Log in Register

Privacy policy

Date of last update: 27.01.2026

Version: 1.0

Important information: This Privacy Policy explains how we collect, process and protect your personal data on Altitrip.com. By using our service, you accept the rules described below, subject to the reservation that, where data processing is based on consent, you have the right to give consent, refuse to give it, or withdraw it in accordance with applicable laws.

1. Data Controller

Support Przemysław Otulakowski
ul. św. Wojciecha 9 of/8
59-220 Legnica
NIP: 692 242 81 81
E-mail: hello@altitrip.com

For matters related to the protection of personal data, please contact us at the above e-mail address.

2. Scope of processed data

2.1. Data collected during registration

  • e-mail address,
  • username (nickname),
  • password (stored in encrypted / hashed form),
  • date of birth (for the purpose of verifying an age of at least 16 years).

2.2. Optional profile data

  • first and last name,
  • profile photo,
  • country of origin,
  • profile description (bio),
  • travel preferences.

2.3. Data generated automatically

  • IP address,
  • browser type, browser version, operating system and device identification data,
  • User-Agent and other technical data transmitted by the browser or device as standard,
  • date and time of visits,
  • pages visited and activity within the service,
  • approximate location determined on the basis of the IP address,
  • technical data related to the session, security, error diagnostics and infrastructure logs.

2.4. Content added by the user

  • descriptions of places,
  • travel reports,
  • comments,
  • photos and videos,
  • ratings and reviews,
  • private messages – to the extent necessary for the functioning of the communication feature.

3. Purposes, legal bases and data retention periods

Purpose of processing Legal basis Example scope of data Retention period
Creation and maintenance of a user account Article 6(1)(b) GDPR (performance of a contract) e-mail, nickname, password, date of birth, profile data Until the account is deleted or the provision of services is terminated
Login, session maintenance and account security functions Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(f) GDPR (the controller’s legitimate interest) session data, session identifier, timestamps, technical data For the duration of the session or for the period necessary for the “remember me” feature to function
Contact in administrative matters, handling notifications, complaints and GDPR requests Article 6(1)(b) GDPR and Article 6(1)(c) GDPR, and in appropriate cases also Article 6(1)(f) GDPR e-mail, content of correspondence, account identification data Until the matter is concluded, and then for the period necessary to defend claims or demonstrate compliance
Ensuring service security, maintaining technical logs, detecting abuse, preventing unauthorized access, incident analysis and infrastructure protection Article 6(1)(f) GDPR (the controller’s legitimate interest) IP address, User-Agent, browser and device technical data, session identifiers, server logs, timestamps, HTTP request data As a rule, up to 12 months, and in the event of an incident, abuse, claim or proceedings – until such matter is clarified, concluded or until claims become time-barred
Traffic analysis and service statistics Article 6(1)(a) GDPR (consent) – if analytical tools use cookies or similar technologies requiring consent; with regard to essential technical statistics also Article 6(1)(f) GDPR page view data, device data, traffic source data, interactions with the service In accordance with the retention period set in the given analytical tool or until consent is withdrawn
Displaying personalized advertisements, remarketing and measuring campaign effectiveness Article 6(1)(a) GDPR (consent) advertising identifiers, activity data, data related to marketing tags Until consent is withdrawn or in accordance with the settings of the given tool
Establishing, pursuing or defending claims, and cooperating with authorized authorities Article 6(1)(f) GDPR, and where the obligation arises by law – Article 6(1)(c) GDPR account data, logs, correspondence, data related to security incidents For the period necessary to achieve the purpose, no longer than until the expiry of the applicable limitation period or the conclusion of proceedings

Data such as IP address, User-Agent, technical identifiers, timestamps and server request data may be processed in technical and security logs exclusively for infrastructure, security, abuse detection, error diagnostics, preservation of evidence and – in cases provided for by law – provision of information to competent public authorities.

4. Analytical and marketing tools

Note: The tools listed below may use cookies and similar technologies to collect data about your behavior in the service. Analytical and marketing tools that are not necessary for the functioning of the service should be launched in accordance with the choice you make in the consent banner, if such a choice is required by law and implemented technically.

