Privacy Policy

1. Information About the Administrator

This Privacy Policy was created by:
DATADIARY prosta spółka akcyjna
Headquarters: ul. Jana Henryka Dąbrowskiego 77A, 60-529 Poznań, Poland
KRS: 0001017418
NIP: 9721336108
REGON: 524423433
Share capital: 1,000 PLN
Contact: contact@dataorganizer.io
(hereinafter “DATADIARY”, “Administrator”, “we”, “us” or “our”).

The Policy applies to the DataOrganizer platform available at dataorganizer.io (hereinafter collectively “Platform” or “Service”).

2. Scope of the Policy

This Privacy Policy explains:

  • What personal data we collect and process
  • For what purpose and on what legal basis
  • How long we store data
  • Who has access to the data
  • What rights you have

The Policy applies to all Platform users, including e-commerce business owners, administrators, and end users.

3. What Data We Collect

3.1. Platform User Data

During registration and use of the Platform, we collect:

  • Identification data: first name, last name, email address
  • Company data: company name, tax ID, address
  • Login data: password (in encrypted form), session tokens
  • Technical data: IP address, browser data, operating system
  • Subscription and payment data

3.2. Data from Connected E-commerce Platforms

After connecting your online store to the Platform, we collect the following data categories:

From e-commerce systems (WooCommerce, Magento, Shoper, Shopify, IdoSell, RedCart, PrestaShop, SkyShop):

  • Transaction data: order number, order date, order status, order value
  • Product data: product ID, name, price, category, stock status, variants
  • Aggregated statistical data about customers (number of new/returning customers)
  • Information about payment and delivery methods (without authentication data)
  • Discount coupon codes and promotional information

From Allegro platform:

  • Listing and product data
  • Transaction and order data
  • Data on costs, fees, commissions, and bonuses
  • Category and pricing information

3.3. Data from Advertising Platforms

Google Ads:

  • Campaign statistics: impressions, clicks, conversions
  • Advertising costs and campaign performance data
  • Search phrases and ad group data

Meta Ads (Facebook, Instagram):

  • Advertising campaign statistics
  • Engagement and reach data
  • Costs and conversion results

TikTok Ads:

  • Advertising campaign data
  • View and engagement statistics
  • Cost and conversion information

Criteo and Tradetracker:

  • Affiliate commission data
  • Remarketing campaign statistics

3.4. Data from Google Analytics

  • User session data (aggregated, anonymous)
  • E-commerce events
  • Navigation paths and traffic sources

3.5. Data NOT Collected by the Platform

The DataOrganizer Platform does NOT collect, does NOT process, and does NOT store:

  • Email addresses of end store customers
  • Phone numbers of end customers
  • Residential or delivery addresses of end customers
  • Payment card data or banking information
  • Passwords to end customer accounts
  • Sensitive data within the meaning of Article 9 GDPR

All data concerning end customers is presented only in aggregated and anonymous form (e.g., “number of new customers: 150”, “average order value: 250 PLN”).

4. Purpose and Legal Basis of Processing

4.1. Providing Analytical Service

Purpose: Aggregation, analysis, and visualization of e-commerce data to enable users to monitor business results.

Legal basis:

  • Article 6(1)(b) GDPR – performance of contract (provision of DataOrganizer service)
  • Article 6(1)(f) GDPR – legitimate interest consisting of ensuring Platform functionality

Scope: Processing of transaction, product, and marketing data from connected platforms.

4.2. User Account Management

Purpose: Creating and managing the user account, authentication, communication.

Legal basis: Article 6(1)(b) GDPR – performance of contract

Scope: Identification data, login data, user preferences.

4.3. Billing and Payments

Purpose: Subscription handling, invoicing, payment processing.

Legal basis:

  • Article 6(1)(b) GDPR – performance of contract
  • Article 6(1)(c) GDPR – legal obligation (tax and accounting regulations)

Scope: Company data, subscription data, payment history.

4.4. Technical Support

Purpose: Providing technical assistance, problem-solving, communication with users.

