Privacy Policy
Last updated: February 2026 | Version 2.0
1. Data Controller
The Data Controller of your personal data is ITEON.pl Leszek Szpunar, based in Warsaw, Poland (hereinafter: 'Controller').
The Controller is not required to appoint a Data Protection Officer (DPO) under Art. 37(1) of the GDPR, as data processing does not constitute a core activity requiring regular and systematic monitoring of individuals on a large scale.
For privacy-related inquiries, please contact:
2. Purposes and Legal Basis of Processing
We process personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR). Below are the detailed processing purposes:
| Purpose | Data | Legal Basis | Retention |
|---|---|---|---|
| Contact Form | Name, email, phone, message content, IP address | Art. 6(1)(b) GDPR (pre-contractual measures) and Art. 6(1)(f) (legitimate interest - responding to inquiries) | Until correspondence is concluded + 3 years (limitation period for claims) |
| Newsletter | Email address | Art. 6(1)(a) GDPR (consent) in conjunction with Art. 10 of the Act on Electronic Services and Art. 172 of the Telecommunications Act | Until consent is withdrawn |
| Analytics (PostHog) | Behavioral data, IP address (anonymized), session data, device type | Art. 6(1)(a) GDPR (consent expressed via cookie banner) | 12 months |
| Error Monitoring (Sentry) | Stack traces, browser data, IP address | Art. 6(1)(f) GDPR (legitimate interest - service security and continuity) | 90 days |
| Client Panel (SSO) | Business email address, Microsoft Entra authentication data | Art. 6(1)(b) GDPR (contract performance) | Until account deletion |
| E-commerce / Invoicing | Company data, Tax ID, address, invoice details | Art. 6(1)(b) (contract performance) and Art. 6(1)(c) (legal obligation - Accounting Act) | 5 years (tax obligation) |
| Direct Marketing | Email address | Art. 6(1)(a) GDPR (consent) in conjunction with Art. 10 of the Act on Electronic Services and Art. 172 of the Telecommunications Act | Until consent is withdrawn |
| Establishment and defense of claims | All collected data to the extent necessary | Art. 6(1)(f) GDPR (legitimate interest) | Limitation period for claims (3-6 years) |
3. Data Recipients (Data Processors)
To deliver our services, we use trusted sub-contractors (Data Processors) with whom we have concluded Data Processing Agreements (DPA):
| Entity | Country | Data | Basis |
|---|---|---|---|
| PostHog Inc. | USA (hosted in EU, Frankfurt) | Product analytics, session recording | DPF + SCCs |
| Functional Software Inc. (Sentry) | USA | Error tracking, performance monitoring | DPF + SCCs |
| Resend Inc. | USA | Transactional and newsletter email delivery | DPF + SCCs |
| Upstash Inc. | USA (AWS EU infrastructure) | Rate limiting, request data (IP address) | SCCs |
| mydevil.net (Admin.net.pl Sp. z o.o.) | Poland (EU) | Hosting and server infrastructure - all data | GDPR (processing within EEA) |
| Microsoft Corporation (Azure / Entra ID) | Ireland / USA | Identity management (SSO), authentication | DPF + SCCs |
4. International Data Transfers
Some of our technology partners (Microsoft, Sentry, Resend, Upstash) may process data in the United States.
Transfers to the USA are based on the European Commission's Implementing Decision of 10 July 2023 establishing the EU-US Data Privacy Framework (DPF) as providing an adequate level of data protection.
For entities not certified under DPF, we apply Standard Contractual Clauses (SCCs) approved by the European Commission, in accordance with the CJEU ruling in Schrems II (Case C-311/18).
PostHog stores analytics data in the EU region (Frankfurt, Germany), meaning data does not leave the European Economic Area.
mydevil.net stores all data in Poland - no transfer outside the EEA.
You have the right to obtain a copy of the safeguards applied (SCCs) - please contact privacy@iteon.pl.
5. Data Subject Rights
Under Articles 15-21 of the GDPR, you have the following rights:
You may submit requests electronically to: privacy@iteon.pl or by post to the Controller's registered address. Deadline for fulfilling requests: 30 days (Art. 12(3) GDPR).
You also have the right to lodge a complaint with the President of the Office for Personal Data Protection (PUODO), ul. Stawki 2, 00-193 Warsaw, website: https://uodo.gov.pl
6. Profiling and Automated Decision-Making
The Service does NOT make automated decisions producing legal effects or similarly significantly affecting the User (Art. 22 GDPR).
PostHog creates behavioral profiles solely for statistical purposes and Service interface optimization.
PostHog Session Recording enables user session recording (mouse movements, clicks) solely to identify and fix UX issues. Recording occurs only after consent is given for the 'Analytics' category in the cookie banner. All input data is masked (maskAllInputs: true).
PostHog's Autocapture feature collects text from clicked interface elements for analytical purposes.
7. Data Security
We implement appropriate technical and organizational measures to protect personal data (Art. 32 GDPR):
- Transmission encryption: TLS 1.2+ (HTTPS) for all connections
- Content Security Policy (CSP) with dynamic nonce - XSS protection
- Rate limiting (Upstash Redis) - protection against brute-force and DDoS attacks
- Honeypot fields in forms - protection against bots and spam
- Input masking in PostHog session recordings
- Regular software and dependency updates
- Data access restricted exclusively to the Controller
- Sentry configured with IP address storage disabled
8. Changes to the Privacy Policy
The Controller reserves the right to update this Privacy Policy to reflect changes in legislation or technologies used.
Material changes will be communicated via email (to account holders, Newsletter subscribers) or through a notice on the Service website.
The current version of the Privacy Policy is always available at: iteon.pl/en/privacy-policy
Document change history is available upon request.
See also: Terms of Service | Cookie Policy