Privacy Policy

How we protect and process your personal data in the Wombato service.

Last updated on 30-08-2025

1. General provisions

This Privacy Policy (hereinafter: "Policy") specifies comprehensive rules for processing and proper protection of personal data of data subjects who are users of the Wombato website (hereinafter: "Service"). The provisions of this Policy remain in full compliance with applicable legal acts, in particular:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as "GDPR",
  • Act of 10 May 2018 on the protection of personal data,
  • Act of 16 July 2004 Telecommunications Law.

2. Personal data controller

In accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as "GDPR", the Personal Data Controller is: Wombato.com - operated by Kamil Grabowski, address: ul. Bydgoska 6, 30-056 Kraków, Poland, NIP: 6612220368, REGON: 260231175, Email: [email protected].

All inquiries and correspondence regarding personal data processing should be directed to the above email address.

3. Types of processed personal data

In the course of providing the Service, the Controller collects and processes the following categories of personal data:

  • 3.1. Personal data provided by the data subject

    Personal data is provided by the User during the Account registration process and voluntarily while using the Service.

    • Required data during Account registration:

      • Username
      • Email address
      • Password (stored in encrypted form)
    • Voluntarily provided data (optional):

      • First and last name
      • Phone number (publicly visible)
      • Date of birth
      • Profile picture
      • Language preferences (language selection)
      • User profile description
      • Opinions and reviews about camping places
      • Photographic materials (photos, videos)
      • Comments
      • Private messages (DM)
  • 3.2. Automatically collected personal data

    • Internet Protocol address (IP)
    • Type of web browser and operating system
    • Date and time of visit to the Service
    • Visited subpages within the Service
    • Time spent on individual pages
    • Traffic source (referrer)
    • Mobile device data
    • Geolocation data (GPS coordinates) - collected and stored only after prior explicit consent by the data subject.
    • Internet Protocol address (IP) and approximate geolocation data (based on IP address).
    • Device and browser information (e.g., browser type, operating system, screen resolution).
    • Data related to the use of reCAPTCHA v3 service (e.g., user interactions with the website, device technical data, software data).
    • Data related to the use of Mapbox service (e.g., map interactions, device location data, device technical data, software data).
    • Data related to the use of Sentry service (e.g., error information, application performance, device and browser data at the time of error occurrence).
  • 3.3. Personal data collected through cookies

    In accordance with the provisions of the separate Cookies Policy, the Controller processes data collected through cookies for the purpose of:

    • Maintaining user session
    • Remembering data subject preferences
    • Analyzing traffic in the Service
    • Content personalization
  • 3.4. Data collected through social media service providers

    In case of login or registration through external social media service providers (e.g., Google, Facebook), the Controller may collect the following categories of personal data:

    • User identifier at the social media service provider
    • First and last name
    • Email address
    • Profile picture (avatar)
    • Other data shared by the social media service provider in accordance with user privacy settings.

4. Purposes and legal bases for processing personal data

  • 4.1. Providing camping platform services

    • Data: First name, last name, email, phone number, location, photos, opinions, subscription and payment data.
    • Legal basis: Art. 6(1)(b) GDPR (execution of the contract)
    • Purpose: Enabling the User to use the platform's functionality, including account creation and management, publishing reviews and photographic materials, managing the Subscription Plan, and providing premium services.
  • 4.2. Communication with users

    • Data: First name, last name, email, phone number
    • Legal basis: Art. 6(1)(b) GDPR
    • Purpose: Providing answers to user inquiries, technical support, and notifying about important changes.
  • 4.3. Direct marketing and newsletter

    • Data: First name, last name, email
    • Legal basis: Art. 6(1)(a) GDPR (consent)
    • Purpose: Sending newsletters, information about new features, promotions, advice on outdoor activities, content generated by Users, and other important events related to the Service operation.
    • Newsletter subscription is also possible for non-active Users. Upon subscription, the User will receive an email confirmation.
    • Users have the right to withdraw consent for processing personal data for marketing purposes at any time, by selecting the appropriate option in the User's account panel or via a link included in each email message.
  • 4.4. Analysis and optimization of the Service

    • Data: IP address, browser data, usage statistics
    • Legal basis: Art. 6(1)(f) GDPR (legitimately justified interest)
    • Purpose: Analyzing network traffic, optimizing Service functionality, and continuous improvement of the quality of services provided.
  • 4.5. Fulfilling legal obligations

