3.1. Platform User Data

During registration and use of the Platform, we collect:

• Identification data: first name, last name, email address
• Company data: company name, tax ID, address
• Login data: password (in encrypted form), session tokens
• Technical data: IP address, browser data, operating system
• Subscription and payment data

3.2. Data from Connected E-commerce Platforms

From e-commerce systems (WooCommerce, Magento, Shoper, Shopify, IdoSell, RedCart, PrestaShop, SkyShop):

• Transaction data: order number, date, status, order value
• Product data: product ID, name, price, category, stock status, variants
• Aggregated statistical data about customers (number of new/returning customers)
• Information about payment and delivery methods (without authentication data)
• Discount coupon codes and promotional information

From Allegro platform:

• Listing and product data
• Transaction and order data
• Data on costs, fees, commissions, and bonuses
• Category and pricing information

3.3. Data from Advertising Platforms

Google Ads:

• Campaign statistics: impressions, clicks, conversions
• Advertising costs and campaign performance data
• Search phrases and ad group data

A detailed description of data originating from Google services is provided in Section 4 (Google User Data).

Meta Ads (Facebook, Instagram):

• Advertising campaign statistics
• Engagement and reach data
• Costs and conversion results

TikTok Ads:

• Advertising campaign data
• View and engagement statistics
• Cost and conversion information

Criteo and Tradetracker:

• Affiliate commission data
• Remarketing campaign statistics

3.4. Data from Google Analytics

• User session data (aggregated, anonymous)
• E-commerce events
• Navigation paths and traffic sources

A full description of data originating from Google services is provided in Section 4 (Google User Data).

3.5. Data NOT Collected by the Platform

All data concerning end customers is presented only in aggregated and anonymous form (e.g., “number of new customers: 150”, “average order value: 250 PLN”).

4.1. What Google User Data We Access

After you grant authorization (OAuth 2.0), we access read-only the following data from your Google accounts:

• Google Ads: campaign statistics (impressions, clicks, conversions), advertising costs, search terms, ad group and campaign performance data
• Google Analytics (GA4): aggregated session data, e-commerce events, traffic sources and navigation paths
• Google Merchant Center: product feed data, offer approval status, visibility, and price competitiveness
• Google Search Console: search performance data (queries, pages, clicks, impressions)

4.2. How We Use Google User Data

We use Google user data solely to provide and improve the user-facing features of the Platform — i.e., the aggregation, analysis, and visualization of marketing and sales results on your analytical dashboards within DataOrganizer.

4.3. With Whom We Share, Transfer, or Disclose Google User Data

Google user data may only be shared with the following categories of recipients:

• Data processors (sub-processors) necessary to provide the Service — in particular the cloud infrastructure provider Google Cloud Platform, on which the Platform is hosted — acting solely on our documented instructions under data processing agreements pursuant to Article 28 GDPR.
• AI service providers: our AI-powered analytical features are provided using Anthropic (Claude) as a sub-processor, accessed via the Anthropic API. Data sent to this provider — which may include data obtained from Google services — is not used to train AI models.
• State authorities, only where strictly required by applicable law or a valid legal request (e.g., law enforcement agencies).
• Authorized employees within our organization, on a limited “need to know” basis, bound by confidentiality obligations.

4.4. Compliance with the Google API Services User Data Policy (Limited Use)

4.5. Minimum Scope of Access (Minimum OAuth Scopes)

We request only the minimum OAuth scopes necessary to enable the Platform’s features, and only in read-only mode. We do not request access to data or permissions beyond what is necessary to aggregate and analyze marketing and sales data. We do not request scopes for features that are not yet implemented.

4.6. Protection of Google User Data

Google user data is subject to the same security measures described in Section 9 — including encryption in transit (TLS 1.3) and at rest (AES-256), access controls, and monitoring. OAuth access tokens are stored in encrypted form.

4.7. Retention and Deletion of Google User Data

• We store Google user data only for the duration of the active integration.
• Upon disconnecting the integration (revoking authorization) or upon your request, data is automatically deleted within 30 days; backups within 90 days.
• You may revoke authorization at any time in your DataOrganizer account settings or via your Google account permissions page: myaccount.google.com/permissions.

4.8. Google Workspace Add-on (Google Apps Script)

The DataOrganizer add-on for Google Workspace is built on Google Apps Script and uses the following scopes:

• script.scriptapp – allows the add-on to act on your behalf, including creating and managing triggers (e.g., automatic, scheduled data refresh);
• script.container.ui – allows the add-on to display its interface (sidebar, dialogs) inside the Google application;
• script.external_request – allows the add-on to connect to the external DataOrganizer API in order to retrieve your analytics data and make it available within the add-on.

The add-on does not read your other Google files or documents beyond what is necessary to provide the features described above.

5.1. Providing Analytical Service

Purpose: Aggregation, analysis, and visualization of e-commerce data to enable users to monitor business results.

