Privacy Policy
Version 1.0 | Last updated: April 2026
This Privacy Policy describes the rules for processing personal data in connection with the use of the buddypilot website, contact via the contact form, and the provision of website maintenance services.
01. Data Controller
The data controller for your personal data is buddypilot, i.e. Dominik Kawula conducting business activity registered under NIP: 8732876718, ul. Chmieleniec 12/48, 30-348 Kraków, contact email hello@buddypilot.pl.
For all matters related to personal data protection, you can contact us directly at the above email address. The GDPR controller obligations are fulfilled directly by the business owner.
02. What Data We Collect and Why
We process personal data only to the extent necessary for a specific purpose. The table below describes individual processing categories.
| Data Category | Processing Purpose | Legal Basis |
|---|---|---|
| First name, email address, message content (contact form) | Responding to inquiries, establishing cooperation | Art. 6(1)(f) GDPR |
| Data provided in email correspondence | Business relationship management | Art. 6(1)(b) and (f) GDPR |
| First name, last name, email address, billing address, VAT number, email, phone (buddypilot Hub account) | Creating and maintaining an account, performing the service agreement | Art. 6(1)(b) GDPR |
| Client's hosting access data (all provided access, API keys, technical credentials) | Providing maintenance services: management, updates, backups, support | Art. 6(1)(b) GDPR |
| Billing and payment data | Issuing invoices, processing payments, managing receivables | Art. 6(1)(b) and (c) GDPR |
| Technical logs: IP address, user-agent, access time | Website security, error diagnostics, protection against abuse | Art. 6(1)(f) GDPR |
| Email address (operational communication with Clients) | Customer service, notifications regarding the agreement and services | Art. 6(1)(b) GDPR |
| Analytics data collected by Google Analytics 4 (cookie identifier, anonymized IP address, on-site behavior) | Website traffic analysis, improving service quality | Art. 6(1)(a) GDPR |
03. buddypilot as a Data Processor
When providing website maintenance services for Clients, buddypilot acts as a data processor within the meaning of Art. 28 GDPR. The Client is the data controller for personal data of their website users: visitors, shop customers, comment authors, and other individuals whose data is processed by the client's website.
In this model:
- The Client (Controller) decides on the purposes and methods of data processing on their website,
- buddypilot (Processor) has access to data only to the extent necessary to perform the contract: maintenance, updates, monitoring, backups, technical support,
- buddypilot does not use the entrusted data for its own marketing or analytical purposes.
The detailed rules for data processing entrustment (including the catalogue of entrusted data, obligations of the parties, sub-processors, data breach procedures, and audit rules) are described in a separate document: Data Processing Agreement (DPA), which forms an integral part of every buddypilot service agreement.
04. Data Retention
| Data Category | Retention Period |
|---|---|
| Contact form data and email correspondence | Until an effective objection is filed |
| buddypilot Hub account data | As per the Terms of Cooperation |
| Billing data and invoices | 5 years from the end of the calendar year in which the tax obligation arose, in accordance with the Accounting Act |
| Technical logs (IP, user-agent) | Until an effective objection is filed |
| Analytics data (Google Analytics 4) | 14 months (retention period configured in GA4) |
| Data entrusted by clients (processor role) | As per the Data Processing Agreement (DPA) |
05. Data Recipients
Your data may be shared only with entities providing services on our behalf, based on data processing agreements in accordance with Art. 28 GDPR. We do not sell or share personal data with third parties for marketing purposes.
| Entity | Role | Location |
|---|---|---|
| Smarthost sp. z o.o. | Website hosting | Poland (EU) |
| Cyberfolks sp. z o.o. | Infrastructure hosting | Poland (EU) |
| Amazon Web Services EMEA SARL | Storage of service data and client backups (Amazon S3, servers in EEA) | Luxembourg (EU) |
| Google LLC | Client email correspondence, website traffic analytics, only with user consent | USA (transfer based on SCC, see section 6) |
| Payment operator | Subscription payment processing | Poland (EU) |
06. Data Transfers Outside the European Economic Area (EEA)
Most of our providers are based in Poland or the EU and do not involve data transfers outside the EEA. The exception is Google LLC, based in the USA. Data transfers are based on Standard Contractual Clauses of the European Commission (SCC) adopted by decision of 4 June 2021, ensuring an adequate level of protection in accordance with Art. 46(2)(c) GDPR. More information about Google's data protection rules can be found at: policies.google.com/privacy.
07. Cookies and Analytical Tools
The website uses cookies in the following categories:
| Category | Name / provider | Purpose | Validity | Requires consent |
|---|---|---|---|---|
| Necessary | wordpress_*, wp-settings-* (WordPress) | Session management, admin panel, contact form | Session / up to 1 year | No |
| Analytics | _ga, _ga_*, _gid (Google Analytics 4) | Traffic analysis: number of visits, traffic sources, user behavior | _ga: 2 years; _gid: 24h | Yes |
Google Analytics 4 analytical cookies are set only after the user has given consent. You can withdraw your consent at any time by changing your consent settings or browser settings.
Google Analytics 4 is configured with IP address anonymization. The collected data is transferred to Google LLC (USA) based on SCC (details in section 6).
08. Profiling and Automated Decision-Making
We do not use profiling or automated decision-making within the meaning of Art. 22 GDPR. No decision producing legal effects or similarly significantly affecting you is made solely by automated means. Data collected by Google Analytics 4 is used solely to create aggregated statistics, not to profile individual users on our part.
09. Your Rights
If we process your data based on legitimate interest (Art. 6(1)(f) GDPR), you have the right to object at any time – simply send us a message at hello@buddypilot.pl.
Under GDPR, you have the following rights:
- Access (Art. 15 GDPR): the right to obtain confirmation of whether we process your data, and to receive a copy of it along with information about the purposes and legal bases for processing.
- Rectification (Art. 16 GDPR): the right to correct inaccurate or complete incomplete data.
- Erasure (Art. 17 GDPR): the right to request deletion of data ('right to be forgotten') when there is no legal basis for further processing.
- Restriction of processing (Art. 18 GDPR): the right to request suspension of certain processing operations, e.g. pending verification of data accuracy.
- Data portability (Art. 20 GDPR): the right to receive data in a structured, commonly used, machine-readable format (applies to processing based on consent or contract, carried out by automated means).
- Objection (Art. 21 GDPR): the right to object to processing based on legitimate interest (Art. 6(1)(f) GDPR).
- Withdrawal of consent: if processing is based on consent (e.g. analytics cookies), you have the right to withdraw it at any time, without affecting the lawfulness of processing before withdrawal.
How to exercise your rights? Send a message to hello@buddypilot.pl. We will respond without undue delay, no later than 30 days from receipt of the request (Art. 12(3) GDPR). In exceptional cases, the deadline may be extended by a further 60 days; we will inform you of any such extension with reasons.
Right to lodge a complaint: If you believe that the processing of your data violates GDPR, you have the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.
10. External Links
The website may contain links to external websites. We are not responsible for the privacy policies applied by the owners of those websites. We recommend reviewing the privacy policy of each external website you visit.
11. Changes to the Privacy Policy
The policy is regularly reviewed and updated.
Version 1.0 | Last updated: April 2026