Privacy Policy
A plain-English account of every category of personal data we process, the legal grounds we rely on, who has access to it, and exactly how you can exercise your rights under the GDPR.
This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have under the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the Polish Act on the Protection of Personal Data of 10 May 2018.
1. Controller of your data
The controller of your personal data is:
- Damian Marusarz, a natural person not conducting registered business activity
- Address: ul. Starokrakowska 109, 34-400 Nowy Targ, Poland
- Contact e-mail: damianmarusarz@outlook.com
We have not appointed a Data Protection Officer. You may contact us directly at the e-mail above in any matter relating to your personal data.
2. What data we process
2.1 Account data
- e-mail address (always),
- first name and last name (always, from the registration form or from the identity provider),
- a hashed password (only if you register with e-mail and password),
- the identity provider used (e-mail/password, Google, Microsoft) and the corresponding external identifier returned by that provider.
2.2 Usage data tied to your account
Quantitative learning data that we need to operate the Service and show your progress, such as:
- number of completed flashcards and practice tests,
- correct/incorrect answer counts,
- time spent learning, response times,
- progress metrics derived from the above.
We do not track “favourite” items, free-text notes, or anything beyond what is needed to operate the learning features.
2.3 Technical data
- HTTP request metadata (IP address, user agent, timestamps, referring page) recorded in our infrastructure and authentication provider logs, used for security, abuse prevention and debugging.
2.4 Communication data
- the content of e-mails you send us (complaints, account deletion requests, support questions) and our replies.
We do not use analytics tools (such as Google Analytics), advertising trackers, pixels, heatmaps or session-recording tools. We do not run a newsletter.
3. Why we process your data and on what legal basis
| Purpose | Legal basis (GDPR) |
|---|---|
| Creating and operating your account, providing the Service to you | Art. 6(1)(b) — performance of a contract (the Terms of Service) |
| Verifying your e-mail address | Art. 6(1)(b) — performance of a contract |
| Authenticating you via Google or Microsoft | Art. 6(1)(b) — performance of a contract |
| Storing and presenting your learning progress | Art. 6(1)(b) — performance of a contract |
| Security, abuse prevention, debugging, audit logs | Art. 6(1)(f) — our legitimate interest in keeping the Service safe and operational |
| Handling complaints and other inquiries | Art. 6(1)(b) and Art. 6(1)(c) — performance of a contract and legal obligation under the Polish Act on Provision of Electronic Services |
| Sending transactional e-mails (account verification, password reset, important Service notices) | Art. 6(1)(b) — performance of a contract |
| Sending occasional product-quality surveys to active users of the Service | Art. 6(1)(f) — our legitimate interest in improving the Service (recital 47 GDPR) |
| Defending against and pursuing legal claims | Art. 6(1)(f) — our legitimate interest |
| Complying with legal obligations binding on us | Art. 6(1)(c) |
You may object to processing based on legitimate interest (Art. 21 GDPR) — see Section 7.
4. Who we share your data with (processors and recipients)
We work with the following external service providers acting as our processors. Each is bound by a data processing agreement.
| Provider | Role | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, server-side functions, e-mail verification messages | Project hosted in the European Union |
| Vercel Inc. | Application hosting, CDN, edge runtime, server logs | United States (with global edge presence); EU data may be processed in the US |
| Google LLC | Identity provider when you sign in with Google | United States |
| Microsoft Corporation | Identity provider when you sign in with Microsoft / Azure | United States / EU, depending on the user’s tenant |
We do not sell, rent or trade your personal data. We do not share it with third parties for their own marketing purposes.
We may disclose data to competent authorities where required by law (e.g. lawful requests from courts, prosecutors, police), and to professional advisers (e.g. lawyers) acting under confidentiality, where strictly necessary.