    • Data: All personal data
    • Legal basis: Art. 6(1)(c) GDPR (legal obligation)
    • Purpose: Fulfilling archiving and tax obligations arising from applicable legal provisions.
  • 4.6. Claims and defense of rights

    • Data: All personal data
    • Legal basis: Art. 6(1)(f) GDPR
    • Purpose: Pursuing potential claims and enforcing the provisions of the Service Regulations.
  • 4.7. Functions based on geolocation and location history

    • Data: Geolocation data (GPS coordinates)
    • Legal basis: Art. 6(1)(a) GDPR (consent)
    • Purpose: Enabling filtering and displaying locations near the User's location, personalizing search results, and creating and storing location history for improved filtering and recommendations.
    • Consent is obtained by requesting access to the device's location by the User's browser or operating system, prior to informing the User about the purpose of its use and the fact of storing location history.
    • Retention period: Geolocation data are stored until the User's account is deleted or until the consent to their processing is withdrawn. After the specified period or withdrawal of consent, these data are immediately deleted or anonymized.
  • 4.8. Geolocation based on IP address

    • Data: IP address and approximate geolocation data (based on IP address)
    • Legal basis: Art. 6(1)(f) GDPR (legitimately justified interest of the Controller)
    • Purpose: Suggesting to the User people to observe within the vicinity of the User's location, recommending places near the User, and personalizing the User's experience within the Service.
    • Legitimately justified interest: The Controller's interest lies in improving the User's experience by providing more accurate recommendations and increasing engagement in the Service community.
    • Source of geolocation data: To determine the approximate location based on the IP address, a locally stored database provided by MaxMind is used. The User's IP address is not transmitted to MaxMind.
    • Right to object: The User has the right to object to the processing of geolocation data based on the IP address at any time. Due to the key role of this function for the proper functioning of the Service, lodging an objection entails the need to delete the User's account.
    • Retention period: Data are stored until the objection is lodged or the account is deleted from the Service.
  • 4.9. Enabling login and registration via social media accounts

    • Data: User identifier at the social media service provider, first name, last name, email, profile picture, other data shared by the provider.
    • Legal basis: Art. 6(1)(a) GDPR (consent) or Art. 6(1)(b) GDPR (execution of the contract).
    • Purpose: Enabling quick and convenient registration and login to the Service via existing User accounts at external social media service providers (e.g., Google, Facebook).
    • Consent is obtained by the User's explicit action consisting of choosing the login/registration option via a given social media service provider.
    • Retention period: Data are stored for the duration of the User's active account or until the withdrawal of consent for processing data for this purpose.
  • 4.10. Protection against abuse and spam (reCAPTCHA v3)

    • Data: Data related to the use of reCAPTCHA v3 service (e.g., user interactions with the website, device technical data, software data).
    • Legal basis: Art. 6(1)(f) GDPR (legitimately justified interest of the Controller - protection against abuse of the Service).
    • Purpose: Verifying whether interactions in the Service (e.g., login, registration, password reset) are performed by humans, not by automated bots, in order to prevent spam and abuse.
    • Retention period: Data are processed by Google in accordance with their privacy policy.
  • 4.11. Displaying and interacting with maps (Mapbox)

    • Data: Data related to the use of Mapbox service (e.g., map interactions, device location data, device technical data, software data).
    • Legal basis: Art. 6(1)(b) GDPR (execution of the contract - map display service) or Art. 6(1)(a) GDPR (consent - for geolocation data).
    • Purpose: Enabling interactive map display, marking points, searching for locations, and providing geolocation-related functions in the Service.
    • Retention period: Data are processed by Mapbox in accordance with their privacy policy.
  • 4.12. Monitoring errors and application performance (Sentry)

    • Data: Data related to the use of Sentry service (e.g., error information, application performance, device and browser data at the time of error occurrence).
    • Legal basis: Art. 6(1)(f) GDPR (legitimately justified interest of the Controller - ensuring proper functioning and optimization of the Service).
    • Purpose: Monitoring and diagnosing errors in Service operation and optimizing its performance in order to ensure stable and efficient operation.
    • Retention period: Data are processed by Sentry in accordance with their privacy policy.
  • 4.13. Contact Form

    • Data: Full name, email address, subject, and message content.
    • Legal basis: Art. 6(1)(a) GDPR (consent expressed by ticking the checkbox in the form).
    • Purpose: To respond to the inquiry submitted via the contact form.

