Privacy Policy
Last Updated: January 2026
1. Introduction
Welcome to kosciolotwarty.pl (Open Churches) ("we", "us", "our"). We are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains what information we collect, how we use, store, and protect it, in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Data Controller
The controller of your personal data is:
Tomedio Tomasz Bajorek
Email: contact@tomedio.com
If you have any questions regarding the processing of your personal data, please contact us at the email address above.
3. Information We Collect
3.1 Account and Profile Data
When you create an account on our service, we collect:
- Full name
- Email address (used as primary identifier)
- Password (stored only as a bcrypt hash, never in plain text)
- Username (optional, for profile personalization)
- Location (optional, for better search results)
- Geographic coordinates (optional, if location provided)
- Avatar preference (option to use Gravatar)
- Profile picture (optional, URL or uploaded image)
- User role (USER, MANAGER, EDITOR, ADMIN)
3.2 Authentication Data
When logging in through OAuth providers, we collect:
- OAuth identifiers (Google, Facebook)
- Access tokens (access_token, refresh_token)
- ID tokens (id_token)
- Token expiration times
- Permission scope (scope)
- Session state (session_state)
3.3 Location Data
We collect location data to show you nearby churches:
- Browser location (requires your permission)
- Saved location (stored in cookie for 30 days)
- Geographic coordinates (latitude and longitude)
- Address (obtained through reverse geocoding)
- Location fetch time (for cache management)
Legal basis: Consent (Art. 6(1)(a) GDPR)
3.4 User Activity and Preferences
We collect information about your preferences and activity:
- Favorite churches (saved for quick access)
- Issue reports (reports about incorrect information)
- Managed parishes (if you have a manager role)
- Access permissions (for managing specific entities)
- Blog posts (if you create content)
3.5 Technical and Usage Data
We automatically collect:
- Access logs (date and time of visits)
- Browser information (type, version, language)
- IP address (for security and analytics)
- Search parameters (queries, filters)
- Page path (visited URLs)
- URL parameters (search, serviceType, date)
3.6 Behavioral Data (Security)
To detect bots and ensure security, we anonymously track:
- Mouse movements (number of movements)
- Time on page (milliseconds)
- Click delays (timer between actions)
This data is not permanently stored and serves solely to protect against automated attacks.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
3.7 Newsletter Data
If you subscribe to our newsletter:
- Email address
- First name (optional)
- Last name (optional)
- Subscription date
- Subscription status (SUBSCRIBED/UNSUBSCRIBED)
4. How We Use Your Information
We use collected data to:
4.1 Provide Services
- Create and manage your account
- Authenticate and authorize access
- Display personalized search results
- Save your favorite churches
- Enable content management (for managers/editors)
Legal basis: Contract performance (Art. 6(1)(b) GDPR)
4.2 Communication
- Send verification emails
- Reset passwords
- Send newsletters (only with consent)
- Respond to issue reports
Legal basis: Contract performance (Art. 6(1)(b) GDPR) or Consent (Art. 6(1)(a) GDPR)
4.3 Improve User Experience
- Analyze service usage
- Optimize functionality
- Identify bugs and technical issues
- Develop new features
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
4.4 Security
- Protect against unauthorized access
- Detect and prevent abuse
- Identify and block bots
- Ensure data integrity
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
5. Third-Party Services
We use the following third-party services:
5.1 Google Services
- Google OAuth 2.0 - login via Google account
- Google Analytics (GA4) - website analytics (only with cookie consent)
Google Privacy Policy
5.2 Facebook OAuth
- Facebook Login - login via Facebook account
Facebook Data Policy
5.3 EmailOctopus
- Newsletter management - subscription handling and newsletter delivery
EmailOctopus Privacy Policy
5.4 Nominatim (OpenStreetMap)
- Reverse geocoding - conversion of coordinates to addresses
- Service does not store personal data
Nominatim Usage Policy
5.5 Email Service Provider
- Transactional emails - verification, password reset, notifications
Important: These services have their own privacy policies. We encourage you to review them through the links above.
6. Cookies and Similar Technologies
6.1 Types of Cookies
We use the following types of cookies:
Essential Cookies (Required)
- Consent cookie (cookie_consent) - stores your cookie acceptance decision (validity: 1 year)
- Session cookie (next-auth.session-token) - maintains logged-in user session (validity: 30 days)
- CSRF token - protection against CSRF attacks
Functional Cookies (Optional)
- Location cookie (user_location) - stores your location (validity: 30 days, cache: 30 minutes)
Analytics Cookies (Require Consent)
- Google Analytics (_ga, _gid, _gat) - traffic and user behavior analysis
- Tracks: pageviews, search queries, filter usage, route changes
6.2 Cookie Management
For non-logged users: We display a modal requesting cookie consent. You can accept or decline.
