Language version notice
These legal documents were drafted in Polish. Other language versions may be machine translations and are provided for convenience only. In case of discrepancies, the Polish version prevails.
Medical disclaimer
SafeTripVax provides general information about diseases and vaccines. It does not provide medical advice, diagnosis, or treatment.
- Always consult a healthcare professional before making health decisions
- Information may not be complete or up-to-date for all regions
- Vaccine requirements change frequently - verify with official sources
GDPR & DPIA approach
We apply GDPR principles such as data minimization, access control, and privacy by design. For processing likely to result in high risk, we conduct a Data Protection Impact Assessment (DPIA).
- Data minimization - we only collect what is necessary
- Purpose limitation - data used only for stated purposes
- Storage limitation - data deleted when no longer needed
- Regular DPIA reviews when processing changes
Quick links
What data we collect
We collect account data (email, name), profile data (travel preferences, vaccination history), usage data (pages visited, features used), and communication data (messages, support requests).
Why we process data
To provide and improve our services, personalize your experience, ensure security, comply with legal obligations, and communicate with you about your account.
Your rights
You can access, rectify, erase, restrict, port your data, object to processing, and lodge complaints with supervisory authorities.
Legal basis for processing
| Purpose | Legal basis | Details |
|---|---|---|
| Account creation | Contract performance | Necessary to provide our services |
| Vaccination tracking | Consent | You explicitly opt-in to this feature |
| Analytics | Legitimate interest | To improve our services |
| Marketing emails | Consent | Only with your explicit permission |
| Security measures | Legitimate interest | To protect our platform and users |
| Legal compliance | Legal obligation | Required by applicable laws |
Recipients & retention periods
We share data with the following categories of recipients and retain it for the specified periods:
| Recipient | Purpose | Data shared | Retention |
|---|---|---|---|
| Supabase (hosting) | Platform infrastructure | All account data | Account lifetime + 5 years |
| Stripe (payments) | Payment processing | Payment details | 7 years (legal requirement) |
| Google Analytics | Usage analytics | Anonymized usage data | 26 months |
| Anthropic PBC (translations) | Content translation | Text content for translation | Processing time only |
| Vercel Inc. (hosting) | Application hosting | Request metadata, IP address | Server logs: 30 days |
| Clinics (your choice) | Appointment booking | Contact info, vaccination history | Until you revoke |
Data Protection Officer (DPO)
We have appointed a Data Protection Officer (DPO) in accordance with GDPR Art. 37. You can contact our DPO for any questions regarding the processing of your personal data or the exercise of your rights under GDPR:
Data Protection Officer
Email: dpo@safetripvax.com
EPKO SP. Z O.O., ul. Podleśna 2, 05-270 Marki, Poland
Data processors (Art. 28 GDPR)
We use the following data processors to provide our services. All processors are bound by Data Processing Agreements (DPA) in accordance with Art. 28 GDPR:
| Processor | Purpose | Location | Transfer basis |
|---|---|---|---|
| Supabase Inc. | Database, authentication, storage | AWS EU (Frankfurt) | SCC |
| Stripe Inc. | Payment processing | USA | SCC + EU-US DPF |
| Google LLC | Analytics, Maps | USA | SCC + EU-US DPF |
| Anthropic PBC | Content translation | USA (San Francisco) | SCC + EU-US DPF |
| Vercel Inc. | Application hosting (Next.js) | Edge (global) | SCC + EU-US DPF |
Data Controller
The data controller is EPKO SP. Z O.O., ul. Podleśna 2, 05-270 Marki, Poland. Contact: office@safetripvax.com
Security measures
- All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access controls with role-based permissions
- Regular security audits and penetration testing
- Multi-factor authentication available for all accounts
- Automated threat detection and monitoring
Security contact
To report security vulnerabilities, contact us at security@safetripvax.com. We follow responsible disclosure practices.
International transfers
Some of our service providers are located outside the European Economic Area (EEA). We ensure appropriate safeguards through Standard Contractual Clauses (SCCs) approved by the European Commission.
Google Privacy Policy: policies.google.com/privacy
EU Standard Contractual Clauses: commission.europa.eu/.../scc_en
Automated decision-making
We use automated processing to generate informational health summaries based on publicly available WHO data and your optional health profile. These summaries are for educational purposes only and do not constitute medical advice or clinical recommendations. You may request a manual review of any automated output by contacting us at dpo@safetripvax.com. Any personalization is based on your explicit preferences and can be adjusted or deleted at any time.
