Privacy Policy

Last updated: 19 May 2026

I. General Provisions and Controller Information

This Policy sets out the rules for processing and protecting the personal data of users of the Galeria Weselna website available at www.galeriaweselna.pl (the "Service").

1. Personal Data Controller

The controller of personal data is Krzysztof Kucharski, a natural person operating as an unregistered sole trader, pursuant to Article 5(1) of the Polish Entrepreneurs' Law.

Controller contact details:

2. Key Definitions

TermDefinition
GDPRRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
OrganiserA natural person who creates an account in the Service and sets up a gallery. The legal basis for processing is performance of a contract (Art. 6(1)(b) GDPR).
GuestA natural person who uploads multimedia files to a gallery created by an Organiser, gaining access via a previously received QR code or gallery link without the need for other login methods. The legal basis for processing is consent (Art. 6(1)(a) GDPR).
EEAEuropean Economic Area.

II. Scope, Purposes and Legal Bases for Processing

Personal data are processed solely for the purpose of providing the Service, ensuring its security, managing Organiser accounts and processing payments.

Data CategoryPurpose of ProcessingLegal Basis (GDPR)
Organiser Data
(Email address, gallery name, gallery identifier, gallery password, multimedia files)
Registration, authentication, technical communication, email communication, gallery management and service provision.Art. 6(1)(b) (Necessary for performance of a contract).
Payment Data
(processed by Stripe)
Processing payment transactions and fulfilling accounting and tax obligations.Art. 6(1)(b) (Performance of a contract) and Art. 6(1)(c) (Legal obligation).
Photos / Video
(may contain images of individuals)
Creating and displaying galleries to the Organiser and Guests of the Service.Art. 6(1)(a) (Consent) – given at the time of uploading content.
Technical Data
(IP address, User Agent, date/time of operation)
System logs, network security and diagnostics.Art. 6(1)(f) (Legitimate interest of the Controller – security and proper functioning of the Service).

3. Processing of Third-Party Images

A Guest uploading a photo represents that they hold all required permissions, including consents of third parties (where required in the context of the event), to share the photo and to process the images of persons appearing in it for publication within the Service. The Controller is not liable for infringement of third-party rights resulting from a false statement by the Guest.

4. Source of Personal Data

Personal data are obtained directly from the data subjects (Organisers and Guests) at the time of account registration, uploading multimedia files or using the Service.

III. Data Retention Period

Data are stored only for the period necessary to fulfil the purposes of processing:

  • Photos and Video: 365 days from the date of purchase. After this period, data, including backup copies, are automatically and permanently deleted.
  • Organiser Account: Organiser data (email, identifiers) are stored until the Organiser independently deletes the account. After account deletion, data are permanently removed from the system.
  • Payment data and accounting records: Stored for the period required by tax and accounting law (up to 5 years from the end of the tax year, in accordance with the Accounting Act and the Tax Ordinance).
  • System Logs: Stored for no longer than 12 months, unless required for pursuing claims or necessary for security purposes.

IV. Data Recipients (Processors)

To ensure the proper functioning of the Service, your data may be shared with the following categories of external entities that process data under a data processing agreement:

  • Hosting and server service providers – hosting of backend infrastructure, databases and storage of multimedia files (location: European Union).
  • CDN and content delivery providers – faster access to photos and video, protection against DDoS attacks (location: European Union and global infrastructure for protection services).
  • Email service providers – sending email notifications and communicating with users (location: European Union).
  • Authentication service providers – managing Organiser accounts and secure login (Google Ireland Limited / Google LLC – mainly EEA, possible transfer to the USA, see Section V).
  • Payment service providers – handling and processing payment transactions (Stripe, Inc. – mainly EEA, possible transfer to the USA, see Section V).
  • Google Analytics 4 (Google Ireland Limited / Google LLC) — visit statistics, traffic sources and how the Service is used (including events such as navigation between subpages, viewing sections of the homepage and clicks on selected buttons). Activated only after consent to analytics cookies. Possible transfer to the USA; legal basis: Art. 6(1)(a) GDPR (consent). More information: policies.google.com/privacy.
  • Sentry (Functional Software, Inc.) — detection and analysis of application errors to improve Service stability. Activated only after consent to analytics cookies. Data may be processed on infrastructure in the United States; legal basis: Art. 6(1)(a) GDPR (consent). More information: sentry.io/privacy.

All entities processing data operate under data processing agreements (DPAs) in accordance with GDPR requirements. For Google Analytics 4 and Sentry, we have entered into appropriate processing agreements; for transfers outside the EEA, Standard Contractual Clauses (SCCs) approved by the European Commission are used.

V. Transfers of Data Outside the EEA

Data processing takes place mainly within the European Economic Area (EEA).

However, due to the global nature of the infrastructure of certain service providers (in particular authentication, payment, analytics and error monitoring services), data may be transferred outside the EEA, including to the United States (USA).

