Privacy policy

Below you can find key information about how we process personal data on the platform.

Data controller

The data controller is Maciej Szymczuk, sole proprietor (Book a Balloon), NIP: 9661876768, REGON: 387074085, address: Horodniany 36, 16-001 Kleosin, Podlaskie, Poland, contact email: office@bookaballoon.com.

Scope of processing

We process data required to complete bookings and voucher purchases, provide customer support, handle settlements, and ensure operational flight safety. To maintain platform stability and security, we also collect technical data: IP addresses (temporarily, for abuse prevention), application error reports (automatic error monitoring), and server function activity logs.

Legal bases

Data is processed under Article 6(1)(b) GDPR (contract performance), Article 6(1)(c) GDPR (legal obligation), and Article 6(1)(f) GDPR (legitimate interest). SMS notifications are sent solely based on a separate, voluntary user consent (Article 6(1)(a) GDPR). SMS consent may be withdrawn at any time. Each consent action (accepting Terms, Privacy Policy, SMS opt-in) is recorded with the date, document version, IP address, and browser information — in accordance with Article 7(1) GDPR (obligation to demonstrate consent).

Data sharing

Passenger data is shared with the Operator performing the flight and with technical/payment providers only to the extent necessary for service delivery.

Your rights

You have the right to access, rectify, erase, restrict processing, transfer your data, object to processing, and file a complaint with the competent supervisory authority. To download a copy of your data or request its deletion, use the form at /dane-osobowe. Identity verification is performed using your email address and booking code.

Cookies and analytics

The service uses cookies and analytics tools to ensure proper operation, security, and continuous platform improvement. The error monitoring tool (Sentry) may transmit performance tracing headers but does not set cookies. The abuse protection mechanism (rate limiting) uses hashed IP addresses — they are not stored in plain text.

Data retention periods

We retain personal data for as long as necessary to fulfil the purposes of processing: booking and passenger data — 5 years from the flight date (tax obligation under Polish Tax Ordinance); voucher data — 5 years from expiry or redemption; invoices — 5 years from issue date; waitlist sign-ups — 12 months from sign-up; notification logs — 12 months; user consent records — 5 years (obligation to demonstrate consent under GDPR Art. 7). After the retention period, personal data is automatically anonymised or deleted.

Automated decision-making

We do not use automated decision-making or profiling as referred to in GDPR Art. 22 that would produce legal effects or similarly significantly affect users.

Data processors (sub-processors)

  • Stripe Technology Europe, Limited (payments)
  • Supabase Inc. (database hosting — EU region)
  • Twilio Inc. (SMS notifications)
  • Twilio SendGrid (email notifications)
  • Vercel Inc. (website hosting)
  • Google Cloud (OCR document verification)
  • Functional Software, Inc. dba Sentry (error monitoring — EU region)
  • Upstash, Inc. (abuse protection — rate limiting)
  • Pinging GmbH / Healthchecks.io (cron job monitoring — no personal data)