Privacy Policy of Freelenzy.com

Last updated: December 29, 2025

I. General provisions

  1. The controller of personal data is MAGER.STUDIO Jan Mager, operating Freelenzy.com, with address: os. Leśne 12B/65, 62-028 Koziegłowy, Poland; VAT ID (NIP): 7773459342, REGON: 543529958.
  2. Contact: info@freelenzy.com, support@freelenzy.com or the contact form at https://freelenzy.com/contact.
  3. Personal data are processed in accordance with Regulation (EU) 2016/679 (GDPR).
  4. The Administrator takes particular care to protect personal data and applies appropriate technical and organizational measures.
  5. Terms written in capital letters have the meaning assigned to them in the Application Terms and Conditions.
  6. The Administrator has not appointed a Data Protection Officer (DPO). For matters relating to personal data protection, please use the contact details above.

II. Scope and purposes of processing

  1. The Administrator processes personal data for the following purposes:
    1. user account registration (e-mail address, password, profile data)
    2. provision of services for managing clients, projects, tasks, contracts and valuations
    3. payment and subscription handling (via Stripe)
    4. contact with the user regarding the operation of the application
    5. statistical analysis and improvement of the application (including Google Analytics — only after consent in the cookie banner)
    6. sign-in with a Google account (OAuth) — if you use this feature
    7. The Administrator does not carry out direct marketing or newsletters within the Application without separate consent; service-related notifications (e.g. account activation, password reset, subscription status) are sent in connection with the contract or the need to keep the account secure.
  2. The scope of processed data may include:
    1. the user's e-mail address
    2. technical data (IP address, device type, browser)
    3. client data entered by the user (name, surname, address, phone, e-mail, tax ID)
    4. data on projects, tasks, contracts and valuations created by the user
    5. notes and documents uploaded by the user
    6. transaction data (without payment card data)
    7. messages exchanged between the user and clients
    8. identifiers stored in browser memory (localStorage) necessary to maintain the session after login
  3. Providing personal data is voluntary, but necessary for some features (e.g. account, payments).

III. Legal basis for processing

Personal data are processed on the basis of:

Performance of a contract (Art. 6(1)(b) GDPR):

  • provision of services for managing clients, projects, tasks, contracts and valuations
  • user account management
  • payment and subscription handling

Legitimate interest of the Administrator (Art. 6(1)(f) GDPR):

  • ensuring application security
  • recording security-related events and preventing abuse (server logs to the necessary extent)

User consent (Art. 6(1)(a) GDPR):

  • analytical cookies and tools (Google Analytics) — only after consent in the cookie banner

The user may withdraw consent at any time.

IV. Recipients of data

  1. Personal data may be transferred to:
    1. Stripe — payment processing (the Administrator does not store payment card data)
    2. Google LLC — Google Analytics (only after consent)
    3. Hosting and database providers — storage and serving of the application
    4. E-mail service providers — notifications and messages
    5. Google LLC — OAuth sign-in and (after consent) analytics
    6. Stripe, Inc. / Stripe affiliates — payments and settlement
    7. Application hosting provider (e.g. Vercel Inc. or another actually used) — hosting, delivery of the application, and the session/authentication environment (including OAuth / Auth.js / NextAuth as configured)
  2. These entities process data under appropriate processing agreements or as independent controllers.

V. Cookies

  1. The application uses strictly necessary technical cookies and — only after consent in the banner — analytical cookies / tools (Google Analytics).
  2. Types of cookies:
    1. Technical cookies: necessary for the application to work; no consent required
    2. Analytical cookies (Google Analytics): used for aggregated statistics; require consent
  3. Information about Google Analytics:
  4. Google Privacy Policy: https://policies.google.com/privacy

VI. Rights of data subjects

  1. The user has the following rights:
    1. access to data
    2. rectification of data
    3. erasure of data
    4. restriction of processing
    5. data portability
    6. objection
  2. To exercise rights, contact the Administrator.
  3. The user has the right to lodge a complaint with the President of the Polish Personal Data Protection Office (UODO).

VII. Retention period

  1. Data are stored for the lifetime of the account or until deleted by the user.
  2. The user may delete the account and related data at any time.
  3. Accounting records (invoices) are kept for the period required by tax and accounting law (usually 5 years).
  4. Server logs and backups are kept for as long as necessary for security, diagnostics and data recovery — generally in line with the hosting provider’s retention policy, and no longer than required for the purposes in Section III (often up to several months, unless a shorter period follows from the environment configuration), unless specific law requires longer storage.

VIII. Data security

  1. The Administrator applies appropriate technical and organizational measures to protect personal data:
    1. encryption of connections using SSL/TLS
    2. access control — only authorized persons
    3. regular software updates and security reviews

IX. Transfers outside the European Economic Area

  1. Some recipients process data in third countries, in particular the USA (e.g. Google, Stripe, the hosting provider). Transfers rely on GDPR mechanisms, including the European Commission’s standard contractual clauses, adequacy decisions (where applicable), or other measures ensuring an adequate level of protection.
  2. Key documents (examples): Google — https://policies.google.com/privacy, Stripe — https://stripe.com/privacy. Other recipients in Section IV may transfer data outside the EEA under their own GDPR-compliant mechanisms — please read their documentation.

X. Profiling and automated decision-making

  1. The Administrator does not make decisions producing legal effects or similarly significantly affecting users based solely on automated processing within the meaning of Art. 22 GDPR.
  2. After consent, analytical tools (e.g. Google Analytics) may produce aggregated statistics; they are not intended to assess creditworthiness, reliability or personal traits within the meaning of high-risk profiling.

XI. Browser storage (localStorage) and similar technologies

  1. The application may store technical data in the browser necessary to maintain the session after login (e.g. an authorization token, account identifier). Protected areas of the application cannot be used without this.
  2. The user may clear locally stored data via the browser; this will require signing in again.

XII. Entrustment of processing (Art. 28 GDPR)

  1. The Administrator entrusts the processing of personal data to processors solely on the basis of a data processing agreement or another instrument provided for in the GDPR, in particular in the categories: hosting and cloud infrastructure, databases, e-mail, payment handling (Stripe), and analytical tools activated after consent (Google Analytics).
  2. Processors process data only on documented instructions from the Administrator and apply security measures appropriate to Art. 32 GDPR.

XIII. Third-party data (e.g. the user’s clients) and the client portal

  1. Data on natural persons or businesses entered by the user into the Application (e.g. in the “Clients” module, contact details, tax identifiers) are as a rule processed by the user as an independent controller towards their own counterparties; the Application acts as an IT tool.
  2. In a typical B2B model, Freelenzy (the Application Administrator) acts as a processor for that data on behalf of the user — on the basis of the service agreement and appropriate data protection clauses (GDPR Art. 28), where the parties so agree.
  3. The scope and purposes of processing end clients’ data towards their employees or contact persons are defined by the user in relation to their own clients; the Administrator provides only the technical functionality and security measures described in this policy.
  4. A separate data processing agreement (DPA) may be concluded at the request of a user who is an entrepreneur.

XIV. Final provisions

  1. The Administrator reserves the right to amend this Privacy Policy.
  2. The current version is available in the application.
  3. In matters not covered herein, Polish law and the Application Terms and Conditions apply.