Privacy Policy

Personal data processing principles by Coding Szymon Krasnodębski

Last updated: 09.11.2025

1. General Provisions

1.1. This Privacy Policy defines the principles of personal data processing by Coding Szymon Krasnodębski, Tax ID: 6511742705, REGON: 523184819.

1.2. The Administrator of personal data is Szymon Krasnodębski conducting business activity under the name Coding Szymon Krasnodębski, hereinafter referred to as the "Administrator".

1.3. The Privacy Policy has been developed in accordance with:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR)
  • Personal Data Protection Act of May 10, 2018
  • Electronic Services Act of July 18, 2002

1.4. Administrator's contact information:

  • Email: ok@codessa.pl
  • Website: codessa.pl

2. Scope of Personal Data Processing

2.1. The Administrator processes personal data for the following purposes:

2.1.1. Contact Form

  • Data scope: first name, last name, email, phone (optional), company name (optional), message content
  • Purpose: handling inquiries, communication with clients
  • Legal basis: Art. 6(1)(a) GDPR (consent) or Art. 6(1)(f) GDPR (legitimate interest)
  • Retention period: until consent is withdrawn or the matter is closed

2.1.2. Service and Project Provision

  • Data scope: first name, last name, company name, Tax ID, REGON, address, email, phone
  • Purpose: contract conclusion and performance, invoice issuance
  • Legal basis: Art. 6(1)(b) GDPR (contract performance)
  • Retention period: for the duration of contract performance and time required by law (minimum 5 years for tax purposes)

2.1.3. Newsletter and Marketing

  • Data scope: email, first name (optional)
  • Purpose: newsletter delivery, service information, special offers
  • Legal basis: Art. 6(1)(a) GDPR (consent)
  • Retention period: until consent is withdrawn or objection is expressed

2.1.4. Codessa AI Assistant

The website uses Codessa AI Assistant - an artificial intelligence (AI) based chatbot. Codessa AI Assistant is available in the bottom right corner of the screen as a chat bubble. After clicking the bubble, a chat window opens in which the user must accept the Terms and Conditions and this Privacy Policy before starting a conversation with the assistant.

  • Data scope: conversation content, email (optional, if provided)
  • Purpose: answering questions, customer service
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
  • Retention period: conversations stored for up to 30 days

2.1.5. Cookies and Analytics

  • Data scope: IP address, browser type, operating system, visit time, visited pages, device identifiers
  • Purpose: traffic analysis, website optimization, statistics, content personalization
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest) or consent (marketing cookies)
  • Tools: Google Analytics 4, Google Tag Manager, Google Consent Mode v2
  • Cookie types: essential, functional, analytical, marketing

2.1.6. Applications That Do Not Collect Personal Data

Some of our Services, in particular theme extensions (Theme App Extensions) and applications operating solely on the client's browser side, do not collect, store or transmit any personal data to our servers.

Examples of applications without data collection:

  • Theme App Extensions operating solely in the user's browser
  • Applications operating fully on the client side
  • Applications that do not communicate with external servers to store information

Such applications function solely within the e-commerce platform theme (e.g., Shopify, Shoper) in the user's browser and do not process any personal data. For such applications, there is no need to process personal data in accordance with GDPR, as data is not collected or processed.

2.1.7. Applications That Collect Personal Data

For the purpose of providing other Services, in particular SaaS applications and applications requiring integration with the Platform API, we may process data retrieved from the Platform API or data entered by the user.

Scope of data processed by data-collecting applications:

  • Store customer data (first name, last name, email address, delivery address, phone number)
  • Order data (order number, products, values, statuses)
  • Product data (names, descriptions, prices, availability)
  • Transaction and payment data (to the extent required for service provision)
  • Application configuration data entered by the user
  • Login and authorization data (access tokens, API keys)

Processing purpose: providing SaaS services, application functionality implementation, integration with external systems, order and transaction handling, business process automation.

Legal basis: Art. 6(1)(b) GDPR (service contract performance) and Art. 6(1)(f) GDPR (Administrator's legitimate interest).

Retention period: data is stored for the duration of service provision and time required by law (minimum 5 years for tax purposes). After service termination, data may be stored for up to 30 days for service restoration purposes, then deleted.

Data recipients: data may be transferred to hosting service providers, e-commerce platform API service providers and other entities listed in section 3 of this Privacy Policy.

