Photo Manager # Privacy Policy

1. General Information

1. This Privacy Policy defines the principles of personal data processing by AGR Mateusz Dąbrowski (Data Controller).

2. Data Controller contact details:

• Name: AGR Mateusz Dąbrowski

• Tax ID: 5862264231

• REGON: 382289190

• Address: ul. Dąbrowskiego 4/2a, 81-417 Gdynia, Poland

3. The Controller ensures personal data security in accordance with GDPR.

4. Data protection contact: through the contact form in the application.

2. Types of Processed Data

1. Registration data: first name, last name, email address, password (in hashed form).

2. Technical data: IP address, browser information, system logs.

3. Google Drive access tokens: encrypted API keys enabling access to Google drives.

4. Photo metadata: file names, creation dates, sizes (without content access).

5. Usage data: information about application activity, statistics.

6. LEGAL NOTE: Google Drive tokens are specially protected and encrypted with AES-256 algorithm.

3. Legal Basis for Processing

1. Consent (Art. 6(1)(a) GDPR):

• Account registration and application use

• Google Drive connection and access token storage

• Marketing communication (optional)

2. Necessity for contract performance (Art. 6(1)(b) GDPR):

• Providing application services

• Photo gallery management

3. Legitimate interest (Art. 6(1)(f) GDPR):

• Ensuring system security

• Usage statistics analysis

• Defense against cybersecurity threats

4. Special Rules for Google Drive Tokens

1. KEY LEGAL INFORMATION:

2. Processing purpose: Tokens are used exclusively to access galleries specified by the User.

3. Security:

• AES-256 encryption in database

• Transmission via secure SSL/TLS connections

• Access only for authorized application processes

4. Access scope: Application has access only to gallery folders, not the entire drive.

5. User control:

• Ability to revoke access at any time

• Automatic token deletion after account deletion

• Ability to change permissions in Google settings

6. Storage: Tokens are stored until consent withdrawal or account deletion.

7. Sharing: Tokens are NEVER shared with third parties.

5. Data Processing Purposes

1. Providing application services:

• Managing user accounts

• Gallery synchronization with Google Drive

• People tagging in photos

2. Security:

• Protection against unauthorized access

• Suspicious activity monitoring

• Data backup and recovery

3. Communication:

• Notifications about important changes

• Responses to user inquiries

• Security breach information

4. Service improvement:

• Application usage analysis

• New functionality development

• Performance optimization

6. Data Sharing

1. General rule: Personal data is not sold or shared with third parties.

2. Exceptions (only to necessary extent):

• Technical service providers (hosting, backup) - confidentiality agreements

• Google LLC - to the extent necessary for Google Drive integration

• State authorities - based on applicable legal provisions

3. GOOGLE TOKENS: Are accessible exclusively to the application, never to third parties.

4. Processing location: All data is processed in the European Union.

5. Transfer outside EU: May occur only with appropriate safeguards (standard clauses).

7. Data Retention Period

1. Account data: Until account deletion by the User.

2. Google Drive tokens:

• Until consent withdrawal for Google Drive integration

• Until user account deletion

• Maximum 30 days after last login (inactive accounts)

3. System logs: Maximum 12 months from creation.

4. Data for legal purposes: For the period specified by law.

5. Backup: Data in backups is deleted within maximum 90 days.

8. User Rights

1. Right of access: Ability to obtain information about processed data.

2. Right to rectification: Correcting incorrect data.

3. Right to erasure ("right to be forgotten"):

• Account deletion removes all personal data

• Immediate deletion of Google Drive tokens

4. Right to restriction of processing: Suspension of certain operations.

5. Right to data portability: Receiving data in structured format.

6. Right to object: To processing based on legitimate interest.

7. Right to withdraw consent:

• Withdrawal of processing consent (at any time)

• Withdrawal of Google Drive access (immediate effect)

8. Right to lodge a complaint: To the President of the Personal Data Protection Office.

9. Data Security

1. Technical measures:

• Database encryption (AES-256)

• Secure SSL/TLS connections

• Regular security updates

• Two-factor authentication (optional)

2. Organizational measures:

• System access control

• Regular security audits

• Staff training

• Incident response procedures

3. Special Google token security:

• Additional encryption layer

• Token access monitoring

• Automatic encryption key rotation

4. In case of breach:

• Immediate user notification

• Report to supervisory authority (within 72h)

• Remedial and preventive actions

10. Cookies and Tracking Technologies

1. Types of cookies:

• Necessary - for application functionality

• Functional - remembering preferences

• Analytical - usage statistics (anonymous)

2. Cookie management: Configuration possible in browser settings.

3. Retention period: From session to 12 months (depending on type).

4. Purpose of use: Ensuring application functionality and security.

11. Privacy Policy Changes

1. The Controller reserves the right to update this Policy.

2. Users will be notified of significant changes 30 days in advance.

3. Changes regarding Google Drive tokens require renewed consent.

4. Current version is always available in the application.

5. Continued use means acceptance of changes.

12. Contact

1. For matters concerning personal data protection, please contact:

2. Email: through the contact form in the application

3. Correspondence address:

AGR Mateusz Dąbrowski

ul. Dąbrowskiego 4/2a

81-417 Gdynia, Poland

4. Response time: Maximum 30 days from receiving the inquiry.

5. Personal Data Protection Office:

ul. Stawki 2, 00-193 Warsaw, Poland

Phone: +48 22 531 03 00