Privacy Policy
This Privacy Policy explains how Byte Imagination Roger Zacharczyk (trading as Byte Imagination, "we", "us") processes personal data in connection with the online service made available on the domain on which this Policy is published (the "Service").
This Policy applies to data we process as controller (account, billing, support, marketing). When we process personal data contained in Customer Data on your instructions, we act as processor under the Data Processing Agreement.
1. Controller
- Controller: Byte Imagination Roger Zacharczyk
- Registered seat: Ludwika Kondratowicza 59/21, Warsaw, Poland
- Tax ID: PL7551870628
- Privacy contact: privacy@byteimagination.com
We have not appointed a Data Protection Officer. Based on our current processing activities and scale, appointment of a Data Protection Officer is not mandatory under Article 37 GDPR. We reassess this determination periodically and whenever our processing activities materially change. privacy@byteimagination.com is the single point of contact for all privacy matters.
2. Categories of personal data we process
| Category | Examples | Source |
|---|---|---|
| Account data | email address, hashed password, account creation date, email-address-verified timestamp, language preference | Provided by you at sign-up |
| Account verification data | short-lived hash of a single-use verification token sent to your email address, with its issue and expiry timestamps. The verification link itself is shown to you only once, in the email; we never store its plaintext form | Generated by the Service at sign-up and at every re-issue |
| Password recovery data | short-lived hash of a single-use password-reset token sent to your email address, with its issue, expiry and (where applicable) consumption timestamps. The reset link itself is shown to you only once, in the email; we never store its plaintext form | Generated by the Service when you request a password reset |
| Abuse-prevention data | short-lived signature of an accepted proof-of-work captcha challenge submitted with your sign-up. The signature is a non-reversible computational artefact and does not identify you | Generated by the Service when you submit the sign-up form |
| Authentication data | API key (stored as a cryptographic hash), the human-readable label you assign to each key when creating it, session cookies, last login timestamp, key revocation timestamp, per-API-key usage records (timestamp, IP address, user agent, one row per authenticated request) | Generated by the Service; the API key label is supplied by you |
| Legal acceptance records | one row per legal document version you have accepted: timestamp of acceptance, IP address at time of acceptance, user agent, acceptance method (sign-up, explicit update, migration), language of the version shown to you | Generated by the Service when you accept a published version of these Terms, the Privacy Policy, the DPA, or a per-Service Additional Terms |
| Billing and transaction data | name, billing address, country, VAT identifier (where provided), Subscription tier, transaction id, last 4 digits of payment card | Collected by Paddle as Merchant of Record and shared with us for fulfilment |
| Billing linkage identifiers | Reference codes that link your account in our system to your billing record at our payment processor. These identifiers do not contain payment-card information; the payment information they reference is held by our payment processor as Merchant of Record. | Received from our payment processor when your subscription is created |
| Usage data | API call counts, endpoint paths, response status, request and response bodies (subject to redaction of authentication and authorization headers, cookies, and common secret fields), trace identifiers, timestamps, IP addresses, user agents | Generated by your interaction with the Service |
| Data export records | the timestamp of your most recent data export request (a single value per account, used only to rate-limit the self-service export) | Generated by the Service when you use the self-service data export |
| Support data | content of messages you send to us, attachments | Provided by you when contacting support |
| Marketing data (optional) | opt-in to product updates, opens/clicks of marketing emails | Provided by you on opt-in |
| Waitlist data | email address, IP address at time of submission, timestamp of submission | Provided by you when you join the pre-launch waitlist on the public site |
We do not intentionally collect special categories of data under Article 9 GDPR or data of children under 16. Do not submit such data through the Service.
