Privacy Policy

1. Introduction

This Privacy Policy describes how the personal data of users ("Users") of the website tonyabel.com/metaads-agent and buyers of the MetaAds Agent digital product ("Product") is collected, processed, and protected.

The Data Controller processes personal data in compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR/RODO), the Polish Act of 10 May 2018 on Personal Data Protection (Dz.U. 2018 poz. 1000), and the Polish Telecommunications Law Act of 16 July 2004 (Prawo telekomunikacyjne).

2. Data Controller

The Data Controller is:

Paweł Szczabel
NIP: 9910361892
ul. Wygonowa 51/2A
45-402 Opole
Poland

Contact email: pawelszczabel@gmail.com

The Data Controller has not appointed a Data Protection Officer (DPO). For any matters regarding personal data processing, please contact the Data Controller directly at the email address above.

3. Categories of Personal Data Collected

The Data Controller may collect the following categories of personal data:

• Transaction and identification data — first name, last name, email address, billing address, NIP (if applicable), and payment information necessary to complete a purchase. Full payment card details are not stored by the Data Controller — payments are processed by a third-party payment operator.
• Technical and usage data — IP address (anonymized), browser type and version, operating system, screen resolution, pages visited, time on page, referral source, and approximate geographical location derived from timezone settings. This data is collected via Vercel Analytics in an anonymized, non-identifiable form.
• Cookie and localStorage data — data stored locally on the User's device, including language preference, currency preference, and cookie consent decision. See the Cookie Policy for details.
• Communication data — email address and the content of messages when the User contacts the Data Controller voluntarily.
• Invoice data — data necessary to issue an invoice in accordance with Polish tax law, including name, address, and NIP. The Seller is VAT-exempt (zwolniony podmiotowo z VAT) and issues invoices without VAT.

4. Legal Basis and Purpose of Processing

Personal data is processed on the following legal bases (Article 6(1) GDPR):

• Article 6(1)(b) — performance of a contract — processing is necessary for the performance of a contract to which the User is a party, or in order to take steps at the User's request prior to entering into a contract. This includes: delivering the purchased Product, providing access to download files, issuing invoices, and providing customer support.
• Article 6(1)(c) — legal obligation — processing is necessary for compliance with a legal obligation to which the Data Controller is subject. This includes: maintaining accounting records and issuing invoices as required by Polish tax law (Ordynacja podatkowa).
• Article 6(1)(f) — legitimate interest — processing is necessary for the legitimate interests pursued by the Data Controller, such as: analyzing website performance and usage patterns (via anonymized analytics), preventing fraud and unauthorized use, and defending legal claims.
• Article 6(1)(a) — consent — where the User has given explicit consent for a specific purpose, such as: receiving marketing communications. Consent can be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal.

5. Recipients of Personal Data

Personal data may be shared with the following categories of recipients:

• Payment processor — to securely process purchase transactions. The payment processor acts as an independent data controller for payment data.
• Vercel Inc. — website hosting provider. Vercel Analytics collects anonymized, non-personal usage data and does not identify individual users.
• Accounting/tax service providers — to the extent necessary for bookkeeping and tax compliance under Polish law.
• Public authorities — where required by law (e.g., tax authorities, courts).

The Data Controller does not sell, rent, or share personal data with third parties for their own marketing purposes.

6. Transfer of Data Outside the EEA

Some of the Data Controller's service providers (e.g., Vercel Inc.) are based in the United States. In such cases, data transfers are safeguarded by:

• Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Article 46(2)(c) GDPR.
• Where applicable, the EU-US Data Privacy Framework.

The User may request a copy of the applicable safeguards by contacting the Data Controller.

7. Data Retention Period

Personal data is retained only for as long as necessary to fulfill the purposes described in this policy:

• Transaction and invoice data: retained for the period required by Polish tax and accounting regulations — 5 years from the end of the tax year in which the transaction occurred (Article 70 §1 Ordynacja podatkowa).
• Usage/analytics data: anonymized; retained for up to 24 months.
• Communication data: retained for up to 12 months after the last exchange, unless retention is necessary for legal claims.
• Consent records: retained for the duration of the consent and for 3 years after withdrawal (statute of limitations for claims).

After the retention period, data is permanently deleted or irreversibly anonymized.

8. Rights of the Data Subject

Under GDPR (Articles 15–22), the User has the following rights:

• Right of access (Art. 15) — the right to obtain confirmation whether personal data is being processed and to request a copy of that data.
• Right to rectification (Art. 16) — the right to request correction of inaccurate personal data or completion of incomplete data.
• Right to erasure (Art. 17) — the right to request deletion of personal data ("right to be forgotten"), subject to exceptions (e.g., legal obligations, defense of claims).
• Right to restriction of processing (Art. 18) — the right to request that processing be restricted in certain circumstances.
• Right to data portability (Art. 20) — the right to receive personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
• Right to object (Art. 21) — the right to object to processing based on legitimate interest (Art. 6(1)(f)), including profiling. The Data Controller shall cease processing unless there are compelling legitimate grounds.
• Right to withdraw consent (Art. 7(3)) — where processing is based on consent, the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

To exercise any of the above rights, the User should send a request to: pawelszczabel@gmail.com. The Data Controller will respond without undue delay and in any event within one month of receiving the request (Article 12(3) GDPR). In complex cases, this period may be extended by a further two months.

9. Right to Lodge a Complaint

If the User considers that personal data is being processed in violation of GDPR, the User has the right to lodge a complaint with the supervisory authority:

Prezes Urzędu Ochrony Danych Osobowych (PUODO)
ul. Stawki 2
00-193 Warszawa
Poland
https://uodo.gov.pl
Email: kancelaria@uodo.gov.pl

10. Automated Decision-Making and Profiling

The Data Controller does not use automated decision-making, including profiling, within the meaning of Article 22 GDPR that would produce legal effects concerning the User or similarly significantly affect the User.

11. Data Security

The Data Controller implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of data in transit (TLS/HTTPS).
• Secure hosting infrastructure with access controls.
• Minimization of data collected (data minimization principle, Art. 5(1)(c) GDPR).
• Regular review and update of security measures.

12. Obligation to Provide Data

Providing personal data is voluntary but may be necessary to:

• Complete a purchase — without transaction data (name, email, payment), the purchase cannot be processed.
• Receive an invoice — without invoice data (name, address, NIP), an invoice cannot be issued.
• Contact the Data Controller — without an email address, a response cannot be sent.

Failure to provide the required data will result in the inability to perform the respective service.

13. Changes to This Policy

The Data Controller reserves the right to amend this Privacy Policy. Any changes will be published on this page with an updated "Last updated" date. Changes do not apply retroactively. The User is encouraged to review this page periodically.