PRIVACY POLICY

Chojrak Development

Last updated: 15 March 2026

§ 1. General Provisions

This Privacy Policy defines the rules for the processing and protection of personal data provided by Users in connection with their use of services provided by Chojrak Development.

The controller of personal data is Chojrak Development Norbert Dudziak, registered at ul. Jana Pawła II 13/15, 75-452 Koszalin, Poland, VAT ID (NIP): 6692589548, REGON: 543475286 (hereinafter: "Controller").

The Controller takes particular care to protect the interests of data subjects, and in particular ensures that data collected by the Controller is: processed lawfully, fairly, and transparently; collected for specified, explicit, and legitimate purposes; adequate, relevant, and limited to what is necessary for the purposes for which it is processed; accurate and kept up to date where necessary; stored no longer than is necessary for the purposes for which it is processed; and processed in a manner that ensures appropriate security.

This Privacy Policy has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), the Polish Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws 2019, item 1781), and the Polish Telecommunications Act of 16 July 2004 insofar as it relates to cookies.

The Controller's services are not directed at persons under the age of 18. The Controller does not knowingly process personal data of minors. If the Controller determines that personal data has been provided by a person under the age of 18 without the consent of a legal guardian, that data will be deleted without undue delay. Exceptions may arise from separate privacy policies applicable to specific products or services of the Controller, which contain their own provisions in this regard.

§ 2. Controller Contact Details

The Controller can be contacted using the following details:

The Controller has not appointed a Data Protection Officer (DPO), as the applicable legislation does not impose such an obligation. All questions regarding the processing of personal data should be directed to the Controller at [email protected].

§ 3. Sources of Personal Data

The Controller processes exclusively personal data obtained directly from the data subjects — in particular data provided by Users and Clients through contact forms, when entering into agreements, during email or telephone correspondence, and through the service panels.

The Controller does not purchase ready-made databases of personal data from third parties and does not collect data through automated monitoring of social media activity.

The Controller may conduct local market research based on publicly available data (e.g. public registers, company websites, job listings) for the purpose of identifying potential business partners. This process is not automated and does not involve the mass collection of personal data. If, as a result of such research, the Controller obtains the personal data of a specific individual and initiates contact with them, that person will be informed of the source of their data and of their applicable rights at the time of first contact (Art. 14 GDPR).

§ 4. Scope and Purposes of Personal Data Processing

The Controller processes personal data for the following purposes and in the following scopes:

A. Server Logs and Technical Data

Each visit to the Controller's websites causes the servers to automatically record:

  • the IP address of the User's device;
  • the date and time of the request;
  • the URL of the requested resource;
  • the HTTP response code;
  • the browser type and version, and the operating system;
  • the referring page address (referrer), where applicable.

Purpose of processing: ensuring the security and stable operation of the websites, detecting anomalies and unauthorised access attempts, technical diagnostics.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the Controller — IT system security).

Retention period: server logs are retained for 30 days, after which they are permanently deleted, unless an established security incident creates a justified need for longer retention.

B. Analytical Data

The Controller uses the Umami Analytics tool in a self-hosted version (installed on the Controller's own server). Umami is configured in a privacy-friendly mode: it does not use fingerprinting, does not track Users across different websites, does not use advertising cookies, and the collected data is not shared with third parties.

Collected analytical data is aggregated and anonymised to the greatest extent possible.

Purpose of processing: analysing traffic to optimise the websites and improve service quality.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the Controller) or Art. 6(1)(a) GDPR (consent) — depending on the User's cookie settings.

Retention period: analytical data is retained for 24 months.

C. Website Use and Account Data

In connection with account registration in the clients.chojrak.dev or support.chojrak.dev panel, the Controller processes:

  • first name and last name;
  • email address;
  • phone number.

Purpose of processing: enabling access to the client panel, communicating with the Client, handling support requests.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract or taking steps prior to entering into a contract at the request of the data subject).

Retention period: for the duration of the relationship with the Client and up to 3 years after its termination, after which data is permanently deleted or anonymised.