Legal basis:

• Article 6(1)(b) GDPR – performance of contract (provision of DataOrganizer service)
• Article 6(1)(f) GDPR – legitimate interest consisting of ensuring Platform functionality

5.2. User Account Management

Purpose: Creating and managing user account, authentication, communication.

Legal basis: Article 6(1)(b) GDPR – performance of contract.

5.3. Billing and Payments

Purpose: Subscription handling, invoicing, payment processing.

Legal basis:

• Article 6(1)(b) GDPR – performance of contract
• Article 6(1)(c) GDPR – legal obligation (tax and accounting regulations)

5.4. Technical Support

Purpose: Providing technical assistance, problem-solving, communication with users.

Legal basis: Article 6(1)(b) and 6(1)(f) GDPR.

5.5. Security and Fraud Detection

Purpose: Ensuring Platform security, detecting and preventing abuse, protection against unauthorized access.

Legal basis: Article 6(1)(f) GDPR – legitimate interest (system security).

5.6. Service Analysis and Improvement

Purpose: Analyzing Platform usage, functionality development, performance optimization.

Legal basis: Article 6(1)(f) GDPR – legitimate interest (service development and improvement).

5.7. Marketing (with Your Consent)

Purpose: Sending newsletters, information about new features, promotional offers.

Legal basis: Article 6(1)(a) GDPR – voluntary consent (which can be withdrawn at any time).

Marketing is conducted only on the basis of Platform users’ contact data. We do not use Google user data for marketing activities (see Section 4.2).

6.1. Platform User Data

Duration of contract: Data is stored throughout the entire period of Platform use.

After contract termination:

• Data necessary for billing: 5 years (in accordance with tax regulations)
• Support communication data: 3 years
• Other data: 30 days from account deactivation (period for possible restoration)

6.2. Data from Connected Platforms

• During active integration: data synchronized and stored on an ongoing basis
• After disconnecting integration: data automatically deleted within 30 days
• User may request immediate data deletion
• Backups: automatically deleted after 90 days from backup creation

Detailed retention and deletion rules for Google user data are described in Section 4.7.

6.3. Analytical Data (Anonymized)

Aggregated, anonymized statistics may be stored for up to 7 years for analytical purposes and Platform improvement.

7.1. Main Infrastructure

Google Cloud Platform (GCP) – Europe Region:

• Data stored in BigQuery (region: europe-central2, Warsaw or europe-west1, Belgium)
• Application servers: European GCP region
• Backups: European GCP region

7.2. GDPR Compliance

All main data is stored within the European Union in infrastructure providing the highest security standards in accordance with certifications: ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 2/SOC 3.

7.3. Data Transfer Outside EEA

To a limited extent, data may be transferred to the United States via Google Cloud Platform based on Standard Contractual Clauses approved by the European Commission and the Data Privacy Framework.

List of countries with adequacy decision: commission.europa.eu

8.1. Data Processors

• Cloud infrastructure providers: Google Cloud Platform (data storage, hosting)
• AI service providers: Anthropic (Claude) — for AI-powered analytical features; data sent to this provider is not used to train models
• Technical service providers: CDN and security, backup and data recovery
• Payment service providers: payment operators (to the extent necessary for subscription handling)
• Communication service providers: email providers, helpdesk systems

8.2. Entities Authorized by Law

Data may be disclosed to state authorities when required by law (e.g., tax authorities, law enforcement agencies).

8.3. No Sale and No Transfer for Advertising Purposes

8.4. Data Sources

8.5. Data Processing Agreements

We enter into data processing agreements with all entities processing data on our behalf in accordance with Article 28 GDPR.

9.1. Technical Measures

Encryption:

• Data transmission: TLS 1.3
• Data storage: AES-256
• User passwords: bcrypt (we do not store passwords in plain text)
• OAuth access tokens: stored in encrypted form

Access control:

• Two-factor authentication (2FA) available for users
• Principle of least privilege for employees
• Access logs and activity audit

Infrastructure security:

• Web Application Firewall (WAF)
• 24/7 security monitoring
• Regular penetration testing
• Automatic backups (every 6 hours)

9.2. Organizational Measures

• Information security policy
• Regular employee training on data protection
• Incident response procedures
• Limited access to personal data (on a “need to know” basis)
• Confidentiality agreements with employees

9.3. Certifications and Audits

Our infrastructure is based on Google Cloud Platform holding certificates: ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 2 Type II.

10.1. Right of Access (Article 15 GDPR)

• Confirmation of whether we process your personal data
• Copy of processed personal data
• Information about processing purposes, data categories, recipients

How to exercise: contact@dataorganizer.io

10.2. Right to Rectification (Article 16 GDPR)

You may request correction of inaccurate or completion of incomplete data directly in account settings on the Platform or by contacting contact@dataorganizer.io.

