1. GENERAL INFORMATION
1.1. This Privacy Policy (the “Policy”) sets out the rules for collecting, processing, and protecting personal data and other information relating to the users of the PointAPlace mobile application (the “App”), as well as the rules for the use of cookies and similar technologies within the App and related services (the “Services”).
1.2. The controller of Users’ personal data is Piotr Goryl, conducting business under the name “Piotr Goryl – Gorilla Business,” with its registered office in Kraków, ul. Bronisława Malinowskiego 15, 30-699 Kraków, Poland, Tax ID (NIP): 9451969937, National Business Registry No. (REGON): 527321740 (the “Operator” or the “Controller”). The Operator is responsible for ensuring that data processing is carried out in compliance with the laws of the European Union, in particular Regulation (EU) 2016/679 (GDPR), the Polish Data Protection Act, as well as the laws of the United States (to the extent applicable), including the California Consumer Privacy Act (CCPA/CPRA) and the Children’s Online Privacy Protection Act (COPPA).
1.3. The Operator ensures that the App and data processing procedures comply with the regulatory requirements of the Apple App Store and Google Play, in particular with respect to the App Store Privacy Nutrition Labels and the Google Play Data Safety Form.
1.4. The Controller may be contacted on matters relating to personal data: by email: gdpr@pointaplace.com or by post: ul. Bronisława Malinowskiego 15, 30-699 Kraków, Poland; or within the App: via the contact form or the electronic contact point.
1.5. The Operator has appointed [if applicable: a Data Protection Officer (DPO)]. The DPO’s contact details will be made available to Users in the App and on the Operator’s website. If no DPO has been appointed, all responsibilities in this respect are fulfilled by the Controller.
1.6. This Policy applies to all Users of the App, regardless of their place of residence or use of the Services, taking into account local data protection law differences (e.g., EU, California, other U.S. states).
1.7. The Policy forms an integral part of the App’s Terms of Service. Use of the App constitutes acceptance of this Policy in its current version.
2.1. Personal Data – any information relating to an identified or identifiable natural person, in particular such as first name, last name, email address, telephone number, location data, online identifiers (e.g., IP address, device identifiers), as well as any other information which, in combination with other data, may lead to the identification of a person.
2.2. Processing – any operation or set of operations performed on personal data, whether automated or not, including the collection, recording, organization, storage, modification, review, use, disclosure by transmission, dissemination, or otherwise making available, as well as deletion or destruction.
2.3. User – a natural person using the App. Depending on the context, the User may also be a Consumer (a natural person acting outside the scope of business activity) or a natural person acting on behalf of and for the benefit of a third-party entity.
2.4. Consumer – a User who uses the App for private purposes, not directly related to business, professional, or other commercial activities.
2.5. Child – under the GDPR, a person under the age of 16; under COPPA, a person under the age of 13. If local law provides for a higher age threshold for independently giving consent to the processing of personal data, such higher threshold shall apply.
2.6. Cookies and Similar Technologies – small text files, pixels, SDKs, device identifiers, and other tracking technologies that may be installed on the User’s end device in order to ensure the proper functioning of the App, analytics, security, and – only with the User’s consent – for marketing purposes.
2.7. Processor – an entity processing personal data on behalf of the Controller, based on a data processing agreement (e.g., hosting provider, cloud services provider, analytics tools, content moderation services).
2.8. Supervisory Authorities – authorities responsible for personal data and privacy protection, including in particular: the President of the Polish Data Protection Authority (PUODO), relevant supervisory authorities in EU member states, and state or federal regulators in the United States (e.g., Federal Trade Commission, California Privacy Protection Agency).
2.9. Policy – this Privacy Policy of the PointAPlace App.
2.10. Terms of Service – the Terms of Service of the PointAPlace App, available within the App and in App Stores, which set out the rules for the use of the Services and form an integral part of the agreement between the User and the Operator.
3. CATEGORIES OF PERSONAL DATA PROCESSED
3.1. The Operator processes personal data only to the extent necessary for the provision of the Services and in accordance with the principle of data minimization. The categories of data include:
3.1.1.Identification and contact data (first name, last name, email address, telephone number (if provided); data used for registration and login (username, encrypted password, session tokens)) – registration and management of the Account, authentication, communication with the User.
