Privacy Policy
Last updated: February 1, 2026
For Detailed Information
This Privacy Policy contains all essential information about how we handle your personal data. For additional technical details about our data processing infrastructure, you may also review our Data Processing Agreement (DPA).
View Data Processing AgreementOverview
Quack Foundry ("we," "us," or "our") is committed to protecting your personal data and respecting your privacy rights. This Privacy Policy explains how we collect, use, and protect your information when you use our platform for managing sports event photos.
Technology: Our system uses OCR (Optical Character Recognition) technology to identify bib numbers in photos. We do not use facial recognition or biometric technologies (Art. 9 GDPR).
Data Controller
Quack Foundry
Michał Żak, conducting unregistered business activity
(Details will be updated after company registration)
ul. Sienna 9, 70-542 Szczecin, Poland
Email: hello@quackfoundry.com
GDPR Compliance
We comply with the General Data Protection Regulation (GDPR) and Polish data protection law. We process personal data only where we have a legal basis to do so.
Information We Collect
We collect the following categories of personal data:
1. Account Information (Organizers)
- Email address
- Name (optional)
- Temporary authentication tokens (we do not store passwords)
2. Event Data
- Race participant information (name, surname, bib number, email address)
- Participant-event associations
Source: Data is uploaded exclusively by the Event Organizer. We do not source participant data from public registers or third parties independently.
3. Photos
- Race photos uploaded by Organizers
- Photo metadata (date, file location, bib number recognized by OCR)
4. Technical Data
- IP address
- Browser type and operating system
- Access logs (time, date, page)
- Cookies (session, authentication)
Processing Purposes and Legal Bases
| Processing Purpose | Legal Basis (GDPR) | Justification |
|---|---|---|
| Providing the Service (photo hosting, Organizer panel) | Contract performance (Art. 6(1)(b)) | Necessary to provide platform functionality |
| Matching photos to participants (bib number OCR) | Legitimate interest (Art. 6(1)(f)) | Our interest is to enable participants to easily find their photos without manually searching galleries. We assessed that this interest does not override participants' rights because: bib numbers are public and visible during the race; we do not process biometric data; photo access requires email authorization. You have the right to object to this processing (see "Your Rights" section). |
| Sending emails with access links | Contract performance (Art. 6(1)(b)) | Necessary for authentication |
| Ensuring security and fraud prevention | Legitimate interest (Art. 6(1)(f)) | Protecting infrastructure and data from unauthorized access |
| Fulfilling tax and accounting obligations | Legal obligation (Art. 6(1)(c)) | Requirements of Polish law (Accounting Act, Tax Ordinance) |
| Marketing (with your consent) | Consent (Art. 6(1)(a)) | Voluntary consent for newsletter |
How We Use Your Data
We use your personal data for the following purposes:
- Providing and maintaining the Service - photo hosting, account management, access authorization
- Matching photos to participants - automatic bib number recognition (OCR) and gallery indexing
- Communication - sending access links, event notifications, responding to inquiries
- Security - error monitoring, preventing unauthorized access
- Legal obligations - issuing invoices, maintaining accounting records
The system automatically matches photos to participants based on bib numbers (OCR). We do not use profiling (assessment of personal characteristics) or automated decisions that significantly affect your rights within the meaning of Art. 22 GDPR.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:
| Data Category | Retention Period | Basis |
|---|---|---|
| Race photos | Up to 5 years from the event date | Statute of limitations (Art. 118 Civil Code) |
| Participant data (email, bib number, name) | Up to 5 years from the event date | Statute of limitations |
| Organizer accounts | Duration of account plus 6 years after deletion | Tax and accounting requirements |
| Technical logs (IP, browser) | Up to 90 days | Security and monitoring |
| Invoices and accounting documents | 6 years from end of fiscal year | Accounting Act |
Right to early deletion: You may request deletion of your data at any time (see "Your Rights" section).
Children's Privacy
Our Service is intended for general audiences and event organizers. We do not knowingly collect personal data directly from children under 16.
If the Event Data provided by the Organizer includes data of minors, the Organizer warrants that they have obtained appropriate consent from parents or legal guardians.
If we become aware that we have collected personal data from a child without parental consent verification, we will take steps to remove that information from our servers.
Data Recipients
We share your personal data with the following recipients (entities processing data on our behalf or as independent controllers):
Data Processors (Sub-processors)
We engage trusted sub-processors to provide the Service. The current list of sub-processors, including their locations, processing purposes, and applicable safeguards, is maintained in our Data Processing Agreement (DPA), Section 4 and Appendix — Sub-processors.
View the full sub-processor list in the DPAIndependent Controllers
| Recipient | Purpose | Basis |
|---|---|---|
| Event organizers | Managing their events and participant data | The Organizer is an independent Data Controller for participant data. Details in the DPA (Data Processing Agreement). |
| Government authorities (e.g., Tax Office, ZUS, UODO) | Fulfilling legal obligations | Art. 6(1)(c) GDPR (legal obligation) |
Additional information for Organizers: If you are an event organizer, the detailed terms of processing your participants' data are governed by the Data Processing Agreement (DPA). View Data Processing Agreement.