Legal basis:

  • Article 6(1)(b) GDPR – performance of contract
  • Article 6(1)(f) GDPR – legitimate interest (ensuring service quality)

Scope: Contact data, communication history, system logs.

4.5. Security and Fraud Detection

Purpose: Ensuring Platform security, detecting and preventing abuse, protection against unauthorized access.

Legal basis: Article 6(1)(f) GDPR – legitimate interest (system security)

Scope: System logs, login attempt data, technical data.

4.6. Service Analysis and Improvement

Purpose: Analyzing Platform usage, functionality development, performance optimization.

Legal basis: Article 6(1)(f) GDPR – legitimate interest (service development and improvement)

Scope: Data on Platform feature usage, usage statistics (anonymized).

4.7. Marketing (with Your Consent)

Purpose: Sending newsletters, information about new features, promotional offers.

Legal basis: Article 6(1)(a) GDPR – voluntary consent (which can be withdrawn at any time)

Scope: Email address, communication preferences.

5. How Long We Store Data

5.1. Platform User Data

Duration of contract: Data is stored throughout the entire period of Platform use.

After contract termination:

  • Data necessary for billing: 5 years (in accordance with tax regulations)
  • Support communication data: 3 years
  • Other data: 30 days from account deactivation (period for possible restoration)

5.2. Data from Connected Platforms

During active integration: Data synchronized and stored on an ongoing basis.

After disconnecting integration:

  • Data automatically deleted within 30 days of disconnection
  • User may request immediate data deletion

Backups: Data in backups is automatically deleted after 90 days from backup creation.

5.3. Analytical Data (Anonymized)

Aggregated, anonymized statistics may be stored for up to 7 years for analytical purposes and Platform improvement.

6. Data Storage Location

6.1. Main Infrastructure

Google Cloud Platform (GCP) – Europe Region:

  • Data stored in BigQuery (region: europe-central2, Warsaw or europe-west1, Belgium)
  • Application servers: European GCP region
  • Backups: European GCP region

6.2. GDPR Compliance

All main data is stored within the European Union in infrastructure providing the highest security standards in accordance with:

  • ISO/IEC 27001 certification
  • ISO/IEC 27017 certification
  • ISO/IEC 27018 certification
  • SOC 2/SOC 3 certification

6.3. Data Transfer Outside EEA

To a limited extent, data may be transferred to third countries:

United States:

  • Google Cloud Platform (based on Standard Contractual Clauses approved by the European Commission and Data Privacy Framework)

Safeguards:

  • We use Standard Contractual Clauses (SCC) approved by the European Commission
  • We cooperate only with entities certified under the EU-U.S. Data Privacy Framework
  • We require partners to implement additional technical and organizational measures

List of countries with adequacy decision: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

7. Data Disclosure – Recipients

7.1. Data Processors

Data may be disclosed to the following recipient categories:

Cloud infrastructure providers:

  • Google Cloud Platform (data storage, hosting)

Technical service providers:

  • CDN and security service providers
  • Backup and data recovery service providers

Payment service providers:

  • Payment operators (to the extent necessary for subscription handling)

Communication service providers:

  • Email service providers (sending notifications, support)
  • Helpdesk system providers

7.2. Entities Authorized by Law

Data may be disclosed to state authorities when required by law (e.g., tax authorities, law enforcement agencies).

7.3. Data Sources

Important: DataOrganizer does not share any data back to source platforms (Shopify, WooCommerce, Google Ads, etc.). Data flow is unidirectional – only to the Platform for analytical purposes.

7.4. Data Processing Agreements

We enter into data processing agreements with all entities processing data on our behalf in accordance with Article 28 GDPR.

