1

Information About the Administrator

This Privacy Policy was created by:

DATADIARY prosta spółka akcyjna
Headquarters: ul. Jana Henryka Dąbrowskiego 77A, 60-529 Poznań, Poland
KRS: 0001017418  ·  NIP: 9721336108  ·  REGON: 524423433
Share capital: 1,000 PLN
Contact: contact@dataorganizer.io
(hereinafter “DATADIARY”, “Administrator”, “we”, “us” or “our”)

The Policy applies to the DataOrganizer platform available at dataorganizer.io (hereinafter collectively “Platform” or “Service”).

2

Scope of the Policy

This Privacy Policy explains:

  • What personal data we collect and process
  • For what purpose and on what legal basis
  • How long we store data
  • Who has access to the data
  • What rights you have

The Policy applies to all Platform users, including e-commerce business owners, administrators, and end users.

3

What Data We Collect

3.1. Platform User Data

During registration and use of the Platform, we collect:

  • Identification data: first name, last name, email address
  • Company data: company name, tax ID, address
  • Login data: password (in encrypted form), session tokens
  • Technical data: IP address, browser data, operating system
  • Subscription and payment data

3.2. Data from Connected E-commerce Platforms

From e-commerce systems (WooCommerce, Magento, Shoper, Shopify, IdoSell, RedCart, PrestaShop, SkyShop):

  • Transaction data: order number, date, status, order value
  • Product data: product ID, name, price, category, stock status, variants
  • Aggregated statistical data about customers (number of new/returning customers)
  • Information about payment and delivery methods (without authentication data)
  • Discount coupon codes and promotional information

From Allegro platform:

  • Listing and product data
  • Transaction and order data
  • Data on costs, fees, commissions, and bonuses
  • Category and pricing information

3.3. Data from Advertising Platforms

Google Ads:

  • Campaign statistics: impressions, clicks, conversions
  • Advertising costs and campaign performance data
  • Search phrases and ad group data

Meta Ads (Facebook, Instagram):

  • Advertising campaign statistics
  • Engagement and reach data
  • Costs and conversion results

TikTok Ads:

  • Advertising campaign data
  • View and engagement statistics
  • Cost and conversion information

Criteo and Tradetracker:

  • Affiliate commission data
  • Remarketing campaign statistics

3.4. Data from Google Analytics

  • User session data (aggregated, anonymous)
  • E-commerce events
  • Navigation paths and traffic sources

3.5. Data NOT Collected by the Platform

The DataOrganizer platform does NOT collect, does NOT process, and does NOT store:

  • Email addresses of end store customers
  • Phone numbers of end customers
  • Residential or delivery addresses of end customers
  • Payment card data or banking information
  • Passwords to end customer accounts
  • Sensitive data within the meaning of Article 9 GDPR

All data concerning end customers is presented only in aggregated and anonymous form (e.g., “number of new customers: 150”, “average order value: 250 PLN”).

4

Purpose and Legal Basis of Processing

4.1. Providing Analytical Service

Purpose: Aggregation, analysis, and visualization of e-commerce data to enable users to monitor business results.

Legal basis:

  • Article 6(1)(b) GDPR – performance of contract (provision of DataOrganizer service)
  • Article 6(1)(f) GDPR – legitimate interest consisting of ensuring Platform functionality

4.2. User Account Management

Purpose: Creating and managing the user account, authentication, communication.

Legal basis: Article 6(1)(b) GDPR – performance of contract.

4.3. Billing and Payments

Purpose: Subscription handling, invoicing, payment processing.

Legal basis:

  • Article 6(1)(b) GDPR – performance of contract
  • Article 6(1)(c) GDPR – legal obligation (tax and accounting regulations)

4.4. Technical Support

Purpose: Providing technical assistance, problem-solving, communication with users.

Legal basis: Article 6(1)(b) and 6(1)(f) GDPR.

4.5. Security and Fraud Detection

Purpose: Ensuring Platform security, detecting and preventing abuse, protection against unauthorized access.

Legal basis: Article 6(1)(f) GDPR – legitimate interest (system security).

4.6. Service Analysis and Improvement

Purpose: Analyzing Platform usage, functionality development, performance optimization.

Legal basis: Article 6(1)(f) GDPR – legitimate interest (service development and improvement).

4.7. Marketing (with Your Consent)

Purpose: Sending newsletters, information about new features, promotional offers.

Legal basis: Article 6(1)(a) GDPR – voluntary consent (which can be withdrawn at any time).

5

How Long We Store Data

5.1. Platform User Data

Duration of contract: Data is stored throughout the entire period of Platform use.

