Privacy Policy
Last updated: February 5, 2026 · Version: 2.0
Information About the Administrator
This Privacy Policy was created by:
Headquarters: ul. Jana Henryka Dąbrowskiego 77A, 60-529 Poznań, Poland
KRS: 0001017418 · NIP: 9721336108 · REGON: 524423433
Share capital: 1,000 PLN
Contact: contact@dataorganizer.io
(hereinafter “DATADIARY”, “Administrator”, “we”, “us” or “our”)
The Policy applies to the DataOrganizer platform available at dataorganizer.io (hereinafter collectively “Platform” or “Service”).
Scope of the Policy
This Privacy Policy explains:
- What personal data we collect and process
- For what purpose and on what legal basis
- How long we store data
- Who has access to the data
- What rights you have
The Policy applies to all Platform users, including e-commerce business owners, administrators, and end users.
What Data We Collect
3.1. Platform User Data
During registration and use of the Platform, we collect:
- Identification data: first name, last name, email address
- Company data: company name, tax ID, address
- Login data: password (in encrypted form), session tokens
- Technical data: IP address, browser data, operating system
- Subscription and payment data
3.2. Data from Connected E-commerce Platforms
From e-commerce systems (WooCommerce, Magento, Shoper, Shopify, IdoSell, RedCart, PrestaShop, SkyShop):
- Transaction data: order number, date, status, order value
- Product data: product ID, name, price, category, stock status, variants
- Aggregated statistical data about customers (number of new/returning customers)
- Information about payment and delivery methods (without authentication data)
- Discount coupon codes and promotional information
From Allegro platform:
- Listing and product data
- Transaction and order data
- Data on costs, fees, commissions, and bonuses
- Category and pricing information
3.3. Data from Advertising Platforms
Google Ads:
- Campaign statistics: impressions, clicks, conversions
- Advertising costs and campaign performance data
- Search phrases and ad group data
Meta Ads (Facebook, Instagram):
- Advertising campaign statistics
- Engagement and reach data
- Costs and conversion results
TikTok Ads:
- Advertising campaign data
- View and engagement statistics
- Cost and conversion information
Criteo and Tradetracker:
- Affiliate commission data
- Remarketing campaign statistics
3.4. Data from Google Analytics
- User session data (aggregated, anonymous)
- E-commerce events
- Navigation paths and traffic sources
3.5. Data NOT Collected by the Platform
- Email addresses of end store customers
- Phone numbers of end customers
- Residential or delivery addresses of end customers
- Payment card data or banking information
- Passwords to end customer accounts
- Sensitive data within the meaning of Article 9 GDPR
All data concerning end customers is presented only in aggregated and anonymous form (e.g., “number of new customers: 150”, “average order value: 250 PLN”).
Purpose and Legal Basis of Processing
4.1. Providing Analytical Service
Purpose: Aggregation, analysis, and visualization of e-commerce data to enable users to monitor business results.
Legal basis:
- Article 6(1)(b) GDPR – performance of contract (provision of DataOrganizer service)
- Article 6(1)(f) GDPR – legitimate interest consisting of ensuring Platform functionality
4.2. User Account Management
Purpose: Creating and managing user account, authentication, communication.
Legal basis: Article 6(1)(b) GDPR – performance of contract.
4.3. Billing and Payments
Purpose: Subscription handling, invoicing, payment processing.
Legal basis:
- Article 6(1)(b) GDPR – performance of contract
- Article 6(1)(c) GDPR – legal obligation (tax and accounting regulations)
4.4. Technical Support
Purpose: Providing technical assistance, problem-solving, communication with users.
Legal basis: Article 6(1)(b) and 6(1)(f) GDPR.
4.5. Security and Fraud Detection
Purpose: Ensuring Platform security, detecting and preventing abuse, protection against unauthorized access.
Legal basis: Article 6(1)(f) GDPR – legitimate interest (system security).
4.6. Service Analysis and Improvement
Purpose: Analyzing Platform usage, functionality development, performance optimization.
Legal basis: Article 6(1)(f) GDPR – legitimate interest (service development and improvement).
4.7. Marketing (with Your Consent)
Purpose: Sending newsletters, information about new features, promotional offers.
Legal basis: Article 6(1)(a) GDPR – voluntary consent (which can be withdrawn at any time).
