Privacy Policy

Effective from: April 2026 · Last updated: April 2026

1. What data we collect

We collect personal data only when you actively provide it to us, specifically:

• Contact form: name, email address, phone number, preferred date, number of guests, and any message you write
• WhatsApp / phone bookings: name, phone number, and booking details you share during the conversation
• Cookies: technical cookies required for the website to function, and analytics cookies (if you consent)

We do not collect payment data - all payments are made in person on the day of the tour.

2. How we use your data

Your data is used solely for the following purposes:

• Processing and confirming your tour or transfer booking
• Communicating with you before, during, and after your booking
• Answering enquiries submitted via the contact form
• Improving our website (aggregated, anonymised analytics only)

We do not use your data for marketing purposes without your explicit consent, and we do not sell or share your data with third parties for commercial purposes.

3. Legal basis for processing (GDPR)

• Contract performance (Art. 6(1)(b) GDPR): processing your booking and delivering the service
• Legitimate interests (Art. 6(1)(f) GDPR): responding to enquiries and improving our service
• Consent (Art. 6(1)(a) GDPR): analytics cookies - you can withdraw consent at any time via cookie settings

4. Cookies and consent

Our website uses two categories of cookies:

• Essential cookies - remember your language preference and your cookie consent choice. These are strictly necessary and cannot be disabled.
• Analytics cookies (Google Analytics 4) - used to understand how visitors use our website in aggregate. These are only loaded if you click "Accept all" in the cookie banner. If you click "Essential only" or have not yet made a choice, no analytics cookies are set and the Google Analytics script is not loaded at all.

Withdrawing consent: you can change your cookie choice at any time by clicking Cookie settings. You may also clear cookies via your browser settings, which will cause the consent banner to reappear on your next visit.

5. Data retention

We retain your personal data for as long as necessary to fulfil the purpose for which it was collected:

• Booking information: up to 3 years (for tax and accounting purposes under Polish law)
• Enquiry data (no booking made): up to 12 months
• Cookie data: as defined by each cookie's expiry (typically 1-2 years)

6. Your rights under GDPR

As a data subject, you have the following rights:

• Right of access: request a copy of the data we hold about you
• Right to rectification: request correction of inaccurate data
• Right to erasure: request deletion of your data ("right to be forgotten")
• Right to restriction: request that we limit how we use your data
• Right to data portability: receive your data in a structured, machine-readable format
• Right to object: object to processing based on legitimate interests
• Right to withdraw consent: withdraw cookie consent at any time without affecting prior processing

To exercise any of these rights, contact us at hello@yourkrakow.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Polish supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.

7. Data security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. Our website uses HTTPS encryption for all data transmitted between your browser and our servers.

8. Third-party services

We use the following third-party services that may process your data:

• WhatsApp (Meta Platforms Ireland Ltd.) - used for booking communications and customer support. Subject to Meta's Privacy Policy.
• Google Fonts (Google LLC) - typography is loaded from Google's CDN. Subject to Google's Privacy Policy.
• Google Analytics 4 (Google Ireland Ltd. / Google LLC) - anonymised website analytics. Only loaded after you consent via the cookie banner. IP anonymisation is enabled by default. Subject to Google's Privacy Policy.

9. International data transfers (outside the EEA)

Some of the third-party services listed above are operated by companies headquartered in the United States. When you interact with those services, your data may be transferred outside the European Economic Area, including to the United States.

• Google LLC (Analytics, Fonts): certified under the EU-U.S. Data Privacy Framework. Transfers are also covered by the European Commission's Standard Contractual Clauses (SCCs).
• Meta Platforms (WhatsApp): covered by the EU-U.S. Data Privacy Framework and Standard Contractual Clauses.

You have the right to obtain a copy of the safeguards that apply to these transfers - please contact us by email and we will provide them.

10. Changes to this policy

We may update this Privacy Policy from time to time. The latest version will always be available at yourkrakow.com/privacy-policy. Significant changes will be communicated on the website.

11. Contact

For any questions about this Privacy Policy or how we handle your data, please contact: