Privacy Policy

This Privacy Policy describes how Michał Paśko (the 'Controller') processes personal data of visitors to paskomichal.pl and persons contacting the Controller via the contact form.

The Controller is established in Poland and is subject to Polish data-protection law implementing GDPR (EU Regulation 2016/679). The Polish supervisory authority (UODO) is the lead authority. EU/EEA data subjects retain all rights under GDPR and may, where applicable, benefit from the EDPB One-Stop-Shop mechanism for cross-border complaints.

If you have any questions about this Policy or about how your data is processed, please contact the Controller at kontakt@paskomichal.pl.

1. Data Controller

Controller: Michał Paśko, Wrocław, Polska.

Privacy contact: kontakt@paskomichal.pl.

The Controller has not appointed a Data Protection Officer (DPO). Privacy inquiries should be directed to the Controller at the e-mail address above.

2. Categories of Personal Data

Depending on how you interact with this website, the Controller may process the following categories of personal data:

• Contact data submitted via the contact form: full name, e-mail address, phone number (optional), and free-text message.
• Technical data collected automatically: IP address (held in-memory for 60 seconds only by the rate-limiting mechanism, not persisted to disk), browser type, operating system, and server-log metadata generated by the Vercel hosting infrastructure.
• Analytics data (Google Analytics 4): pseudonymised client ID, pages viewed, events, truncated IP address, and device/browser metadata — CURRENTLY DISABLED; will only be activated after a consent management platform (CMP) is deployed.
• PWA cache data: URL paths and server responses stored locally in the visitor's browser by the Service Worker; no transmission to the Controller.

3. Purposes and Lawful Basis

The Controller processes personal data only for specific, legitimate purposes, relying on one of the following lawful bases under GDPR:

• Handling contact-form enquiries and providing pre-contractual information — lawful basis: Art. 6(1)(b) GDPR (processing necessary for steps taken at the data subject's request prior to entering into a contract).
• Protecting the service against spam and abuse via an IP-based rate-limiting mechanism — lawful basis: Art. 6(1)(f) GDPR (legitimate interest of the Controller in securing the service); data deleted after 60 seconds.
• Operating and monitoring the website (Vercel server logs) — lawful basis: Art. 6(1)(f) GDPR (legitimate interest of the Controller).
• Traffic analysis and conversion measurement (Google Analytics 4) — lawful basis: Art. 6(1)(a) GDPR (consent); tool CURRENTLY DISABLED pending CMP deployment.
• Compliance with legal obligations including tax and accounting requirements — lawful basis: Art. 6(1)(c) GDPR.

4. Recipients and Processors

The Controller uses third-party service providers who process personal data on the Controller's behalf or receive data as independent controllers, strictly as necessary to achieve the purposes set out in this Policy:

• SMTP provider: SMTP email service provider (hosting operator) — category: processor; full sub-processor list available on request at kontakt@paskomichal.pl — a data processor responsible for transmitting e-mails sent through the contact form.
• Vercel Inc. — hosting and server infrastructure provider; headquarters in the USA, edge infrastructure in the EU; transfer basis for USA: Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by the provider's additional technical and organisational measures.
• Google Analytics 4 (Google Ireland Ltd / Google LLC) — analytics tool CURRENTLY DISABLED; will only be activated upon obtaining explicit user consent via a CMP.
• WhatsApp / Meta Platforms Ireland Ltd — optional external redirect initiated solely by the user's active click on the chat button; the Controller does not independently transmit data to Meta.

5. Retention Periods

Personal data is retained for no longer than necessary to fulfil the purposes for which it was collected:

• Contact-form correspondence: up to 12 months from the end of correspondence (default 12 months, aligned with the statutory limitation period for service-contract claims).
• IP address in the rate-limiting mechanism: 60 seconds — held exclusively in server RAM, not written to persistent storage.
• Vercel server logs: in accordance with the hosting provider's (Vercel Inc.) retention policy — up to 30 days.
• PWA browser cache on the visitor's device: in accordance with the TTL values configured in next.config.ts (24 hours to 1 year depending on asset type).

6. Your Rights

Every data subject has the following rights under GDPR. To exercise your rights, contact the Controller at kontakt@paskomichal.pl. The Controller will respond without undue delay and in any event within one month of receiving the request.

• Right of access (Art. 15 GDPR) — obtain confirmation of whether data is processed and receive a copy.
• Right to rectification (Art. 16 GDPR) — request correction of inaccurate or completion of incomplete data.
• Right to erasure ('right to be forgotten') (Art. 17 GDPR) — request deletion when data is no longer necessary or processing is unlawful.
• Right to restriction of processing (Art. 18 GDPR) — request that certain processing operations be suspended.
• Right to data portability (Art. 20 GDPR) — receive data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21 GDPR) — object to processing based on the Controller's legitimate interest.
• Right to withdraw consent — at any time, without affecting the lawfulness of processing carried out before withdrawal.
• Right to lodge a complaint — with the lead supervisory authority: Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, https://uodo.gov.pl/. EU/EEA data subjects may also contact their local supervisory authority under the EDPB One-Stop-Shop mechanism.

7. Cookies and Similar Technologies

The paskomichal.pl website uses cookies and PWA Service Worker caching. The following categories apply:

• Strictly necessary (session, light/dark theme preference) — no consent required; these are necessary to provide the service requested by the user (Art. 5(3) ePrivacy Directive as implemented in Polish law).
• PWA Service Worker — browser-side caching technology enabling offline functionality and faster loading; no data transmitted to third parties; basis: technical necessity / legitimate interest.
• Analytics (Google Analytics 4, ID: G-GMVSETKEB4) — CURRENTLY DISABLED; will only be activated after explicit user consent is obtained via a CMP; lawful basis upon activation: Art. 6(1)(a) GDPR.

8. Transfers Outside the EEA

Some services used by the Controller involve transfers of personal data to countries outside the European Economic Area (EEA), in particular to the United States.

The legal basis for such transfers is the Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914/EU of 4 June 2021), supplemented by the additional technical and organisational measures applied by each provider.

To obtain further information about the safeguards applied to international data transfers or a copy of the applicable SCC documents, please contact the Controller at kontakt@paskomichal.pl.

9. Changes to This Policy

This Privacy Policy may be updated in response to changes in applicable law, technology used on the website, or the scope of services provided.

Each update results in a new date being shown in the 'Last updated' field at the top of this page. We encourage periodic review of this Policy.

Previous versions of the Policy are available on request by writing to kontakt@paskomichal.pl.

10. Privacy Contact

For all personal-data matters, please contact the Controller: kontakt@paskomichal.pl.

The Controller has not appointed a Data Protection Officer (DPO) — contact the Controller directly.

Complaint to the supervisory authority: Prezes Urzędu Ochrony Danych Osobowych (UODO) — https://uodo.gov.pl/.