3.1.2.Payment and subscription data (transaction identifiers and payment status; information on the selected Subscription plan, billing periods, promotions, and trial periods) – billing, management of Subscriptions, consumer rights.
3.1.3.Technical and device data (IP address, device identifiers (e.g., Android ID, IDFV); operating system, App version, system logs; diagnostic data and crash reports) – ensuring compatibility, security, technical support, and improvement of the Services.
3.1.4.Location data (precise GPS data (if the User has consented); approximate data (e.g., IP address, network information); locations assigned to Content (e.g., photos, notes)) – proper functioning of the App, assigning Content to locations, additional mapping and search functions.
3.1.5.Content data (User Content) (text notes, photos, audio and video recordings, metadata; location-linked data, descriptions, tags) – storage and sharing of Content within the App, in accordance with the User’s choices.
3.1.6.Communication data (content of reports, complaints, and correspondence with the Operator; information provided within moderation procedures (e.g., appeals, complaints)) – handling of complaints, reports, appeals, and ensuring compliance with applicable law.
3.1.7.Marketing data and preferences (marketing consents; settings regarding push notifications, cookies, and similar technologies; user preferences (e.g., favorite locations, map view settings)) – Operator’s own marketing (only with consent), personalization of App settings.
3.1.8.Cookies and similar technologies (cookies, pixels, SDKs, device identifiers) – functionality, security, analytics, and marketing (only with consent).
3.2. The Operator does not require and does not knowingly process special categories of data (so-called sensitive data under Article 9 GDPR), such as health data, biometric data, or data revealing political opinions. If a User enters such data into the App as part of their own Content, the processing takes place solely under the User’s responsibility and according to their chosen privacy settings.
4.1. The Operator processes personal data only to the extent necessary for the proper provision of the Services, based on clear purposes and legal grounds. Processing is carried out on the basis of:
4.1.1.Article 6(1)(b) GDPR – performance of the Agreement (e.g., registration, login, storage of Content),
4.1.2.Article 6(1)(c) GDPR – legal obligations (e.g., taxes, accounting, obligations arising under the DSA),
4.1.3.Article 6(1)(f) GDPR – legitimate interests of the Operator (e.g., IT security, fraud prevention, defense against claims),
4.1.4.Article 6(1)(a) GDPR – User’s consent (e.g., GPS location, marketing, push notifications).
4.2. Legal bases under U.S. law (CCPA/CPRA, COPPA):
4.2.1.Data are used for “business purposes” and “service provider purposes” (e.g., provision of Services, security, fraud detection);
4.2.2.The Operator does not sell personal data within the meaning of CCPA/CPRA;
4.2.3.In the case of processing data of children under the age of 13 in the U.S., the provisions of COPPA apply (although the App is not directed at them – see Section 6.12 of the Terms of Service).
4.3. Summary of Purposes and Legal Bases:
|
Purpose of Processing |
Categories of Data |
Legal Basis (EU – GDPR) |
Legal Basis (USA) |
|
Registration and Account Management |
Identification data, login data |
Art. 6(1)(b) GDPR |
Business purpose – providing services |
|
Provision of Services (storage, organization, and sharing of Content) |
Content data, location data |
Art. 6(1)(b) GDPR |
Business purpose – service provider |
|
Subscription and Payment Processing |
Subscription data, transaction identifiers |
Art. 6(1)(b) and (c) GDPR |
Business purpose – transactions |
|
App Security and Integrity (prevention of fraud, abuse, and cyberattacks) |
Technical data, logs, IP addresses |
Art. 6(1)(f) GDPR |
Business purpose – security and fraud prevention |
|
Handling of Complaints, Reports, and Moderation Procedures |
Communication data, content data |
Art. 6(1)(b) and (c) GDPR |
Business purpose – customer support |
|
Compliance with Legal Obligations (tax, accounting, DSA, DMCA) |
Identification data, transactional data |
Art. 6(1)(c) GDPR |
Legal compliance |
|
Statistical Analysis and Service Development |
Technical data, usage data |
Art. 6(1)(f) GDPR |
Business purpose – analytics |
|
Operator’s Own Marketing (newsletter, push notifications, promotions) |
Identification data, marketing data |
Art. 6(1)(a) GDPR |
Consent – opt-in marketing |
|
Personalization of App Settings |
Location data, user preferences |
Art. 6(1)(a) GDPR |
Consent |
|
Defense Against Claims and Legal Enforcement |
All categories of data, as necessary |
Art. 6(1)(f) GDPR |
Business purpose – legal defense |
5.1. Users’ personal data may be transferred outside the European Economic Area (“EEA”) solely to the extent necessary for the purposes specified in this Policy.