After contract termination:

  • Data necessary for billing: 5 years (in accordance with tax regulations)
  • Support communication data: 3 years
  • Other data: 30 days from account deactivation (period for possible restoration)

5.2. Data from Connected Platforms

  • During active integration: data synchronized and stored on an ongoing basis
  • After disconnecting integration: data automatically deleted within 30 days
  • User may request immediate data deletion
  • Backups: automatically deleted after 90 days from backup creation

5.3. Analytical Data (Anonymized)

Aggregated, anonymized statistics may be stored for up to 7 years for analytical purposes and Platform improvement.

6

Data Storage Location

6.1. Main Infrastructure

Google Cloud Platform (GCP) – Europe Region:

  • Data stored in BigQuery (region: europe-central2, Warsaw or europe-west1, Belgium)
  • Application servers: European GCP region
  • Backups: European GCP region

6.2. GDPR Compliance

All main data is stored within the European Union in infrastructure providing the highest security standards in accordance with certifications: ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 2/SOC 3.

6.3. Data Transfer Outside EEA

To a limited extent, data may be transferred to the United States via Google Cloud Platform based on Standard Contractual Clauses approved by the European Commission and the Data Privacy Framework.

List of countries with adequacy decision: commission.europa.eu

7

Data Disclosure – Recipients

7.1. Data Processors

  • Cloud infrastructure providers: Google Cloud Platform (data storage, hosting)
  • Technical service providers: CDN and security, backup and data recovery
  • Payment service providers: payment operators (to the extent necessary for subscription handling)
  • Communication service providers: email providers, helpdesk systems

7.2. Entities Authorized by Law

Data may be disclosed to state authorities when required by law (e.g., tax authorities, law enforcement agencies).

7.3. Data Sources

Important: DataOrganizer does not share any data back to source platforms (Shopify, WooCommerce, Google Ads, etc.). Data flow is unidirectional — only to the Platform for analytical purposes.

7.4. Data Processing Agreements

We enter into data processing agreements with all entities processing data on our behalf in accordance with Article 28 GDPR.

8

Data Security

8.1. Technical Measures

Encryption:

  • Data transmission: TLS 1.3
  • Data storage: AES-256
  • User passwords: bcrypt (we do not store passwords in plain text)

Access control:

  • Two-factor authentication (2FA) available for users
  • Principle of least privilege for employees
  • Access logs and activity audit

Infrastructure security:

  • Web Application Firewall (WAF)
  • 24/7 security monitoring
  • Regular penetration testing
  • Automatic backups (every 6 hours)

8.2. Organizational Measures

  • Information security policy
  • Regular employee training on data protection
  • Incident response procedures
  • Limited access to personal data (on a “need to know” basis)
  • Confidentiality agreements with employees

8.3. Certifications and Audits

Our infrastructure is based on Google Cloud Platform holding certificates: ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 2 Type II.

9

Data Subject Rights

In accordance with GDPR, you have the following rights:

9.1. Right of Access (Article 15 GDPR)

  • Confirmation of whether we process your personal data
  • Copy of processed personal data
  • Information about processing purposes, data categories, recipients

How to exercise: contact@dataorganizer.io

9.2. Right to Rectification (Article 16 GDPR)

You may request correction of inaccurate or completion of incomplete data directly in account settings on the Platform or by contacting contact@dataorganizer.io.

9.3. Right to Erasure – “Right to be Forgotten” (Article 17 GDPR)

You may request deletion of personal data when: data is no longer necessary for the purposes collected, you have withdrawn consent, you have objected to processing, or data is processed unlawfully.

Limitations: We may refuse deletion when processing is necessary to establish, exercise, or defend legal claims.

9.4. Right to Restriction of Processing (Article 18 GDPR)

You may request restriction of data processing in certain situations (e.g., during verification of data accuracy).

9.5. Right to Data Portability (Article 20 GDPR)

You have the right to receive your data in a structured, commonly used format through the export function on the Platform.

9.6. Right to Object (Article 21 GDPR)

You may object to data processing for reasons related to your particular situation (when based on legitimate interest) or to processing for direct marketing purposes (at any time, unconditionally).

9.7. Right to Withdraw Consent (Article 7(3) GDPR)

If processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

9.8. Right to Lodge a Complaint (Article 77 GDPR)

Personal Data Protection Office
Address: ul. Stawki 2, 00-193 Warsaw
Tel.: 22 531 03 00  ·  Email: kancelaria@uodo.gov.pl
Website: uodo.gov.pl

9.9. Exercise of Rights

Response time: Within 30 days of receiving the request (possible extension by another 60 days with notification). Exercise of rights is as a rule free of charge.

