CJakCiasteczko
Get started
Legal

Privacy Policy

Last updated: 2026-05-03

⚠ Draft. Written in good faith based on GDPR and Polish UODO. Will be reviewed by external counsel before production launch.

1. Controller

The controller of personal data processed in connection with the CJakCiasteczko service is aveneo Dawid Morzyński, a Polish sole proprietorship established in Poland. Contact: cjakciasteczko@aveneo.pl.

For visitors to our customers' websites (using the CJakCiasteczko script), aveneo acts as a processor under Article 28 GDPR. Full terms in the DPA.

2. Data we collect

  • Account data — name, email, password hash. Art. 6(1)(b) GDPR (contract).
  • Configuration — domains, banner settings, snippet. Contract.
  • Billing — invoice address, VAT ID, Stripe IDs. We do not store card numbers; Stripe does. Art. 6(1)(b)/(c).
  • Technical / logs — IPs, sessions, user agents, errors. Art. 6(1)(f) — legitimate interest.
  • Cookie scan results — outputs from scanning your domains.
  • Visitor consent records — aveneo as processor only.

3. Retention

  • Account — duration of agreement + 30 days.
  • Billing — 5 years from year-end (Polish accounting law).
  • Technical logs — up to 12 months.
  • Visitor consent records — 12 months default, up to 7 years on Enterprise.

4. Sub-processors

  • Stripe Payments Europe Ltd. (Ireland) — payment processing.
  • Hetzner Online GmbH (Germany) — application hosting + database.
  • Resend (USA, SCC) — transactional email.
  • Cloudflare (USA, SCC) — CDN, DDoS protection, optional GeoIP.
  • Sentry (USA, SCC) — application error telemetry.

For US providers we use SCCs plus encryption at rest and in transit.

5. Your rights

  • Access (Art. 15), rectification (Art. 16), erasure (Art. 17),
  • Restriction (Art. 18), portability (Art. 20),
  • Objection (Art. 21) for legitimate-interest processing,
  • Withdrawal of consent any time (Art. 7(3)),
  • Complaint to the Polish DPA (uodo.gov.pl).

Email cjakciasteczko@aveneo.pl or use your dashboard. We respond within 30 days.

6. Cookies on cjakciasteczko.pl

We use the CJakCiasteczko banner ourselves. Only strictly necessary cookies set by default; analytics and marketing only after your consent.

7. Social profiles

LinkedIn and X (Twitter) operate as independent controllers — read their policies before visiting our profiles.

8. Security

TLS 1.3 in transit, AES-256 at rest, keys via AWS KMS / Hetzner Vault. Production access engineering-only and audit-logged for 12 months.

9. Changes

We update this policy periodically. Material changes communicated to active customers by email at least 30 days in advance.

10. Contact

Privacy: cjakciasteczko@aveneo.pl. General: cjakciasteczko@aveneo.pl.