1. Data Controller
1.1. The data controller is C0D3 sp. z o.o., with registered office at ul. Karmelicka 27/301, 31-131 Krakow, Poland, entered into the National Court Register under KRS 0001194905, Tax ID (NIP) 6762702494 (hereinafter: the "Controller").
1.2. Contact the Controller regarding personal data matters: [email protected].
2. What Data We Collect
2.1. Data provided during registration: first name, last name, email address, password (stored in encrypted form).
2.2. Data provided during booking: contact details, booking information (date, hours, room), payment data (processed by Stripe).
2.3. Automatically collected data: IP address, browser type, operating system, date and time of visit, pages viewed.
2.4. Review data: review content, ratings, publication date.
2.5. Correspondence data: messages sent through the Platform's messaging system.
3. Purposes and Legal Bases of Processing
3.1. We process personal data for the following purposes and on the following legal bases (in accordance with Article 6(1) of GDPR):
| Purpose | Legal Basis |
|---|---|
| Contract performance (booking, account) | Art. 6(1)(b) - contract performance |
| Payment processing | Art. 6(1)(b) - contract performance |
| Issuing invoices and accounting documents | Art. 6(1)(c) - legal obligation |
| Complaint handling | Art. 6(1)(b) - contract performance |
| Operating the review system | Art. 6(1)(f) - legitimate interest |
| Ensuring Platform security | Art. 6(1)(f) - legitimate interest |
| Analytics and service improvement | Art. 6(1)(f) - legitimate interest |
4. Data Recipients
4.1. Personal data may be shared with the following categories of recipients:
- Stripe, Inc. - payment processing (PCI DSS Level 1 certified)
- Studio Owners - to the extent necessary for booking fulfillment (name, contact details)
- Hosting provider - data storage on servers in Poland/EU
- Public authorities - in cases provided by law
4.2. We do not sell personal data to third parties.
4.3. We do not transfer data outside the European Economic Area (EEA), except for transfers to Stripe, Inc. (USA) based on Standard Contractual Clauses (SCC).
5. Data Retention Period
5.1. User account data - for the duration of account ownership and 30 days after deletion.
5.2. Booking data - for 5 years from the booking date (tax and accounting obligations).
5.3. Payment data - in accordance with Stripe's retention policy (card data is not stored on our servers).
5.4. System logs - for 12 months.
5.5. Review data - for the duration of review publication on the Platform.
6. Cookies and Tracking Technologies
6.1. The Platform uses cookies for the following purposes:
- Essential - user session management, language preferences, security tokens (CSRF)
- Functional - remembering user preferences
6.2. The Platform does not use advertising cookies or third-party tracking cookies.
6.3. Users can manage cookie settings in their browser. Disabling essential cookies may prevent Platform use.
7. User Rights
7.1. Under the GDPR, you have the following rights:
- Right of access (Art. 15) - obtaining information about processed data
- Right to rectification (Art. 16) - correcting inaccurate data
- Right to erasure (Art. 17) - data deletion ("right to be forgotten")
- Right to restriction of processing (Art. 18) - limiting the scope of processing
- Right to data portability (Art. 20) - receiving data in a machine-readable format
- Right to object (Art. 21) - objecting to processing based on legitimate interest
7.2. To exercise your rights, contact us at: [email protected].
7.3. You have the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland.
8. Contact the Controller
8.1. For all matters related to personal data protection, please contact:
- Email: [email protected]
- Mailing address: C0D3 sp. z o.o., ul. Karmelicka 27/301, 31-131 Krakow, Poland
8.2. We respond to personal data inquiries without undue delay, no later than within 30 days.
9. Changes to the Privacy Policy
9.1. The Controller reserves the right to update this Privacy Policy.
9.2. Users will be informed of significant changes via the Platform or by email.
9.3. The current version of the Privacy Policy is always available on the Platform.