Privacy policy
Short, concrete, no legalese. Who we are, what data we process, on what legal basis and for how long — plus how to exercise every right granted by GDPR.
Who the controller is
The controller of your personal data is Kacper Popko, operating a sole proprietorship under the trade name "Kajpa" (NIP 9662222951), registered office at ul. Zastawie I 37, 16-070 Choroszcz, Poland. For any matter regarding the processing of your data, contact: [email protected].
We have not appointed a formal Data Protection Officer — our operation's scale does not trigger the obligation under Art. 37 GDPR. Instead, contact with the controller is direct: you email the address above and the person actually responsible for your data replies.
What data we process and on what legal basis
We process only the data you provide yourself — no profiles bought from third parties, no cross-site tracking.
Contact form and briefing
We collect: full name, email address, optional phone number, message content. Basis: Art. 6(1)(b) GDPR — steps taken prior to entering into a contract — and (f) (legitimate interest: responding to inquiries not directly tied to our offer). We keep the data for 36 months from last contact, after which contact details are anonymized and the conversation is kept in an archive marked "archival conversation without link to a person."
Newsletter
We collect: email address, correspondence language. Basis: Art. 6(1)(a) GDPR — consent expressed by clicking the confirmation link (double opt-in). Every email contains an "unsubscribe" link — clicking it halts processing immediately, and your email is removed from the active list within 24 hours.
Server logs and anti-spam
For service stability and bot protection we store: anonymized hash of the IP address (SHA-256 with salt rotated every 24h), User-Agent header, request timestamp. Basis: Art. 6(1)(f) GDPR — legitimate interest in ensuring service security (Recital 49). Technical logs are retained 30 days, lead submission metadata 90 days, after which they are removed automatically by a scheduled job.
Analytics (with your consent)
If you granted analytics consent in the cookie banner, we use Umami Analytics self-hosted on our own infrastructure in Germany (Hetzner). Umami does not use persistent identifiers, does not track across websites, and does not build user profiles. We collect: page URL, referrer, browser language, screen resolution, country (derived from IP, we do not store the IP itself). Basis: Art. 6(1)(a) GDPR. You can withdraw consent at any time via the cookie banner (footer icon).
With whom we share data
Data goes exclusively to technical processors required to operate the service:
- Hetzner Online GmbH (Germany/Finland) — application and database hosting. Data Processing Agreement based on Hetzner's standard contractual clauses.
- Seohost Sp. z o.o. (Poland, Poznań) — mailbox hosting and transactional email delivery (confirmations, newsletter, form replies) over SMTP. Data stays within the EEA — no third-country transfer.
- Backblaze B2 (USA, EU-Central region) — file backups. Transfer under the Data Privacy Framework and SCCs.
We never sell data and never share it with marketing partners.
Your rights
Under GDPR you have the right to:
- access your data and receive a copy (Art. 15),
- rectify inaccurate or outdated data (Art. 16),
- erasure ("right to be forgotten," Art. 17),
- restrict processing (Art. 18),
- data portability in JSON or CSV format (Art. 20),
- object to processing based on legitimate interest (Art. 21),
- withdraw consent at any time, without affecting the lawfulness of prior processing (Art. 7(3)),
- lodge a complaint with the Polish Data Protection Authority (UODO) — ul. Stawki 2, 00-193 Warsaw, Poland.
To exercise any of these rights, email [email protected]. We respond within 14 business days. We require no specific form — an email is enough.
Cookies and similar technologies
We use cookies in three categories. Details and management: see the GDPR page or click "Cookie settings" in the bottom banner.
- Necessary (always on): kajpa-consent (12 months), NEXTAUTH.SESSION-TOKEN (30 days for admin), NEXT_LOCALE (1 year).
- Analytics (with consent): Umami session cookies (expire at session end).
- Marketing: currently unused, reserved slot in the banner.
Changes to this policy
The policy is versioned. Last update date is visible in the page header. Material changes — in particular adding new processing purposes or new recipients — will be communicated 30 days in advance via newsletter (if you're subscribed) or an informational banner on the home page.