Data Transfers Outside the European Economic Area (EEA)
We may transfer personal data outside the EEA in connection with providing the Service. Details regarding international data transfers, including the specific recipients, transfer mechanisms, and safeguards applied, are set out in Section 10 of our Data Processing Agreement (DPA).
The majority of data processing takes place within the EEA.
Your Privacy Rights
Under GDPR, you have the following rights:
1. Right of Access (Art. 15 GDPR)
View a copy of your personal data. We will respond within 30 days of receiving your request.
2. Right to Rectification (Art. 16 GDPR)
Correction of inaccurate or incomplete data.
3. Right to Erasure (Art. 17 GDPR)
Request deletion of your data if: it is no longer necessary for the purposes for which it was collected; you have withdrawn consent; you have raised a justified objection; data was processed unlawfully. Exceptions: We cannot delete data required by law (e.g., invoices - 6 years).
4. Right to Restriction of Processing (Art. 18 GDPR)
Request suspension of data processing (e.g., while verifying data accuracy).
5. Right to Data Portability (Art. 20 GDPR)
Receive your data in a machine-readable format (e.g., CSV, JSON) and transfer it to another controller.
6. Right to Object (Art. 21 GDPR)
You may object to processing based on legitimate interest (Art. 6(1)(f)), in particular: photo matching based on OCR bib number recognition; data processing for security purposes. Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds.
7. Right to Withdraw Consent (Art. 7(3) GDPR)
If we process data based on your consent (e.g., newsletter), you have the right to withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.
8. Right to Lodge a Complaint (Art. 77 GDPR)
File a complaint with the Office for Personal Data Protection (UODO), ul. Stawki 2, 00-193 Warsaw, Poland. Phone: +48 22 531 03 00, Email: kancelaria@uodo.gov.pl
How to Exercise Your Rights?
To exercise the above rights, contact us:
Email: hello@quackfoundry.com
Address: Quack Foundry, ul. Sienna 9, 70-542 Szczecin, Poland
We will respond within 30 days (or 60 days in complex cases, with notification of the extension).
Identity verification: To protect your data, we may ask you to verify your identity.
Obligation to Provide Data
| Data | Required/Voluntary | Consequences of Not Providing |
|---|---|---|
| Email address (Participant) | Required | Unable to receive access link to photos |
| Email address (Organizer) | Required | Unable to create an account and use the Service |
| Participant data (provided by Organizer) | Required for matching | Unable to automatically assign photos |
| Newsletter consent | Voluntary | No marketing communications (does not affect Service use) |
Data Security
We have implemented appropriate technical and organizational measures to protect your data against unauthorized access, loss, or misuse:
Technical measures:
- Transmission encryption: TLS 1.3 (HTTPS)
- Storage encryption: All stored data encrypted at rest with AES-256
- Passwordless authentication: One-time access codes (OTP) sent via email - eliminating the risk of weak/stolen passwords
- Monitoring: Automatic detection of unauthorized access attempts and error tracking
- Backup: Daily data backups
Organizational measures:
- Access to personal data limited to authorized employees/contractors
- Data processing agreements with processors (Art. 28 GDPR)
- Data breach notification procedure
No system is 100% secure. In the event of a data breach affecting your rights, we will notify you in accordance with Art. 34 GDPR (within 72 hours of discovery).
For a comprehensive description of technical and organizational security measures, see Appendix 1 of our Data Processing Agreement (DPA). View Data Processing Agreement.
Cookies
We use cookies exclusively for essential and functional purposes necessary for the operation of the Service. We do not use analytics, marketing, or tracking cookies.
For a complete list of cookies used, including their names, purposes, and retention periods, please refer to our Cookie Policy.
You can manage cookies in your browser settings. Disabling cookies may limit site functionality (e.g., inability to log in).
View Cookie PolicyChanges to This Policy
We may update this Privacy Policy from time to time (e.g., due to changes in functionality or regulations).
We will notify you of significant changes by:
- Updating the date at the top of this document
- Sending an email notification (for Organizers with accounts)
- Displaying a notice on the homepage (for Participants)
We recommend regularly reviewing this Policy to stay informed about how we protect your data.
Contact Information
For privacy inquiries, please contact:
Quack Foundry
Michał Żak, conducting unregistered business activity
ul. Sienna 9, 70-542 Szczecin, Poland
Email: hello@quackfoundry.com
For Organizers: Detailed technical information about data processing infrastructure (sub-processors, AWS regions, security certificates) is available in the Data Processing Agreement (DPA). View Data Processing Agreement.
© 2026 Quack Runners. We facilitate event management.