Privacy and Cookie Policy of the MountStory Application

This Privacy Policy sets out the rules for the processing and protection of personal data of users (i.e., you) using the MountStory mobile application (hereinafter, “the Application”). We administer data in accordance with the requirements of the GDPR and other applicable laws that protect the privacy of the Application users.

I. Administrator

The administrator of your personal data is: Mount Story Limited Liability Company with its registered office in Warsaw, at the following address: Stefana Batorego Street, No. 18/108, 02-591 Warsaw (Poland), entered in the register of entrepreneurs kept by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register under KRS number 0001181091, using NIP (Tax Identification Number): 7011267437 and REGON (National Business Registry Number): 542116875 (hereinafter, “the Administrator”). 

Any questions or comments regarding the Privacy Policy and cookies, as well as the processing of your data, can be sent to us at the following e-mail address: support@mountstory.com.

II. Scope, purposes, and legal basis for processing personal data

Below, we present what data we process within the Application, for what purpose, and on what legal basis.

  1. We process registration data (first name, last name, nationality, date of birth, email address, phone number, password) for the purpose of performing a service agreement (creating and maintaining an account, accessing the Application’s functionality), and the legal basis is: Article 6(1)(b) – necessary for the performance of a contract.
  2. We process additional data in the profile (photo, BIO note) in order to supplement additional information about the user at their request, and the legal basis is: Article 6(1)(a) – the user’s consent expressed by completing the information in the profile. 
  3. We process activity data (entered routes, summit archive, likes, summit verification) for the purpose of maintaining the account, providing the service in accordance with its intended purpose, maintaining social functionality, and the legal basis is: Article 6(1)(b) – necessary for the performance of a contract.
  4. We process geolocation/GPS data (route tracking) for the purpose of providing a service for tracking and recording mountain routes, and the legal basis is: Article 6(1)(a) – user consent (expressed at the operating system and the Application level).
  5. We process payment data (transaction number, date, payment status) for the purpose of providing and servicing paid services, financial and accounting settlements, and the legal basis is: Article 6(1)(b) – necessary for the performance of a contract.
  6. We process analytical/technical data (system logs, device data, errors) for the purpose of ensuring security, proper functioning of the Application, pursuing claims, protection against possible claims, and the legal basis is: Article 6(1)(f) – legitimate interest of the Administrator.
  7. We process email addresses for the purpose of sending marketing information about the Administrator’s own products and services, and the legal basis is: Article 6(1)(f) – legitimate interest of the Administrator.
  8. We process your email address for the purpose of sending marketing information about the products and services of the Administrator’s partners, and the legal basis is: Article 6(1)(a) – user consent.

III. Data retention period

The Administrator stores the personal data of the Application users for the period necessary to achieve the purposes for which it was collected, in accordance with the following rules:

  1. data related to the conclusion of the contract and maintaining the profile: data processed for the purpose of performing the contract for the provision of access to the Application (i.e., maintaining the user’s profile, activity data in the Application) is stored for the entire period of having an active profile in the Application;
  2. data related to the pursuit of claims: after deleting the profile (termination of the contract), personal data will be deleted from the Application, but we will store it outside the Application for the period necessary to protect against or pursue any claims, which means the limitation period for claims under civil law (usually 3 or 6 years from the date of termination of the contract);
  3. settlement and accounting data: data relating to payments for paid services and settlements are stored for the period required by tax and accounting law, which is 5 years from the end of the calendar year in which the tax payment deadline expired;
  4. data processed on the basis of consent (geolocation, partner marketing): this data is stored until the user withdraws their consent; withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal; 
  5. data processed on the basis of the Administrator’s legitimate interest (own marketing, analytics): this data is stored until the user effectively objects to the processing;
  6. analytical and technical data: data collected automatically (system logs, technical data) is stored for up to 2 years to ensure the security and proper functioning of the service.

IV. User Rights

In connection with the processing of your personal data, you have a number of rights under the GDPR. To exercise these rights, please contact the Administrator using the addresses provided in this Privacy Policy.

