This is a courtesy translation. In case of any discrepancy, the Polish-language version of this document is legally binding.
Oczep.pl privacy and cookie policy
Version 1.0 — effective from 8 July 2026.
1. Data controller
The controller of personal data processed in the Oczep.pl service (https://oczep.pl and https://app.oczep.pl — the “Service”) is [full name / company name — to be completed], [address — to be completed] — the “Controller”.
Contact for personal-data matters: thedarthbartek@gmail.com.
2. What data we process
- Account data: email address, password (stored only as a cryptographic hash — we do not know your password), the chosen account role (self-builder / carpenter / sawmill), email verification status.
- Google sign-in (if you use it): the Google account identifier and the email address provided by Google.
- Project content: building-project data entered in the application (floor plans, walls, materials, cut settings). As a rule this is not personal data, but it is stored within your account.
- Technical data: standard server logs (IP address, date and time of the request, browser information) — to the extent necessary to ensure security and diagnostics.
Providing data is voluntary but necessary to create and use an account.
3. Purposes and legal bases of processing
| Purpose | Legal basis (GDPR) |
|---|---|
| Creating and running the account, providing the Service (projects, cut plan, exports) | Art. 6(1)(b) — performance of a contract |
| Sending transactional emails (address verification, account notifications) | Art. 6(1)(b) — performance of a contract |
| Ensuring security, error diagnostics, server logs | Art. 6(1)(f) — legitimate interest of the Controller |
| Handling complaints and correspondence | Art. 6(1)(b) or (f) |
| Payment settlement — after payments are launched (currently inactive) | Art. 6(1)(b) and (c) |
We do not run marketing, do not profile users and do not make automated decisions producing legal effects.
4. Data recipients
We entrust data only to entities necessary for the Service to operate:
- server infrastructure provider: [hosting/VPS provider name — to be completed] — hosting of the application and database,
- Resend, Inc. (USA) — sending transactional emails; the transfer of data to the USA takes place on the basis of the European Commission decision on the EU–US Data Privacy Framework or standard contractual clauses,
- Google Ireland Ltd. — only if you use Google sign-in,
- Stripe — only after payments are launched; payments currently do not work and no payment data is collected.
We do not sell data and do not share it with other entities, unless such an obligation results from the law.
5. Retention period
- Account data and projects — for as long as you have an account; after the account is deleted, data is removed promptly, at the latest within 30 days (subject to backups, which are overwritten cyclically).
- Server logs — up to 90 days.
- Correspondence (including complaints) — for the limitation period of any claims.
Note: the Service is in a development phase (beta) — test data may be cleared periodically, which we try to announce in advance.
6. Your rights
You have the right to: access your data, rectify it, erase it, restrict processing, data portability and object to processing based on legitimate interest. To exercise these rights, write to the Controller’s contact address.
You can request deletion of your account at any time by email — we do not require a reason.
You also have the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, https://uodo.gov.pl).
7. Cookies and similar technologies
The Service uses only cookies and technologies necessary for the service to work. We do not use analytics, marketing or third-party cookies — which is why we do not display a cookie consent banner: under the Polish Electronic Communications Law, storing information necessary to provide the service requested by the user does not require consent.
| Name | Type | Purpose | Period |
|---|---|---|---|
karkas_refresh |
httpOnly cookie (app.oczep.pl) | keeping the logged-in session (token refresh) | 30 days |
| browser storage (PWA cache / IndexedDB) | local storage | running the offline “job site” view | until browser data is cleared |
The information site (https://oczep.pl) does not set any cookies.
If we introduce analytics or marketing tools in the future, we will update this policy and — where required — ask for consent.
8. Security
We apply technical and organizational measures appropriate to the risk, in particular: encryption of transmission (HTTPS), storing passwords only as hashes, session tokens in an httpOnly cookie inaccessible to scripts, and restricting access to the infrastructure.
9. Changes to the policy
We will inform you of significant changes to this policy by email or by a notice in the Service. The current version is always available in the Service.