8. Data Security

8.1. Technical Measures

Encryption:

  • Data transmission: TLS 1.3
  • Data storage: AES-256
  • User passwords: bcrypt (we do not store passwords in plain text)

Access control:

  • Two-factor authentication (2FA) available for users
  • Principle of least privilege for employees
  • Access logs and activity audit

Infrastructure security:

  • Web Application Firewall (WAF)
  • 24/7 security monitoring
  • Regular penetration testing
  • Automatic backups (every 6 hours)

8.2. Organizational Measures

  • Information security policy
  • Regular employee training on data protection
  • Incident response procedures
  • Limited access to personal data (on a “need to know” basis)
  • Confidentiality agreements with employees

8.3. Certifications and Audits

Our infrastructure is based on Google Cloud Platform, which holds the following certificates:

  • ISO/IEC 27001 (information security management)
  • ISO/IEC 27017 (cloud security)
  • ISO/IEC 27018 (personal data protection in the cloud)
  • SOC 2 Type II

9. Data Subject Rights

In accordance with GDPR, you have the following rights:

9.1. Right of Access (Article 15 GDPR)

You have the right to obtain:

  • Confirmation of whether we process your personal data
  • Copy of processed personal data
  • Information about processing purposes, data categories, recipients

How to exercise: Send a request to contact@dataorganizer.io

9.2. Right to Rectification (Article 16 GDPR)

You may request correction of inaccurate or completion of incomplete data.

How to exercise:

  • Directly in account settings on the Platform
  • Contact support: contact@dataorganizer.io

9.3. Right to Erasure (“Right to be Forgotten”) (Article 17 GDPR)

You may request deletion of personal data when:

  • Data is no longer necessary for the purposes for which it was collected
  • You have withdrawn consent (if it was the basis for processing)
  • You have objected to processing
  • Data is processed unlawfully

Limitations: We may refuse deletion when processing is necessary, e.g., to establish, exercise, or defend legal claims.

How to exercise: contact@dataorganizer.io

9.4. Right to Restriction of Processing (Article 18 GDPR)

You may request restriction of data processing in certain situations (e.g., during verification of data accuracy).

9.5. Right to Data Portability (Article 20 GDPR)

You have the right to receive your data in a structured, commonly used format through the export function on the Platform.

9.6. Right to Object (Article 21 GDPR)

You may object to data processing:

  • For reasons related to your particular situation (when processing is based on legitimate interest)
  • To processing for direct marketing purposes (at any time, unconditionally)

9.7. Right to Withdraw Consent (Article 7(3) GDPR)

If processing is based on consent, you may withdraw it at any time. This does not affect the lawfulness of processing carried out before consent withdrawal.

9.8. Right to Lodge a Complaint (Article 77 GDPR)

You have the right to lodge a complaint with a supervisory authority:

Personal Data Protection Office
Address: ul. Stawki 2, 00-193 Warsaw
Tel.: 22 531 03 00
Email: kancelaria@uodo.gov.pl
Website: https://uodo.gov.pl

9.9. Exercise of Rights

Response time: Within 30 days of receiving the request (in complex cases, possible extension by another 60 days with notification).

Free of charge: As a rule, exercise of rights is free (possible fee for additional data copies).

10. Cookies

10.1. What Are Cookies?

Cookies are small text files sent by a server and stored on the user’s device, enabling browser recognition during subsequent visits.

10.2. What Cookies Do We Use?

Essential cookies (do not require consent):

  • Authentication and session management
  • Security (CSRF protection)
  • Basic Platform functionality

Statistical cookies (require consent):

  • Google Analytics (traffic measurement, usage statistics)
  • Platform performance analysis

Preference cookies (require consent):

  • Remembering user settings
  • Interface language
  • Display preferences

Marketing cookies (require consent):

  • Conversion tracking from advertising campaigns
  • Remarketing
  • Marketing content personalization

10.3. Legal Basis

  • Essential cookies: Article 6(1)(f) GDPR (legitimate interest)
  • Other cookies: Article 6(1)(a) GDPR (user consent)

10.4. Cookie Management

Consent panel: Upon entering the site, a panel is displayed where you can:

  • Accept all cookies
  • Reject all (except essential)
  • Customize settings for individual categories

Changing settings: You can change preferences at any time by clicking the icon in the bottom left corner of the page.

Browser settings: More information about managing cookies: http://www.aboutcookies.org/

10.5. Storage Time

  • Session cookies: until browser is closed
  • Persistent cookies: according to expiration date (maximum 24 months)

11. Automated Decision-Making and Profiling

11.1. No Automated Decisions

DataOrganizer Platform does not make automated decisions producing legal effects for users or similarly significantly affecting their situation.

