Privacy Policy
Last updated: 18 June 2026
1. Data controller
The controller of your personal data is Bartłomiej Filipiuk Devins, ul. Stacyjna 1, 53-613 Wrocław, Poland, Tax ID (NIP): 596 158 99 01 (the "Controller"). Contact for data matters: bartek@devince.dev. The Controller has not appointed a Data Protection Officer.
2. Purposes and legal bases (GDPR)
| Purpose | Legal basis |
|---|---|
| Order fulfilment, file delivery, Course access, account management | Art. 6(1)(b) GDPR (contract performance) |
| Issuing and storing invoices, tax settlements | Art. 6(1)(c) GDPR (legal obligation) |
| Newsletter / marketing messages | Art. 6(1)(a) GDPR (consent) |
| Fraud prevention, security, establishing/defending claims | Art. 6(1)(f) GDPR (legitimate interest) |
| Non-essential cookies (if implemented) | Art. 6(1)(a) GDPR (consent) |
3. Recipients (processors)
Data may be entrusted to the following processors, with whom the Controller has data processing agreements (Art. 28 GDPR):
- Stripe (Stripe Payments Europe, Ltd., Ireland) — payment processing; processes payment and identification data. Stripe may transfer data to the USA under the EU–US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs). Stripe acts as a processor and, for fraud prevention and regulatory duties, as a separate controller.
- Brevo (Sendinblue SAS, Paris, France) — sending e-mails (transactional and marketing); an EU-based processor, data processed in the EU.
- Hetzner Online GmbH (Germany) — hosting/infrastructure; an EU-based processor (servers in Germany).
4. International transfers
As a rule, data is processed within the European Economic Area. The only transfer outside the EEA concerns the payment provider Stripe (USA), based on the DPF and SCCs ensuring an adequate level of protection.
5. Retention periods
- Accounting documents (invoices): 5 years, counted from the end of the calendar year in which the tax payment deadline fell.
- Order and account data: for the duration of the contract/account, then until the limitation periods for mutual claims expire.
- Newsletter data: until consent is withdrawn.
- Course progress data: for the duration of access, then deleted or anonymised.
6. Your rights
You have the right to: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21) — in particular to processing based on legitimate interest and to marketing — and the right to withdraw consent at any time (without affecting the lawfulness of processing before withdrawal). Exercise your rights by contacting bartek@devince.dev.
7. Complaint to the supervisory authority
You have the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland, if you consider that the processing of your data infringes the GDPR.
8. Whether providing data is required
Providing data is voluntary but necessary to conclude and perform the contract (e.g. to deliver the file, issue an invoice). Not providing it makes order fulfilment impossible.
9. Cookies
The Store uses only essential cookies: a session/login cookie (for Courses) and a cookie remembering the theme preference (light/dark). Essential cookies do not require consent; we inform you about them in this Policy. During payment, Stripe may set its own essential cookies (e.g. for fraud prevention). The Controller does not use analytics or marketing cookies; introducing any would require a consent mechanism (banner). Cookies can be managed in your browser settings.
10. Automated decision-making
The Controller does not make decisions about you based solely on automated processing (including profiling) that produce legal effects or similarly significantly affect you. The payment provider Stripe may apply its own fraud-risk scoring.
11. Changes to this Policy
This Policy may be updated; it is effective from 18 June 2026.