1Identity of the Data Controller
The data controller responsible for processing your personal data is:
- Legal name: AS Dziadek sp. z o.o.
- Trading name: PBC Yacht Charter
- Registered address: Jasienica 30, 68-343 Brody, Poland
- Court of registration: District Court in Zielona Góra, 8th Commercial Division of the National Court Register
- KRS No.: 0001204166
- NIP (VAT ID): 9282118130
- REGON: 543189066
- Share capital: PLN 20,000 — fully paid up
- Website: https://pbcyachtcharter.com
- E-mail: info@pbcyachtcharter.com
- Phone / WhatsApp: +48 733 114 619
Where this Policy refers to "we", "us" or "our", it means PBC Yacht Charter. Where it refers to "you" or "your", it means any natural person whose personal data we process, including website visitors, enquirers, newsletter subscribers and clients.
2Scope & Definitions
Scope
This Privacy Policy applies to all personal data processing activities carried out by PBC Yacht Charter in connection with:
- the website at pbcyachtcharter.com and any subdomains;
- electronic communications (e-mail, WhatsApp, SMS, telephone);
- newsletter subscriptions and marketing communications;
- charter enquiries, quotations and booking agreements;
- any other services we provide directly to clients.
This Policy does not apply to the personal data practices of our charter partners, yacht owners, marina operators or any other third parties whose privacy policies govern their own services.
Key Definitions (Art. 4 GDPR)
- Personal data — any information relating to an identified or identifiable natural person.
- Processing — any operation performed on personal data (collection, storage, use, disclosure, erasure, etc.).
- Controller — the entity that determines the purposes and means of processing (i.e. us).
- Processor — a party that processes data on behalf of the controller (e.g. our e-mail service provider).
- Data subject — the identified or identifiable natural person whose data is processed (i.e. you).
- Consent — freely given, specific, informed and unambiguous indication of the data subject's wishes.
3What Personal Data We Collect
We collect personal data only to the minimum extent necessary for the specific purpose ("data minimisation" principle, Art. 5(1)(c) GDPR). The categories of data we process are:
3.1 Data You Provide Directly
- Contact form & enquiries: full name, e-mail address, phone number, preferred charter dates, destination preferences, group size, sailing licence information, and any additional details you voluntarily include in your message.
- Newsletter subscription: first name and e-mail address.
- Booking & contract: full legal name, date of birth (where required by the charter company), passport/ID details (forwarded to the bareboat operator as required by law), postal address, emergency contact information.
- Communications: content of e-mails, WhatsApp messages or any other direct messages you send us.
3.2 Data Collected Automatically
- Log data: IP address, browser type and version, operating system, referring URL, pages visited, time and date of visit, time spent on pages. This data is collected by our hosting provider (Netlify) and may be retained in server logs.
- Functional browser storage: your cookie-banner choice (
pbc_cookie) and a flag that stops the newsletter pop-up from reappearing during a visit (pbc_nl_shown), stored in your browser's local/session storage. See Section 6. - Technical data: device type, screen resolution, connection type. Used only in aggregate, anonymised form.
3.3 Data We Do NOT Collect
4Legal Bases for Processing
We process your personal data only where we have a valid legal basis under Article 6 GDPR. The applicable bases are:
- Art. 6(1)(a) — Consent: newsletter subscriptions. You can withdraw consent at any time (see Section 11). Withdrawal does not affect the lawfulness of processing prior to withdrawal.
- Art. 6(1)(b) — Performance of a contract: processing necessary to handle a booking enquiry, provide a quotation, enter into a charter agreement, or fulfil pre-contractual steps at your request.
- Art. 6(1)(c) — Legal obligation: where we are required to retain records (e.g. accounting, tax obligations under Polish law — ustawa o rachunkowości), respond to lawful requests from public authorities, or comply with anti-money-laundering regulations.
- Art. 6(1)(f) — Legitimate interests: improving our website and services, fraud prevention, ensuring network and information security, maintaining client relationship records after a booking (up to the retention limits in Section 10). We have assessed that these legitimate interests are not overridden by your fundamental rights and freedoms.
