Privacy Policy
Otack Pages — operated by Goup Space Sp. z o. o.
Effective date: 2026-05-29
1. Identity of the controller
The controller of your personal data is Goup Space Sp. z o. o., ul. Hoża 86/210, 00-682 Warszawa, Poland, KRS 0000932799, REGON 520583134, NIP 7011061440 (the "Operator"). Contact for all data-protection matters: info@otack.eu.
No Data Protection Officer has been appointed (GDPR Art. 37 does not require one for this type of processing).
2. Supervisory authority
You may lodge a complaint with the President of the Personal Data Protection Office (PUODO), the Polish supervisory authority under GDPR Art. 77: https://uodo.gov.pl.
3. Personal data we collect
3.1 Provided by you
- e-mail address, full name, preferred language;
- password — stored as a bcrypt hash only; plaintext is never written to our database;
- payment metadata (order ID, amount, currency, status, provider reference, buyer e-mail) — card data is handled exclusively by Stripe (see §5);
- encrypted AI-keys blob (ai_keys_blob) — stored encrypted; we cannot decrypt it (see §9).
3.2 Collected automatically
- IP address — in form submissions, rate-limiting, and audit trails;
- login timestamp, HTTP request-correlation IDs, browser session language;
- basic request metadata (user-agent, referring URL) captured by server logs.
3.3 Content and debug logging
Prompts and generated project files you create on the Platform. When the administrator flag LOG_AI_REQUESTS is enabled (a diagnostic tool, off by default in production), the system prompt, user message, and AI response are logged for up to 7 days. API keys are never captured in logs under any circumstances.
3.4 From third parties
- anti-bot challenge results from hCaptcha;
- payment status callbacks from Stripe.
4. Purposes and legal bases (GDPR Art. 6)
- Art. 6(1)(b) — contract: account creation, operation, and delivery of the Access Pass.
- Art. 6(1)(f) — legitimate interest: security, anti-fraud, abuse prevention, transactional e-mails.
- Art. 6(1)(a) — consent: custom-order briefs and marketing communications. Withdrawable at any time via info@otack.eu.
- Art. 6(1)(c) — legal obligation: accounting and tax records under Ordynacja podatkowa art. 86 §1.
5. Recipients and sub-processors
Payment
- Stripe Payments Europe Ltd. (Ireland, EEA) — payment processing. Card data goes directly to Stripe; we never receive it. US transfers covered by SCCs and EU-US DPF.
AI model inference
- Anthropic PBC (USA) — Claude models. In BYO-key mode you are the controller toward Anthropic. Platform-key use (demo/trial): sub-processor under SCCs.
- OpenAI L.L.C. (USA) — GPT models. Same BYO/platform-key distinction; SCCs for platform-key use.
- Google Ireland Ltd. / Google LLC (Ireland / USA) — Gemini models. Same distinction; SCCs and EU-US DPF for Google LLC.
- Moonshot AI (China) — Kimi models. Transfer notice: China has no EU adequacy decision. Transfer occurs only when you select Moonshot; only your prompt is sent. By selecting this provider you accept the transfer risk (GDPR Art. 49(1)(a)).
Notifications
- Telegram FZ-LLC (UAE) — delivery of custom-order briefs to the Operator. Your name, e-mail, phone, and business details are included. Transfer basis: explicit consent at brief-submission (Art. 49(1)(a)); supplemented by SCCs.
Security
- Intuition Machines Inc. (USA) — hCaptcha on the registration page. Covered by EU-US DPF and SCCs.
Infrastructure
- Hostovita.pl Sp. z o. o. (Poland, EEA) — primary hosting.
- HostPro.ua (Ukraine) — secondary/backup hosting. No EU adequacy decision; transfers governed by SCCs.
- SMTP provider — transactional e-mails. Identity available on request at info@otack.eu.
Sub-processor list updates are notified at least 30 days in advance via in-app banner or e-mail. You may object by contacting info@otack.eu.