5.2. Such transfers may in particular involve: hosting and cloud service providers with data centers located outside the EEA (e.g., in the United States); providers of analytics and marketing services (e.g., Google, Firebase); App Stores (Apple, Google), which may process data within their global infrastructures; and public authorities or law enforcement agencies, where required by applicable law outside the EEA.
5.3. In the case of transfers to third countries, the Operator applies appropriate safeguards as required under the GDPR, including: adequacy decisions of the European Commission; Standard Contractual Clauses (SCCs) adopted by the European Commission; and additional technical and organizational measures such as encryption, pseudonymization, and access restrictions.
5.4. The Operator informs that its key service providers (Apple Inc. and Google LLC) hold certifications and have implemented compliance mechanisms (including SCCs) that ensure an adequate level of protection of personal data.
5.5. Detailed information regarding the safeguards applied in connection with data transfers outside the EEA is available to Users upon request.
5.6. Users in the United States acknowledge that the Operator, being established in Poland, is primarily subject to the GDPR and Polish law, and their data may be transferred to the EU in accordance with applicable U.S. federal and state privacy regulations.
6. DATA RETENTION
6.1. Users’ personal data are retained for the period necessary to fulfill the purposes for which they were collected and are then deleted or anonymized, unless the law requires further storage: User account data – for the duration of the Agreement and use of the Application; upon account deletion, the data are erased without undue delay, no later than within 30 days, except for data required by law; Subscription and payment data – for the period required under tax and accounting regulations (generally 5 years after the end of the tax year); User Content – until deleted by the User or until termination of the Services, unless longer retention is required by law; Technical data and system logs – generally for up to 12 months from the date of collection, unless needed for security or legal defense purposes; Communication data (complaints, reports, moderation) – for the period necessary to process the request and any proceedings, no longer than 3 years after the matter is closed; Marketing data and consents – until the User withdraws consent or objects to processing. Retention periods apply to the relevant categories of data indicated in §3 and are implemented in line with the principles of data minimization and storage limitation. Detailed mapping of categories to retention periods may be made available to the User upon request.
6.2. The Operator applies the principle of storage limitation, under which data are erased or anonymized once they are no longer needed for the purposes for which they were collected.
6.3. Where personal data are necessary for the establishment, exercise, or defense of legal claims, the Operator may retain them until the expiry of limitation periods under applicable law (in Poland generally 6 years, and in the case of claims for recurring benefits and claims related to business activities – 3 years).
6.4. After the expiry of the above periods, the data are irreversibly deleted or anonymized in a manner preventing identification of the User.
7.1. Rights of Users in the European Union (GDPR)
7.1.1.Right of access – The User has the right to obtain confirmation as to whether the Operator processes their personal data, and if so, the right to access those data and receive information about the processing rules.
7.1.2.Right to rectification – The User has the right to request without undue delay the correction of inaccurate data and the completion of incomplete data.
7.1.3.Right to erasure (“right to be forgotten”) – The User may request the erasure of their personal data if one of the conditions set out in Article 17 GDPR applies (e.g., the data are no longer needed for the purposes for which they were collected, or consent has been withdrawn).
7.1.4.Right to restriction of processing – The User has the right to request restriction of processing in the circumstances set out in Article 18 GDPR.
7.1.5.Right to data portability – The User has the right to receive their personal data in a structured, commonly used, machine-readable format and to transmit those data to another controller.