3. Purposes and legal bases
| Purpose | Legal basis (GDPR) | Notes |
|---|---|---|
| Provide the Service: account creation, authentication, API serving, quota enforcement | Art. 6(1)(b) — performance of a contract | |
| Email-address verification at sign-up: confirming that the address you provide is one you control before granting access | Art. 6(1)(b) — performance of a contract | A short-lived verification token (stored as a cryptographic hash) is sent to your email address; clicking the link confirms control. Unconfirmed addresses cannot complete sign-up |
| Password recovery: allowing you to regain access to your account if you forget your password | Art. 6(1)(b) — performance of a contract | A short-lived password-reset token (stored as a cryptographic hash) is sent to your email address; setting a new password through the link both consumes the token and signs you in. Only verified addresses can request a reset |
| Sign-up abuse prevention: refusing automated form submissions that would result in unsolicited verification emails to third parties | Art. 6(1)(f) — legitimate interest in protecting our infrastructure, our outbound-email reputation, and third-party recipients from unsolicited messages | A proof-of-work captcha is required on the sign-up form. The accepted-challenge signature is stored briefly to prevent the same captcha solution being replayed |
| Billing, invoicing, tax and accounting compliance | Art. 6(1)(b) and Art. 6(1)(c) — legal obligation | Paddle handles end-customer billing as MoR; we hold Paddle's monthly statements |
| Security: abuse detection, rate limiting, fraud prevention, incident response, audit logs | Art. 6(1)(f) — legitimate interest in protecting the Service, our users, and our infrastructure | |
| Data portability and access: providing a self-service export of your data (in fulfilment of your Art. 20 and Art. 15 rights), and rate-limiting that export to prevent abuse and accidental load | Art. 6(1)(b) — the export delivers data you provided under your service contract; Art. 6(1)(f) — legitimate interest for the rate-limit timestamp | The export is an exercise of your existing rights against already-lawful processing, not a separate processing activity. We retain only the timestamp of your most recent export to enforce the limit; see Section 8 |
| Customer support | Art. 6(1)(b) and Art. 6(1)(f) | |
| Service notifications (changes to Terms, Privacy Policy, security incidents, scheduled maintenance) | Art. 6(1)(b) and Art. 6(1)(c) | Cannot be opted out of while you have an active account |
| Product updates and marketing communications | Art. 6(1)(a) — consent | Opt-in only; opt-out at any time |
| Pre-launch waitlist contact | Art. 6(1)(a) — consent | You are added to the waitlist for the Service whose public site you signed up on; we contact you when the Service opens to general availability or to ask for early-access feedback. You can request removal at any time via privacy@byteimagination.com |
| Compliance with legal obligations and defence of legal claims | Art. 6(1)(c) and Art. 6(1)(f) | |
| Proof of acceptance of these Terms, the Privacy Policy, the DPA, and per-Service Additional Terms | Art. 6(1)(b) — performance of a contract; Art. 6(1)(f) — legitimate interest in demonstrating valid acceptance and defending against legal claims | The IP address attached to a legal acceptance is automatically cleared after 365 days; the acceptance record itself is preserved for the lifetime of the account |
4. Recipients and sub-processors
We share personal data only with the following categories of recipients:
- Paddle.com Market Ltd (UK) — Merchant of Record; processes payment, billing address, and tax data.
- DigitalOcean, LLC — hosting and infrastructure services.
- Resend, Inc. — transactional email delivery (account verification, password reset, billing notices, service notifications).
- Public authorities — where required by law (court order, lawful request).
A current Sub-processor list with each provider's role and country of processing is published alongside this Policy. We notify you at least 30 days before adding or replacing a sub-processor for processor activities under the DPA.
5. International transfers
Personal data may be processed outside the European Economic Area where a sub-processor is located outside the EEA. Where this is the case, transfers are based on:
- An adequacy decision under Article 45 GDPR; or
- Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR with supplementary measures as appropriate; or
- A derogation under Article 49 GDPR.
A copy of the SCCs in force for a given recipient is available on request to privacy@byteimagination.com.
6. Retention
| Data | Retention |
|---|---|
| Account data | For the lifetime of your account; deleted immediately on account closure, except for records retained on legal-basis grounds (billing — 5 years; legal acceptance records — see Section 8) |
| Billing records | 5 years from the end of the calendar year in which the transaction occurred (Polish accounting law) |
| Billing linkage identifiers (references to your record at our payment processor) | For the lifetime of your subscription; deleted when your account is closed |
| API key hashes | Until you delete the key or close the account |
| API key labels (the human-readable name you assign) | Until you delete the key or close the account; revoked keys keep their label as part of the audit history |
| API key revocation timestamps | For the lifetime of your account; preserved as part of the key's audit history |
| API request/response logs (Logbook) | 30 days, then deleted |
| API request/response markers and trace ids in application logs | 90 days |
| Audit events | For the lifetime of your account; retained as part of Customer Data |
| Source IP attached to audit events | 365 days, then automatically cleared from the event row (the audit row itself is preserved) |
| Per-API-key usage records (timestamp, IP, user agent) | 365 days from the time of each call, then the record is automatically deleted (the API key itself is preserved) |