Health profile data processing
If you choose to create a health profile, we process the following data to generate informational travel health summaries. This processing is based on your explicit consent (GDPR Art. 9(2)(a)) and is for educational purposes only:
- Data processed: Age group, pregnancy status, immunosuppression status, chronic conditions, allergies, blood type (all optional)
- How it works: Your profile data is combined with publicly available WHO health indicators to generate informational summaries about commonly required vaccinations for your destination
- Transparency: The methodology is based on WHO International Travel and Health recommendations. Score thresholds and data sources are documented on each country page
- Right to opt out: You can delete your health profile at any time in Settings → Privacy. This will immediately remove all health-related data and disable personalized summaries
- No clinical decisions: Outputs are informational only and must not replace consultation with a qualified healthcare professional
Data breach notification
In the event of a personal data breach, we follow GDPR Art. 33 and Art. 34 procedures:
- Supervisory authority notification: We will notify PUODO (the Polish Data Protection Authority) within 72 hours of becoming aware of a breach that is likely to result in a risk to your rights and freedoms
- User notification: If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay via email and a prominent notice on our website
- Notification content: We will describe the nature of the breach, the likely consequences, the measures taken or proposed to address the breach, and contact details of our DPO
- Documentation: We maintain a register of all data breaches, including their effects and remedial actions taken, regardless of whether they are reportable
Supervisory authority
You have the right to lodge a complaint with the supervisory authority responsible for data protection. The competent authority for SafeTripVax is:
Prezes Urzędu Ochrony Danych Osobowych (PUODO)
ul. Stawki 2, 00-193 Warszawa, Poland
Tel.: +48 22 531 03 00
Website: www.uodo.gov.pl
Email: kancelaria@uodo.gov.pl
Exercising your rights
1. Log in to your account and go to Settings → Privacy
2. Select the action you want to perform (access, download, delete, etc.)
3. For complex requests, contact our DPO at dpo@safetripvax.com
4. We will respond within 30 days (extendable by 60 days for complex requests)
5. You can lodge a complaint with PUODO at any time (see Supervisory Authority section above)
Children's privacy
Our services are not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately and we will delete it.
§1. General provisions
This Privacy Policy describes how EPKO SP. Z O.O. ("we", "us", "SafeTripVax") processes your personal data.
We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR) and applicable Polish law.
By using our services, you acknowledge that you have read and understood this Privacy Policy.
§2. Scope of data processing
We process personal data that you provide directly (registration, forms, communication).
We collect technical data automatically (IP address, browser type, device information).
We may receive data from third parties (social login providers, payment processors).
Health-related data (vaccination history) is processed only with your explicit consent.
§3. Types of data collected
Account data: email address, name, password (hashed), profile picture
Profile data: travel preferences, vaccination history, health conditions (optional)
Usage data: pages visited, features used, time spent, device information
Communication data: messages, support tickets, feedback
Transaction data: payment history, subscription status
§4. Recipients of data
Hosting and infrastructure providers (Supabase, Vercel)
Payment processors (Stripe) - for premium services
Analytics services (Google Analytics) - anonymized data only
Clinics - only when you explicitly choose to share your data for appointment booking
Legal authorities - when required by law or court order
§5. International transfers
Some service providers are located outside the EEA (primarily USA).
We ensure adequate protection through EU-approved Standard Contractual Clauses.
We only use providers that comply with GDPR requirements or equivalent standards.
§6. Your rights
- Right of access - obtain a copy of your personal data
- Right to rectification - correct inaccurate data
- Right to erasure - delete your data ("right to be forgotten")
- Right to restriction - limit how we process your data
- Right to data portability - receive your data in a machine-readable format
- Right to object - object to processing based on legitimate interests
- Right to withdraw consent - withdraw consent at any time
- Right to complain - lodge a complaint with your supervisory authority (PUODO in Poland)
§7. Retention periods
Account data: retained while your account is active, plus 5 years after deletion for legal compliance
Transaction data: 7 years (Polish tax law requirement)
Analytics data: anonymized after 26 months
Communication data: 3 years after last contact
You can request deletion at any time, subject to legal retention requirements
§8. Security measures
We implement technical and organizational measures to protect your data.
All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
We conduct regular security audits and penetration testing.
Access to personal data is limited to authorized personnel only.
We maintain incident response procedures for data breaches.
§9. Changes to this policy
We may update this Privacy Policy from time to time.
Significant changes will be communicated via email or prominent website notice.
Continued use of our services after changes constitutes acceptance.
Previous versions are archived and available upon request.