7.1.6.Right to object – The User has the right to object to processing based on the Operator’s legitimate interests, including profiling, as well as to processing for marketing purposes.
7.1.7.Right to withdraw consent – The User has the right to withdraw consent at any time, if consent was the legal basis for processing, without affecting the lawfulness of processing carried out prior to withdrawal.
7.1.8.Right to lodge a complaint – The User has the right to lodge a complaint with the President of the Polish Personal Data Protection Office (PUODO) or another competent supervisory authority in the EU.
7.2. Rights of Users in the United States (CCPA/CPRA, COPPA)
7.2.1.Right to know – A California User has the right to request information on the categories and sources of data collected, the purposes of processing, the categories of third parties with whom the data are shared, and their rights.
7.2.2.Right of access and right to a copy – The User has the right to obtain a copy of their personal data processed by the Operator.
7.2.3.Right to delete – The User may request the deletion of their personal data, subject to the exceptions set out in CCPA/CPRA (e.g., legal obligations).
7.2.4.Right to rectification – The User may request the correction of inaccurate data.
7.2.5.Right to data portability – The User has the right to receive their personal data in a machine-readable format and – where technically feasible – to transfer them to another service provider.
7.2.6.Right to opt-out – The User has the right to opt out of the sale or sharing of their personal data. The Operator does not sell personal data within the meaning of CCPA/CPRA.
7.2.7.Right to limit the use of sensitive personal information – The User may request that such data be used only to the extent necessary to provide the Services.
7.2.8.Right to non-discrimination – The User may not be treated less favorably for exercising their rights under CCPA/CPRA.
7.2.9.Sensitive personal information – With respect to data classified as “sensitive personal information” under CCPA/CPRA, the User may request to limit their use strictly to the purposes necessary for providing the Services or otherwise permitted by law.
7.2.10. COPPA – The Operator does not knowingly collect data from children under the age of 13 in the United States; if such data are disclosed, they will be deleted.
7.3. Procedure for exercising rights
7.3.1.To exercise their rights, the User may contact the Operator via the in-App form or the email address indicated in §13. Since the Operator provides Services exclusively online, these channels are sufficient and compliant with CCPA/CPRA requirements for submitting requests.
7.3.2.The Operator responds to requests without undue delay, no later than within 30 days. For complex requests, this period may be extended by an additional 60 days, with prior notification to the User. For California Users, the maximum response time is generally 45 days (extendable by an additional 45 days, with justification provided).
7.3.3.The Operator may require verification of the User’s identity to an appropriate and proportionate extent to ensure data security.
7.3.4.Requests will be verified in an adequate and proportionate manner (e.g., verifying the email address associated with the Account or confirming an in-App action).
7.3.5.A User may act through an authorized agent; in such a case, the Operator may require confirmation of the granted power of attorney and verification of the User’s identity.
7.3.6.Household requests are handled in accordance with CCPA/CPRA, and the Operator may require additional verification if unable to identify all household members.
8. DISCLOSURE AND SHARING OF PERSONAL DATA (DATA RECIPIENTS)
8.1. The Operator does not “sell” Users’ personal data nor “share” them for cross-context behavioral advertising within the meaning of the CCPA/CPRA. If in the future the scope of processing changes, the Operator will provide the required notices, opt-out mechanisms, and appropriate updates to this Policy.
8.2. Personal data may be disclosed only to the extent necessary to achieve the purposes set out in this Policy and in accordance with the principle of data minimization, to the following categories of recipients: Processors – providers of hosting and cloud services, IT infrastructure and security, analytics and diagnostic tools (including crash reporting), content moderation services (Moderation Entity), communication systems, and helpdesk services – acting under data processing agreements and solely in accordance with the Operator’s instructions; Professional advisors – entities providing the Operator with legal, tax, accounting, audit, or consulting services – to the extent necessary to provide such services and subject to confidentiality; Public authorities – where disclosure is required by mandatory legal provisions or valid orders/subpoenas from competent authorities (including under the DSA/DMCA), and also to protect vital interests of individuals (e.g., child safety reports); Legal successors – in connection with reorganization, merger, acquisition, or sale of the Operator’s business; in such a case, the legal successor becomes the data controller in place of the Operator, while preserving Users’ rights and legal obligations; Other Users – strictly in accordance with the choices and privacy settings of the User (e.g., sharing Content with other Users or groups).
