Privacy Policy
Last updated: 2026-05-20
1. Data Controller
The Controller of your personal data is Marcin Słomka, conducting unregistered business activity ("działalność nierejestrowana") under Article 5(1) of the Polish Entrepreneurs' Law Act of 6 March 2018, with the place of business in Opole, Poland (hereinafter "Controller").
Contact for personal data protection matters: [email protected] or [email protected].
We have not appointed a Data Protection Officer — it is not required at our scale (Art. 37 GDPR). All data protection matters are handled directly by the Controller at [email protected].
2. Purposes and legal bases of processing
We process your data for the following purposes:
- Provision of Service (displaying offers, search, basic navigation) — basis: Art. 6(1)(b) GDPR (performance of an electronic services contract).
- Affiliate tracking (recording clicks on partner store links to earn commission) — basis: Art. 6(1)(f) GDPR (legitimate interest of the Controller — Service business model).
- Statistics and analytics (understanding how the Service is used, measuring effectiveness) — basis: Art. 6(1)(a) GDPR (consent).
- Newsletter (if you subscribed) — basis: Art. 6(1)(a) GDPR (consent).
- Fulfillment of legal obligations (incl. DSA, tax, accounting) — basis: Art. 6(1)(c) GDPR.
3. Categories of processed data
- Technical data: hashed IP address, approximate location (country), browser type, operating system.
- Behavioral data: visited pages, time spent, clicked offers.
- Contact data: email address (if you subscribed to the newsletter or contacted us).
- Cookies and affiliate tracking: details in the Cookie Policy.
4. Data recipients
Your data may be transferred to:
- Partner stores — when you click an affiliate link, the store receives information about the redirection (affiliate cookie, session identifier). The store applies its own privacy policy.
- Infrastructure providers — hosting (Hetzner / Contabo, EU), CDN (Cloudflare).
- Analytics providers (only with your consent):
  - Google Analytics 4 (Google LLC, USA) — pseudonymous traffic and conversion statistics. Data is transferred to the USA under the Data Privacy Framework (DPF). Full risk analysis in our Transfer Impact Assessment (TIA, available on request).
  - Microsoft Clarity (Microsoft Ireland Operations Limited, Ireland) — heatmaps and anonymous session recordings. EU infrastructure (Azure West/North Europe). All input fields are masked.
- Email provider — Resend (USA) — transactional emails only (verify-email, password reset, newsletter). DPA signed.
- State authorities — only in cases provided by law (e.g., court summons, criminal proceedings).
5. Data transfer outside EEA (Schrems II)
Some of our processors are based in the USA (Google, Resend). Data transfers to the USA occur under:
- EC Adequacy Decision of 10 July 2023 regarding entities certified under the EU-US Data Privacy Framework (DPF)
- Standard Contractual Clauses (SCC) as part of DPA with each processor
We apply additional protective measures: pseudonymization, data minimization, 2-month retention for GA4, Google Signals disabled, no Google Ads / remarketing. Risk analysis available in our Transfer Impact Assessment (TIA) — on request via [email protected].
6. Retention period
The periods below are maximum retention limits — we do not keep data longer:
- Server logs, technical data — up to 90 days.
- Google Analytics statistics (aggregated) — 2 months.
- Microsoft Clarity session recordings — 13 months (default, configurable).
- Newsletter subscription email — until unsubscribed (button in every email) or 3 years of inactivity.
- Correspondence (contact, complaints, DSA reports) — 5 years from last contact.
- Data required by law (accounting, taxes) — for the period required by regulations (usually 5 years).
Some data is deleted automatically once the period elapses (e.g. affiliate link click data — after 90 days, price history — after 730 days). Remaining categories are deleted during periodic review and immediately upon your request (section 7).
7. Your rights (Art. 15–22 GDPR)
In relation to your data, you have the right to:
- access your data and receive a copy;
- rectification of incorrect data or completion of incomplete data;
- erasure ("right to be forgotten") — in situations provided by law;
- restriction of processing;
- data portability;
- object to processing based on legitimate interest;
- withdraw consent at any time (does not affect the lawfulness of processing carried out before withdrawal);
- lodge a complaint with the President of the Polish Data Protection Authority (UODO) or the supervisory authority in your country of residence.
To exercise any right, write to [email protected]. We respond within 30 days.
8. Cookies and tracking
A detailed description of cookies (types, purpose, retention period) is in the Cookie Policy. You can change your preferences at any time by clicking "Manage consent" in the footer.
9. Data security
We apply technical and organizational data protection measures: transport encryption (HTTPS/TLS 1.3), hashed IP addresses in audit logs, hashed email identifiers in application logs, restricted access to backend systems, regular backups, vulnerability monitoring (CodeQL, Trivy, gitleaks), two-factor authentication for administrative accounts.
10. Profiling and automated decisions
We do not make automated decisions that produce legal effects on you or similarly significantly affect you within the meaning of Art. 22 GDPR. We do not use personalized pricing — all users see the same price at a given store at the same moment.
We may use behavioral data for anonymous statistical analysis (e.g., which games are popular, which search paths convert) — this is pseudonymized and does not create an individual user profile.
11. Age of users
The Service is intended for persons who have reached the age of 16 — this is the age of consent for processing personal data in information society services in Poland (Art. 8(1) GDPR). At registration we require confirmation of this condition.
If you are a parent or legal guardian and you discover that a person under 16 has created an account without your consent, write to [email protected] — we will delete the account immediately.
12. Reporting data protection violations
If you believe your personal data is being processed unlawfully, you may:
- Write to us at [email protected] — we respond within 30 days.
- File a complaint with the President of the Polish Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl) or the supervisory authority in your country of habitual residence.

