Privacy policy

The following Privacy Policy is provided to clearly inform users about what data the application collects, how it is used, with whom it may be shared, and what rights users have regarding their information. If your app’s target audience includes children under 13, special emphasis is placed on regulations governing children’s data (including obtaining parent/guardian consent). Additionally, we outline common pitfalls in data processing—particularly regarding compliance with GDPR (for EU countries) and other regulations (e.g., COPPA in the U.S.).

1. Definitions and Scope

1.1. Data Controller

The data controller is [Your Company Name or Owner’s Name], located at [address], email: [contact email], phone: [phone number], Tax ID (NIP): [NIP or other identifier].

1.2. User

A “User” is any natural person who uses the [App Name] application, including children under age 13 if the app is used by them.

1.3. Service / Application

“Application” means the mobile/web software available on platforms such as [e.g., Google Play, App Store], designed to provide [brief description of app functionality].

1.4. Personal Data

“Personal Data” refers to any information relating to an identified or identifiable natural person (e.g., name, email address, contact details).

1.5. Device Data and Automatically Collected Data

Technical data such as a unique device identifier (IDFA, Android Advertising ID), device model, operating system, app version, IP address, server logs, cookies, and in-app behavior analytics.


2. What Data We Collect and Why

2.1. Data Provided Directly by the User

  • Registration and Account Data: first name, last name, email address, password (encrypted), phone number (optional).
  • Profile Data: avatar, preference settings (e.g., language, theme).
  • Contact Forms and Inquiries: message content, contact details (if provided).

Purpose: to create and maintain the user account, allow personalization, enable email/phone communication for technical or marketing purposes (only with consent), and provide user support.

2.2. Automatically Collected Data

  • Device Technical Data: device model, operating system, app version, device language.
  • Connection Data: IP address, network information (carrier, connection type).
  • Usage Data: event logs, time spent in the app, clicks, feature usage statistics.
  • Cookies and Similar Technologies: session identifiers, user preferences, analytical data (anonymous IDs to support statistical analysis).

Purpose: monitoring app performance, diagnosing errors, improving quality and performance, conducting statistical analysis (e.g., identifying most-used features), personalizing content, and—if applicable—serving in-app advertisements.

2.3. Sensitive Data

The application does not collect or process any sensitive data (e.g., health information, political views, sexual orientation, etc.). If sensitive data collection is introduced in the future, it will be explicitly disclosed, and the user’s separate, voluntary consent will be obtained.


3. Legal Bases for Processing (GDPR and Other Regulations)

For users within the European Union (GDPR):

  • Article 6(1)(b) GDPR: processing is necessary for the performance of a contract (e.g., providing account-related services).
  • Article 6(1)(a) GDPR: voluntary user consent (e.g., for newsletters, profiling, sharing data with third parties for marketing).
  • Article 6(1)(c) GDPR: compliance with a legal obligation (e.g., maintaining accounting records).
  • Article 6(1)(f) GDPR: legitimate interests of the controller (e.g., app security, fraud prevention).

For children under 13:

  • If the application is directed to children or may be used by children under 13, verifiable parental or guardian consent is required before collecting any personal data (COPPA in the U.S.; in the EU—national laws implementing GDPR and guidance from the European Data Protection Board).
  • In Poland and generally in Europe: parental/guardian consent must be obtained in verifiable form (typically via email confirmation), and information about data processing must be presented in an understandable way for the child.

4. Purpose and Use of Collected Data

4.1. Service Delivery and Account Management

  • Verifying identity during registration and authentication.
  • Storing contact data to enable communication (e.g., password resets, technical notifications).
  • Retaining user settings, including language preference, theme selection, notification settings.

4.2. App Functionality Improvement

  • Analyzing error logs and event records to swiftly address technical issues.
  • Fraud and abuse prevention—guarding against spam, bots, and fraud.
  • Conducting statistical research and analytics (e.g., Google Analytics, Firebase Analytics) to understand user behavior and guide product development.

4.3. Marketing and Communication

  • Sending personalized updates about new features or news (newsletters, push notifications) only with prior user consent.
  • Displaying tailored advertisements (if the app contains ads) based on user profile and preferences—only with voluntary consent (especially for children under 13).
  • Conducting surveys and satisfaction polls—user participation is voluntary.

4.4. Data Sharing

User data may be shared only for the purposes listed below and only with proper authorization:

  • Technology Subprocessors: hosting providers, analytics providers (e.g., Google, Firebase), email service providers (e.g., MailChimp)—to deliver and maintain services (e.g., database storage, analytics).
  • Payment Service Providers: if in-app payments are offered (e.g., Google Pay, Apple Pay, PayU)—to facilitate transactions.
  • Marketing Partners: only if the user has given explicit consent to receive marketing materials and to share data for that purpose (e.g., affiliate programs, advertising networks).
  • Public / Legal Authorities: upon lawful request (e.g., court, prosecution, police).

