This is an informational English translation provided for your convenience. The legally binding version is the Polish original, available at cookiepilot.io/polityka-prywatnosci. In case of any discrepancy, the Polish version prevails.
This Privacy Policy sets out the rules for processing personal data by CLEVER AGENT SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, with its registered office in Kleosin (the "Controller"), in connection with providing services through the CookiePilot platform.
1. Data controller
- Controller: CLEVER AGENT SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ
- Address: Józefa Ignacego Kraszewskiego 1 / 16, 16-001 Kleosin, Poland
- KRS (court register): 0001171512
- NIP (VAT ID): 5423499417
- Data protection contact: kontakt@cookiepilot.io
2. Scope of data collected
The Controller collects the following categories of personal data:
2.1 Data of CookiePilot platform Users
- Email address (required for registration)
- First and last name or company name
- VAT ID (for business customers)
- Billing address
- Payment data (processed by Stripe)
- IP address and device data
- Login and Panel activity history
2.2 End-user data (visitors to customers' websites)
As part of providing the CMP service, we process on behalf of our customers (as a processor):
- Consent identifier (anonymous hash)
- Scope of consent granted (cookie categories)
- Date and time of consent
- Banner version
- IP address (in anonymized form)
- Browser identifier (User Agent)
2.3 Automatically collected data
- Server logs (IP address, browser type, access time)
- Analytics data (via Google Analytics 4)
- Error and performance information
3. Purposes of processing
Personal data is processed for the following purposes:
| Purpose of processing | Legal basis | Retention period |
|---|---|---|
| Providing CookiePilot services | Art. 6(1)(b) GDPR (performance of a contract) | Term of the contract + 5 years |
| Issuing invoices and settlements | Art. 6(1)(c) GDPR (legal obligation) | 5 years from the end of the tax year |
| Storing consent records | Art. 6(1)(c) GDPR (GDPR Art. 7(1)) | 5-6 years (EDPB recommendation) |
| Own marketing (newsletter) | Art. 6(1)(a) GDPR (consent) | Until consent is withdrawn |
| Service analysis and improvement | Art. 6(1)(f) GDPR (legitimate interest) | 2 years |
| Handling inquiries and complaints | Art. 6(1)(f) GDPR (legitimate interest) | 3 years from resolution |
| Pursuing claims | Art. 6(1)(f) GDPR (legitimate interest) | Until claims become time-barred |
4. Legal bases for processing
We process personal data on the basis of:
- Art. 6(1)(a) GDPR — consent to processing (e.g. newsletter, marketing cookies)
- Art. 6(1)(b) GDPR — necessity to perform a contract or to take steps before entering into one
- Art. 6(1)(c) GDPR — compliance with a legal obligation (accounting, storing consents)
- Art. 6(1)(f) GDPR — the Controller's legitimate interest (analytics, security, direct marketing)
5. Data recipients
Personal data may be shared with the following categories of recipients:
5.1 Processors
- Stripe — payment processing (Stripe, Inc., USA — SCC)
- Google Cloud Platform — hosting and data storage (Google LLC, USA — SCC)
- Google Analytics — analytics (Google LLC, USA — SCC)
- Resend / Mailgun — transactional email delivery
- Sentry — error monitoring
5.2 Public authorities
Data may be shared with state authorities (e.g. the tax office, the data protection authority) on the basis of applicable law.
5.3 Advisors and auditors
In justified cases, data may be shared with law firms, statutory auditors or audit firms.
6. Transfers to third countries
- Some personal data may be transferred to the USA in connection with the use of Google and Stripe services.
- Transfers take place on the basis of:
  - Standard Contractual Clauses (SCC) approved by the European Commission
  - European Commission adequacy decisions (the EU-US Data Privacy Framework)
- The Controller applies additional safeguards, such as encryption and pseudonymization of data.
