GDPR · personal data
GDPR in practice
A matrix of processing purposes with legal bases (Art. 6 GDPR), retention periods, and step-by-step instructions for exercising the rights to access, erasure, objection, and data portability.
Purpose of this page
This page extends the privacy policy with specific information required by GDPR: the full list of processing purposes with legal bases, retention periods, and instructions for exercising data subject rights. If you're looking for "why we collect data" — see the privacy policy. If you're looking for "how to enforce my rights" — you're in the right place.
Purpose and legal basis matrix
| Processing purpose | Data category | Legal basis | Retention |
|---|---|---|---|
| Response to contact form | Name, email, phone, message | Art. 6(1)(b) (contract) + (f) (legitimate interest) | 36 months since last contact |
| Newsletter delivery | Email, language | Art. 6(1)(a) (consent) | Until consent withdrawn |
| Admin account management | Email, password hash, sessions | Art. 6(1)(b) (contractor agreement) | Until collaboration ends |
| Anti-spam and security | IP hash (SHA-256 + salt), User-Agent | Art. 6(1)(f) (Recital 49) | 30 days |
| Lead submission metadata | Fingerprint, geo-country | Art. 6(1)(f) | 90 days (auto-purge) |
| Visit analytics | Umami session cookies | Art. 6(1)(a) (consent) | Browser session |
| Accounting and invoicing | Invoice data | Art. 6(1)(c) (legal obligation) + Polish Accounting Act art. 74 | 5 years from end of fiscal year |
How to exercise data subject rights
You exercise each right with a single email to [email protected]. No PDF forms to fill in, no scanned ID required — it's enough that you write from an address we've previously corresponded with, or provide another identifier that lets us find you (e.g., the email submitted via the contact form).
Access and copy of data (Art. 15)
Write "Please send me a copy of my personal data." We respond with a JSON export within 14 business days. The export includes: form submissions, lead metadata from our logs (timestamps, IP hash — without de-anonymization capability), and your newsletter subscription record. The first request per year is free.
Rectification (Art. 16)
Indicate the field and new value — e.g., "please change surname from Smith to Jones, email X@Y." The change is made immediately and confirmed by reply.
Erasure / "right to be forgotten" (Art. 17)
Write "Please delete my data." We remove all identifying data within 14 business days. Exceptions — and we must list them — are data whose processing is required by law (e.g., accounting documents kept for 5 years) or necessary to establish claims (until the statute of limitations expires). In such cases you'll get a specific list of "what stays and why."
Restriction (Art. 18)
During the period of dispute review or data accuracy verification, you can request "freezing" of processing — data remains, but is not used for any operation beyond archiving.
Portability (Art. 20)
This right applies only to data processed on the basis of consent (a) or contract (b) — in practice: your newsletter subscription and the contents of form inquiries. JSON is the standard export format; we'll also prepare CSV on request.
Objection (Art. 21)
Applies to processing based on legitimate interest (f) — in our case: security logs and responses to inquiries not tied to our offer. We handle objections immediately; to deny one we'd have to demonstrate compelling legitimate grounds overriding your interests — and you'd receive that reasoning in writing.
Consent withdrawal (Art. 7(3))
Newsletter: click "unsubscribe" in any email. Analytics: cookie banner → "Settings" → turn off "Analytics" → "Save preferences." Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.
No automated decision-making
We do not use profiling or automated decision-making that produces legal effects or significantly affects the user (Art. 22 GDPR). Every commercial proposal, refusal to collaborate, or scope decision is made by Kacper personally.
Transfers outside the EEA
One of our processors (Backblaze — file backups) operates in the USA. Transfers occur under the EU-U.S. Data Privacy Framework — the provider is certified. As a second layer of safeguards we also use Standard Contractual Clauses (SCC 2021/914). Our other processors (Hetzner hosting, Seohost mailbox) operate within the EEA.
Complaint to the supervisory authority
If you believe we violate GDPR, you have the right to lodge a complaint with:
President of the Polish Data Protection Authority (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
tel. (+48) 22 531 03 00
[email protected]
uodo.gov.pl
We encourage you to write to us first — in the vast majority of cases we're able to resolve the issue within 72 hours without involving UODO.