How Long We Store Data
5.1. Platform User Data
Duration of contract: Data is stored throughout the entire period of Platform use.
After contract termination:
- Data necessary for billing: 5 years (in accordance with tax regulations)
- Support communication data: 3 years
- Other data: 30 days from account deactivation (period for possible restoration)
5.2. Data from Connected Platforms
- During active integration: data synchronized and stored on an ongoing basis
- After disconnecting integration: data automatically deleted within 30 days
- User may request immediate data deletion
- Backups: automatically deleted after 90 days from backup creation
5.3. Analytical Data (Anonymized)
Aggregated, anonymized statistics may be stored for up to 7 years for analytical purposes and Platform improvement.
Data Storage Location
6.1. Main Infrastructure
Google Cloud Platform (GCP) – Europe Region:
- Data stored in BigQuery (region: europe-central2, Warsaw or europe-west1, Belgium)
- Application servers: European GCP region
- Backups: European GCP region
6.2. GDPR Compliance
All main data is stored within the European Union in infrastructure providing the highest security standards in accordance with certifications: ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 2/SOC 3.
6.3. Data Transfer Outside EEA
To a limited extent, data may be transferred to the United States via Google Cloud Platform based on Standard Contractual Clauses approved by the European Commission and the Data Privacy Framework.
List of countries with adequacy decision: commission.europa.eu
Data Disclosure – Recipients
7.1. Data Processors
- Cloud infrastructure providers: Google Cloud Platform (data storage, hosting)
- Technical service providers: CDN and security, backup and data recovery
- Payment service providers: payment operators (to the extent necessary for subscription handling)
- Communication service providers: email providers, helpdesk systems
7.2. Entities Authorized by Law
Data may be disclosed to state authorities when required by law (e.g., tax authorities, law enforcement agencies).
7.3. Data Sources
7.4. Data Processing Agreements
We enter into data processing agreements with all entities processing data on our behalf in accordance with Article 28 GDPR.
Data Security
8.1. Technical Measures
Encryption:
- Data transmission: TLS 1.3
- Data storage: AES-256
- User passwords: bcrypt (we do not store passwords in plain text)
Access control:
- Two-factor authentication (2FA) available for users
- Principle of least privilege for employees
- Access logs and activity audit
Infrastructure security:
- Web Application Firewall (WAF)
- 24/7 security monitoring
- Regular penetration testing
- Automatic backups (every 6 hours)
8.2. Organizational Measures
- Information security policy
- Regular employee training on data protection
- Incident response procedures
- Limited access to personal data (on a “need to know” basis)
- Confidentiality agreements with employees
8.3. Certifications and Audits
Our infrastructure is based on Google Cloud Platform holding certificates: ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 2 Type II.
Data Subject Rights
In accordance with GDPR, you have the following rights:
9.1. Right of Access (Article 15 GDPR)
- Confirmation of whether we process your personal data
- Copy of processed personal data
- Information about processing purposes, data categories, recipients
How to exercise: contact@dataorganizer.io
9.2. Right to Rectification (Article 16 GDPR)
You may request correction of inaccurate or completion of incomplete data directly in account settings on the Platform or by contacting contact@dataorganizer.io.
9.3. Right to Erasure – “Right to be Forgotten” (Article 17 GDPR)
You may request deletion of personal data when: data is no longer necessary for the purposes collected, you have withdrawn consent, you have objected to processing, or data is processed unlawfully.
Limitations: We may refuse deletion when processing is necessary to establish, exercise, or defend legal claims.
9.4. Right to Restriction of Processing (Article 18 GDPR)
You may request restriction of data processing in certain situations (e.g., during verification of data accuracy).
9.5. Right to Data Portability (Article 20 GDPR)
You have the right to receive your data in a structured, commonly used format through the export function on the Platform.
9.6. Right to Object (Article 21 GDPR)
You may object to data processing for reasons related to your particular situation (when based on legitimate interest) or to processing for direct marketing purposes (at any time, unconditionally).
9.7. Right to Withdraw Consent (Article 7(3) GDPR)
If processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
9.8. Right to Lodge a Complaint (Article 77 GDPR)
Address: ul. Stawki 2, 00-193 Warsaw
Tel.: 22 531 03 00 · Email: kancelaria@uodo.gov.pl
Website: uodo.gov.pl
9.9. Exercise of Rights
Response time: Within 30 days of receiving the request (possible extension by another 60 days with notification). Exercise of rights is as a rule free of charge.