D. Orders and Service Provision

In connection with concluding agreements and fulfilling orders, the Controller processes:

  • Identification data: first name, last name / company name, VAT ID (NIP), address;
  • Contact data: email address, phone number;
  • Accounting data: bank account number, invoicing details;
  • order content and correspondence related to service execution.

Purpose of processing: performance of the contract, accounting (inFakt Sp. z o.o.), archiving of accounting documents.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract), Art. 6(1)(c) GDPR (legal obligation — tax and accounting regulations).

Retention period: for the duration of the agreement and 5 years from the end of the financial year in which the agreement was performed (tax and accounting requirements).

E. Use of Other Services and Products

In connection with the use of software, games, and other products provided by Chojrak Development, the Controller may process additional personal data. Detailed information on data processing in respect of specific services and products is available in the relevant privacy policies supplied with those services.

F. Recording of Telephone Calls

The Controller informs Users that telephone calls may be recorded for the purposes of ensuring customer service quality, establishing, pursuing, or defending claims, and staff training.

Prior to recording, the caller will be informed by means of an automated message. Continuing the call constitutes consent to the recording.

The telephone service provider is Zadarma. Detailed information on data processing by Zadarma can be found in their privacy policy at: https://zadarma.com/en/legal/privacy-policy/

Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(f) GDPR (legitimate interest of the Controller — protection against claims).

Retention period: telephone call recordings are retained for up to 6 months from the date of recording. Upon expiry of this period, recordings are permanently and irreversibly deleted. An exception applies where a recording constitutes evidence in ongoing legal proceedings — in such cases it is retained until the proceedings are concluded by a final decision.

G. Marketing and Communications

Where consent has been given, the Controller may process the User's contact details (first name, email address) for the purpose of sending commercial information, newsletters, or marketing materials.

Legal basis: Art. 6(1)(a) GDPR (consent).

Retention period: until consent is withdrawn or an objection is raised, after which data is permanently deleted.

§ 5. Recipients of Personal Data

Personal data may be disclosed to the following recipients or categories of recipients:

inFakt — Accounting and Invoicing

inFakt Sp. z o.o., registered in Kraków, Poland, provides accounting services and issues invoices on behalf of the Controller. inFakt acts as a data processor under the GDPR, on the basis of a data processing agreement.

inFakt privacy policy: https://www.infakt.pl/polityka-prywatnosci/

Scope of data transferred: Client's identification and contact data, invoicing details (VAT ID/NIP, address, amounts).

OVH — Server and Email Service Provider

OVH SAS, registered in France, provides hosting services for the Controller's servers and email. OVH acts as a data processor under the GDPR, on the basis of a data processing agreement.

OVH privacy policy: https://www.ovhcloud.com/en/terms-and-conditions/privacy-policy/

Scope of data transferred: all data stored on servers and transmitted via email.

Zadarma — Telephone Service Provider

Zadarma provides telephone services for the Controller, including call recording.

Zadarma privacy policy: https://zadarma.com/en/legal/privacy-policy/

Scope of data transferred: phone number, call recordings, call metadata.

Other Parties

Data may also be disclosed to:

  • public authorities (courts, law enforcement, the Tax Office, the Social Insurance Institution/ZUS) — on the basis of applicable law or enforceable legal orders;
  • IT service providers — to the extent necessary for service provision, on the basis of data processing agreements.

The Controller does not sell personal data to third parties.

§ 6. Transfer of Data to Third Countries

As a general rule, the Controller does not transfer personal data to third countries (outside the European Economic Area — EEA).

Where data must be transferred outside the EEA (e.g. due to technology used by a subcontractor), such transfers are made exclusively on the basis of an adequacy decision by the European Commission, standard contractual clauses approved by the European Commission, or other safeguards provided for by the GDPR.

Upon request, the Controller will provide information about the safeguards applied.