5. Data retention period

  • 5.1. User account data

    • Active account: for the entire period of the User's active account.
    • Deleted account: personal data enabling identification will be deleted or anonymized within 30 days from the date of account deletion. Content published by the User that does not contain personal data or has been successfully anonymized (e.g., camping place descriptions, reviews, comments, photos) may be kept in the Service as community knowledge base elements.
    • Inactive account: after 3 years from the last activity on the account.
  • 5.2. Marketing and newsletter data

    • Data are stored until the consent is withdrawn. After withdrawal of consent, these data will be deleted or anonymized within 30 days.
  • 5.3. Analytical data

    • Google Analytics: 26 months from the date of the last interaction.
    • Server logs: 12 months from the date of their generation.
  • 5.4. Legal data

    • Invoices and documents: for the period required by tax law (5 years).
    • Correspondence: for 3 years from the date of correspondence termination.

6. Transferring personal data

  • 6.1. Third countries

    Personal data may be transferred to countries outside the European Economic Area (EEA), in particular to Google LLC (USA) for the purpose of providing analytical services and protection against abuse (reCAPTCHA v3), to Mapbox Inc. (USA) for map services, and to Sentry (Functional Software, Inc.) with its seat in the USA for error monitoring and application performance.

    • Data transfer is based on a decision by the European Commission confirming an appropriate level of protection or standard contractual clauses approved by the European Commission.
    • Users have the right to withdraw consent for data transfer to third countries at any time (if technically possible).
  • 6.2. Third parties in Poland

    Personal data may be transferred to the following categories of third parties:

    • IT and hosting service providers
    • Payment service providers
    • Courier service providers
    • Public authorities and other entities entitled on the basis of applicable legal provisions.

7. User rights

  • Right of access (Art. 15 GDPR) - obtaining confirmation of whether personal data are being processed, and if so, obtaining access to such data and information regarding the purposes of processing, categories of processed data, data recipients, and planned retention period.
  • Right to rectification (Art. 16 GDPR) - requesting immediate rectification of incorrect personal data concerning the User.
  • Right to deletion (Art. 17 GDPR) - requesting immediate deletion of personal data (so-called "right to be forgotten"), in the event that the data are no longer necessary for the purposes for which they were collected, the consent was withdrawn, or the processing is unlawful.
  • Right to restriction of processing (Art. 18 GDPR) - requesting restriction of personal data processing, in situations provided for in Art. 18 GDPR.
  • Right to data portability (Art. 20 GDPR) - receiving personal data in a structured, commonly used, machine-readable format and the right to transmit these data to another controller.
  • Right to object (Art. 21 GDPR) - objecting to the processing of personal data for marketing purposes or on the basis of a legitimately justified interest of the Controller.
  • Right to withdraw consent - revocation of the consent granted for the processing of personal data at any time, without affecting the legality of the processing carried out on the basis of consent prior to its revocation.
  • Right to lodge a complaint - lodging a complaint with the supervisory authority, i.e., the President of the Personal Data Protection Office (PUODO).

8. Data security

  • 8.1. Technical measures

    • Encryption of communication (SSL/TLS) to ensure confidentiality and integrity of transmitted data.
    • Encryption of data at rest.
    • Regular creation of data backups.
    • Continuous monitoring of systems for security.
    • Strict access control to systems and data.
  • 8.2. Organizational measures

    • Regular training of employees in the field of personal data protection.
    • Implementation of internal security policies and procedures.
    • Development and implementation of incident response procedures for data security incidents.
    • Entering into confidentiality agreements with employees and subcontractors.

9. Automated decision-making

The Controller does not make decisions based solely on automated processing, including profiling, which would result in legal consequences for the User or would significantly affect him in a similar manner. Any profiling activities for marketing purposes require prior, explicit consent from the User.

10. Personal data of minors

Services provided within the Service are aimed at persons who have reached 16 years of age. The Controller does not knowingly collect personal data of persons who have not reached 16 years of age. In the event that it is found that a User account was created by a person who has not reached 16 years of age, such data will be immediately blocked and deleted.

11. Changes to the privacy policy

Any updates to this Policy will be communicated via:

  • Displaying a relevant informational banner in the Service.
  • Sending an email message to the email address provided in the User's account.

12. Contact

13. Final provisions

This Policy comes into force on 30-08-2025 and replaces all previous versions. In case of any discrepancies between the Polish version and translations into other languages, the binding version is the Polish version.