Data controller

Personal data controller: Transfer PL JDG Henadzi Nabochanka, ul. Mysliwska 89a, 80-283 Gdansk, NIP 9571176286. Contact for privacy requests: use the email shown on the Contact page unless you have been given another channel.

Purposes of processing

We process personal data to deliver the transfer service and related operations. Examples include:

• Handling bookings and performing the transport contract (route, pickup time, passenger count, vehicle choice, special requests).
• Payments and fraud prevention when you pay online (handled by Stripe; we do not store full card numbers).
• Transactional email such as confirmations and updates (email provider: Resend or equivalent configured in production).
• Operational alerts to our operators via optional Telegram Bot messages (new bookings, payments, status changes). This is separate from contacting us through the Telegram link on the site—that is your voluntary message to us as a contact channel.
• Scheduling when Google Calendar integration is enabled for confirmed trips.
• Protecting public flows from abuse (optional Cloudflare Turnstile on booking and GDPR self-service requests) and maintaining service security.
• If you consent: audience measurement with Google Analytics loaded via Google Tag Manager.
• If you consent: marketing or advertising tags you configure in Google Tag Manager.

Legal bases (GDPR Art. 6)

Depending on the processing activity, we rely on one or more of the following:

• Performance of a contract — processing necessary to provide the transfer you booked.
• Consent — analytics and marketing cookies/tags where European rules require consent (you can withdraw consent via cookie settings).
• Legitimate interests — for example protecting our systems, ensuring availability of the service, and limited operational messaging that does not override your rights.
• Legal obligation — where applicable (for example tax or accounting retention).
• When several bases could apply, we document the primary basis for each processing purpose.

Recipients and subprocessors

Depending on configuration and your choices, personal data may be processed by:

• Stripe — card payments and payment status (privacy policy: stripe.com/privacy).
• Resend (or another configured ESP) — transactional email.
• Google Maps / Places / Routes APIs — address autocomplete, routing, and maps display on the booking flow.
• Google Calendar API — optional calendar entries for operators.
• Telegram (Bot API) — optional booking-related alerts for order handling when enabled; unrelated to the public Telegram contact link in the footer.
• Cloudflare — Turnstile abuse protection when enabled.
• Google Tag Manager / Google Analytics — only after you enable analytics in cookie preferences.
• Hosting and database providers where your deployment stores bookings (follow your infrastructure vendor documentation).

Transfers outside the EEA

Some providers above may process data in third countries. They typically offer Standard Contractual Clauses or other safeguards described in their documentation. Review each vendor’s data processing addendum for details.

Retention

We keep booking records for as long as needed to provide the service, handle disputes, refunds, and legal/fiscal obligations. Exact retention depends on contract type and local law — define concrete periods with your accountant or lawyer. After retention expires, data should be deleted or anonymised.

Cookies, Google Tag Manager, and Google Analytics

We use strictly necessary cookies and similar technologies to operate this site (including session stability and security). Google Tag Manager, Google Analytics (to understand service usage), and marketing tags served through GTM load only after you opt in via the cookie banner or cookie settings. The list below breaks this down by category.

Cookies are small text snippets your browser may store on your device when you visit a website. They help pages work reliably, remember your preferences, and—when you opt in—let us understand how the service is used.

• Strictly necessary: required for core functionality you explicitly request (for example completing a booking).
• Analytics: Google Tag Manager may load Google Analytics (measurement and diagnostics) after you opt in.
• Marketing: optional tags (for example ads remarketing) load only if you enable marketing in preferences.
• You can change your mind anytime via “Cookie settings” in the footer.

Some cookies last only for your browser session (session cookies) and are typically cleared when you close the browser; others may remain between visits (persistent cookies), including to store your cookie preference choices.

You can also manage cookies through your browser settings (block, delete, or prompts). Completely blocking or frequently clearing cookies may cause parts of the site to work incorrectly; strictly necessary cookies may still be required for the booking flow.

Browser storage and booking links

In addition to cookies:

• This site may save recent booking references locally on your device (browser storage) so you can reopen orders from the same browser.
• Your order page URL contains the booking code. Anyone with the link may see booking summary details shown on that page — do not share it in public channels.
• Cookie preferences are stored in a first-party cookie and may be mirrored in browser local storage so your choice survives reloads reliably.

Your rights

Under GDPR you may have the following rights in respect of your personal data:

• Access — obtain confirmation and a copy of data we hold about you.
• Rectification — correct inaccurate data.
• Erasure (“right to be forgotten”) — subject to exceptions such as legal retention.
• Restriction — limit processing in certain cases.
• Data portability — receive structured machine-readable data where processing is based on consent or contract and automated.
• Object — object to processing based on legitimate interests.
• Withdraw consent — where processing is consent-based (cookie preferences).
• Lodge a complaint — with the supervisory authority in your country (Poland: UODO, uodo.gov.pl).

How to exercise your rights

Contact us via the email on the Contact page. For booking-related data we offer self-service endpoints after verifying your booking code and email address.

• General requests: use the support email listed on the Contact page.
• Export copy of data tied to a booking: HTTP POST to /api/gdpr/data-export with JSON fields bookingCode (e.g. BK- followed by 8 hex chars), email, and optional captchaToken when Turnstile is enabled.
• Request anonymisation of personal data for a booking: HTTP POST to /api/gdpr/erase with the same JSON fields. This replaces identifying fields with placeholders where permitted; some accounting records may still need to be retained in aggregated form — confirm with legal counsel.
• Payment processors (for example Stripe) may keep transaction, dispute, or anti-fraud records under their own policies and legal obligations. Erasing data in our systems does not automatically delete everything held by the payment provider — contact support if you need help coordinating requests.

This page is informational and not legal advice. Align texts and retention with Polish law and your contracts.

Payments and pricing

• • No additional card payment surcharge.
• • Route prices are based on booking details provided at checkout.
• • Additional route changes may result in additional fees after confirmation.

Cancellation policy (summary)

• • Where self-service cancellation is enabled in the app, you can cancel until 24 hours before scheduled pickup (Europe/Warsaw). Outside that window, cancellation may require contacting support.
• • If you paid online on the site, refunds after cancellation are processed manually where applicable and follow payment-provider timelines — allow several business days unless stated otherwise in your confirmation.
• • Late cancellation, changes after confirmation, or no-show may incur fees up to the quoted price; contact support for changes.