Book Now
LEGAL

Privacy Policy

Effective date: 26 May 2026 · Last updated: 26 May 2026 · Governing law: Republic of Poland / GDPR

Last updated 26 May 2026 — Version 1.0
Plain-language summary (not a substitute for the full text below) We are PBC Yacht Charter, a Polish company. We collect only the personal data necessary to answer your charter enquiries, process bookings and send you newsletters you asked for. We do not sell your data to anyone. You can ask us to delete your data at any time. The binding legal text is everything that follows.

1Identity of the Data Controller

The data controller responsible for processing your personal data is:

  • Legal name: AS Dziadek sp. z o.o.
  • Trading name: PBC Yacht Charter
  • Registered address: Jasienica 30, 68-343 Brody, Poland
  • Court of registration: District Court in Zielona Góra, 8th Commercial Division of the National Court Register
  • KRS No.: 0001204166
  • NIP (VAT ID): 9282118130
  • REGON: 543189066
  • Share capital: PLN 20,000 — fully paid up
  • Website: https://pbcyachtcharter.com
  • E-mail: info@pbcyachtcharter.com
  • Phone / WhatsApp: +48 733 114 619

Where this Policy refers to "we", "us" or "our", it means PBC Yacht Charter. Where it refers to "you" or "your", it means any natural person whose personal data we process, including website visitors, enquirers, newsletter subscribers and clients.

No Data Protection Officer (DPO) required Under Article 37 GDPR, we are not obligated to appoint a DPO. All data-protection queries should be directed to the contact details above and will be handled by our designated privacy lead within the response times stated in Section 17.

2Scope & Definitions

Scope

This Privacy Policy applies to all personal data processing activities carried out by PBC Yacht Charter in connection with:

  • the website at pbcyachtcharter.com and any subdomains;
  • electronic communications (e-mail, WhatsApp, SMS, telephone);
  • newsletter subscriptions and marketing communications;
  • charter enquiries, quotations and booking agreements;
  • any other services we provide directly to clients.

This Policy does not apply to the personal data practices of our charter partners, yacht owners, marina operators or any other third parties whose privacy policies govern their own services.

Key Definitions (Art. 4 GDPR)

  • Personal data — any information relating to an identified or identifiable natural person.
  • Processing — any operation performed on personal data (collection, storage, use, disclosure, erasure, etc.).
  • Controller — the entity that determines the purposes and means of processing (i.e. us).
  • Processor — a party that processes data on behalf of the controller (e.g. our e-mail service provider).
  • Data subject — the identified or identifiable natural person whose data is processed (i.e. you).
  • Consent — freely given, specific, informed and unambiguous indication of the data subject's wishes.

3What Personal Data We Collect

We collect personal data only to the minimum extent necessary for the specific purpose ("data minimisation" principle, Art. 5(1)(c) GDPR). The categories of data we process are:

3.1 Data You Provide Directly

  • Contact form & enquiries: full name, e-mail address, phone number, preferred charter dates, destination preferences, group size, sailing licence information, and any additional details you voluntarily include in your message.
  • Newsletter subscription: first name and e-mail address.
  • Booking & contract: full legal name, date of birth (where required by the charter company), passport/ID details (forwarded to the bareboat operator as required by law), postal address, emergency contact information.
  • Communications: content of e-mails, WhatsApp messages or any other direct messages you send us.

3.2 Data Collected Automatically

  • Log data: IP address, browser type and version, operating system, referring URL, pages visited, time and date of visit, time spent on pages. This data is collected by our hosting provider (Netlify) and may be retained in server logs.
  • Functional browser storage: your cookie-banner choice (pbc_cookie) and a flag that stops the newsletter pop-up from reappearing during a visit (pbc_nl_shown), stored in your browser's local/session storage. See Section 6.
  • Technical data: device type, screen resolution, connection type. Used only in aggregate, anonymised form.

3.3 Data We Do NOT Collect

We do not collect payment card numbers or bank account details directly — payments, where applicable, are processed exclusively by the relevant charter company or third-party payment processors under their own privacy frameworks. We do not collect biometric data, health data, or any other special categories of personal data (Art. 9 GDPR) unless you voluntarily disclose them in a written communication, in which case you are providing explicit consent to their processing for the sole purpose of serving your enquiry.