10.3. Right to Erasure – “Right to be Forgotten” (Article 17 GDPR)

You may request deletion of personal data when: data is no longer necessary for the purposes collected, you have withdrawn consent, you have objected to processing, or data is processed unlawfully.

Limitations: We may refuse deletion when processing is necessary to establish, exercise, or defend legal claims.

10.4. Right to Restriction of Processing (Article 18 GDPR)

You may request restriction of data processing in certain situations (e.g., during verification of data accuracy).

10.5. Right to Data Portability (Article 20 GDPR)

You have the right to receive your data in a structured, commonly used format through the export function on the Platform.

10.6. Right to Object (Article 21 GDPR)

You may object to data processing for reasons related to your particular situation (when based on legitimate interest) or to processing for direct marketing purposes (at any time, unconditionally).

10.7. Right to Withdraw Consent (Article 7(3) GDPR)

If processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. You may revoke authorization to access Google services in your DataOrganizer account settings or at myaccount.google.com/permissions.

10.8. Right to Lodge a Complaint (Article 77 GDPR)

10.9. Exercise of Rights

Response time: Within 30 days of receiving the request (possible extension by another 60 days with notification). Exercise of rights is as a rule free of charge.

11.1. What Are Cookies?

Cookies are small text files sent by a server and stored on the user’s device, enabling browser recognition during subsequent visits.

11.2. What Cookies Do We Use?

Essential cookies (do not require consent):

• Authentication and session management
• Security (CSRF protection)
• Basic Platform functionality

Statistical cookies (require consent):

• Google Analytics (traffic measurement, usage statistics)
• Platform performance analysis

Preference cookies (require consent):

• Remembering user settings
• Interface language, display preferences

Marketing cookies (require consent):

• Conversion tracking from advertising campaigns
• Remarketing, marketing content personalization

11.3. Legal Basis

• Essential cookies: Article 6(1)(f) GDPR (legitimate interest)
• Other cookies: Article 6(1)(a) GDPR (user consent)

11.4. Cookie Management

Upon entering the site, a consent panel is displayed where you can accept all cookies, reject all (except essential), or customize settings for individual categories. You can change preferences at any time by clicking the icon in the bottom left corner of the page.

11.5. Storage Time

• Session cookies: until browser is closed
• Persistent cookies: according to expiration date (maximum 24 months)

13.1. Shopify Integration

Scope: Order data (value, status, date), product data (ID, name, price, variants, categories), aggregated customer statistics (without end customer personal data).

Authorization: OAuth 2.0 by store owner. Data deletion: within 30 days after app uninstallation or upon request. Compliance: Shopify API Terms of Service and GDPR Requirements.

13.2. WooCommerce Integration

Transaction and product data via WooCommerce REST API. Authorization: API keys generated in the WooCommerce panel by the store owner.

13.3. Google Ads, Google Analytics, Google Merchant Center, and Google Search Console Integration

Advertising campaign data, traffic statistics (aggregated, anonymous), product feed data, and search performance. Authorization: OAuth 2.0 in read-only mode. Compliant with Google Ads API Terms, Google Analytics Terms of Service, and the Google API Services User Data Policy (including Limited Use). See Section 4 for full details.

13.4. Meta Ads Integration

Facebook and Instagram campaign statistics. Authorization: Facebook Business Manager OAuth. Compliant with Meta Platform Terms and Business Tools Terms.

13.5. Other Integrations

Similar principles apply to integrations with: Magento, Shoper, IdoSell, RedCart, PrestaShop, SkyShop, Allegro, TikTok Ads, Criteo, Tradetracker.

14.1. California Residents’ Rights (CCPA)

• Right to information about collected data
• Right to deletion of data
• Right to opt-out of data “sale” (we do not sell data)
• Right to non-discrimination

Contact: contact@dataorganizer.io with subject “CCPA Request”

14.2. UK Residents’ Rights (UK GDPR)

We apply data protection standards compliant with UK GDPR. Supervisory authority: Information Commissioner’s Office (ICO), ico.org.uk.

16.1. Updates

We reserve the right to update this Privacy Policy to reflect changes in legal regulations, Platform functionality, or data processing practices. We will notify users in advance of any change to how we use Google user data.

16.2. Notifications

We will inform about significant changes via email notification (with 30 days’ notice), communication in the Platform, and an updated “Last updated” date at the top of the document.

16.3. Acceptance of Changes

Continued use of the Platform after changes are introduced means acceptance of the updated Policy. In case of significant changes, we may require renewed consent.

18.1. Language

The Privacy Policy is available in Polish and English. In case of discrepancies, the Polish version is binding.

18.2. Applicable Law

This Policy and all matters related to it are governed by Polish law.

18.3. Severability

If any provision of the Policy is deemed invalid or unenforceable, the remaining provisions remain in full force.

18.4. Related Documents

This Privacy Policy should be read in conjunction with:

• DataOrganizer Platform Terms and Conditions
• Terms of Service