Google Analytics 4 processes data mainly within Google Ireland Limited. Sentry may process technical error data (e.g. error type, URL, browser version) on infrastructure in the United States.

In cases of transfer of data outside the EEA, the Controller ensures an adequate level of protection by implementing safeguards compliant with the GDPR, in particular Standard Contractual Clauses (SCCs) approved by the European Commission, in accordance with Art. 46 GDPR.

VI. Security Measures

The Controller applies appropriate technical and organisational measures to ensure the confidentiality, integrity and availability of processed data, including:

  • Data transmission encryption (HTTPS): Securing communication between your device and the server.
  • Secure file uploads: Use of temporary, authorised links for uploading photos and video that expire automatically.
  • Time limits: Automatic deletion of galleries and all files after 365 days.
  • Attack protection: Safeguards against excessive requests and DDoS attacks.

VII. Cookies and Tracking Technologies

The Service uses cookies and similar technologies. On your first visit, we display a consent banner where you can accept all cookies, reject optional cookies or customise your choice. You can manage your settings at any time using the "Cookie settings" link in the Service footer.

CategoryPurposeLegal basis
EssentialLogin (Firebase), saving language preferences, access to password-protected galleries (gw_gallery_access_* on the API domain), remembering your consent settings.Art. 6(1)(b) GDPR (performance of a contract / provision of the service) and Art. 6(1)(f) GDPR (legitimate interest — security and operation of the Service).
AnalyticsGoogle Analytics 4 (Google Ireland Limited) — visit statistics, traffic sources, how the Service is used (including navigation between subpages, viewing sections of the homepage and clicks on selected buttons); Sentry — detection and analysis of application errors to improve Service stability.Art. 6(1)(a) GDPR (consent). These tools are activated only after consent is given in the cookie banner.

Google Analytics 4 may store cookies (e.g. _ga, _ga_*) on the user's device for up to 2 years. If you reject analytics cookies, GA4 will not collect data about your activity in the Service (we use Google Consent Mode).

After consent to analytics cookies is given, Google Analytics 4 may record events describing how the Service's marketing pages are used. We do not send form input content to Google Analytics (e.g. email address, password or gallery code).

Sentryprocesses technical error information (e.g. error type, URL, browser version). We do not send users' personal data to Sentry without consent to analytics cookies.

The gw_gallery_access_* cookie is set only after correctly entering the password for a protected gallery, operates for a maximum of 30 days and is necessary to use this feature — it does not require separate marketing consent.

Rejecting analytics cookies does not limit your ability to use the Service: login, creating galleries, browsing and uploading photos and videos remain available.

You may also block Google Analytics using a browser add-on: tools.google.com/dlpage/gaoptout.

VIII. Rights of Data Subjects

In connection with the processing of your personal data, you have the following rights under the GDPR:

GDPR RightDescription
Right of accessObtaining information about the scope of processed data.
Right to rectificationRequesting correction or completion of incomplete data.
Right to erasureThe right to be forgotten, unless there is a legal basis for further processing.
Right to restriction of processingRestricting processing to storage only.
Right to data portabilityReceiving data in a structured, commonly used format.
Right to objectObjecting to processing based on the Controller's legitimate interest (Art. 6(1)(f) GDPR).
Right to withdraw consentWithdrawing consent at any time (does not affect the lawfulness of processing before withdrawal).
Right to lodge a complaintLodging a complaint with the President of the Personal Data Protection Office (PUODO) if processing is non-compliant with the GDPR.

To exercise your rights, please contact the Controller at the email address provided: [email protected]. The Controller responds to requests within one month of receipt. In justified cases, this period may be extended by a further two months — in such cases the Controller will inform you of the reasons for the delay.

Right to lodge a complaint: If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw.

IX. Voluntary Nature of Data Provision and Consequences of Non-Provision

  • Organiser: Providing an email address is a statutory or contractual requirement necessary to enter into an agreement. Failure to provide an email address prevents registration and use of the Service.
  • Guest: Uploading photos is voluntary and requires consent to the processing of images. Without consent, a photo cannot be shared in the gallery, but this does not affect the ability to browse the gallery.
  • Payment data: Providing payment data is necessary to complete a transaction and purchase the service. Failure to provide this data prevents payment.

X. Automated Decision-Making and Profiling

The Service does not use automated decision-making, including profiling within the meaning of Art. 22(1) and (4) GDPR, that produces legal effects or similarly significantly affects users.

XI. Final Provisions

The Controller reserves the right to update and amend this Policy. Users will be informed of any material changes via a notice in the Service and electronically (in the case of Organisers).

This Policy complies with the requirements of Regulation (EU) 2016/679 (GDPR) and the Act of 10 May 2018 on the protection of personal data.

Polish version