Below is a summary of your rights:

  1. Right of access to data: you have the right to obtain confirmation as to whether we are processing your data and, if so, to obtain access to it and information about the purposes and methods of its processing;
  2. Right to rectification: you have the right to request the immediate rectification of your incorrect personal data or the completion of incomplete data;
  3. Right to erasure (“right to be forgotten”): you have the right to request the erasure of your data, especially when:
    1. the data is no longer necessary for the purposes for which it was collected;
    2. you have withdrawn your consent and there is no other legal basis for processing;
    3. you have effectively objected to the processing (Note: this right is not absolute and does not apply, for example, when the processing is necessary for the Administrator to comply with a legal obligation);
  4. Right to restriction of processing: you have the right to request restriction of processing, for example, when you contest the accuracy of personal data, for a period enabling the Administrator to verify its accuracy;
  5. Right to data portability: you have the right to receive your data in a structured, commonly used, machine-readable format and you may request that it be sent to another Administrator;
  6. Right to object: you have the right to object at any time to the processing of your personal data based on the legitimate interest of the Administrator (e.g., direct marketing of the Service Provider’s own products);
  7. Right to withdraw consent: you have the right to withdraw your consent at any time if the processing is based on it (e.g., consent to geolocation, partner marketing); withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal;
  8. Right to lodge a complaint with a supervisory authority: you have the right to lodge a complaint with the supervisory authority responsible for personal data protection in your country of residence or habitual residence if you believe that the processing of your personal data violates the provisions of the GDPR; in Poland, this will be: the President of the Personal Data Protection Office (PUODO).

V. Data recipients and transfer of personal data to third countries

  1. Your Personal Data may be disclosed to the following categories of recipients:
    1. processors: we use external entities that process data on our behalf (in accordance with our instructions) in order to provide the service; these include, in particular: hosting service providers, IT system providers, analytical tool providers (e.g., system logs), and entities handling PUSH communications; 
    2. payment service providers: in the case of paid services, transaction data is transferred to payment service providers and banks for the purpose of authorizing and settling transactions;
    3. business partners: your contact details (email, telephone number) may be transferred to travel agencies, solely at your express request to contact a given agency, for the purpose of concluding a travel contract; 
    4. advisors and auditors: entities providing us with legal, accounting, auditing, or IT services, to the extent necessary to fulfill our legal obligations or pursue claims.
  2. Due to the use of global technology providers and analytical tools, your personal data may be transferred outside the European Economic Area (EEA) to so-called third countries that do not directly provide the same level of protection as the GDPR (e.g., the US).
  3. Any transfer of data outside the EEA is based exclusively on the following mechanisms, which are compliant with the GDPR and ensure an adequate level of protection:
    1. a decision by the European Commission confirming an adequate level of protection (adequacy decision) for a given country (if applicable); 
    2. the use of standard contractual clauses (SCC) approved by the European Commission, with additional technical and organizational measures to secure the data.

VI. Cookies and other tracking technologies 

  1. The Application uses tracking technologies such as cookies, device identifiers, and analytics software to collect and process data about how you use the Application and the mobile device you are using.
  2. Technologies necessary to provide access to the Application (e.g., session maintenance, profile security) are used on the basis of the Administrator’s legitimate interest and do not require your consent.
  3. The use of technologies for analytical, marketing, and content personalization purposes (including retargeting) requires your explicit consent, which is collected via a consent banner or appropriate settings in the Application.
  4. Tracking technologies are used for the following purposes:
    1. analytics and optimization: collecting information about the number of users, the Application errors, time spent on individual screens, which allows for the optimization of the Application’s performance and the adjustment of its functionality; 
    2. personalization: adjusting the displayed content, including trip offers, to your preferences and activity history;
    3. marketing: displaying advertisements (our own and those of our partners) inside or outside the Application (contextual and retargeting advertising);
  5. You have the right to withdraw or change your settings for cookies and other identifiers at any time from the Application settings or privacy settings in your device’s operating system.

VII. PUSH notifications and geolocation

  1. The Application may send PUSH notifications (short messages displayed on the screen of your mobile device). To receive these notifications, your explicit consent is required at the device operating system level. You can withdraw this consent at any time by changing the notification settings on your device or in the Application.
  2. The route tracking feature (GPS) requires access to your precise location. Granting access to geolocation requires your explicit consent at the device operating system level. This data is processed solely for the purpose of providing a specific service and can be disabled at any time from your mobile device or App settings.

VIII. Final provisions

  1. This policy may be subject to changes driven by the development of Internet technology, amendments to the law regarding personal data protection, and the evolution of our Application.
  2. We will inform you about the content of changes to the Privacy Policy by means of an appropriate message in the Application or by e-mail to the e-mail address assigned to your user profile.