Note: Data will never be sold to third parties for advertising without explicit, separate user consent. Any sharing of data strictly complies with applicable laws, including GDPR (for EU users) and local data protection regulations (e.g., COPPA in the U.S.).


5. Data Security and Storage

5.1. Technical and Organizational Security Measures

  • Use of HTTPS to encrypt communication between the app and servers.
  • Authentication credentials (passwords) stored securely (e.g., bcrypt or another strong hashing algorithm).
  • Limited database access—only authorized technical personnel.
  • Regular updates of application and server software to protect against known vulnerabilities.
  • Routine data backups stored securely.

5.2. Data Retention Periods

  • Account Data (e.g., email, password): stored as long as the account is active or until deletion.
  • Usage Data (logs, statistics): stored for up to 24 months from the date collected (unless a longer period is required by law or for the controller’s legitimate interests).
  • Payment Data: subject to legal accounting requirements (e.g., 5 years as per Polish accounting law).
  • Backup Copies: retained for up to 6 months (unless backup specifics require longer storage).

5.3. Data Transfer Outside the European Economic Area (EEA)

If hosting or analytics services operate servers outside the EEA, appropriate safeguards are used, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Security certifications (e.g., Privacy Shield—though post-2020 it is recommended to rely on SCCs or Binding Corporate Rules).

6. User Rights

Under the GDPR and local laws, each user has the right to:

  1. Access their personal data—request a copy of what is stored.
  2. Rectify inaccurate or incomplete data.
  3. Erase (“right to be forgotten”) where no legal obligation requires further retention.
  4. Restrict Processing—temporarily suspend processing in certain circumstances.
  5. Data Portability—receive data in a structured, commonly used format (e.g., CSV) and transfer it to another controller.
  6. Object to processing—for example, for marketing or profiling purposes.
  7. Withdraw Consent at any time—this does not affect processing carried out before withdrawal.
  8. Lodge a Complaint with a supervisory authority—e.g., in Poland, the President of the Personal Data Protection Office (PUODO).

To exercise these rights, users may contact: [contact email] or use the provided form within the app/website.


7. Special Provisions for Children Under 13

7.1. Obtaining Parent/Guardian Consent

  • If the app can be used by children under 13, no personal data of the child is collected without verifiable parental or guardian consent.
  • Practically, before child registration:
    1. The child provides a parent/guardian’s email address.
    2. A verification email (with a link or code) is sent to that address, which the parent/guardian must confirm.
    3. Only after parental/guardian confirmation does the app collect any personal data from the child.
  • All information about processing children’s data is presented in clear, simple language understandable to a child.

7.2. Minimum Necessary Data

  • Only data strictly necessary to provide the service to the child is collected (e.g., basic account data without marketing information).
  • Children’s data is never shared with third parties for advertising or profiling.

7.3. Storage and Deletion of Children’s Data

  • Children’s data is stored only as long as necessary to provide the service (e.g., until the child’s account is deleted).
  • The parent/guardian may request deletion of all child data at any time (right to be forgotten).

7.4. Avoiding Common Mistakes

  • Lack of Verifiable Consent: Relying solely on the child’s declaration instead of obtaining verified parental consent.
  • Overly Legalistic Language: Privacy information for children must be in plain, understandable language—avoid legal jargon.
  • Hiding Information in Terms of Service: Children’s data processing details cannot be buried in general terms; they must be clearly highlighted.
  • No Easy Consent Withdrawal: The child or parent/guardian must be able to withdraw consent and delete the child’s account easily.

8. Cookies and Similar Technologies

8.1. What Are Cookies?

Cookies are small text files stored on the user’s device that allow recognition of the browser and retention of user preferences (e.g., language, shopping cart contents, login status).

8.2. Types of Cookies Used

  • Strictly Necessary Cookies: enable basic app functions (login, authentication).
  • Performance (Analytical) Cookies: collect information on how users interact with the app (e.g., Google Analytics, Firebase Analytics).
  • Functional Cookies: remember user preferences (e.g., language, theme).
  • Marketing (Targeting/Advertising) Cookies: used for showing personalized ads (only with prior consent, especially for users under 13).

8.3. Managing Cookies

Users can change their cookie settings at any time:

  • In the browser settings (block or delete cookies).
  • In app settings (if the app offers a cookie management panel).

Disabling cookies might affect app functionality (e.g., inability to stay logged in or retain personalized settings).


9. Sharing Data with Third Parties

9.1. Integrations with External Services

  • Google Analytics / Firebase Analytics: analyzes anonymous usage data to improve user experience.
  • Payment Services: e.g., Stripe, PayPal, PayU—process payment data (card number, billing information) to complete transactions.
  • Email Marketing Services: e.g., MailChimp, SendGrid—use the user’s email to send newsletters or promotional messages (only with consent).

