Privacy Policy of mojapteczka.pl
Last updated: April 27, 2026
1. Data controller
The controller of personal data processed through the mojapteczka.pl service (hereinafter: the "Service") is:
mojApteczka, ul. Jeleniogórska 1/3B, 60-179 Poznań
NIP (Tax ID): 7842231011
Email: kontakt@mojapteczka.pl
(hereinafter: the "Controller").
2. Your data at a glance
Below is a clear overview of the data we process to keep the Service running:
| Data category | Examples | Purpose | Shared? |
|---|---|---|---|
| Personal data | Name, email (from Google/Facebook or registration) | Account management, authentication | Google, Meta (authentication) |
| Photos | Medicine packaging photos (temporary) | Medicine recognition via AI | No — deleted after analysis |
| Medicine data | Names, dosages, expiry dates, notes | Home medicine cabinet inventory | No |
| Financial data | Transaction identifiers, payment statuses | Subscription management | PayPro S.A. (Przelewy24) |
| Technical data | IP address, browser type | Security, Service operation | No |
| Advertising data | Advertising identifier (Android Advertising ID) | Serving ads (free plan) | Google AdMob, mediation partners |
| Precise location (GPS) | Device GPS coordinates (pharmacy locator) | Finding the nearest pharmacy | No — processed locally on device |
| Approximate location | IP-derived approximate location | Analytics, ads (free plan) | Google Analytics, Google AdMob, mediation partners |
- Your medical data (medicine list) is not sold or shared with third parties for advertising purposes.
- All data is stored within the EU (AWS Frankfurt, Germany).
- You can delete your account and all your data at any time (see section 8).
3. Legal Bases and Purposes of Processing
The Controller processes Users' personal data on the following legal bases:
- Art. 6(1)(b) GDPR — processing necessary for the performance of a contract (provision of the Service):
  - managing the User's account,
  - storing the medicine inventory,
  - providing scanning, alerts, and substitute search features.
- Art. 6(1)(c) GDPR — processing necessary for compliance with a legal obligation:
  - handling complaints and the right to withdraw from a contract,
  - maintaining accounting and tax documentation.
- Art. 6(1)(f) GDPR — legitimate interests of the Controller:
  - ensuring security and preventing abuse,
  - analysing how the Service is used to improve service quality,
  - pursuing or defending legal claims.
- Art. 6(1)(a) GDPR — User's consent:
  - processing data for marketing purposes (if the User has given consent).
4. Scope of Processed Data
The Controller processes the following categories of personal data:
- Identification data: first name, last name, email address (obtained from a Google account or Facebook account, or provided during registration).
- Account data: user identifier, account creation date, subscription plan.
- Medicine data: medicine information entered by the User (names, dosages, expiry dates, packaging photos).
- Transaction data: payment transaction identifiers, amounts, payment statuses (for paid plans).
- Technical data: IP address, browser type, operating system, device information — collected automatically to ensure the proper functioning of the Service.
- Advertising identifier: mobile device advertising identifier (Android Advertising ID) — collected only from users on the free plan to serve ads in the mobile application.
- Precise location (GPS): geographic coordinates of the mobile device — collected only after the User grants consent and used locally to find the nearest open pharmacies (pharmacy locator feature). Coordinates are not transmitted to mojapteczka.pl servers and are not shared with third parties as part of this feature.
- Approximate location: the User's approximate location derived from the IP address — collected automatically by Firebase Analytics and advertising partners (Google AdMob and mediation partners) for analytics and advertising purposes (applies only to users on the free plan).
5. Data recipients
Personal data may be disclosed to the following categories of recipients:
- Amazon Web Services (AWS) — cloud infrastructure provider; data stored within the EU (region eu-central-1, Frankfurt, Germany).
- Google Ireland Limited — for authentication via Google OAuth 2.0 and for serving ads via Google AdSense (website) and Google AdMob (mobile application). Ads apply only to users on the free plan.
- Meta Platforms Ireland Limited — for authentication via Facebook Login and as an advertising mediation partner (Meta Audience Network) in the mobile application (applies only to users on the free plan).
- AppLovin Corporation — as an advertising mediation partner in the mobile application (applies only to users on the free plan).
- InMobi Pte Ltd — as an advertising mediation partner in the mobile application (applies only to users on the free plan).
- PayPro S.A. Agent Rozliczeniowy (Przelewy24), ul. Pastelowa 8, 60-198 Poznań — for processing electronic payments.
- Cybot A/S (Cookiebot), Havnegade 39, 1058 Copenhagen, Denmark — cookie consent management platform (Consent Management Platform).
- Public authorities — in cases required by law.
Personal data is not transferred to third countries (outside the EEA) unless necessary for the operation of Google or Facebook authentication services, in which case the transfer is based on Standard Contractual Clauses (SCCs).
6. Data retention period
- Account and inventory data — for as long as the User uses the Service. After account deletion, data is removed within 30 days.
- Transaction data — for 5 years from the end of the tax year in which the transaction took place (tax obligation).
- Technical data (logs) — for 90 days.
- Data processed on the basis of consent — until consent is withdrawn.
7. User Rights
Under the GDPR, Users have the following rights:
- Right of access (Art. 15 GDPR) — the right to obtain information about the data being processed.
- Right to rectification (Art. 16 GDPR) — the right to correct inaccurate data.
- Right to erasure (Art. 17 GDPR) — the "right to be forgotten."
- Right to restriction of processing (Art. 18 GDPR) — the right to request restriction of data processing.
