Privacy Policy — K0nsult CNC

K0nsult CNC is committed to protecting your privacy. We do not use third-party tracking tools, do not sell your data, and process only the minimum information necessary to provide our services.

1. Data Controller

The data controller responsible for your personal data is:

Entity: K0nsult CNC — operated by CODE NO CODE (CNC)
Operator: 0n40i4 (Tomasz Obara), sole proprietorship, Poland
Registry: Registered lobbyist No. 00168 (Polish Ministry of Justice)
Contact: kontakt@k0nsult.cloud

2. What Data We Collect

2.1 Contact Form Data

When you submit our contact form, we collect:

Your name
Email address
Company name (if provided)
Message content

2.2 Usage Analytics (Server-Side, No Third-Party Tracking)

K0nsult uses server-side request logs only for usage analytics. No third-party analytics scripts, tracking pixels, or advertising cookies are used. Specifically, we record:

Page URL — the path of the page requested
Timestamp — date and time of the request (UTC)
Referrer header — the URL of the page that linked to us, if present
Anonymized IP address — last octet removed before storage (e.g., 192.168.1.xxx)

No cookies are set for analytics purposes. No third-party pixels (Google Analytics, Facebook Pixel, etc.) are loaded. If a privacy-friendly, cookie-free analytics tool is used in the future (e.g., Plausible.io — EU-hosted, no cookies, no cross-site tracking), this policy will be updated accordingly. This data cannot be used to identify individual users.

3. Purpose of Data Processing

We process your personal data for the following purposes:

Responding to inquiries: To reply to messages submitted through our contact form and provide requested information about our services.
Service improvement: To understand how our website is used and improve the user experience, based on anonymized server-side request logs (no cookies, no third-party tracking).

4. Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we process your data on the following legal bases:

Contact form: Art. 6(1)(f) GDPR (legitimate interest). We have a legitimate interest in responding to inquiries submitted through our contact form.
Starter pack: Art. 6(1)(a) GDPR (consent). When you voluntarily submit your email to receive the Starter Pack, you consent to the processing of your personal data for that purpose.
Newsletter: Art. 6(1)(a) GDPR (consent). When you subscribe to our newsletter, you consent to receiving periodic communications about AI governance.
Server-side analytics logs: Art. 6(1)(f) GDPR (legitimate interest). We have a legitimate interest in collecting anonymized, server-side request logs to understand website usage and improve our services. No cookies are used for this purpose and no data is shared with third parties.

5. Data Retention

Contact form data: 24 months from last contact. You may request deletion at any time.
Anonymous analytics data: 12 months.

You may request deletion of your personal data at any time by contacting us at kontakt@k0nsult.cloud.

6. Your Rights

Under GDPR, you have the following rights regarding your personal data:

Right of access: You may request a copy of the personal data we hold about you.
Right to rectification: You may request correction of inaccurate or incomplete personal data.
Right to erasure: You may request deletion of your personal data ("right to be forgotten").
Right to data portability: You may request your data in a structured, commonly used, machine-readable format.
Right to object: You may object to the processing of your personal data based on legitimate interest.
Right to withdraw consent: You may withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, contact us at kontakt@k0nsult.cloud. We will respond within 30 days.

7. Cookies and Local Storage

We use only essential cookies and localStorage for the following purposes:

Session management: To maintain your session state while using the website.
User preferences: To remember your display preferences (e.g., theme settings) via localStorage.

We do not use:

Google Analytics
Facebook Pixel
Any third-party tracking cookies
Any advertising or marketing cookies

8. Sub-processors

We use the following sub-processors to provide our services:

Fly.io — Hosting provider, Frankfurt, EU
PostgreSQL — Database, Fly.io managed, Frankfurt, EU

We do not use any third-party analytics or tracking services. We do not sell, trade, or otherwise transfer your personal data to third parties. Your data is used solely by K0nsult CNC for the purposes described in this policy.

9. Data Location and Security

Your data is stored and processed within the European Union:

Hosting location: Fly.io EU — Frankfurt, Germany (primary, 2 instances) + Amsterdam, Netherlands (1 instance). All data stored and processed within EU/EEA.
Security measures: Data is transmitted via encrypted HTTPS connections. Access to personal data is restricted to authorized personnel only.

10. Children's Privacy

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Any updates will be posted on this page with a revised "Last updated" date. We encourage you to review this page periodically.

12. Supervisory Authority & Right to Complain

If you believe that our processing of your personal data violates GDPR, you have the right to lodge a complaint with the supervisory authority:

Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
uodo.gov.pl

You may also lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

Lista Sub-Procesorow Danych

Sub-procesor	Cel	Lokalizacja	Certyfikaty
Fly.io Inc.	Hosting aplikacji i bazy danych	Frankfurt, EU	SOC2 Type II
PostgreSQL (Fly.io Managed)	Baza danych	Frankfurt, EU	Szyfrowanie AES-256
Anthropic (Claude AI)	Asystent AI czatu	USA (dane nie przechowywane)	SOC2 Type II, no training on data
LH.pl (mail)	SMTP/IMAP poczta	Polska, EU	-
Stripe Inc.	Przetwarzanie platnosci	USA/EU	PCI DSS Level 1, SOC2

Inspektor Ochrony Danych (DPO)

Kontakt w sprawach ochrony danych osobowych: kontakt@k0nsult.cloud

Administrator danych: K0nsult / CODE NO CODE, kontakt@k0nsult.cloud

Twoje Prawa

Prawo dostepu do danych (art. 15 RODO)
Prawo do sprostowania (art. 16 RODO)
Prawo do usuniecia danych (art. 17 RODO)
Prawo do ograniczenia przetwarzania (art. 18 RODO)
Prawo do przenoszenia danych (art. 20 RODO)
Prawo do sprzeciwu (art. 21 RODO)

Aby skorzystac z powyzszych praw, napisz na kontakt@k0nsult.cloud.

Prosba o Usuniecie Danych

Zgodnie z art. 17 RODO masz prawo zadac usuniecia swoich danych osobowych.

13. Contact

For any questions or requests regarding this Privacy Policy or your personal data, please contact:

K0nsult CNC / CODE NO CODE
Email: kontakt@k0nsult.cloud

14. Data Processing Agreement (DPA)

A Data Processing Agreement is available upon request for enterprise clients.

Current sub-processors:

Fly.io — Application hosting and compute (EU regions: Frankfurt + Amsterdam)
PostgreSQL (Fly.io managed) — Database storage (EU region)

Sub-processor changes: Clients will be notified 30 days before any new sub-processor is added. Clients may object within 14 days.

DPA includes: Standard Contractual Clauses (SCCs), technical and organizational measures (TOMs), breach notification obligations.

To request a DPA: kontakt@k0nsult.cloud

15. Security Incident Response

K0nsult maintains a documented incident response procedure covering:

1. Detection — Automated monitoring and alerting for unauthorized access, data anomalies, and system integrity violations
2. Classification — Incidents classified as P1 (critical: data breach), P2 (high: service disruption), P3 (medium: anomaly), P4 (low: minor issue)
3. Containment — Immediate isolation of affected systems; all actions logged
4. Notification — P1/P2 incidents: affected parties notified within 72 hours per GDPR Art. 33. Supervisory authority (UODO) notified if required
5. Resolution — Root cause analysis, remediation, and post-incident review within 14 days
6. Documentation — Full incident report retained for 36 months

Report a security incident: security@k0nsult.cloud
Emergency contact available 24/7 for P1 incidents