11.2. No Profiling

We do not conduct user profiling within the meaning of Article 22 GDPR (except voluntary marketing activities for which consent was given).

12. Platform-Specific Requirements

12.1. Shopify Integration

Scope of data from Shopify:

  • Order data (value, status, date)
  • Product data (ID, name, price, variants, categories)
  • Aggregated customer statistics (without end customer personal data)

Purpose: Sales performance and store efficiency analysis.

Authorization: Connection requires OAuth 2.0 authorization by store owner.

Data deletion: After app uninstallation or upon request, data deleted within 30 days.

Compliance: Processing compliant with Shopify API Terms of Service and GDPR Requirements.

12.2. WooCommerce Integration

Scope: Transaction and product data via WooCommerce REST API.

Authorization: API keys generated in WooCommerce panel by store owner.

12.3. Google Ads and Google Analytics Integration

Scope: Advertising campaign data and traffic statistics (aggregated, anonymous).

Authorization: OAuth 2.0 with owner’s Google account.

Compliance: In accordance with Google Ads API Terms and Google Analytics Terms of Service.

12.4. Meta Ads Integration

Scope: Facebook and Instagram campaign statistics.

Authorization: Facebook Business Manager OAuth.

Compliance: Meta Platform Terms and Business Tools Terms.

12.5. Other Integrations

Similar principles apply to integrations with: Magento, Shoper, IdoSell, RedCart, PrestaShop, SkyShop, Allegro, TikTok Ads, Criteo, Tradetracker.

General principle: We collect only data necessary for analytical purposes, without access to end customer personal data.

13. Special Consumer Rights

13.1. California Residents’ Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

  • Right to information about collected data
  • Right to deletion of data
  • Right to opt-out of data “sale” (we do not sell data)
  • Right to non-discrimination

Contact: contact@dataorganizer.io with subject “CCPA Request”

13.2. UK Residents’ Rights (UK GDPR)

We apply data protection standards compliant with UK GDPR. Supervisory authority: Information Commissioner’s Office (ICO), https://ico.org.uk

14. Children’s Data Protection

DataOrganizer Platform is intended for entrepreneurs and is not directed at persons under 16 years of age. We do not knowingly collect personal data of children under 16 years of age.

If we learn that a child’s data has been collected without parental/guardian consent, we will delete it immediately.

15. Privacy Policy Changes

15.1. Updates

We reserve the right to update this Privacy Policy to reflect changes in:

  • Legal regulations
  • Platform functionality
  • Data processing practices

15.2. Notifications

We will inform you about significant changes:

  • Via email notification (with 30 days’ notice)
  • Via communication in the Platform
  • Via updated “Last updated” date at the top of the document

15.3. Acceptance of Changes

Continued use of the Platform after changes are introduced means acceptance of the updated Policy. In case of significant changes, we may require renewed consent.

16. Contact Regarding Data Protection

16.1. Data Controller

DATADIARY prosta spółka akcyjna
Address: ul. Jana Henryka Dąbrowskiego 77A, 60-529 Poznań
Email: contact@dataorganizer.io
Tel.: +48 571 460 217

16.2. Personal Data Protection

For questions regarding personal data processing, you can contact us as above.

16.3. Response Time

We commit to responding to inquiries within 5 business days.

17. Final Provisions

17.1. Language

The Privacy Policy is available in Polish and English. In case of discrepancies, the Polish version is binding.

17.2. Applicable Law

This Policy and all matters related to it are governed by Polish law.

17.3. Severability

If any provision of the Policy is deemed invalid or unenforceable, the remaining provisions remain in full force.

17.4. Related Documents

This Privacy Policy should be read in conjunction with:

  • DataOrganizer Platform Terms and Conditions (https://dataorganizer.io/regulamin)
  • Terms of Service

Last updated: February 5, 2026
Version: 2.0

By using the DataOrganizer Platform, you confirm that you have read this Privacy Policy and accept its terms.