10

Cookies

10.1. What Are Cookies?

Cookies are small text files sent by a server and stored on the user’s device, enabling browser recognition during subsequent visits.

10.2. What Cookies Do We Use?

Essential cookies (do not require consent):

  • Authentication and session management
  • Security (CSRF protection)
  • Basic Platform functionality

Statistical cookies (require consent):

  • Google Analytics (traffic measurement, usage statistics)
  • Platform performance analysis

Preference cookies (require consent):

  • Remembering user settings
  • Interface language, display preferences

Marketing cookies (require consent):

  • Conversion tracking from advertising campaigns
  • Remarketing, marketing content personalization

10.3. Legal Basis

  • Essential cookies: Article 6(1)(f) GDPR (legitimate interest)
  • Other cookies: Article 6(1)(a) GDPR (user consent)

10.4. Cookie Management

Upon entering the site, a consent panel is displayed where you can accept all cookies, reject all (except essential), or customize settings for individual categories. You can change preferences at any time by clicking the icon in the bottom left corner of the page.

10.5. Storage Time

  • Session cookies: until browser is closed
  • Persistent cookies: according to expiration date (maximum 24 months)

11

Automated Decision-Making and Profiling

DataOrganizer Platform does not make automated decisions producing legal effects for users, nor does it conduct user profiling within the meaning of Article 22 GDPR (except voluntary marketing activities for which consent was given).

12

Platform-Specific Requirements

12.1. Shopify Integration

Scope: Order data (value, status, date), product data (ID, name, price, variants, categories), aggregated customer statistics (without end customer personal data).

Authorization: OAuth 2.0 by store owner. Data deletion: within 30 days after app uninstallation or upon request. Compliance: Shopify API Terms of Service and GDPR Requirements.

12.2. WooCommerce Integration

Transaction and product data via WooCommerce REST API. Authorization: API keys generated in the WooCommerce panel by the store owner.

12.3. Google Ads and Google Analytics Integration

Advertising campaign data and traffic statistics (aggregated, anonymous). Authorization: OAuth 2.0. Compliant with Google Ads API Terms and Google Analytics Terms of Service.

12.4. Meta Ads Integration

Facebook and Instagram campaign statistics. Authorization: Facebook Business Manager OAuth. Compliant with Meta Platform Terms and Business Tools Terms.

12.5. Other Integrations

Similar principles apply to integrations with: Magento, Shoper, IdoSell, RedCart, PrestaShop, SkyShop, Allegro, TikTok Ads, Criteo, Tradetracker.

General principle: We collect only data necessary for analytical purposes, without access to end customer personal data.

13

Special Consumer Rights

13.1. California Residents’ Rights (CCPA)

  • Right to information about collected data
  • Right to deletion of data
  • Right to opt-out of data “sale” (we do not sell data)
  • Right to non-discrimination

Contact: contact@dataorganizer.io with subject “CCPA Request”

13.2. UK Residents’ Rights (UK GDPR)

We apply data protection standards compliant with UK GDPR. Supervisory authority: Information Commissioner’s Office (ICO), ico.org.uk.

14

Children’s Data Protection

DataOrganizer Platform is intended for entrepreneurs and is not directed at persons under 16 years of age. We do not knowingly collect personal data of children under 16 years of age.

If we learn that a child’s data has been collected without parental/guardian consent, we will delete it immediately.

15

Privacy Policy Changes

15.1. Updates

We reserve the right to update this Privacy Policy to reflect changes in legal regulations, Platform functionality, or data processing practices.

15.2. Notifications

We will inform you about significant changes via email notification (with 30 days’ notice), communication in the Platform, and an updated “Last updated” date at the top of the document.

15.3. Acceptance of Changes

Continued use of the Platform after changes are introduced means acceptance of the updated Policy. In case of significant changes, we may require renewed consent.

16

Contact Regarding Data Protection

DATADIARY prosta spółka akcyjna
Address: ul. Jana Henryka Dąbrowskiego 77A, 60-529 Poznań
Email: contact@dataorganizer.io
Tel.: +48 571 460 217

For questions regarding personal data processing, you can contact us as above. We commit to responding to inquiries within 5 business days.

17

Final Provisions

17.1. Language

The Privacy Policy is available in Polish and English. In case of discrepancies, the Polish version is binding.

17.2. Applicable Law

This Policy and all matters related to it are governed by Polish law.

17.3. Severability

If any provision of the Policy is deemed invalid or unenforceable, the remaining provisions remain in full force.

17.4. Related Documents

This Privacy Policy should be read in conjunction with:


© 2026 Datadiary · Made in Poland · KRS 0001017418 · NIP 9721336108