8.3. The Operator enters into data processing agreements with Processors that meet GDPR requirements, ensuring, inter alia, confidentiality, security, support in the exercise of Users’ rights, and auditability.
8.4. The Operator does not disclose data for third-party direct marketing purposes. The Operator’s own marketing takes place exclusively on the basis of valid opt-in consent, which the User may withdraw at any time.
8.5. In cases of disclosure based on legal requirements, the Operator verifies the legal basis of the request, the scope of data requested, and – where permitted – informs the User of such a request.
8.6. The Operator implements contractual and technical measures to reduce the risk of further unauthorized use of data by recipients, in particular confidentiality obligations, purpose limitation, retention restrictions, and – where applicable – encryption and pseudonymization.
8.7. The sharing of data in anonymous or aggregated form (e.g., usage statistics of the Application) does not constitute disclosure of personal data; such information does not allow the identification of the User.
8.8. The Operator respects – to the extent required by law and technically feasible within the Application environment – system privacy settings and Global Privacy Control (GPC) signals as an opt-out request under the CCPA/CPRA.
8.9. The Operator does not create “recipient” categories for hidden profiling or cross-context tracking-based advertising and does not participate in data auctions (ad exchanges).
8.10. The Operator does not offer financial incentive programs, price differences, or variations in the quality of Services in exchange for personal data within the meaning of the CCPA/CPRA.
9.1. The Operator implements and maintains appropriate technical and organizational measures ensuring a level of security appropriate to the risk of violating the rights or freedoms of individuals, in accordance with Article 32 GDPR and applicable U.S. laws. These measures are adapted to the state of technical knowledge, implementation costs, the nature, scope, context, and purposes of processing, as well as identified risks.
9.2. The measures applied include, in particular, data transmission encryption (TLS), role-based access control, system monitoring, regular security testing, and incident response procedures.
9.3. In the event of a personal data breach, the Operator fulfills its notification and disclosure obligations under the GDPR and applicable U.S. state and federal regulations, including – where required – notifying Users and relevant authorities.
10. COOKIES AND SIMILAR TECHNOLOGIES
10.1. The Application may use cookies and similar technologies (e.g., SDKs, device identifiers, pixels) for purposes necessary to ensure the proper functioning of the Services, security, and analytics.
10.2. The use of cookies for marketing or personalization purposes takes place solely with the User’s consent, which may be withdrawn at any time in the device or Application settings. Lack of consent does not limit the use of the Application’s core functionalities.
10.3. Detailed information about the technologies used can be found in the Application’s privacy settings.
11. CHILDREN AND MINORS
11.1. The Application is not directed at children under the age of 16 in the EU or under the age of 13 in the U.S.
11.2. The Operator does not knowingly collect children’s data. If such data are identified, they will be promptly deleted.
11.3. Where local law requires a higher age for independent consent, that higher threshold applies.
12. CHANGES TO THE POLICY
12.1. The Operator may make changes to this Policy for important legal, technical, or organizational reasons.
12.2. Users will be informed in advance of any changes through the Application or via email (if provided). In the case of material changes (e.g., involving new processing purposes), the Operator may require renewed consent from the User before further use of the Application.
12.3. The most recent version of the Policy is always available in the Application and on the Operator’s website.
13. CONTACT
13.1. In matters relating to the processing of personal data, the User may contact the Operator:
13.1.1. by email: gdpr@pointaplace.com,
13.1.2. by regular mail: ul. Bronisława Malinowskiego 15, 30-699 Kraków, Poland,
13.1.3. through the contact form in the Application.
13.2. In case of questions or concerns regarding personal data protection, the User also has the right to contact the competent supervisory authority (PUODO in Poland or another EU authority, and in the U.S. – the relevant state or federal regulator). In the EU, the User may approach the supervisory authority competent for their place of residence or work, regardless of PUODO in Poland.