3. Personal Data Recipients

3.1. Personal data may be transferred to the following categories of recipients:

  • IT service providers: hosting (Google Cloud Platform, Vercel), email (Gmail, Google Workspace), project management tools
  • Payment service providers: payment operators, banks
  • Accounting service providers: accounting office
  • Analytics service providers: Google Analytics 4, Google Tag Manager
  • AI service providers: OpenAI (ChatGPT), Google (Gemini) - when using the assistant

3.2. All recipients process data on the basis of data processing agreements in accordance with GDPR.

3.3. Data is not transferred to third countries outside the European Economic Area (EEA), except when service use requires such transfer.

3.3.1. Data Transfer to the United States

For the following services, data may be transferred to the USA:

  • Google Analytics 4 and Google Tag Manager: analytical data processed by Google LLC based in the USA
  • Google Cloud Platform: data hosted on Google servers in the USA
  • OpenAI (ChatGPT): assistant conversation content processed by OpenAI Inc. in the USA
  • Google Gemini AI: AI queries processed by Google LLC in the USA

All transfers are made with appropriate legal safeguards in accordance with GDPR, including standard contractual clauses approved by the European Commission and the Adequacy Decision for Google LLC.

4. Rights of Data Subjects

4.1. The following rights are available to persons whose data is processed:

4.1.1. Right of Access to Data

Right to obtain confirmation whether the Administrator processes personal data and right of access to such data and information about processing (Art. 15 GDPR).

4.1.2. Right to Rectification of Data

Right to request immediate rectification of inaccurate personal data or completion of incomplete personal data (Art. 16 GDPR).

4.1.3. Right to Erasure of Data ("Right to be Forgotten")

Right to request immediate erasure of personal data if one of the circumstances provided for in Art. 17 GDPR occurs (e.g., data is no longer necessary for the purposes for which it was collected).

4.1.4. Right to Restriction of Processing

Right to request restriction of data processing in cases specified in Art. 18 GDPR (e.g., when a person contests data accuracy).

4.1.5. Right to Data Portability

Right to receive personal data in a structured, commonly used, machine-readable format and to transmit it to another administrator (Art. 20 GDPR).

4.1.6. Right to Objection

Right to object to processing of personal data based on the Administrator's legitimate interest, including profiling (Art. 21 GDPR).

4.1.7. Right to Withdraw Consent

When processing is based on consent, the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before its withdrawal.

4.1.8. Right to Lodge a Complaint

Right to lodge a complaint with the supervisory authority (President of the Personal Data Protection Office) if a person considers that processing of their data violates GDPR provisions.

4.2. To exercise your rights, please contact the Administrator via email: ok@codessa.pl

4.3. The Administrator responds to requests within 30 days of receipt.

5. Personal Data Security

5.1. The Administrator applies appropriate technical and organizational measures ensuring protection of processed personal data:

5.1.1. Technical Measures

  • SSL/TLS connection encryption (HTTPS)
  • Data encryption in databases
  • Regular backups
  • Protection against attacks (firewall, DDoS protection)
  • System and software updates
  • Security event monitoring and logging

5.1.2. Organizational Measures

  • Limiting access to personal data (need-to-know principle)
  • Data processing agreements with processing entities
  • Data breach reporting procedures
  • Regular security reviews

5.2. In case of personal data breach, the Administrator will take appropriate actions, including notification of the supervisory authority and data subjects (if required).

6. Cookies

6.1. The website uses cookies (small text files saved on the user's device).

  • Essential cookies: required for proper website operation (sessions, security, consents) - no consent required
  • Functional cookies: remember user preferences, assistant settings - consent required
  • Analytical cookies: used for traffic analysis and statistics (Google Analytics 4, Google Tag Manager) - consent required
  • Marketing cookies: used for ad personalization and remarketing - consent required
  • External cookies: from external providers (Google, OpenAI) - consent required

The user can at any time:

  • Change cookie settings in their browser
  • Delete saved cookie files
  • Withdraw consent to cookies through website settings
  • Manage consents for individual cookie categories

Instructions for cookie management are available in browser settings. Limiting cookie use may affect some website functionalities.

The website uses Google Consent Mode v2 for cookie consent management. This allows for:

  • Respecting user choices regarding cookies
  • Controlling analytics tools operation according to consents
  • Maintaining website functionality with limited consents
  • Compliance with GDPR and ePrivacy Directive requirements

7. Privacy Policy Changes

7.1. The Administrator reserves the right to make changes to the Privacy Policy.

7.2. Users will be informed of any changes through publication of the updated Privacy Policy version on the website.

7.3. In case of significant changes affecting personal data processing methods, the Administrator will also inform users via email (if email address is available).

8. Contact Regarding Data Protection

For questions regarding personal data processing or exercise of rights, please contact:

Coding Szymon Krasnodębski
Tax ID: 6511742705
REGON: 523184819

Email: ok@codessa.pl
Website: codessa.pl
