Back to homepage

CosyCamp

Privacy Policy

Version:
0.1 (draft)
Last updated:
2026-04-28

This Privacy Policy explains what personal data we collect in the CosyCamp app, for what purpose, on what legal basis, and to whom we entrust it. The document is prepared in accordance with Regulation (EU) 2016/679 (GDPR).

1. Data controller

The data controller is the entity operating the Service (the “Controller”). Full registration details are listed on the main page and in the footer of documents issued by the Payment Operator. The Controller can be contacted at [email protected].

2. What data we process

Category Examples Purpose
Parent / Guardian data first/last name, email, phone, authentication provider ID (Clerk) account creation, contact, contract performance
Child (Participant) data first/last name, date of birth, medical and dietary information — only data voluntarily provided by the Parent / Guardian to ensure a safe stay enrolment and child safety during the camp
Reservation data camp offer, dates, location, agreed terms (Agreement Card) performance of the service contract
Payment data Stripe customer/transaction IDs, last 4 digits of the card, payment status (full card numbers and CVC never reach us) processing payments, settlements, tax/accounting obligations
Communication chat message content (Parent–Operator-camp) communication in organisational matters
Technical data IP address, device/OS type, app install ID, error logs security, diagnostics, quality improvements

3. Special category data (children's health)

Some data provided during enrolment (e.g. allergies, chronic conditions, medication, diets) may constitute special category data within the meaning of Art. 9 GDPR. Such data is processed only:

  • based on the explicit consent of the Parent / Guardian (Art. 9(2)(a) GDPR),
  • to ensure the child's safety during the camp and to share necessary information with the Operator-camp,
  • to the minimum extent necessary and only for the duration of the camp session.

After the session ends, medical data is deleted or anonymized unless retention is required by law.

4. Purposes and legal bases

  • performance of a contract (Art. 6(1)(b) GDPR) — account creation, reservations, support;
  • legal obligations (Art. 6(1)(c) GDPR) — accounting documents;
  • legitimate interests (Art. 6(1)(f) GDPR) — Service security, defending claims, app analytics;
  • consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR) — processing of children's medical data, optional marketing notifications.

5. Recipients (processors)

  • Clerk Inc. — authentication and account management,
  • Stripe Payments Europe, Ltd. — payment processing and Customer Portal,
  • Sentry — application error monitoring,
  • cloud hosting and infrastructure providers (EU/EEA),
  • email and push notification providers,
  • Operators-camp — to the extent necessary to deliver the reservation (they act as independent controllers of the child's data once enrolment is completed).

6. Retention

  • Account and reservation data — for as long as the Service is used and until a deletion request is submitted.
  • Children's medical data — until the end of the camp session, after which it is deleted or anonymized.
  • Financial data — for the period required by tax law (typically 5 years).
  • System logs — generally up to 30 days.
  • Chat messages — until account deletion or expiry of limitation periods.

7. Your rights

Each data subject (Parent / Guardian and — on their behalf — the child) has the right to:

  • access the data and obtain a copy thereof,
  • rectify inaccurate or incomplete data,
  • erase data (“right to be forgotten”),
  • restrict processing,
  • data portability,
  • object to processing based on legitimate interest,
  • withdraw consent at any time (without affecting prior processing),
  • file a complaint with the supervisory authority — in Poland: the President of the Office for Personal Data Protection (uodo.gov.pl).

To exercise your rights, please contact us at [email protected].

8. Data security

  • all communication uses TLS encryption,
  • sensitive data (card data, passwords) is not processed on our infrastructure — Stripe and Clerk are responsible for it,
  • the database is access-controlled and backed up regularly,
  • logs are automatically sanitized of personally identifying data,
  • only authorized administrators can access production data.

9. Cookies and analytics

The CosyCamp website uses only cookies strictly necessary for the operation of the Service (session cookies). Any analytics or marketing cookies introduced in the future will require prior consent via a cookie banner.

10. Children

The CosyCamp app is intended for adults (Parents and Guardians). Accounts for children are not created, and children do not use the App on their own. Data about children is provided exclusively by the Parent / Guardian, on their consent and only to the extent necessary for the child's safe participation in the camp.

11. Changes

Material changes will be communicated at least 14 days in advance via the App or by email. The current version is always available at this URL.