Information for persons purchasing a balloon flight via the bookaballoon.com platform.
The controller of personal data processed in connection with the use of the bookaballoon.com platform and the purchase/reservation of a balloon flight is Maciej Szymczuk conducting business under the name Book a Balloon, NIP 9661876768, REGON 387074085, ul. Horodniany 36, 16-001 Kleosin. Contact for data protection matters: office@bookaballoon.com, Book a Balloon, Horodniany 36, 16-001 Kleosin.
The seller or provider of the balloon flight service is the Operator indicated in the relevant offer or reservation. Book a Balloon operates the booking platform and acts as an intermediary in transmitting the data necessary to carry out the flight. After the data is transmitted to the Flight Operator, the Operator may process that data as a separate controller, in particular in relation to the organisation, safety, and execution of the flight, as well as the Operator's own legal obligations. If the purchaser provides data of other passengers, they should pass this information or a link to it to those passengers before submitting their data in the form.
In connection with the purchase or reservation of a flight, we may process in particular: the first and last name of the purchaser and passengers; e-mail address, telephone number, and contact details for booking communication; booking data: date, departure/flight location, number of passengers, booking code, booking and payment status; data required for the safe organisation of the flight, in particular the passenger's weight if required for the correct balancing of the balloon and preparation of the passenger manifest; payment and billing data, to the extent received from the payment operator, and invoice details where an invoice is issued; contents of correspondence, complaints, enquiries, and reports relating to the reservation; technical data related to the use of the platform, including IP address, cookie identifiers, session identifiers, and security logs.
We process personal data for the following purposes, on the following legal bases, and for the following retention periods:
| Purpose | Legal basis | Retention period |
|---|---|---|
| Handling the purchase, reservation, payment, transmitting data to the Operator, and communication regarding the flight | Art. 6(1)(b) GDPR — performance of a contract or pre-contractual steps | for the duration of reservation handling, then until expiry of the limitation period for pursuing or defending claims |
| Preparation of the passenger manifest and flight operational data, including passenger weight where required for flight safety | Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR — legitimate interest consisting in the safe organisation of the flight | for the period necessary to carry out and document the flight; longer only where the data is needed for a complaint, incident, or claim |
| Issuing and retaining accounting documents and tax settlements | Art. 6(1)(c) GDPR — legal obligation | for the period required by tax and accounting regulations, typically 5 years from the end of the tax year |
| Handling complaints, incidents, enquiries, and claims | Art. 6(1)(b), (c), or (f) GDPR — depending on the nature of the matter | until the matter is resolved, then until the expiry of the limitation period for claims |
| Ensuring platform security, preventing abuse, and maintaining technical logs | Art. 6(1)(f) GDPR — legitimate interest of the controller | for the period necessary to ensure security, detect abuse, and maintain accountability of actions in the system |
| Analytics, statistics, advertising, remarketing, referral attribution, and non-essential cookies | Art. 6(1)(a) GDPR — consent; in respect of terminal equipment also provisions of the Electronic Communications Law | until withdrawal of consent or expiry of the validity period of the given cookie / identifier |
| Direct marketing by e-mail, SMS, or telephone, where conducted | Art. 6(1)(a) GDPR — consent; additionally provisions of the Electronic Communications Law on marketing communications | until withdrawal of consent |
Providing the data marked as required in the form is voluntary but necessary for the conclusion and performance of the flight reservation contract. Failure to provide the data may prevent the acceptance of the reservation, communication regarding the flight, payment processing, or safe preparation of the flight.
Data may be transmitted to the following categories of recipients: the Flight Operator who provides the balloon flight service; payment operators, in particular Stripe, if the payment is processed by that provider; providers of hosting, IT infrastructure, e-mail, SMS, technical monitoring, and error tracking, including Supabase, Vercel, Twilio, Twilio SendGrid, Upstash, Sentry, Healthchecks.io — in accordance with the actual configuration of the platform; providers of analytical and advertising tools, in particular Google Analytics, Google Tag Manager, and Google Ads — solely to the extent resulting from the consent granted for cookies/analytics/marketing; entities handling accounting, legal claims management, auditing, or security; public authorities, if the obligation to transfer data arises from statutory provisions.
Some providers of IT, payment, analytical, or communication services may be established or have infrastructure outside the European Economic Area. In such cases, data is transferred solely with the application of appropriate safeguards required by the GDPR, in particular standard contractual clauses or mechanisms recognised by the European Commission, where applicable.
You have the right to access your data, receive a copy of your data, rectify your data, erase your data, restrict processing, data portability, object to processing based on legitimate interests, and the right to withdraw consent at any time where processing is based on consent. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. You also have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO).
Your data will not be used to make decisions based solely on automated processing that would produce legal effects or similarly significantly affect you. If a user consents to marketing cookies, data on platform activity may be used for marketing profiling and measuring the effectiveness of advertisements, in accordance with consent settings.
If the purchaser provides data of other passengers, they should ensure that the data is accurate, up to date, and provided only to the extent necessary for the organisation of the flight. The purchaser should also share a link to this information with the other passengers so that they may familiarise themselves with the principles of processing of their data.