4Legal Bases for Processing

We process your personal data only where we have a valid legal basis under Article 6 GDPR. The applicable bases are:

  • Art. 6(1)(a) — Consent: newsletter subscriptions. You can withdraw consent at any time (see Section 11). Withdrawal does not affect the lawfulness of processing prior to withdrawal.
  • Art. 6(1)(b) — Performance of a contract: processing necessary to handle a booking enquiry, provide a quotation, enter into a charter agreement, or fulfil pre-contractual steps at your request.
  • Art. 6(1)(c) — Legal obligation: where we are required to retain records (e.g. accounting, tax obligations under Polish law — ustawa o rachunkowości), respond to lawful requests from public authorities, or comply with anti-money-laundering regulations.
  • Art. 6(1)(f) — Legitimate interests: improving our website and services, fraud prevention, ensuring network and information security, maintaining client relationship records after a booking (up to the retention limits in Section 10). We have assessed that these legitimate interests are not overridden by your fundamental rights and freedoms.
Legitimate interests Where we rely on legitimate interests, we weigh those interests against your rights and freedoms before relying on this basis. If you would like more detail about this assessment for a specific activity, contact us at info@pbcyachtcharter.com.

5How We Use Your Personal Data

The table below maps each processing activity to its purpose and legal basis:

Activity Purpose Legal Basis
Responding to enquiries Provide charter advice, quotations, and pre-sales support Art. 6(1)(b) — contract / pre-contractual
Processing bookings Arrange and manage your charter, liaise with operators Art. 6(1)(b) — contract performance
Newsletter Send sailing tips, promotions, destination guides Art. 6(1)(a) — consent
Legal & accounting records Comply with Polish tax and accounting law Art. 6(1)(c) — legal obligation
Website operation Display pages, remember language preference, basic functionality Art. 6(1)(f) — legitimate interests
Security & fraud prevention Detect and prevent malicious activity, protect systems Art. 6(1)(f) — legitimate interests
Legal claims Establish, exercise or defend legal claims Art. 6(1)(f) — legitimate interests / Art. 9(2)(f)

We will never use your personal data for automated decision-making or profiling that produces legal or similarly significant effects (Art. 22 GDPR) without your explicit consent and without providing appropriate safeguards.

6Cookies & Tracking Technologies

We keep data collection to a minimum. Our website does not use advertising, marketing or third-party analytics cookies, and we do not track your behaviour across other websites. We only use a small amount of functional browser storage needed to make the site work and to remember your choices, as listed below.

6.1 Cookies We Use

6.2 Third-Party Content

We host our fonts locally, so loading our pages does not send any data to Google Fonts. Some pages still load content from the third parties below, which may receive your IP address and set their own cookies when that content loads:

  • Unsplash (images.unsplash.com) — some photographs are served from Unsplash; Unsplash may log request data per their Privacy Policy.
  • Instagram / Meta (instagram.com) — our home and gallery pages embed Instagram posts; when these load, Meta Platforms Ireland Ltd. may receive your IP address and set cookies per their Privacy Policy.

6.3 Managing Cookies

You can clear the functional storage we use at any time via your browser settings (clear site data / local storage); this will also make the cookie banner appear again. You may also block or delete cookies set by the third-party content listed above — note that blocking some storage may affect how parts of the site work. For general guidance, visit aboutcookies.org.

7Newsletter & Marketing Communications

We operate a free sailing newsletter ("The PBC Insider"). Subscribing is entirely voluntary and constitutes freely given, specific and informed consent under Art. 6(1)(a) GDPR and Art. 10 of the Polish Act on Providing Electronic Services (ustawa o świadczeniu usług drogą elektroniczną).

7.1 What We Send

Newsletter content may include: seasonal sailing guides, destination highlights, fleet updates, exclusive promotional offers, regulatory updates relevant to sailors (e.g. licensing changes), and charter availability notifications. We do not sell advertising space in our newsletter to third parties.

7.2 Your Right to Unsubscribe

Every marketing e-mail we send contains a prominent, one-click unsubscribe link. You can also unsubscribe at any time by e-mailing info@pbcyachtcharter.com with the subject line "Unsubscribe." We will process your unsubscribe request within 5 business days. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.

7.3 Retention After Unsubscribe

Following unsubscription, we retain a minimal suppression record (e-mail address only, flagged as unsubscribed) for up to 3 years. This is a legitimate interest measure to ensure we do not accidentally re-add you to our list through a future interaction.

8Sharing & Disclosure of Personal Data

We do not sell, rent or trade your personal data. We share your data only where strictly necessary to deliver services you requested, to comply with legal obligations, or to protect our legitimate interests.

8.1 Charter Partners & Operators

When you proceed to a booking, we share only the personal data required by the charter company (typically: full name, passport/ID scan, sailing licence details, emergency contact). This sharing is necessary for the performance of the contract you enter into. Charter companies in our network are independently responsible data controllers for their own processing activities. We recommend reviewing their privacy policies before confirming a booking.