| Data export request timestamp (the time of your most recent data export, kept to rate-limit exports under Art. 6(1)(f)) | A single most-recent timestamp per account, for the lifetime of your account; deleted when your account is closed |
| Legal acceptance records | For the lifetime of your account, and for up to 6 years after account closure under art. 118 of the Polish Civil Code (or longer if a specific claim is pending or threatened), for the purpose of establishing, exercising, or defending legal claims (Art. 17(3)(e) GDPR). The IP address attached to each acceptance is automatically cleared after 365 days. |
| Idempotency keys | 24 hours, then automatically deleted |
| Email-address verification tokens | 24 hours, then automatically deleted whether or not the link was used; a new token is issued on each sign-up attempt |
| Password-reset tokens | 1 hour from issuance (after which the link no longer works), then a further 7-day forensic retention so we can answer support questions about why a link was rejected; deleted automatically thereafter. A new token is issued on each reset request |
| Sign-up abuse-prevention signatures | 20 minutes from acceptance, then automatically deleted |
| Support correspondence | 3 years from the date of the last message |
| Marketing opt-in records | Until you withdraw consent, plus 3 years for evidentiary purposes |
| Waitlist entries (email, IP, timestamp) | The IP address attached to a waitlist entry is automatically cleared after 365 days. The email and timestamp are kept until the Service opens to general availability and waitlist communications complete, until you request removal, or 24 months idle — whichever is earliest, after which the entry is automatically deleted |
7. Security
We apply technical and organisational measures appropriate to the risk, including:
- Encryption of data in transit using current industry-standard protocols;
- Encryption at rest where supported by the underlying storage;
- API keys stored as cryptographic hashes, never in plaintext;
- Passwords stored using a salted, computationally expensive hash algorithm;
- Access control and least-privilege within the operations team;
- Audit logging of authenticated API access and administrative actions;
- Redaction of single-use secret links from our server access logs: where a link we send you (such as an account-verification or password-reset link) or a payment-recovery link carries a one-time secret in its web address, that secret is replaced with a placeholder before the request is recorded in our web server's access logs, so the secret itself is never written to those logs;
- Sub-processor due diligence and contractual safeguards.
No system is fully secure. If you believe your account has been compromised, contact privacy@byteimagination.com immediately.
8. Your rights
Subject to the conditions of GDPR, you have the right to:
- access your personal data (Art. 15);
- rectify inaccurate or incomplete data (Art. 16);
- erasure ("right to be forgotten") (Art. 17);
- restriction of processing (Art. 18);
- data portability (Art. 20);
- object to processing based on legitimate interest (Art. 21);
- withdraw consent at any time, without affecting the lawfulness of processing before withdrawal (Art. 7(3));
- lodge a complaint with a supervisory authority. The Polish authority is the Prezes Urzędu Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa, https://uodo.gov.pl. You may also lodge a complaint with the supervisory authority in your country of residence or work.
To exercise any right, contact privacy@byteimagination.com. We respond within one month, extendable by two further months for complex requests under Art. 12(3) GDPR.
Self-service data export. You can exercise your right to data portability (Art. 20) at any time without contacting us: sign in and use "Export your data" in your account. The export is a downloadable archive of machine-readable JSON files containing your account details, the data you have created in the Service, and your full activity history — including a record of operations on items you have since deleted. To prevent abuse, the self-service export can be used once every 30 days; this does not limit your right to request your data from us at any time, which we fulfil within one month as described above.
Note on legal acceptance records: the right to erasure under Art. 17 does not extend to legal acceptance records (timestamp, acceptance method, document version, and locale of each version you accepted) where those records are necessary for the establishment, exercise, or defence of legal claims (Art. 17(3)(e) GDPR). We retain these records after account closure and anonymisation on this basis, for up to 6 years from account closure under art. 118 of the Polish Civil Code (the general limitation period for civil claims), or such longer period as may be required if a specific claim is pending or threatened. The IP address attached to each acceptance is, however, cleared automatically after 365 days.
9. Cookies
The Service uses cookies as described in our Cookie Policy.
10. Automated decision-making
We do not make automated decisions that produce legal effects concerning you or that similarly significantly affect you within the meaning of Article 22 GDPR.
Some processing described in Section 3 (security, abuse detection, rate limiting) is automated by nature but does not meet the Article 22 threshold: it is a standard feature of API services and does not determine rights, contract terms, or access in a way that cannot be remedied through human review. If you believe your account has been incorrectly blocked or limited, contact privacy@byteimagination.com and a human will review the decision.
If we introduce processing that meets the Article 22 threshold in the future, we will update this section and notify you in accordance with Section 11.
11. Changes to this Policy
We may update this Policy from time to time. Material changes are notified by email at least 30 days before the effective date. The current version and effective date are shown at the top of this document. Prior versions are preserved in our public source repository.
12. Contact
Privacy questions and requests: privacy@byteimagination.com.