5How We Use Your Personal Data
The table below maps each processing activity to its purpose and legal basis:
| Activity | Purpose | Legal Basis |
|---|---|---|
| Responding to enquiries | Provide charter advice, quotations, and pre-sales support | Art. 6(1)(b) — contract / pre-contractual |
| Processing bookings | Arrange and manage your charter, liaise with operators | Art. 6(1)(b) — contract performance |
| Newsletter | Send sailing tips, promotions, destination guides | Art. 6(1)(a) — consent |
| Legal & accounting records | Comply with Polish tax and accounting law | Art. 6(1)(c) — legal obligation |
| Website operation | Display pages, remember language preference, basic functionality | Art. 6(1)(f) — legitimate interests |
| Security & fraud prevention | Detect and prevent malicious activity, protect systems | Art. 6(1)(f) — legitimate interests |
| Legal claims | Establish, exercise or defend legal claims | Art. 6(1)(f) — legitimate interests / Art. 9(2)(f) |
We will never use your personal data for automated decision-making or profiling that produces legal or similarly significant effects (Art. 22 GDPR) without your explicit consent and without providing appropriate safeguards.
6Cookies & Tracking Technologies
We keep data collection to a minimum. Our website does not use advertising, marketing or third-party analytics cookies, and we do not track your behaviour across other websites. We only use a small amount of functional browser storage needed to make the site work and to remember your choices, as listed below.
6.1 Cookies We Use
| Cookie Name | Type | Duration | Purpose |
|---|---|---|---|
pbc_cookie |
Local storage (until cleared) | Remembers that you have answered the cookie banner, so it is not shown on every visit. | |
pbc_nl_shown |
Session | Prevents the newsletter pop-up from appearing repeatedly during the same visit. |
6.2 Third-Party Content
We host our fonts locally, so loading our pages does not send any data to Google Fonts. Some pages still load content from the third parties below, which may receive your IP address and set their own cookies when that content loads:
- Unsplash (images.unsplash.com) — some photographs are served from Unsplash; Unsplash may log request data per their Privacy Policy.
- Instagram / Meta (instagram.com) — our home and gallery pages embed Instagram posts; when these load, Meta Platforms Ireland Ltd. may receive your IP address and set cookies per their Privacy Policy.
6.3 Managing Cookies
You can clear the functional storage we use at any time via your browser settings (clear site data / local storage); this will also make the cookie banner appear again. You may also block or delete cookies set by the third-party content listed above — note that blocking some storage may affect how parts of the site work. For general guidance, visit aboutcookies.org.
7Newsletter & Marketing Communications
We operate a free sailing newsletter ("The PBC Insider"). Subscribing is entirely voluntary and constitutes freely given, specific and informed consent under Art. 6(1)(a) GDPR and Art. 10 of the Polish Act on Providing Electronic Services (ustawa o świadczeniu usług drogą elektroniczną).
7.1 What We Send
Newsletter content may include: seasonal sailing guides, destination highlights, fleet updates, exclusive promotional offers, regulatory updates relevant to sailors (e.g. licensing changes), and charter availability notifications. We do not sell advertising space in our newsletter to third parties.
7.2 Your Right to Unsubscribe
7.3 Retention After Unsubscribe
Following unsubscription, we retain a minimal suppression record (e-mail address only, flagged as unsubscribed) for up to 3 years. This is a legitimate interest measure to ensure we do not accidentally re-add you to our list through a future interaction.
8Sharing & Disclosure of Personal Data
8.1 Charter Partners & Operators
When you proceed to a booking, we share only the personal data required by the charter company (typically: full name, passport/ID scan, sailing licence details, emergency contact). This sharing is necessary for the performance of the contract you enter into. Charter companies in our network are independently responsible data controllers for their own processing activities. We recommend reviewing their privacy policies before confirming a booking.
8.2 Service Providers (Processors)
We engage third-party service providers acting as data processors on our behalf. Each processor is bound by a written Data Processing Agreement (DPA) ensuring GDPR-compliant handling. Processor categories include:
- E-mail service providers (for contact form responses and newsletters);
- Web hosting provider (Netlify, Inc. — see Section 9 on international transfers);
- Cloud document storage (for booking files);
- Accounting software (for invoicing and legal compliance).
We do not disclose the identities of specific sub-processors in this public document, but a list is available on written request.