8.2 Service Providers (Processors)

We engage third-party service providers acting as data processors on our behalf. Each processor is bound by a written Data Processing Agreement (DPA) ensuring GDPR-compliant handling. Processor categories include:

  • E-mail service providers (for contact form responses and newsletters);
  • Web hosting provider (Netlify, Inc. — see Section 9 on international transfers);
  • Cloud document storage (for booking files);
  • Accounting software (for invoicing and legal compliance).

We do not disclose the identities of specific sub-processors in this public document, but a list is available on written request.

8.3 Legal & Regulatory Disclosure

We may disclose personal data to public authorities, courts, or law enforcement agencies where required by applicable law, a binding court order, or to protect the vital interests of you or another person. Where permitted by law, we will notify you before any such disclosure.

8.4 Business Transfers

In the event of a merger, acquisition, asset sale, or restructuring of PBC Yacht Charter, personal data held by us may form part of the transferred assets. In such an event, the acquiring entity will be bound by obligations no less protective than those in this Policy, and we will notify affected data subjects at the earliest practicable opportunity, as required by GDPR.

9International Data Transfers

Our primary operations are based in Poland (European Economic Area). Some of our service providers are established outside the EEA, most notably:

  • Netlify, Inc. (United States) — web hosting and deployment. Netlify participates in the EU–U.S. Data Privacy Framework (DPF), an adequacy mechanism approved by the European Commission pursuant to Art. 45 GDPR. Data transfers to Netlify are therefore lawful without additional safeguards.
  • Unsplash (United States) and Meta Platforms / Instagram — where our pages load Unsplash images or embedded Instagram posts, your IP address may be transferred outside the EEA under the relevant provider's safeguards (e.g. the EU–U.S. Data Privacy Framework or Standard Contractual Clauses).

For any other international transfers, we apply one or more of the following safeguards:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission (2021/914/EU);
  • An adequacy decision by the European Commission (Art. 45 GDPR);
  • Binding Corporate Rules (Art. 47 GDPR), where applicable.

You may request copies of the relevant transfer safeguards by contacting us at info@pbcyachtcharter.com.

10Data Retention

We retain personal data for no longer than is necessary for the purpose for which it was collected, in accordance with Art. 5(1)(e) GDPR ("storage limitation"). The specific retention periods are:

Data Category Retention Period Reason
Enquiry / contact form data (no booking concluded) 24 months from last contact Legitimate interest: follow-up service, potential conversion
Booking & contract data 5 years after trip completion Legal obligation: Polish accounting law (5-year minimum); statute of limitations for civil claims (3–6 years)
Invoices & financial records 5 years (Art. 74 of the Polish Accounting Act) Legal obligation
Newsletter subscriber data (active) Until unsubscription + 30 days to process removal Consent-based; withdrawn on unsubscribe
Suppression list (unsubscribed) 3 years from unsubscription Legitimate interest: prevent accidental re-subscription
Server / access logs 90 days Security, fraud prevention, hosting-provider SLA
Cookie-banner choice Until cleared in your browser Remembering your choice (Prawo komunikacji elektronicznej / ePrivacy)
Legal claim-related data Duration of proceedings + 1 year Legitimate interest / legal obligation to preserve evidence

Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised. Where deletion is not technically possible (e.g. backup media), data is placed in restricted access until deletion at the next backup rotation cycle.

11Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights. You may exercise any of these rights free of charge by contacting us at info@pbcyachtcharter.com. We will respond within one calendar month (Art. 12 GDPR). In complex cases we may extend this by a further two months, notifying you of the extension within the first month.

🔍

Right of Access (Art. 15)

Obtain confirmation of whether we process your data and receive a copy of it.

✏️

Right to Rectification (Art. 16)

Have inaccurate or incomplete personal data corrected without undue delay.

🗑️

Right to Erasure (Art. 17)

"Right to be forgotten." Request deletion where no overriding legitimate basis exists for continued processing.

⏸️

Right to Restriction (Art. 18)

Restrict processing (e.g. while accuracy is contested or an objection is being assessed).

📦

Right to Portability (Art. 20)

Receive your data in a structured, machine-readable format (applies to consent- or contract-based processing).

🚫

Right to Object (Art. 21)

Object at any time to processing based on legitimate interests or for direct marketing purposes. Marketing objections are absolute; all others are subject to a balancing assessment.

🤖

Right re: Automated Decisions (Art. 22)

Not to be subject to solely automated decisions (including profiling) producing significant effects, without human review.

↩️

Right to Withdraw Consent (Art. 7(3))

Withdraw consent at any time for consent-based processing (e.g. newsletter). Withdrawal does not affect past lawful processing.

Identification Requirements

To protect your data from unauthorised access, we may ask you to provide reasonable proof of identity before processing your request. We will not use identity verification as a mechanism to discourage requests.

