Privacy Policy

Last updated: February 2026 | Version 2.0

1. Data Controller

The Data Controller of your personal data is ITEON.pl Leszek Szpunar, based in Warsaw, Poland (hereinafter: 'Controller').

The Controller is not required to appoint a Data Protection Officer (DPO) under Art. 37(1) of the GDPR, as data processing does not constitute a core activity requiring regular and systematic monitoring of individuals on a large scale.

For privacy-related inquiries, please contact:

ul. Szamocka 12/136, 01-748 Warsaw, Poland

NIP: 815 173 84 17

REGON: 180452188

+48 603 892 927

privacy@iteon.pl

2. Purposes and Legal Basis of Processing

We process personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR). Below are the detailed processing purposes:

Purpose	Data	Legal Basis	Retention
Contact Form	Name, email, phone, message content, IP address	Art. 6(1)(b) GDPR (pre-contractual measures) and Art. 6(1)(f) (legitimate interest - responding to inquiries)	Until correspondence is concluded + 3 years (limitation period for claims)
Newsletter	Email address	Art. 6(1)(a) GDPR (consent) in conjunction with Art. 10 of the Act on Electronic Services and Art. 172 of the Telecommunications Act	Until consent is withdrawn
Analytics (PostHog)	Behavioral data, IP address (anonymized), session data, device type	Art. 6(1)(a) GDPR (consent expressed via cookie banner)	12 months
Error Monitoring (Sentry)	Stack traces, browser data, IP address	Art. 6(1)(f) GDPR (legitimate interest - service security and continuity)	90 days
Client Panel (SSO)	Business email address, Microsoft Entra authentication data	Art. 6(1)(b) GDPR (contract performance)	Until account deletion
E-commerce / Invoicing	Company data, Tax ID, address, invoice details	Art. 6(1)(b) (contract performance) and Art. 6(1)(c) (legal obligation - Accounting Act)	5 years (tax obligation)
Direct Marketing	Email address	Art. 6(1)(a) GDPR (consent) in conjunction with Art. 10 of the Act on Electronic Services and Art. 172 of the Telecommunications Act	Until consent is withdrawn
Establishment and defense of claims	All collected data to the extent necessary	Art. 6(1)(f) GDPR (legitimate interest)	Limitation period for claims (3-6 years)

3. Data Recipients (Data Processors)

To deliver our services, we use trusted sub-contractors (Data Processors) with whom we have concluded Data Processing Agreements (DPA):

Entity	Country	Data	Basis
PostHog Inc.	USA (hosted in EU, Frankfurt)	Product analytics, session recording	DPF + SCCs
Functional Software Inc. (Sentry)	USA	Error tracking, performance monitoring	DPF + SCCs
Resend Inc.	USA	Transactional and newsletter email delivery	DPF + SCCs
Upstash Inc.	USA (AWS EU infrastructure)	Rate limiting, request data (IP address)	SCCs
mydevil.net (Admin.net.pl Sp. z o.o.)	Poland (EU)	Hosting and server infrastructure - all data	GDPR (processing within EEA)
Microsoft Corporation (Azure / Entra ID)	Ireland / USA	Identity management (SSO), authentication	DPF + SCCs

4. International Data Transfers

Some of our technology partners (Microsoft, Sentry, Resend, Upstash) may process data in the United States.

Transfers to the USA are based on the European Commission's Implementing Decision of 10 July 2023 establishing the EU-US Data Privacy Framework (DPF) as providing an adequate level of data protection.

For entities not certified under DPF, we apply Standard Contractual Clauses (SCCs) approved by the European Commission, in accordance with the CJEU ruling in Schrems II (Case C-311/18).

PostHog stores analytics data in the EU region (Frankfurt, Germany), meaning data does not leave the European Economic Area.

mydevil.net stores all data in Poland - no transfer outside the EEA.

You have the right to obtain a copy of the safeguards applied (SCCs) - please contact privacy@iteon.pl.

5. Data Subject Rights

Under Articles 15-21 of the GDPR, you have the following rights:

Right of Access (Art. 15 GDPR) - You have the right to obtain confirmation of whether we process your data and to receive a copy of that data.

Right to Rectification (Art. 16 GDPR) - You have the right to request correction of inaccurate or completion of incomplete data.

Right to Erasure (Art. 17 GDPR) - You have the right to request deletion of data ('right to be forgotten'), except where processing is necessary for compliance with a legal obligation or for the establishment/defense of legal claims.

Right to Restriction of Processing (Art. 18 GDPR) - You have the right to request restriction of processing in specified circumstances.

Right to Data Portability (Art. 20 GDPR) - You have the right to receive your data in a structured, machine-readable format (JSON/CSV).

Right to Object (Art. 21 GDPR) - You have the right to object to processing based on legitimate interest. Objection to direct marketing is absolute.

Right to Withdraw Consent (Art. 7(3) GDPR) - You may withdraw consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.

You may submit requests electronically to: privacy@iteon.pl or by post to the Controller's registered address. Deadline for fulfilling requests: 30 days (Art. 12(3) GDPR).

You also have the right to lodge a complaint with the President of the Office for Personal Data Protection (PUODO), ul. Stawki 2, 00-193 Warsaw, website: https://uodo.gov.pl

6. Profiling and Automated Decision-Making

The Service does NOT make automated decisions producing legal effects or similarly significantly affecting the User (Art. 22 GDPR).

PostHog creates behavioral profiles solely for statistical purposes and Service interface optimization.

PostHog Session Recording enables user session recording (mouse movements, clicks) solely to identify and fix UX issues. Recording occurs only after consent is given for the 'Analytics' category in the cookie banner. All input data is masked (maskAllInputs: true).

PostHog's Autocapture feature collects text from clicked interface elements for analytical purposes.

7. Data Security

We implement appropriate technical and organizational measures to protect personal data (Art. 32 GDPR):

Transmission encryption: TLS 1.2+ (HTTPS) for all connections
Content Security Policy (CSP) with dynamic nonce - XSS protection
Rate limiting (Upstash Redis) - protection against brute-force and DDoS attacks
Honeypot fields in forms - protection against bots and spam
Input masking in PostHog session recordings
Regular software and dependency updates
Data access restricted exclusively to the Controller
Sentry configured with IP address storage disabled

8. Changes to the Privacy Policy

The Controller reserves the right to update this Privacy Policy to reflect changes in legislation or technologies used.

Material changes will be communicated via email (to account holders, Newsletter subscribers) or through a notice on the Service website.

The current version of the Privacy Policy is always available at: iteon.pl/en/privacy-policy

Document change history is available upon request.

See also: Terms of Service | Cookie Policy