8.3 Legal & Regulatory Disclosure
We may disclose personal data to public authorities, courts, or law enforcement agencies where required by applicable law, a binding court order, or to protect the vital interests of you or another person. Where permitted by law, we will notify you before any such disclosure.
8.4 Business Transfers
In the event of a merger, acquisition, asset sale, or restructuring of PBC Yacht Charter, personal data held by us may form part of the transferred assets. In such an event, the acquiring entity will be bound by obligations no less protective than those in this Policy, and we will notify affected data subjects at the earliest practicable opportunity, as required by GDPR.
9International Data Transfers
Our primary operations are based in Poland (European Economic Area). Some of our service providers are established outside the EEA, most notably:
- Netlify, Inc. (United States) — web hosting and deployment. Netlify participates in the EU–U.S. Data Privacy Framework (DPF), an adequacy mechanism approved by the European Commission pursuant to Art. 45 GDPR. Data transfers to Netlify are therefore lawful without additional safeguards.
- Unsplash (United States) and Meta Platforms / Instagram — where our pages load Unsplash images or embedded Instagram posts, your IP address may be transferred outside the EEA under the relevant provider's safeguards (e.g. the EU–U.S. Data Privacy Framework or Standard Contractual Clauses).
For any other international transfers, we apply one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) adopted by the European Commission (2021/914/EU);
- An adequacy decision by the European Commission (Art. 45 GDPR);
- Binding Corporate Rules (Art. 47 GDPR), where applicable.
You may request copies of the relevant transfer safeguards by contacting us at info@pbcyachtcharter.com.
10Data Retention
We retain personal data for no longer than is necessary for the purpose for which it was collected, in accordance with Art. 5(1)(e) GDPR ("storage limitation"). The specific retention periods are:
| Data Category | Retention Period | Reason |
|---|---|---|
| Enquiry / contact form data (no booking concluded) | 24 months from last contact | Legitimate interest: follow-up service, potential conversion |
| Booking & contract data | 5 years after trip completion | Legal obligation: Polish accounting law (5-year minimum); statute of limitations for civil claims (3–6 years) |
| Invoices & financial records | 5 years (Art. 74 of the Polish Accounting Act) | Legal obligation |
| Newsletter subscriber data (active) | Until unsubscription + 30 days to process removal | Consent-based; withdrawn on unsubscribe |
| Suppression list (unsubscribed) | 3 years from unsubscription | Legitimate interest: prevent accidental re-subscription |
| Server / access logs | 90 days | Security, fraud prevention, hosting-provider SLA |
| Cookie-banner choice | Until cleared in your browser | Remembering your choice (Prawo komunikacji elektronicznej / ePrivacy) |
| Legal claim-related data | Duration of proceedings + 1 year | Legitimate interest / legal obligation to preserve evidence |
Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised. Where deletion is not technically possible (e.g. backup media), data is placed in restricted access until deletion at the next backup rotation cycle.
11Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights. You may exercise any of these rights free of charge by contacting us at info@pbcyachtcharter.com. We will respond within one calendar month (Art. 12 GDPR). In complex cases we may extend this by a further two months, notifying you of the extension within the first month.
Right of Access (Art. 15)
Obtain confirmation of whether we process your data and receive a copy of it.
Right to Rectification (Art. 16)
Have inaccurate or incomplete personal data corrected without undue delay.
Right to Erasure (Art. 17)
"Right to be forgotten." Request deletion where no overriding legitimate basis exists for continued processing.
Right to Restriction (Art. 18)
Restrict processing (e.g. while accuracy is contested or an objection is being assessed).
Right to Portability (Art. 20)
Receive your data in a structured, machine-readable format (applies to consent- or contract-based processing).
Right to Object (Art. 21)
Object at any time to processing based on legitimate interests or for direct marketing purposes. Marketing objections are absolute; all others are subject to a balancing assessment.
Right re: Automated Decisions (Art. 22)
Not to be subject to solely automated decisions (including profiling) producing significant effects, without human review.
Right to Withdraw Consent (Art. 7(3))
Withdraw consent at any time for consent-based processing (e.g. newsletter). Withdrawal does not affect past lawful processing.
Identification Requirements
To protect your data from unauthorised access, we may ask you to provide reasonable proof of identity before processing your request. We will not use identity verification as a mechanism to discourage requests.