Limitations

The right to erasure and the right to object may be limited where processing is necessary for compliance with a legal obligation (Art. 6(1)(c)), for the performance of a task carried out in the public interest, or for the establishment, exercise or defence of legal claims (Art. 17(3) GDPR).

12Data Security

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access — consistent with Art. 25 GDPR ("data protection by design and by default") and Art. 32 GDPR. Our current measures include, but are not limited to:

  • Encryption in transit: all data transmitted between your browser and our website is encrypted using HTTPS (TLS).
  • Access controls: access to personal data is limited to the people who operate PBC Yacht Charter, on a strict need-to-know basis.
  • Secure hosting: our website is hosted on Netlify's infrastructure, which provides industry-standard security controls, DDoS protection and HTTPS by default.
  • Data minimisation: we collect only the data we need, which limits the impact of any potential incident.
  • Regular review: we review our security measures regularly and whenever our processing activities change significantly.
Security disclaimer No method of transmission over the internet, or method of electronic storage, is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. In the event of a personal data breach affecting your rights and freedoms, we will notify the President of the Polish Personal Data Protection Office (UODO) within 72 hours (Art. 33 GDPR), and where required, notify you directly without undue delay (Art. 34 GDPR).

13Children's Privacy

Our website and services are not directed at children under the age of 16 years. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately at info@pbcyachtcharter.com and we will take steps to delete such data promptly.

Where minors are included as guests on a charter booking, their personal data (where required by the charter operator, e.g. for documentation) is provided by and processed under the responsibility of the adult party who makes the booking, who warrants that they have the legal authority to provide that data.

14Third-Party Links & Services

Our website may contain links to third-party websites, services, or embedded content (including, but not limited to, Google Maps, Google Reviews, social media platforms, and charter operator websites). This Privacy Policy applies solely to our website and services. We have no control over and assume no responsibility for the content, privacy policies, or data practices of any third-party site.

We strongly encourage you to review the privacy policy of every third-party site you visit. The presence of a link or embedded content on our website does not constitute our endorsement or warranty of that site's privacy practices.

In particular, if you follow a link to submit a review on Google or click a WhatsApp button, you are subject to Google LLC's and Meta Platforms Ireland Ltd.'s respective privacy policies from the moment you access their services.

15Limitation of Liability

To the fullest extent permitted by applicable law:

  • We are not liable for any loss or damage arising from your use of, or inability to use, our website, including data loss caused by events outside our reasonable control (force majeure), including but not limited to cyber-attacks, telecommunications failures, acts of God, war, or government action.
  • We are not liable for the data practices of charter operators, third-party websites, or other controllers to whom data may be transferred in accordance with this Policy.
  • We are not liable for any failure by you to keep your login credentials (if applicable) confidential or to notify us promptly of any unauthorised use.
  • Our aggregate liability to you in connection with the processing of your personal data shall not exceed the amount actually paid by you to us in the twelve (12) months preceding the event giving rise to the claim, or €500 (whichever is greater), except where such limitation is prohibited by applicable law (e.g. in cases of wilful misconduct or gross negligence).

Nothing in this section limits rights you have under mandatory consumer protection law or under GDPR that cannot be contractually excluded.

16Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or operational requirements. When we do so, we will:

  • Update the "Last updated" date at the top of this page;
  • Post a notice on our homepage for at least 30 days where changes are material;
  • Where required by GDPR (e.g. where processing purpose changes), seek fresh consent or provide direct notification by e-mail to affected data subjects.

We recommend that you review this Policy periodically. Your continued use of our website and services after any changes constitutes acknowledgment of the revised Policy, to the extent permitted by law.

Prior versions of this Policy are archived and available on written request.

17Contact & Complaints

How to Exercise Your Rights or Ask Questions

For any privacy-related enquiries, rights requests or complaints, please contact our privacy lead:

We aim to respond to all privacy requests within 30 calendar days of receipt. For complex requests, we may extend this period by a further 60 days, notifying you of the extension within the initial 30-day period and explaining the reasons for the delay.

Right to Lodge a Complaint with the Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the competent data protection supervisory authority in your EEA member state of habitual residence, place of work or place of the alleged infringement.

As a Polish company, our lead supervisory authority is:

Urząd Ochrony Danych Osobowych (UODO)
Prezes Urzędu Ochrony Danych Osobowych
ul. Stawki 2, 00-193 Warszawa, Polska
Phone: +48 22 531 03 00 | Website: uodo.gov.pl | E-mail: kancelaria@uodo.gov.pl

We respectfully request that you contact us first before lodging a complaint with UODO, as many issues can be resolved swiftly and informally at the controller level.