7. Data retention period
We retain personal data for the following periods:
- Account data — for the term of the contract and 5 years after it ends
- Billing data — 5 years from the end of the tax year in which the invoice was issued
- Consent records — 5-6 years in line with EDPB recommendations and the limitation period for claims
- Analytics data — 14 months (Google Analytics)
- Server logs — 90 days
- Marketing data — until consent is withdrawn or an objection is raised
8. Rights of data subjects
Under the GDPR you have the following rights:
8.1 Right of access (Art. 15 GDPR)
You can find out whether we process your data and obtain a copy of it.
8.2 Right to rectification (Art. 16 GDPR)
You can request correction of inaccurate data or completion of incomplete data.
8.3 Right to erasure — "right to be forgotten" (Art. 17 GDPR)
You can request erasure of data if there is no legal basis for further processing.
8.4 Right to restriction of processing (Art. 18 GDPR)
You can request restriction of data processing in certain situations.
8.5 Right to data portability (Art. 20 GDPR)
You can receive your data in a structured format (JSON, CSV) and transfer it to another controller.
8.6 Right to object (Art. 21 GDPR)
You can object to processing based on legitimate interest, including direct marketing.
8.7 Right to withdraw consent (Art. 7(3) GDPR)
You can withdraw your consent to data processing at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
8.8 Right to lodge a complaint
You have the right to lodge a complaint with the supervisory authority — the President of the Polish Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw. You may also contact your own national data protection authority.
To exercise these rights, contact us at kontakt@cookiepilot.io. We will respond within 30 days.
9. Cookies and similar technologies
9.1 What are cookies?
Cookies are small text files saved on a user's device when visiting a website. They are used to remember preferences and improve how the site works.
9.2 Types of cookies used on cookiepilot.io
| Category | Description | Examples |
|---|---|---|
| Necessary | Required for the site to work; do not require consent | Login session, cookie preferences |
| Functional | Remember user preferences | Theme choice (dark/light), language |
| Analytics | Help analyze site traffic | Google Analytics 4 |
| Marketing | Used to personalize ads | Google Ads, Facebook Pixel |
9.3 Managing cookies
You can manage cookie settings in several ways:
- Through the cookie banner displayed on the site
- In your browser settings
- By clicking the "Manage consent" link in the site footer
9.4 Google Consent Mode v2
We use Google Consent Mode v2, which passes consent information to Google services. As a result:
- Google scripts are blocked until consent is given
- After consent is given, the `ad_storage`, `analytics_storage`, `ad_user_data` and `ad_personalization` parameters are updated
- Without consent, Google applies data modeling (Consent Mode modeling)
10. Google Analytics
- We use Google Analytics 4 to analyze site traffic and improve our services.
- Google Analytics collects data such as: IP address (anonymized), device type, browser, geographic location (country/region), pages visited, and visit duration.
- Data is stored for 14 months and may be transferred to Google servers in the USA.
- You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out browser add-on.
11. Data security
We apply appropriate technical and organizational measures to protect personal data:
- Encryption — all connections are encrypted with TLS 1.3
- Password hashing — passwords are stored hashed (bcrypt)
- Access control — only authorized persons have access to data
- Regular backups — data is archived regularly
- Security monitoring — continuous monitoring of threats and incidents
- Security audits — regular reviews and penetration tests
12. Changes to the Privacy Policy
- The Controller reserves the right to change this Privacy Policy in the event of changes in the law, market practices or the scope of services provided.
- Users will be notified of significant changes by email or via a message in the Panel.
- The current version of the Privacy Policy is always available at https://cookiepilot.io/polityka-prywatnosci.
13. Contact
For matters related to the protection of personal data, you can contact us:
- Email: kontakt@cookiepilot.io
- Postal address: Józefa Ignacego Kraszewskiego 1 / 16, 16-001 Kleosin, Poland
- Contact form: https://cookiepilot.io/en/contact
We make every effort to respond to inquiries regarding personal data within 30 days of receiving the request.