- Right to data portability (Art. 20 GDPR) — the right to receive data in a machine-readable format.
- Right to object (Art. 21 GDPR) — the right to object to processing based on legitimate interests.
- Right to withdraw consent — at any time, without affecting the lawfulness of processing carried out prior to the withdrawal.
- Right to lodge a complaint — with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw, Poland).
To exercise the above rights, please contact us at: kontakt@mojapteczka.pl.
8. User data deletion
The User has the right to request deletion of their data from the Service at any time. The available methods are described below:
8.1. Deleting individual data
- Medicines — the User can independently delete medicine entries from the inventory using the "Delete" button next to each medicine.
- Medicine cabinets — the User can delete a home medicine cabinet together with its contents in the cabinet settings.
8.2. Deleting Account and All Data
To completely delete an account and all associated data, the User should send an email to kontakt@mojapteczka.pl with the subject "Account deletion" and provide the email address associated with the account.
After receiving the request, the Controller will:
- Verify the User's identity.
- Delete the User's account from Amazon Cognito.
- Delete all User data from the Service databases, including the medicine inventory, cabinets, invitations, and profile data.
The process will be completed within 30 days of receiving the request.
8.3. Data that may be retained
In accordance with applicable law, the Controller may retain:
- Transaction data — for 5 years from the end of the tax year (tax obligation).
- Data necessary for the pursuit of claims — for the limitation period resulting from the Polish Civil Code.
8.4. Users Signing In via Facebook
Users who signed in to the Service using a Facebook account can additionally manage the application's access to their data in Facebook privacy settings. Revoking access in Facebook settings does not automatically delete data from the Service — to delete data from the Service, please contact the Controller in accordance with the procedure described in section 8.2.
9. Cookies, advertisements, and tracking technologies
9.1. Website (mojapteczka.pl)
- The Service uses cookies necessary for proper operation (session, authentication).
- The Service uses Cookiebot CMP (provider: Cybot A/S) to manage cookie consent in compliance with GDPR and the ePrivacy Directive. On their first visit, Users are presented with a consent banner where they can choose which cookie categories to accept.
- Marketing/advertising cookies (Google AdSense) are loaded only after the User gives explicit consent via the Cookiebot banner. Ads are shown only to users on the free plan — users on paid plans do not see ads and do not receive marketing cookies.
- Users can withdraw or change their cookie consent at any time in Settings > Privacy or by clicking the Cookiebot icon in the Service.
- Users can also manage cookies directly in their web browser settings.
9.2. Mobile Application (Android)
- The mojApteczka mobile application displays ads via Google AdMob only to users on the free plan. Users on paid plans (Standard, Pro) do not see any ads.
- Consent for personalised ads in the mobile application is managed through the Google User Messaging Platform (UMP), in compliance with GDPR and IAB TCF 2.0 framework requirements. On first launch, the User is presented with a consent form where they can accept or decline personalised ads.
- The mobile application uses mediation partners (Meta Audience Network, AppLovin, InMobi), which may serve ads alongside Google AdMob. Mediation partners are subject to the same consent rules — personalised ads require the User's explicit consent.
- As part of ad serving, the device advertising identifier (Android Advertising ID) may be processed. The User can reset or disable the advertising identifier in Android system settings (Settings → Privacy → Ads).
- The User can change their ad consent in the mobile application at any time in Settings → Privacy (within the app).
9.3. Location data (pharmacy locator)
- Precise location (GPS): The mojApteczka mobile application provides a pharmacy locator feature that helps the User find the nearest open pharmacy. This feature requires the User's consent to access the device's precise location (the Android ACCESS_FINE_LOCATION system permission).
- The User's location is used exclusively on-device — the search for the nearest pharmacy runs in the application's memory, and geographic coordinates are not transmitted to mojapteczka.pl servers and are not shared with third parties as part of this feature.
- Consent is optional — the User may decline consent or revoke it at any time in the Android system settings (Settings → Apps → mojApteczka → Permissions → Location). Without consent for precise location, the pharmacy locator feature is unavailable.
- Approximate location for ads and analytics: Independently of the pharmacy locator feature, advertising networks (Google AdMob and mediation partners: Meta Audience Network, AppLovin, InMobi) and Firebase Analytics may collect the User's approximate location (derived from the device's IP address) for analytics and advertising purposes. This data is shared with the listed entities in accordance with section 5. It applies only to users on the free plan.
- No background location collection — the application does not read location in the background or after the User leaves the pharmacy locator screen.
9.4. Health data protection
Health/medicine data (medicine list, dosage information, expiry dates) is never shared with advertising networks or used for ad personalisation — this applies to both the website and the mobile application.
10. Data Security
The Controller implements appropriate technical and organisational measures to protect personal data, including:
- encryption of data at rest and in transit (TLS 1.2+),
- authentication via Amazon Cognito, Google OAuth 2.0, and Facebook Login,
- cloud infrastructure with ISO 27001 and SOC 2 certifications (AWS),
- regular access permission reviews.
11. Changes to the Privacy Policy
- The Controller reserves the right to update this Privacy Policy.
- Users will be notified of significant changes through the Service.
- The current version of the Privacy Policy is always available at mojapteczka.pl/privacy.
12. Contact
For matters related to personal data protection, please contact:
- Email: kontakt@mojapteczka.pl
- Address: mojApteczka, ul. Jeleniogórska 1/3B, 60-179 Poznań
© 2026 mojapteczka.pl. All rights reserved.