Limitations
The right to erasure and the right to object may be limited where processing is necessary for compliance with a legal obligation (Art. 6(1)(c)), for the performance of a task carried out in the public interest, or for the establishment, exercise or defence of legal claims (Art. 17(3) GDPR).
12Data Security
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access — consistent with Art. 25 GDPR ("data protection by design and by default") and Art. 32 GDPR. Our current measures include, but are not limited to:
- Encryption in transit: all data transmitted between your browser and our website is encrypted using HTTPS (TLS).
- Access controls: access to personal data is limited to the people who operate PBC Yacht Charter, on a strict need-to-know basis.
- Secure hosting: our website is hosted on Netlify's infrastructure, which provides industry-standard security controls, DDoS protection and HTTPS by default.
- Data minimisation: we collect only the data we need, which limits the impact of any potential incident.
- Regular review: we review our security measures regularly and whenever our processing activities change significantly.
13Children's Privacy
Our website and services are not directed at children under the age of 16 years. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately at info@pbcyachtcharter.com and we will take steps to delete such data promptly.
Where minors are included as guests on a charter booking, their personal data (where required by the charter operator, e.g. for documentation) is provided by and processed under the responsibility of the adult party who makes the booking, who warrants that they have the legal authority to provide that data.
14Third-Party Links & Services
Our website may contain links to third-party websites, services, or embedded content (including, but not limited to, Google Maps, Google Reviews, social media platforms, and charter operator websites). This Privacy Policy applies solely to our website and services. We have no control over and assume no responsibility for the content, privacy policies, or data practices of any third-party site.
We strongly encourage you to review the privacy policy of every third-party site you visit. The presence of a link or embedded content on our website does not constitute our endorsement or warranty of that site's privacy practices.
In particular, if you follow a link to submit a review on Google or click a WhatsApp button, you are subject to Google LLC's and Meta Platforms Ireland Ltd.'s respective privacy policies from the moment you access their services.
15Limitation of Liability
To the fullest extent permitted by applicable law:
- We are not liable for any loss or damage arising from your use of, or inability to use, our website, including data loss caused by events outside our reasonable control (force majeure), including but not limited to cyber-attacks, telecommunications failures, acts of God, war, or government action.
- We are not liable for the data practices of charter operators, third-party websites, or other controllers to whom data may be transferred in accordance with this Policy.
- We are not liable for any failure by you to keep your login credentials (if applicable) confidential or to notify us promptly of any unauthorised use.
- Our aggregate liability to you in connection with the processing of your personal data shall not exceed the amount actually paid by you to us in the twelve (12) months preceding the event giving rise to the claim, or €500 (whichever is greater), except where such limitation is prohibited by applicable law (e.g. in cases of wilful misconduct or gross negligence).
Nothing in this section limits rights you have under mandatory consumer protection law or under GDPR that cannot be contractually excluded.
16Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or operational requirements. When we do so, we will:
- Update the "Last updated" date at the top of this page;
- Post a notice on our homepage for at least 30 days where changes are material;
- Where required by GDPR (e.g. where processing purpose changes), seek fresh consent or provide direct notification by e-mail to affected data subjects.
We recommend that you review this Policy periodically. Your continued use of our website and services after any changes constitutes acknowledgment of the revised Policy, to the extent permitted by law.
Prior versions of this Policy are archived and available on written request.
17Contact & Complaints
How to Exercise Your Rights or Ask Questions
For any privacy-related enquiries, rights requests or complaints, please contact our privacy lead:
We aim to respond to all privacy requests within 30 calendar days of receipt. For complex requests, we may extend this period by a further 60 days, notifying you of the extension within the initial 30-day period and explaining the reasons for the delay.
Right to Lodge a Complaint with the Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the competent data protection supervisory authority in your EEA member state of habitual residence, place of work or place of the alleged infringement.
As a Polish company, our lead supervisory authority is:
Prezes Urzędu Ochrony Danych Osobowych
ul. Stawki 2, 00-193 Warszawa, Polska
Phone: +48 22 531 03 00 | Website: uodo.gov.pl | E-mail: kancelaria@uodo.gov.pl
We respectfully request that you contact us first before lodging a complaint with UODO, as many issues can be resolved swiftly and informally at the controller level.