Privacy Policy
Effective from: 2026-05-29 · Version 1.0
This document describes how personal data is processed in the PackPlan service (pack.sniegula.com) in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Polish Act on Provision of Electronic Services. The Polish version at /prywatnosc is the binding version; this English translation is provided for convenience.
1. Data controller
Sławomir Śnieguła, doing business as Sniegula Expeditions, ul. Czarnieckiego 5, 88-400 Żnin, Poland, Polish tax ID (NIP) 5213392848.
Data protection contact: kontakt@sniegula.com.
The Controller has not appointed a Data Protection Officer — the scope of processing does not require one under GDPR Art. 37.
2. What data we process and why
| Category | Purpose | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Email, username, password (bcrypt) | Account creation and login | Art. 6(1)(b) — contract performance | Until Account deletion + 30 days backup |
| Content (packs, items, notes) | Providing the planning service | Art. 6(1)(b) — contract performance | Until Account deletion + 30 days backup |
| IP address (SHA-256 hashed), user agent | Security, abuse detection | Art. 6(1)(f) — legitimate interest | 90 days |
| Affiliate clicks (hashed IP + product ID) | Conversion statistics, partner reconciliation | Art. 6(1)(f) — legitimate interest | 24 months (aggregates indefinitely) |
| Public packs (content + slug) | Display under public link | Art. 6(1)(a) — consent | Until consent withdrawn |
3. Cookies
The Service uses only cookies essential for operation (session, CSRF token, language preference). No third-party marketing, advertising or analytics cookies are used (no Google Analytics, no Google Ads, no Facebook Pixel, no Hotjar, etc.).
- laravel_session — session, 2 h lifetime
- XSRF-TOKEN — CSRF protection, 2 h lifetime
- sniegula_locale — language preference, 1 year lifetime, domain .sniegula.com (shared with sniegula.com)
4. Data recipients
We transfer data to the following categories of recipients:
- Hetzner Online GmbH (Germany / EU) — infrastructure hosting (data processing agreement in place)
- Apple Inc. (USA) — iOS users only: In-App Purchase handling (card details never reach the Operator)
- Google LLC (USA) — Android users only: Google Play Billing (card details never reach the Operator)
- Partner shops (e.g. Skalnik, 8a.pl, Fjellsport, Bergfreunde) — receive only a product identifier in the UTM parameter, no User personal data
We do not sell personal data. We do not share it with data brokers.
5. International transfers
Data is processed within the EEA (Hetzner — Germany). Apple and Google process payment data in the United States — this is based on the European Commission's adequacy decision of 10 July 2023 (EU-US Data Privacy Framework) and on Standard Contractual Clauses (SCC).
6. What we do NOT do
- We do not sell personal data and do not share it with brokers.
- We do not send marketing newsletters from pack.sniegula.com (the sniegula.com newsletter signup is a separate, voluntary action).
- We do not use third-party advertising or analytics trackers.
- We do not profile Users for advertising and do not make automated decisions with legal effects (no profiling within the meaning of GDPR Art. 22).
7. Your rights
Under GDPR you have:
- Right of access (Art. 15) — you may request an export of your data
- Right to rectification (Art. 16) — edit your data directly in the app or by email
- Right to erasure ("right to be forgotten", Art. 17) — Account and data deletion within 7 business days
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20) — pack export in JSON / CSV format
- Right to object (Art. 21) — to processing based on legitimate interest
- Right to withdraw consent (Art. 7) — e.g. by making a public pack private
- Right to lodge a complaint — with the Polish data protection authority: President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl). EU residents may also contact their local supervisory authority.
We respond to all requests within 30 days of receipt; in complex cases this may be extended by an additional 60 days with notice.
8. Security
We apply the following technical and organisational measures: password hashing with bcrypt and per-user salt, transmission only over HTTPS (TLS 1.3, Let's Encrypt certificate), session tokens in HttpOnly cookies with SameSite=Lax, SQLite database with file permissions restricted to the application process, encrypted backups with 30-day retention, security updates of dependencies at least monthly.
9. Children's data
The Service is not directed at children under 16. Persons under 16 may use the Service only with the consent and under the supervision of a legal guardian (GDPR Art. 8). If we discover that an Account belongs to a child without guardian consent, we delete it without delay.
10. Mobile application
PackPlan is also available as a mobile app on Google Play (Android) and the App Store (iOS). It uses the same data as the web version.
The mobile app does not collect: location, contacts, calendar, microphone, camera (unless you manually pick a photo — then only the selected file reaches us), advertising identifiers (Advertising ID).
The app may store a session token in local device storage (Android Keystore / iOS Keychain) to keep you logged in.
In-app payments (where available) are handled by Google Play Billing or Apple App Store. The Operator receives only the active subscription entitlement; card data is processed by Google or Apple under their respective privacy policies.
11. Partner shops
When you click an affiliate link from the Library you are taken to an external shop. The shop's privacy policy applies from that point. The Operator transfers to the shop only the product identifier in the UTM parameter, no User personal data.
12. Changes to this policy
Material changes are announced 14 days in advance by email and in-app notice. The current version is always available at pack.sniegula.com/en/privacy (PL: /prywatnosc).
13. Contact
Privacy questions and data subject requests: kontakt@sniegula.com. We respond within 7 business days (GDPR requests: within 30 days).