manifest. You should not enter additional health information, medical restrictions, or other special category data in the forms unless a specific feature expressly requires it and is covered by a separate information notice.

§06

Recipients of data and service providers

Personal data may be transferred to the following recipients or categories of recipients:

Recipients of data and service providers
Recipient / category of recipientPurpose of sharing
Flight Operatorexecution of the flight, contact with passengers, preparation of the manifest and operational plan
Stripeonline payment processing and payment status management
Supabase / Supabase Storagedatabase, data and document storage, application infrastructure
Twilio / Twilio SendGridsending SMS, transactional emails, confirmations, and notifications
Vercelhosting, portal infrastructure, and analytics where consent has been given
Google Analytics / Google Tag Manager / Google Adsanalytics, conversion measurement, advertising, remarketing — after obtaining consent for the relevant cookies
Google Cloudcloud/OCR services, where actually used in a given feature
Upstashrate limiting, security, and abuse prevention
Sentry / Healthchecks.ioerror monitoring and technical task monitoring; configuration should minimise personal data
Open-Meteoweather data for flight planning; in accordance with the technical description, without transferring passenger personal data
Accounting firms, lawyers, auditors, public authoritiessettlements, legal obligations, claims, inspections
§07

Transfers of data outside the European Economic Area

Some service providers used by the portal may process data outside the European Economic Area, in particular in the United States. This applies in particular to providers of analytics, advertising, payment, communication, and infrastructure tools. Where data is transferred outside the EEA, the controller applies the mechanisms required by the GDPR, in particular European Commission adequacy decisions, the EU-US Data Privacy Framework where the provider is certified, or standard contractual clauses.

§08

Cookies and similar technologies

The portal uses cookies and similar technologies such as session identifiers, local storage, pixels, tags, and advertising identifiers. Necessary cookies are used to ensure the proper functioning of the portal and do not require consent. Analytical, marketing, advertising, and attribution cookies are used only after obtaining the user's consent, unless an exception is permitted by law. Users may accept all cookies, refuse cookies other than necessary cookies, or change their settings in the preference panel. Consent may be withdrawn at any time by reopening the cookie settings.

Cookies and similar technologies used by the portal
Category / namePurposePeriodConsent required?
Necessary / sessionsession management, security, form operation, remembering technically required choicessession duration or period necessary for the portal to functionno
Consent cookierecording cookie preferences and evidence of the user's choiceuntil preferences are changed or the cookie expiresno, to the extent necessary for remembering the choice
bab_refoperator/referral attribution upon entry via a referral link30 daysyes — marketing/attribution
referral_visitsmeasurement of referral visits: IP hash + user agent + date, operator_id, campaign, visited_at12 months, then in aggregated or anonymised formyes — unless strictly necessary
Google _ga, _gidGoogle Analytics — visit and event measurementas configured by Googleyes
Google _gcl_* and similarGoogle Ads, conversion measurement, remarketing, advertisingas configured by Googleyes
Stripe cookiespayment processing and transaction security at checkoutas configured by Stripeusually necessary for payment
Vercel Analytics / other analyticsportal statistics and performance improvementas configured by the provideryes, if not strictly necessary
§09

Cookie banner

On the first visit to the portal, a cookie banner is displayed that allows users at minimum to: accept all cookies, refuse cookies other than necessary cookies, and access detailed settings. In the cookie settings, users receive information about cookie categories and providers, in particular Google tools. Analytical, marketing, advertising, remarketing, and attribution cookies are not activated before the user's consent. Refusal and withdrawal of consent settings are as easily accessible as acceptance.

§10

Data retention periods

We retain personal data for the following periods: • User account data — for the duration of the account, then until the limitation period for claims or accountability actions expires. • Booking and flight purchase data — for the duration of the booking, then until the limitation period for claims expires. • Payment and accounting data — for the period required by tax and accounting regulations, usually 5 years from the end of the tax year. • Manifest data, operational plan, and passenger weight — for the period necessary to execute and document the flight; longer only where data is needed for an incident, complaint, or claim. • Quote requests and leads — for the duration of the enquiry, then for 12 months from the last contact, unless a contract was concluded or the data is needed to defend a claim. • Referral visits and attribution data — for 12 months necessary for campaign settlement/analysis, then in aggregated or anonymised form. • Cookie/analytics/marketing data — until consent is withdrawn or the cookie/identifier expires. • Operator, pilot, and crew data — in accordance with the agreement with the operator and the DPA; data is deleted or returned in accordance with the operator's instructions, unless Book a Balloon has its own legal basis for further retention.

§11

Rights of data subjects

The data subject has the right to access their data, obtain a copy of their data, rectify their data, erase their data, restrict processing, port their data, object to processing based on legitimate interest, and withdraw consent at any time where processing is based on consent. To exercise these rights, please contact the controller at: office@bookaballoon.com. The data subject also has the right to lodge a complaint with the President of the Personal Data Protection Office (UODO).

§12

Marketing and consents

Purchasing or booking a flight does not require giving marketing consent. Messages necessary for the handling of a booking, payment, rescheduling, weather updates, the manifest, or the execution of the flight may be sent within the scope of contract performance or legitimate interest. Consent is required for newsletters, email/SMS/telephone marketing communications, and for cookies and similar technologies used for analytics, advertising, remarketing, or attribution where they are not necessary for the operation of the portal.

§13

Automated decision-making and profiling

The portal does not make decisions regarding users based solely on automated processing that would produce legal effects or similarly significantly affect users. Following consent to marketing or analytics cookies, user activity may be used for marketing profiling, advertising effectiveness measurement, and remarketing.

§14

Security

The controller applies technical and organisational measures designed to protect data against unauthorised access, loss, alteration, or disclosure. Access to data should be restricted to persons who need it for the handling of bookings, payments, flight execution, system security, settlements, or claims management.

§15

Changes to this policy

This privacy policy may be updated in connection with changes to the portal, changes to providers, features, legislation, or data processing practices. The current version of the policy is available at bookaballoon.com.