Privacy Policy

Last updated: 2026-02-22

1. WHO WE ARE

This Privacy Policy describes how CityAirLink (“CityAirLink”, “we”, “us”, or “our”) collects, uses, and protects personal data in connection with:

  • our website,
  • our luggage transport services,
  • our operational activities,
  • customer communications.

CityAirLink provides scheduled, capacity-limited luggage transport between designated hotels and airport-related locations in Kraków, Poland.

CityAirLink does not provide long-term luggage storage services.

We act as the data controller under Regulation (EU) 2016/679 (GDPR).

2. DATA CONTROLLER DETAILS

CityAirLink acts as the controller of personal data processed in connection with the service.

For privacy-related questions, please contact us using the contact details published on this website.

3. TYPES OF DATA WE COLLECT

3.1 Customer Identification Data

  • First and last name
  • Email address
  • Telephone number

3.2 Order and Service Data

  • Order ID
  • Service date
  • Direction (Hotel → Airport / Airport → Hotel)
  • Number of bags
  • Selected time window
  • Hotel name
  • Operational status history

3.3 Security Seal & Bag Tracking Data

Each bag is assigned a uniquely coded security seal. Seal codes are associated with an order and recorded in our operational system.

Seal codes identify a bag, not a person, but are linked to customer data within the booking.

3.4 Operational Documentation

  • Photos of bags (if taken)
  • Staff verification logs
  • Event timestamps (e.g., picked up, at hub, released)

Photos are used strictly for:

  • service verification,
  • fraud prevention,
  • claims handling,
  • insurance documentation.

3.5 Payment Data

Payments are processed by Stripe.

We do not store:

  • full payment card numbers,
  • CVV codes,
  • raw payment credentials.

We may store:

  • transaction ID,
  • payment status,
  • partial card data provided by Stripe (e.g., last four digits).

Stripe acts as an independent data controller with respect to payment data. Stripe’s Privacy Policy applies to payment processing.

3.6 Technical & Usage Data

  • IP address
  • Device information
  • Browser type
  • Cookies
  • Log files

4. PURPOSES OF PROCESSING

We process personal data to:

  • perform and manage transport services,
  • verify and validate security seals,
  • coordinate operational logistics,
  • activate bookings after payment,
  • provide customer support,
  • handle claims and disputes,
  • prevent fraud and misuse,
  • comply with tax and accounting obligations,
  • improve our services.

6. DATA RETENTION PERIODS

We retain personal data only as long as necessary:

  • Booking and operational data: 5 years from service completion (for accounting and claims purposes).
  • Financial records: as required by Polish tax law (typically 5 years).
  • Security seal and tracking logs: up to 5 years.
  • Bag photos: typically 12 months, unless required for an ongoing dispute or insurance claim.
  • Technical logs: typically 12 months.

After retention periods expire, data is securely deleted or anonymized.

7. SHARING OF DATA

We may share personal data with:

  • Stripe (payment processing),
  • Hosting and cloud infrastructure providers,
  • Email service providers,
  • IT support providers,
  • Contracted logistics personnel,
  • Insurance providers (in case of a claim),
  • Public authorities where legally required.

We do not sell personal data.

8. INTERNATIONAL TRANSFERS

If personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards, including:

  • Standard Contractual Clauses approved by the European Commission,
  • Adequacy decisions where applicable.

9. SECURITY MEASURES

We implement appropriate technical and organizational measures, including:

  • Encrypted HTTPS communication,
  • Access control and role-based permissions,
  • Secure database hosting,
  • Payment tokenization via Stripe,
  • Audit logs of operational actions,
  • Limited access to bag tracking data.

10. FRAUD PREVENTION AND SECURITY

To protect customers and ensure safe release of luggage:

  • Each security seal code is validated against our system.
  • Duplicate or invalid codes are automatically flagged.
  • Bookings become active only after successful payment.
  • Order access links may be protected by secure tokens.
  • PIN-based confirmation may be required for luggage release.

Fraud prevention measures are based on our legitimate interest in protecting customers and operations.

11. YOUR RIGHTS UNDER GDPR

You have the right to:

  • Access your personal data,
  • Rectify inaccurate data,
  • Request erasure,
  • Restrict processing,
  • Object to processing,
  • Request data portability,
  • Withdraw consent (where applicable),
  • Lodge a complaint with the Polish Data Protection Authority (UODO).

Requests may be submitted using the contact details published on this website.

We may require identity verification before fulfilling requests.

12. COOKIES

We use cookies to:

  • enable essential site functionality,
  • maintain session security,
  • remember cookie preferences,
  • analyze website usage where consent has been granted,
  • support future marketing measurement where consent has been granted.

Non-essential cookies require prior consent where legally required. You can accept, reject, or manage them through the cookie banner and revisit your choice via "Cookie settings".

13. CHILDREN’S DATA

Our services are not intended for individuals under 16 years of age. We do not knowingly collect data from minors without a lawful basis.

14. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy periodically. The updated version will be published on our website with the revised effective date.