Cookies
10.1. What Are Cookies?
Cookies are small text files sent by a server and stored on the user’s device, enabling browser recognition during subsequent visits.
10.2. What Cookies Do We Use?
Essential cookies (do not require consent):
- Authentication and session management
- Security (CSRF protection)
- Basic Platform functionality
Statistical cookies (require consent):
- Google Analytics (traffic measurement, usage statistics)
- Platform performance analysis
Preference cookies (require consent):
- Remembering user settings
- Interface language, display preferences
Marketing cookies (require consent):
- Conversion tracking from advertising campaigns
- Remarketing, marketing content personalization
10.3. Legal Basis
- Essential cookies: Article 6(1)(f) GDPR (legitimate interest)
- Other cookies: Article 6(1)(a) GDPR (user consent)
10.4. Cookie Management
Upon entering the site, a consent panel is displayed where you can accept all cookies, reject all (except essential), or customize settings for individual categories. You can change preferences at any time by clicking the icon in the bottom left corner of the page.
10.5. Storage Time
- Session cookies: until browser is closed
- Persistent cookies: according to expiration date (maximum 24 months)
Automated Decision-Making and Profiling
Platform-Specific Requirements
12.1. Shopify Integration
Scope: Order data (value, status, date), product data (ID, name, price, variants, categories), aggregated customer statistics (without end customer personal data).
Authorization: OAuth 2.0 by store owner. Data deletion: within 30 days after app uninstallation or upon request. Compliance: Shopify API Terms of Service and GDPR Requirements.
12.2. WooCommerce Integration
Transaction and product data via WooCommerce REST API. Authorization: API keys generated in the WooCommerce panel by the store owner.
12.3. Google Ads and Google Analytics Integration
Advertising campaign data and traffic statistics (aggregated, anonymous). Authorization: OAuth 2.0. Compliant with Google Ads API Terms and Google Analytics Terms of Service.
12.4. Meta Ads Integration
Facebook and Instagram campaign statistics. Authorization: Facebook Business Manager OAuth. Compliant with Meta Platform Terms and Business Tools Terms.
12.5. Other Integrations
Similar principles apply to integrations with: Magento, Shoper, IdoSell, RedCart, PrestaShop, SkyShop, Allegro, TikTok Ads, Criteo, Tradetracker.
Special Consumer Rights
13.1. California Residents’ Rights (CCPA)
- Right to information about collected data
- Right to deletion of data
- Right to opt-out of data “sale” (we do not sell data)
- Right to non-discrimination
Contact: contact@dataorganizer.io with subject “CCPA Request”
13.2. UK Residents’ Rights (UK GDPR)
We apply data protection standards compliant with UK GDPR. Supervisory authority: Information Commissioner’s Office (ICO), ico.org.uk.
Children’s Data Protection
DataOrganizer Platform is intended for entrepreneurs and is not directed at persons under 16 years of age. We do not knowingly collect personal data of children under 16 years of age.
If we learn that a child’s data has been collected without parental/guardian consent, we will delete it immediately.
Privacy Policy Changes
15.1. Updates
We reserve the right to update this Privacy Policy to reflect changes in legal regulations, Platform functionality, or data processing practices.
15.2. Notifications
We will inform about significant changes via email notification (with 30 days’ notice), communication in the Platform, and an updated “Last updated” date at the top of the document.
15.3. Acceptance of Changes
Continued use of the Platform after changes are introduced means acceptance of the updated Policy. In case of significant changes, we may require renewed consent.
Contact Regarding Data Protection
Address: ul. Jana Henryka Dąbrowskiego 77A, 60-529 Poznań
Email: contact@dataorganizer.io
Tel.: +48 571 460 217
For questions regarding personal data processing, you can contact us as above. We commit to responding to inquiries within 5 business days.
Final Provisions
17.1. Language
The Privacy Policy is available in Polish and English. In case of discrepancies, the Polish version is binding.
17.2. Applicable Law
This Policy and all matters related to it are governed by Polish law.
17.3. Severability
If any provision of the Policy is deemed invalid or unenforceable, the remaining provisions remain in full force.
17.4. Related Documents
This Privacy Policy should be read in conjunction with:
- DataOrganizer Platform Terms and Conditions
- Terms of Service