Privacy Policy
studym8.app
1. Data Controller
The controller of personal data is: PENTEST Rafał Dyck, ul. Tadeusza Kościuszki 64/17, 81-198 Pogórze, Poland, NIP: 5782867795, Email: kontakt@studym8.app.
2. Scope of Data
- Account Data: name, e-mail address, password (encrypted).
- Educational Data (Backup): If the User activates the backup function, information about subjects, dates, and text notes is processed on the server.
- Technical Data: IP address, system logs, device data, push notification tokens.
- Payment Data: Processed exclusively by payment operators (the Service Provider does not store card or bank account details).
- Invoice Data: Company name/full name, Tax ID (NIP), address (if the User requests an invoice).
3. Purposes of Processing
Data is processed for the following purposes:
- provision of Application services and Account management,
- provision of the optional server data backup service,
- processing payments and issuing invoices/accounting documents,
- ensuring system security and preventing abuse,
- sending system notifications regarding educational deadlines.
4. Legal Basis
- Art. 6(1)(b) GDPR – performance of a contract (provision of Application services),
- Art. 6(1)(c) GDPR – legal obligations (tax and accounting regulations regarding invoices),
- Art. 6(1)(f) GDPR – legitimate interest (data security, exercising or defending legal claims),
- Art. 6(1)(a) GDPR – voluntary consent (e.g., signing up for the waitlist or activating backup).
5. Data Recipients
Data may be transferred to trusted cooperating entities:
- Supabase Inc. / Vercel Inc. – database and hosting infrastructure,
- PayU S.A. / PayPro S.A. (Przelewy24) – payment processing,
- Resend – e-mail delivery services,
- Cloudflare – service protection and optimization,
- Accounting office – for the purpose of processing issued invoices.
6. Data Transfer Outside the EU
Due to the use of services from entities such as Supabase or Vercel, data may be transferred outside the EEA (to the USA). The Controller uses entities certified under the Data Privacy Framework or applies Standard Contractual Clauses (SCC) ensuring an adequate level of protection.
7. Retention Period
- Account and backup data are stored for the duration of the Account's activity.
- Upon Account deletion, data is removed, except for data necessary for tax purposes (invoices – 5 years).
- Waitlist data is deleted immediately after sending the information regarding the Application launch.
8. User Rights
You have the right to access your data, rectify it, erase it ("right to be forgotten"), restrict its processing, exercise data portability, object to processing, and withdraw consent at any time. You also have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO).
9. Profiling
Data is not subject to automated decision-making or profiling within the meaning of the GDPR.
10. Cookies
The service uses technical cookies necessary for operation (session maintenance). Analytical or marketing cookies may only be used after obtaining your voluntary consent via the cookie banner.
11. Security
The Controller uses connection encryption (SSL/TLS), password hashing, and rigorous database access procedures to ensure the highest level of protection for your information.
12. Changes to the Policy
The Controller reserves the right to update the Privacy Policy. Users will be informed of significant changes via e-mail.