5. International transfers
When using providers based in the United States (Vercel, Google, Microsoft), your personal data may be transferred outside the European Economic Area (EEA). Such transfers are protected by:
- the EU-U.S. Data Privacy Framework (where the provider is certified), and/or
- the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914), and
- additional safeguards as recommended by the European Data Protection Board.
On request, we will provide a copy of the safeguards in place for a specific transfer.
6. How long we keep your data
| Category | Retention |
|---|---|
| Account data and learning data | For the entire duration of your account; deleted within 30 days of an account deletion request (Section 9), except where longer retention is legally required |
| Server access logs and security logs | Up to 12 months, after which they are rotated or anonymised |
| E-mail correspondence (complaints, requests, support) | Up to 3 years from the end of the matter, for evidentiary purposes and limitation periods |
| Data needed for the establishment, exercise or defence of legal claims | Until the limitation period elapses under Polish law (generally up to 6 years) |
| Data we are obliged to retain by law | For the period required by the applicable law |
After the applicable period, data is deleted or irreversibly anonymised.
7. Your rights
Under the GDPR you have the right to:
- access your data (Art. 15) and obtain a copy of it;
- rectify inaccurate or incomplete data (Art. 16);
- erase your data (“right to be forgotten”) (Art. 17), subject to the exceptions in that article;
- restrict processing in certain situations (Art. 18);
- portability — receive your data in a structured, commonly used, machine-readable format (Art. 20), where applicable;
- object to processing based on legitimate interest (Art. 21), including objection to product-quality surveys;
- withdraw consent at any time, where processing is based on consent (we do not currently rely on consent for processing — but if that changes, withdrawal will not affect the lawfulness of prior processing);
- lodge a complaint with the supervisory authority — in Poland: President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warszawa, https://uodo.gov.pl.
To exercise any of these rights, write to damianmarusarz@outlook.com from the e-mail associated with your account. We will respond without undue delay and no later than within one month of receiving the request, with a possible extension of up to two further months for complex requests (Art. 12(3) GDPR).
We may ask for additional information to confirm your identity before acting on a request, where we have reasonable doubts as to the identity of the requester (Art. 12(6) GDPR).
8. Automated decision-making and profiling
We do not make decisions based solely on automated processing that produce legal or similarly significant effects concerning you (Art. 22 GDPR).
9. Account deletion
You may delete your account at any time by sending an e-mail to damianmarusarz@outlook.com from the address associated with the account, with the subject line “Account deletion”.
After verification, your account and associated learning data will be deleted within 30 days. We may retain:
- minimal records necessary to demonstrate that the deletion took place,
- data needed for the establishment, exercise or defence of legal claims, for as long as the applicable limitation periods run,
- data we are obliged to retain by law,
- copies on encrypted backups, until those backups are rotated out (typically within 90 days), during which time the data is not actively used.
10. Security
We apply appropriate technical and organisational measures to protect your data, including:
- encryption in transit (HTTPS/TLS),
- encryption at rest at the database and storage level (provided by Supabase and Vercel),
- access controls and the principle of least privilege,
- separation of production data and non-production environments,
- regular updates of dependencies,
- audit logs of administrative access.
No system is completely secure. We cannot guarantee absolute security and accept no liability for incidents resulting from causes beyond our reasonable control (e.g. third-party breaches at our processors, force majeure).
11. Children
The Service is not intended for users under 16 years of age. We do not knowingly process personal data of children under 16. If you become aware that a child under 16 has provided us with personal data, please contact us so we can delete it.
12. Cookies and similar technologies
See our separate Cookie Notice for details. In short: we use only strictly necessary cookies required to operate authentication and the application session. We do not use analytics, advertising or tracking cookies, and therefore no cookie consent banner is required for the current scope of the Service.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to registered Users by e-mail and/or by an in-product notice at least 14 days in advance. The “Effective date” at the top reflects the latest version. Previous versions are kept on file and made available on request.
14. Contact
For any questions about this Privacy Policy or about how your personal data is processed: damianmarusarz@outlook.com.
Last updated: 11 May 2026