⚠ The Polish version is legally binding
This translation is provided for convenience only. Go to the Polish version.
Draft version — version 1.0.
This document is under legal review and may change.
Privacy Policy — FotoDoKarty
Effective date: 2026-05-22
§ 1. Data controller
The controller of personal data of users of fotodokarty.pl is Rodion Baronov, address: Aleja Solidarności 68/121, 00-240 Warszawa, Poland, NIP: 7011263818, REGON: 541925970, e-mail: kontakt@fotodokarty.pl (hereinafter “Controller”).
For matters relating to personal data protection, please contact us at: kontakt@fotodokarty.pl.
§ 2. Categories of data
The Controller may process the following categories of data:
- Identification and contact data — Telegram user identifier (user_id), first name/username (if shared by Telegram), preferred language, e-mail address;
- Transaction and order data — order number, amount, payment status, payment method, transaction reference;
- Files submitted by the user — selfie submitted for processing;
- Finished digital files — Service results (JPG files, print sheet);
- Technical and log data — IP address, user agent, timestamps, session identifier;
- Communication data — content of correspondence, contact history.
§ 3. Purposes and legal bases for processing
| Purpose | Legal basis |
|---|---|
| Providing the Service (photo processing, delivery of the result) | Art. 6(1)(b) GDPR — performance of a contract |
| Payment processing and order handling | Art. 6(1)(b) GDPR — performance of a contract |
| Fulfilment of tax and accounting obligations | Art. 6(1)(c) GDPR — legal obligation |
| Defence against claims and platform security | Art. 6(1)(f) GDPR — legitimate interest |
| Responding to enquiries unrelated to the contract | Art. 6(1)(f) GDPR — legitimate interest |
| Direct marketing (if applicable) | Art. 6(1)(a) GDPR — consent (separate, optional) |
§ 4. Processing of photos
- The selfie submitted by the user constitutes personal data.
- The Service processes the photo solely for the technical purpose of preparing the document photo file: cropping, background levelling, verification of face position and biometric parameters of MOS/ICAO 9303. The Service does not identify the user’s identity and does not build biometric templates for face matching or identity verification.
- Given the above scope of processing, operations on photos are carried out on the basis of Art. 6(1)(b) GDPR (performance of a contract), not Art. 9 GDPR.
§ 5. Retention periods
| Data | Retention period |
|---|---|
| Selfie submitted by the user and finished result files | 24 hours from delivery of the result, then automatic deletion |
| Telegram user identifier and transaction data | Until claims become time-barred, no longer than required by tax law (5 years from the end of the tax year) |
| Technical logs | 12 months |
| Correspondence | Until the matter is concluded, no longer than the limitation period for claims |
§ 6. Recipients of data
Data may be transferred to entities providing services to the Controller:
- Telegram Messenger Inc. / Telegram FZ-LLC — communication and file delivery platform;
- Replicate, Inc. (USA) — artificial intelligence services (image processing, background removal). Transfer to the USA is made on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission;
- Cloudflare, Inc. (USA) — hosting, CDN, firewall, platform security. Cloudflare may process metadata outside the EEA; transfer is made on the basis of SCCs;
- PayPro S.A. / Przelewy24 — payment processing, when active. PayPro S.A. may act as a separate controller in the scope of its regulated payment activity;
- e-mail and technical support providers — to the extent necessary for service delivery.
§ 7. Transfers outside the EEA
The Controller seeks to limit transfers of data outside the European Economic Area. When using services of Replicate, Inc. and Cloudflare, Inc., data may be processed in the USA on the basis of Standard Contractual Clauses (SCCs, European Commission decision of 4 June 2021).
§ 8. Rights of data subjects
Users have the right to:
- access their data (contact: kontakt@fotodokarty.pl);
- rectification of inaccurate data;
- erasure of data (right to be forgotten);
- restriction of processing;
- portability of data;
- objection to processing based on legitimate interest;
- withdraw consent at any time — where processing is based on consent (withdrawal does not affect the lawfulness of processing carried out before withdrawal);
- lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warszawa, https://uodo.gov.pl).
To exercise these rights, please contact: kontakt@fotodokarty.pl. The Controller will respond without undue delay, no later than one month from receipt of the request.
§ 9. Provision of data
Providing data is voluntary, but to the extent necessary for concluding and performing the contract (e-mail, selfie) — it is required in order to place and fulfil an order. Failure to provide the required data makes it impossible to conclude or fulfil the contract.
§ 10. Automated decision-making
The Service applies automatic technical verification of selfie quality (face position, sharpness, lighting). The result of this verification is auxiliary and technical in nature — it produces no legal effects outside the Service. Users may contact the Controller to request manual review.
§ 11. Security
The Controller applies appropriate technical and organisational measures commensurate with the risk, including transmission encryption (TLS), access control to production systems, and automatic deletion of photos upon expiry of the retention period.
§ 12. Cookies
The website fotodokarty.pl uses only strictly necessary cookies required for the operation of the service (security, Cloudflare session). We do not use analytical or marketing cookies. Details: Cookie Policy.