Privacy Policy and Cookies

§1. General Information

The data controller is Konrad Żelazny, NIP: 6762506379, Glanów 106B, 32-353 Trzyciąż, registered in the Central Register of Economic Activity (CEIDG).

Data processing is carried out in accordance with the GDPR Regulation.

The Administrator has not appointed a Data Protection Officer; matters concerning personal-data protection are handled by the Administrator at contact@ambermap.com.

§2. Purposes and Legal Bases for Data Processing

Personal data is processed for the following purposes:

• Contract performance (Art. 6(1)(b) GDPR)

  Account management, map access, subscription payment processing via Paddle (Merchant of Record), and subscription state management via RevenueCat.

• Marketing (Art. 6(1)(a) GDPR)

  Newsletter and amber deposit notifications – only based on voluntary consent.

• Analytics (Art. 6(1)(a) GDPR – Consent)

  Service optimization using Google Analytics and Microsoft Clarity – only based on voluntary consent, which can be granted or withdrawn at any time in the cookie settings.

• Sharing with partners (Art. 6(1)(a) GDPR)

  Sharing contact data with business partners (e.g. amber shops) – only after separate consent is given.

§3. Data Recipients

User data may be shared with the following entities:

• Paddle.com Market Limited (Ireland) – as Merchant of Record for subscription payment processing, invoicing, VAT collection, fraud prevention, and customer payment support; Paddle may engage sub-processors (e.g. payment infrastructure providers in the United States) bound by appropriate data-transfer safeguards.
• Google LLC and Microsoft Corporation – for analytical purposes.
• Vercel Inc. – as hosting infrastructure provider.
• Google Cloud (Firebase) – for secure storage of user data (database) and handling the authorization and login process.
• Business partners – only if the User has given marketing consent.
• RevenueCat, Inc. (USA) – for cross-platform subscription state management (entitlements, renewals, cancellations) on behalf of the Administrator.

§4. Your Rights

You have the right to: access your data, rectify it, delete it, restrict processing, data portability, and object to processing.

You have the right to withdraw any consent (e.g. for newsletter or data sharing with partners) at any time, which does not affect the lawfulness of processing before the withdrawal.

You have the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw, https://uodo.gov.pl).

Providing your email address is necessary to perform the contract for account services and Subscription. Providing additional data (e.g. display name) is voluntary; refusal may limit certain features. Payment data is required by Paddle to process the Subscription.

Personal data is not subject to automated decision-making within the meaning of Art. 22 GDPR, including profiling that produces legal effects or significantly affects the User.

To exercise any of the above rights, contact the Administrator at contact@ambermap.com. We will respond without undue delay and in any event within one month of receipt of the request, in accordance with Art. 12(3) GDPR.

§5. Data Transfers Outside the EEA

Due to the use of Google Cloud (Firebase) and RevenueCat services, User data may be transferred to a third country (USA). The Administrator ensures that these providers offer an adequate level of personal data protection through the use of Standard Contractual Clauses approved by the European Commission and, where applicable, participation in the EU-US Data Privacy Framework. Paddle.com Market Limited is established in Ireland (EU); processing by Paddle does not constitute a transfer outside the EEA, although Paddle may itself engage sub-processors outside the EEA under appropriate safeguards.

§6. Data Retention Periods

Personal data is retained for the following periods, depending on category:

• Account data — for the duration of the account, until deletion at the User's request.
• Subscription data — for the duration of the Subscription and an additional 6 years after termination, for tax and accounting purposes.
• Invoice and billing data — 5 years from the end of the calendar year in which the invoice was issued, in accordance with Polish accounting law (art. 74 of the Accounting Act).
• Marketing consent records — until consent is withdrawn or for 5 years from the last action, whichever comes first.
• Analytics data (Google Analytics, Microsoft Clarity) — according to the providers' default retention settings, typically 14 to 26 months.
• Complaint and dispute data — for 6 years from resolution, for the period of statutory limitation of claims.

§7. Invoice and Billing Data

For Premium Subscriptions, invoices are issued by Paddle.com Market Limited as Merchant of Record. Paddle collects: billing name, billing address, optionally tax identification number (e.g. NIP for Polish VAT invoices), and payment method information.

The Administrator receives only summary data (subscription status, payment confirmation timestamp) — full payment card details and other sensitive billing data are processed exclusively by Paddle and not shared with the Administrator.

Invoice data is retained for 5 years from the end of the calendar year of issuance, as required by Polish accounting law.

§8. Email Communications

The Administrator distinguishes two categories of email communications:

• Transactional emails — account verification, password reset, Subscription billing notifications (sent by Paddle), refund confirmations, and notices regarding changes to the Terms or Privacy Policy. These are necessary to perform the contract and do not require separate consent (art. 10 of the Polish Act on Provision of Electronic Services).
• Marketing emails — newsletters, amber-condition alerts, promotional content. These are sent only based on the User's voluntary consent (Art. 6(1)(a) GDPR), which can be withdrawn at any time.

§9. Minimum Age

The Service is restricted to Users aged 16 years or older, in accordance with art. 8 GDPR as implemented in Polish law.

If the Administrator becomes aware that an account has been created by a person under 16, the account will be removed and any associated personal data deleted.

§10. Data Breach Notification

In the event of a personal data breach posing a high risk to the rights and freedoms of the User, the Administrator will notify the User without undue delay, in accordance with Art. 34 GDPR.

All breaches are reported to the supervisory authority (PUODO) within 72 hours of becoming aware of them, where required by Art. 33 GDPR.

§11. Cookies

The Service uses cookies for technical purposes (login session) and analytical purposes. Detailed information about the categories of cookies, retention, and how to manage your preferences is available in our Cookie Policy.