§ 7. Rights of Data Subjects

Data subjects have the following rights under the GDPR:

  • Right of access (Art. 15 GDPR) — the right to obtain confirmation as to whether the Controller is processing personal data and, if so, to receive a copy of that data along with information about the purposes and legal bases for processing;
  • Right to rectification (Art. 16 GDPR) — the right to request correction of inaccurate or completion of incomplete data;
  • Right to erasure — "right to be forgotten" (Art. 17 GDPR) — the right to request deletion of data when it is no longer necessary for the purposes for which it was collected, or when consent has been withdrawn;
  • Right to restriction of processing (Art. 18 GDPR) — the right to request restriction of processing in cases defined by the GDPR;
  • Right to data portability (Art. 20 GDPR) — the right to receive data in a structured, commonly used, machine-readable format, and the right to transmit it to another controller;
  • Right to object (Art. 21 GDPR) — the right to object to processing of data on the basis of the Controller's legitimate interest, including profiling; following an objection, the Controller shall cease processing unless it demonstrates compelling legitimate grounds;
  • Right to withdraw consent — where processing is based on consent, the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal;
  • Right to lodge a complaint with a supervisory authority — the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland; website: https://uodo.gov.pl.

To exercise any of the above rights, please contact the Controller at [email protected]. The Controller shall respond without undue delay and no later than one month from receipt of the request. Where necessary, this deadline may be extended by a further two months, in which case the Controller will inform the data subject accordingly.

§ 8. Data Security

The Controller implements appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved and the categories of data being processed, in accordance with Art. 32 GDPR. In particular, the Controller:

  • uses data transmission encryption (HTTPS/TLS protocol);
  • implements access controls based on the principle of least privilege;
  • performs regular encrypted data backups;
  • uses firewalls and security monitoring systems;
  • conducts regular security reviews.

In the event of a personal data breach, the Controller shall notify the supervisory authority (UODO) within 72 hours, and if the breach is likely to result in a high risk to the rights and freedoms of individuals, shall also notify those individuals without undue delay (Art. 33–34 GDPR).

§ 9. Additional Information

Providing personal data is voluntary but necessary for: concluding and performing a contract; using the full functionality of the websites; and contacting the Controller. Failure to provide data required for concluding a contract makes it impossible to do so.

Personal data is not processed in an automated manner for the purpose of making decisions that produce legal effects or similarly significantly affect the data subject (Art. 22 GDPR). The Controller does not use profiling within the meaning of Art. 4(4) GDPR for the purposes of automated decision-making.

§ 10. Cookies

The Controller's websites use cookies — small text files stored on the User's end device.

Types of Cookies

The Controller uses the following types of cookies:

  • Strictly necessary cookies (session cookies) — essential for the proper functioning of the website, including maintaining the session of logged-in Users; these do not require the User's consent;
  • Analytical cookies — collected by self-hosted Umami Analytics for the purpose of analysing website traffic; data is not shared with third parties, no fingerprinting or cross-site tracking is used.

The Controller does not use advertising cookies or third-party cookies for marketing purposes.

Legal Basis

  • Strictly necessary cookies — legitimate interest of the Controller (Art. 6(1)(f) GDPR) and Art. 173(3)(2) of the Polish Telecommunications Act.
  • Analytical cookies — User's consent (Art. 6(1)(a) GDPR and Art. 173(1) of the Polish Telecommunications Act), expressed by accepting the cookie banner on the first visit to the website.

Managing Cookies

The User may change their cookie settings in their web browser at any time (e.g. block cookies from being stored or delete existing ones). Disabling strictly necessary cookies may impair some website features, in particular preventing login to the client panel.

Retention Period

Analytical cookies are retained for up to 24 months from the date they are stored, or until consent is withdrawn.

§ 11. Changes to the Privacy Policy

The Controller reserves the right to amend this Privacy Policy — in particular in connection with changes in legislation, guidelines from supervisory authorities, or the introduction of new services.

The current version of the Privacy Policy is always available on the Controller's website at: https://chojrak.dev/privacy

Users will be informed of material changes to the Privacy Policy via email or a notice on the website at least 14 days in advance.

Changes take effect on the date of publication, unless the Controller specifies a different effective date.

Chojrak Development Norbert Dudziak
ul. Jana Pawła II 13/15, 75-452 Koszalin, Poland
NIP: 6692589548 | REGON: 543475286
[email protected] | [email protected]
Phone: +48 459 567 070
https://chojrak.dev