For logged-in users: Login is treated as consent for essential and functional cookies.
Withdrawing consent: You can clear cookies in browser settings. Google Analytics only runs after consent.
6.3 Third-Party Tracking
Google Analytics:
- Tracks route changes
- Records searches and filters
- Does not track admin panel pages (/panel)
- Complies with GDPR and requires consent
7. Data Security
We have implemented comprehensive security measures:
7.1 Encryption
- Passwords: Hashed using bcrypt (with salt)
- Connections: HTTPS/TLS only
- Tokens: JWT with cryptographic signature
7.2 Access Control
- Authentication: NextAuth.js with multi-level verification
- Authorization: Role-based system (RBAC) - USER, MANAGER, EDITOR, ADMIN
- Permission hierarchy: Access management at diocese/deanery/parish/church level
7.3 Additional Measures
- Regular security audits
- Monitoring of unauthorized access attempts
- Bot detection (behavioral tracking)
- CSRF and XSS protection
- API rate limiting
7.4 Data Storage
- PostgreSQL database on secure servers
- Regular backups
- Encryption at rest
- Access only for authorized personnel
8. Data Retention Periods
8.1 Account Data
- Active accounts: Throughout account lifetime
- Inactive accounts: May be deleted after 3 years of inactivity (with notification)
- Deleted accounts: Immediately, except data required by law (e.g., invoices - 5 years)
8.2 Sessions and Authentication
- Session cookies: 30 days or until logout
- Verification tokens: Deleted after use or expiration
- Password reset tokens: Deleted after use or expiration
8.3 Location Data
- Location cookie: 30 days (renewed with each use)
- Location cache: 30 minutes
8.4 Logs and Analytics
- Server logs: 90 days
- Google Analytics: According to Google's policy (default 26 months)
8.5 Newsletter
- Active subscriptions: Until unsubscribed
- Cancelled subscriptions: Email stored to prevent re-subscription (opt-out list)
9. Your Rights (GDPR)
Under GDPR, you have the following rights:
9.1 Right of Access (Art. 15)
You can obtain confirmation whether we process your data and receive a copy.
9.2 Right to Rectification (Art. 16)
You can correct inaccurate or incomplete personal data.
How to exercise: Log in → Profile → Edit data
9.3 Right to Erasure (Art. 17)
You can request deletion of your data ("right to be forgotten").
How to exercise: Log in → Settings → Delete account
9.4 Right to Restriction of Processing (Art. 18)
You can request restriction of processing your data in certain situations.
9.5 Right to Data Portability (Art. 20)
You can receive your data in a structured format (JSON/CSV) and transfer it to another provider.
How to exercise: Write to us at contact@tomedio.com requesting data export
9.6 Right to Object (Art. 21)
You can object to processing of your data for marketing purposes or based on legitimate interest.
9.7 Right to Withdraw Consent (Art. 7(3))
If processing is based on consent, you can withdraw it at any time.
How to exercise:
- Newsletter: "Unsubscribe" link in email
- Cookies: Clear cookies in browser settings
- Location: Delete in profile settings
9.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority:
Personal Data Protection Office (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
Email: kancelaria@uodo.gov.pl
Tel: +48 22 531 03 00
10. International Data Transfers
Some of our third-party services may process data outside the European Economic Area (EEA):
- Google (USA): Complies with EU Standard Contractual Clauses and Data Privacy Framework
- Facebook (USA): Complies with EU Standard Contractual Clauses
- EmailOctopus (UK): Post-Brexit, applies appropriate safeguards
We ensure all data transfers are protected by appropriate measures compliant with GDPR.
11. Children's Privacy
Our service is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you learn that a child has provided us with personal data without parental/guardian consent, please contact us and we will delete such data.
12. Changes to Privacy Policy
We may periodically update this Privacy Policy. We will notify you of significant changes through:
- Updating the "Last Updated" date at the top of the document
- Email (for significant changes)
- Website notification (for significant changes)
We recommend regularly checking this page to stay informed about current privacy practices.
13. Contact
If you have questions, comments, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:
Email: contact@tomedio.com
Response time: Within 30 days (as required by GDPR)
Thank you for trusting and using kosciolotwarty.pl (Open Churches)!