Skip to content

Privacy Policy

Compliant with GDPR (Regulation EU 2016/679) Β· Version 1.0 Β· Effective from 22 March 2026

1. Data Controller

The data controller for your personal data is the operator of PsychoProfil.pl (hereinafter: "Controller").

Contact for data protection matters: privacy@psychoprofil.pl

2. What Data Do We Collect?

2.1. Data Provided Voluntarily

  • Email address β€” when registering or logging in (magic link)
  • Test question responses β€” when completing Tests (optional, only for logged-in Users)

2.2. Data Collected Automatically

  • Session identifier β€” an anonymous, randomly generated identifier for tracking test progress
  • Analytics events β€” anonymous data about Service usage (e.g. test started, test abandoned, results viewed)
  • Server logs β€” IP address, browser type, date and time of request

2.3. Data We Do NOT Collect

  • We do not collect payment card data β€” payments are handled by LemonSqueezy LLC as Merchant of Record
  • We do not collect health data β€” Test Results are not treated as medical data
  • We do not profile Users for advertising purposes
  • We do not use tracking cookies

3. Purposes of Processing

PurposeLegal basis (GDPR)Retention period
Account management and loginArt. 6(1)(b) β€” performance of a contractUntil account deletion
Storing test resultsArt. 6(1)(b) β€” performance of a contractUntil account deletion
Payment processingArt. 6(1)(b) β€” performance of a contractAs required by tax law (5 years)
Analytics (Plausible)Art. 6(1)(f) β€” legitimate interestsAnonymised data, no limit
Security and diagnosticsArt. 6(1)(f) β€” legitimate interests30 days (server logs)

4. Sharing of Data

Your data may be shared only with the following categories of recipients:

  • Supabase Inc. β€” database hosting and authentication. Supabase processes data in the EU (Frankfurt region). Standard Contractual Clauses (SCCs) ensure GDPR compliance.
  • Vercel Inc. β€” application hosting. Data processed on edge servers globally. GDPR compliance ensured through SCCs.
  • LemonSqueezy LLC β€” Merchant of Record for payments. LemonSqueezy processes payment data as an independent data controller.
  • Plausible Analytics β€” anonymous analytics, data stored in the EU. No cookie consent required (no cookies used).

The Controller does not sell personal data and does not share it with third parties for marketing purposes.

5. Your Rights (GDPR)

Under the GDPR, you have the following rights:

  • Right of access (Art. 15) β€” you may obtain information about the personal data we process about you
  • Right to rectification (Art. 16) β€” you may request correction of inaccurate data
  • Right to erasure (Art. 17, "right to be forgotten") β€” you may request deletion of your data
  • Right to restriction of processing (Art. 18) β€” you may restrict the way we use your data
  • Right to data portability (Art. 20) β€” you may receive your data in a machine-readable format
  • Right to object (Art. 21) β€” you may object to processing based on legitimate interests
  • Right to lodge a complaint β€” with your national data protection authority. In Poland: Prezes UrzΔ™du Ochrony Danych Osobowych (PUODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl

To exercise your rights, contact us at: privacy@psychoprofil.pl. We will respond within 30 days.

6. Cookies

PsychoProfil.pl uses only strictly necessary cookies required for the Service to function:

  • Supabase session cookie β€” stores the login session token. Expires on browser close or after 1 hour of inactivity.
  • Consent cookie β€” stores your cookie preference decision (localStorage). Does not expire.
  • Locale cookie β€” stores your preferred language. Does not expire.

We do not use advertising, tracking, or profiling cookies. Analytics (Plausible) operates without cookies.

7. Data Security

We apply the following security measures:

  • Encryption of data in transit (HTTPS/TLS)
  • Encryption of passwords and session tokens (bcrypt, JWT)
  • Row Level Security (RLS) in the database β€” each user can only access their own data
  • HTTP security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Permissions-Policy)
  • Regular automated database backups (Supabase)

8. Children's Data

The Service is not directed at persons under the age of 16. We do not knowingly collect data from minors. If we become aware that data has been provided by a person under 16 without parental or guardian consent, we will delete it without delay.

9. Changes to This Privacy Policy

The Controller reserves the right to update this Privacy Policy. Users will be informed of material changes via the Service or by email.

Last updated: 22 March 2026

10. Contact

For matters relating to personal data protection:

Push Notifications

Our mobile app may collect device tokens to send push notifications about new tests and features. We collect platform information (iOS/Android) and language preferences.

Device tokens are automatically deleted after 90 days of inactivity. We do not share this data with third parties.

Privacy Policy | PsychoProfil.pl