4.1. Google Tag Manager

We use Google Tag Manager to manage tags (scripts) on the website. Google Tag Manager itself is not used for independent profiling of the user, but it enables the launching of other analytical, marketing or technical tools in accordance with the adopted configuration.

4.2. Google Analytics 4

Google Analytics 4 may be used to analyze statistics on the use of the service, in particular with regard to:

  • time spent on the website,
  • visited subpages,
  • traffic sources,
  • used devices and browsers,
  • approximate location.

Within GA4, the mechanism should not be described as “IP masking” in the old Universal Analytics meaning. For users from the EU, Google indicates that IP addresses are not logged or stored in Google Analytics 4.

4.3. Meta Pixel (Facebook Pixel)

Meta Pixel may be used for:

  • measuring advertising effectiveness,
  • retargeting users who have visited the service,
  • creating audiences with similar characteristics,
  • analyzing actions taken in the service, such as registration or user activity.

Depending on the configuration of the tool and the consents granted, Meta may receive information about visiting the website, events occurring in the service, technical browser or device data, and identifiers assigned by Meta tools.

4.4. TikTok Pixel

TikTok Pixel may be used for:

  • tracking conversions,
  • retargeting users,
  • optimizing advertising campaigns,
  • measuring actions taken by users in the service.

4.5. Google Ads

Google Ads may be used for:

  • tracking conversions,
  • retargeting,
  • analyzing the effectiveness of advertisements and marketing campaigns.

5. Cookies, sessions and similar technologies

5.1. What cookies and similar technologies are

Cookies are small text files stored on the user’s end device. Alongside cookies, we may also use other storage mechanisms on the browser side, such as localStorage. Not every such mechanism is a cookie, but it may also affect the user’s privacy, which is why we describe it in this policy.

5.2. Types of technologies used

  • Necessary – enable the operation of the service, login, session maintenance, security and language selection.
  • Functional – remember preferences, e.g. language.
  • Analytical – are used for statistics and optimization of the service’s functioning.
  • Marketing – are used for campaign measurement, remarketing and ad personalization.
  • Third-party technologies – may be set by external tools, e.g. Google, Meta or TikTok, after the appropriate consent has been given.

5.3. Our own HTTP cookies (Set-Cookie)

Name Purpose Nature Example storage period
altitrip_locale Remembering the preferred language of the website Functional / necessary for convenience of use Approximately 365 days
ci_session User session identifier in the CodeIgniter-based application Necessary According to the session configuration; by default, the session lifetime is 7200 seconds
remember Handling the “remember me” feature during login Functional / related to login Depending on the login mechanism configuration

Under the current security configuration, the CSRF token is stored in the session rather than in a separate cookie. This means that, as a rule, the user does not receive a separate CSRF cookie under the current session-based protection setting.

5.4. Session data on the server side

Apart from the ci_session cookie itself, data associated with the session may be stored on the server side, in particular:

  • information about the user being logged in,
  • data related to CSRF protection,
  • data used during external login / OAuth, such as, for example, the login process state, redirect, language or security parameters,
  • data necessary for the operation of application mechanisms, e.g. flash messages, ad rotation or temporary session settings.

These are not separate cookie names – this is the content of the session on the application side.

5.5. localStorage and other mechanisms on the browser side

Key Purpose Nature
altitrip_cookie_consent_v1 Recording the user’s choices in the consent banner, including the selection of consent categories and the timestamp Technical / related to consent management
altitrip_recent_search Remembering recent searches in the header Functional
altitrip_locale Mirror storage of the language choice on the JavaScript side Functional

5.6. Third-party cookies and technologies

After analytics or marketing is enabled through the consent banner and after the relevant tags are launched, cookies and similar identifiers from external providers, such as Google, Meta or TikTok, may also appear. Their scope, names and storage duration may depend on the specific configuration of the tools, the versions of the tags and the consent given by the user.