9.2. Transfers Outside the EEA

If data is transferred to countries outside the European Economic Area (e.g., servers in the U.S.), the controller implements Standard Contractual Clauses approved by the European Commission or other safeguards ensuring adequate data protection.


10. Transfer of Children’s Data

For children under 13, no data is shared with third parties for marketing purposes. Any transfer of their data occurs only with parental/guardian consent and strictly to the extent necessary for providing the service (e.g., passing the email address to the push notification system).


11. Data Retention and Deletion Procedures

11.1. Retention Periods

Data Type | Retention Period
Account Data (login, email, password) | Until account deletion or as long as the account is active
Technical Data (logs, statistics) | Up to 24 months from the date of collection (unless longer retention is required by law or legitimate interest)
Payment Data | According to accounting regulations (min. 5 years)
Children’s Data (under 13) | Until the child’s account is deleted or parental consent is withdrawn
Backup Copies | Up to 6 months (unless specific backup requirements dictate otherwise)

11.2. Deletion Procedure

  1. The user can delete their account through the app’s settings.
  2. The user may request data deletion via email: [contact email].
  3. The controller will delete all user data within 30 days of the request (unless law requires longer retention).
  4. Backup copies may remain for up to 6 months but will no longer be linked to the active user in the system.

12. User Rights and Exercise Procedures

12.1. Rights of Access, Rectification, Erasure, Restriction, Portability

Users can exercise their rights by sending a request to:

  • Email: [contact email]
  • Contact form: [link to form]

The controller will respond within 30 days. For complex or numerous requests, the period may be extended by another 60 days, with the user notified promptly.

12.2. Withdrawing Consent

  • A user who has given consent (e.g., for marketing) may withdraw it anytime by contacting: [contact email].
  • Withdrawal does not affect the lawfulness of processing done prior to withdrawal.

12.3. Right to Lodge a Complaint

If the user believes their rights have been violated, they may lodge a complaint with the supervisory authority. In Poland:

  • President of the Personal Data Protection Office (PUODO)
    Address: Stawki 2, 00-193 Warsaw
    Website: https://uodo.gov.pl

13. Changes to the Privacy Policy

  1. The controller reserves the right to amend this Privacy Policy (e.g., due to app development or legal changes).
  2. Users will be informed of any changes by email and via an in-app notification at least 14 days before they take effect.
  3. If the changes significantly affect data processing (e.g., new purposes or expanded scope), the user will be asked to give renewed consent.

14. Contact Information and Additional Details

  • Data Controller:
    [Company Name or Owner’s Name]
    Address: [street, postal code, city]
    Email: [contact email]
    Phone: [phone number]
  • Data Protection Officer (if appointed):
    Email: [DPO email]
    Phone: [DPO phone number]

For any questions regarding this Privacy Policy or to exercise data rights, please contact us via the details above.


15. Common Mistakes and Recommendations

  1. Lack of Clear Information
    • Mistake: Users do not know who the controller is or how to request data access.
    • Recommendation: Clearly present the controller and DPO contact details, along with response times, on the Privacy Policy page.
  2. Mixing with Terms of Service
    • Mistake: Hiding the Privacy Policy within the Terms of Service, making it hard to find.
    • Recommendation: Publish the Privacy Policy as a standalone document or a clearly marked section, easily accessible from the app (e.g., footer, “Information” menu).
  3. Outdated Information
    • Mistake: Not updating the list of data recipients when changing analytics or payment providers.
    • Recommendation: Conduct regular reviews (at least annually) and update the list of subprocessors/partners.
  4. No Parental Consent for Children
    • Mistake: Allowing children under 13 to register without verifying parental consent.
    • Recommendation: Implement a verified parental-consent mechanism (via email or phone confirmation) and do not collect any data from the child without approval.
  5. Collecting Excessive Data
    • Mistake: Requesting unnecessary data (e.g., date of birth if not needed).
    • Recommendation: Follow the minimization principle—collect only data strictly necessary to provide the service.
  6. Omitting Cookie Information
    • Mistake: Failing to explain what cookies are used and how to disable them.
    • Recommendation: Create a clear “Cookies” section with categories and management instructions.
  7. No Multilingual Policy
    • Mistake: Offering a global app but only providing the Privacy Policy in Polish.
    • Recommendation: Provide at least an English version, and translate into other languages as needed for your user base.
  8. Uninformed Consent Buttons
    • Mistake: Using an “Accept All” button without giving granular choices.
    • Recommendation: Allow users to separately consent to analytics, marketing, and cookies.
  9. Not Disclosing Third-Party SDKs
    • Mistake: Using external libraries (e.g., Facebook SDK, Google Analytics) without informing users what data those libraries collect.
    • Recommendation: Clearly list all SDKs used and the type of data they transmit.
  10. No Incident Response Procedures
    • Mistake: Lacking documented procedures for data breaches or security incidents.
    • Recommendation: Define and describe a procedure for notifying users of a breach (e.g., within 72 hours of detection).