5.7. How to manage cookies and similar technologies

  • You can manage cookies through your browser settings – you can block or delete them.
  • You can use our consent banner – selecting which categories you accept, provided that such a mechanism is active.
  • You can use opt-out tools or privacy settings of external providers such as Google, Meta or TikTok.

6. Hosting and data processors

6.1. Hosting provider

Dhosting.pl

Our server is located in Poland. Dhosting.pl processes data solely as a processor on our behalf, in accordance with the data processing agreement concluded with it or another appropriate legal basis for cooperation.

6.2. Other processors or recipients of data

Entity Purpose Registered office / area of operation Notes regarding data protection
Google Ireland Ltd. and Google affiliated entities Analytics, ads, tag management Ireland / possible transfers outside the EEA Processing in accordance with Google documentation and appropriate data transfer mechanisms
Meta Platforms Ireland Ltd. and Meta affiliated entities Marketing, analytics, remarketing Ireland / possible transfers outside the EEA Processing in accordance with Meta documentation and appropriate data transfer mechanisms
TikTok Technology Ltd. and TikTok affiliated entities Marketing, analytics, campaign measurement Ireland / possible transfers outside the EEA Processing in accordance with TikTok documentation and appropriate data transfer mechanisms

7. User rights

In accordance with the GDPR, you have the right to:

  • access to data – you may request a copy of your data,
  • rectification – you may correct inaccurate data,
  • erasure – you may request deletion of your account and data (“right to be forgotten”),
  • restriction of processing – you may request restriction of processing in certain situations,
  • data portability – you may receive your data in a structured format,
  • objection – you may object to processing based on the controller’s legitimate interest, including processing for marketing purposes,
  • withdrawal of consent – you may withdraw consent to processing based on consent at any time, without affecting the lawfulness of processing carried out before its withdrawal,
  • lodging a complaint – with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw).

7.1. How to exercise your rights

To exercise any of the above rights, send a message to: hello@altitrip.com.

We will respond within 30 days, unless the law allows this period to be extended. We may request additional information in order to verify your identity.

8. Data security

  • SSL/HTTPS encryption – all data transmissions are encrypted.
  • Encrypted passwords – we store passwords only in hashed form.
  • Regular updates – the system is updated as needed for security and maintenance purposes.
  • Restricted access – only authorized persons have access to the data.
  • Backups – we regularly create backup copies.
  • Monitoring – the infrastructure may be monitored for attacks, abuse and security incidents.
  • Technical logs – we keep logs necessary for maintaining security, diagnosing errors and possible cooperation with authorized authorities.

9. Transfers of data outside the EU/EEA

Some of the tools we use may involve transfers of data outside the European Economic Area.

In such cases, the data is transferred with the application of appropriate safeguards required by Chapter V of the GDPR, in particular on the basis of:

  • an adequacy decision,
  • standard contractual clauses,
  • other legally permissible data transfer mechanisms used by the given provider.

The current transfer mechanism may depend on the specific provider, the type of service, the location of the recipient and the provider’s current legal and contractual documentation.

10. Children’s data

The Altitrip.com service is not directed to children under 16 years of age. We do not knowingly collect data of children under 16 years of age.

If you are under 16 years of age, do not create an account without the consent of your parents or legal guardians.

If you are a parent or guardian and believe that your child has shared data with us, please contact us at: hello@altitrip.com.

11. Changes to the Privacy Policy

We reserve the right to amend this Privacy Policy.

We will inform you of all significant changes by means of:

  • a notice in the service,
  • an e-mail to registered users – if the change is significant and if we have the relevant contact address,
  • an update of the “last updated” date.

Continued use of the service after changes means their acceptance to the extent permitted by law. If you do not accept the changes, you may stop using the service and delete your account.

12. Contact

You may direct any questions regarding the protection of personal data to:

Support Przemysław Otulakowski
ul. św. Wojciecha 9 of/8
59-220 Legnica
E-mail: hello@altitrip.com

Data Protection Officer: Not required for our activity.

For GDPR matters, contact is made directly with the Controller.