6. International data transfers
Transfers outside the EEA occur to: Stripe Inc., Anthropic, OpenAI, Google LLC (USA); Moonshot AI (China); Telegram FZ-LLC (UAE); HostPro.ua (Ukraine). Safeguards: (a) SCCs under Decision (EU) 2021/914; (b) EU-US Data Privacy Framework where applicable; (c) explicit consent (Art. 49(1)(a)) for Telegram and Moonshot. Transfer impact assessments have been conducted for US and Ukraine transfers. Copies available on request at info@otack.eu.
7. Retention periods
- Account data: active period + 90-day grace period after deletion.
- Project files: 30 days after last activity (Free plan); 90 days (Pro/Max). Deletion notices sent at 7, 5, and 3 days.
- AI generation logs (debug only): 7 days.
- Form submissions from Generated Sites: 365 days. Earlier deletion on request at info@otack.eu.
- Payment and invoice records: 5 years (Ordynacja podatkowa art. 86 §1).
- Consent logs: 3 years.
- Application logs: max 30 days.
8. Your rights
- Access (Art. 15): copy of your data within 1 month (extendable by 2 months for complex requests).
- Rectification (Art. 16): via profile settings or by e-mail.
- Erasure (Art. 17): request at info@otack.eu. Self-service deletion planned for 2026. Legal retention obligations may limit erasure (see §7).
- Restriction (Art. 18): by written request.
- Portability (Art. 20): structured export (JSON/CSV) within 1 month.
- Object (Art. 21): to legitimate-interest processing; we cease unless compelling grounds exist.
- Withdraw consent (Art. 7(3)): at any time via info@otack.eu or the opt-out link in any marketing message. Does not affect prior processing.
- All requests are free of charge unless manifestly unfounded or excessive.
- Complaint (Art. 77): lodge with PUODO — see §2.
9. AI keys
Your API key is encrypted in your browser (PBKDF2 + AES-256-GCM) under a password that never reaches our server. We store the encrypted blob but cannot decrypt it. When you make an AI request, your browser decrypts the key and sends it to our server over TLS. The server uses it for that single request, holds it in memory only, then discards it. It is never written to a database or log. For queued generation jobs, the key is re-encrypted (AES-256-GCM) in the queue and erased after processing.
Limitation: the key passes through our server in memory for the duration of one request. This is not a zero-knowledge architecture, but the server-side exposure is limited to the minimum technically necessary.
10. Generated Sites — processor role and user responsibilities
When your Generated Site collects visitor data via forms, you are the controller and we are the processor under GDPR Art. 28. Processing terms are in the Data Processing Agreement, concluded automatically upon acceptance of the Terms of Service.
As controller of your Generated Site, you are responsible for:
- publishing a compliant privacy and cookie notice on your site;
- ensuring a lawful basis for data collected via forms;
- handling data-subject requests from your visitors;
- implementing required cookie consent mechanisms;
- accessibility compliance (WCAG 2.1, European Accessibility Act — Directive (EU) 2019/882);
- compliance with all laws applicable where your site is accessed.
11. Analytics — scope by area
The Platform operates under the single domain pages.otack.eu with different cookie postures by area:
- Public area (pages accessible without login): Google Analytics and Facebook Pixel may be active. These load only after you click "Accept" on the consent banner. See the Cookie Policy.
- Authenticated area (post-login pages): strictly necessary cookies only. No analytics or tracking.
12. Children
The Platform is not directed at persons under 16. We do not knowingly collect their data. Age confirmation is captured at registration. Contact info@otack.eu for erasure of any such data.
13. Automated decision-making
We do not make decisions with legal or similarly significant effects based solely on automated processing (GDPR Art. 22). AI generation produces creative output; it does not determine eligibility, pricing, or access.
14. Security
We apply technical and organisational measures under GDPR Art. 32: TLS in transit, bcrypt password hashing, client-side and server-side AES-256-GCM encryption for AI keys, CSRF protection, rate limiting, role-based access controls, audit logging, and regular backups. Full details: /security. Data breaches are reported to PUODO within 72 hours (Art. 33) and to affected users without undue delay (Art. 34).
15. Changes
Material changes are notified at least 14 days in advance. Changes materially affecting consumer rights require active re-acceptance. Continued use after non-material changes constitutes acceptance. The English version is the master version. In case of any conflict between translations, the English version prevails, subject to mandatory provisions of the law applicable to the User's place of residence.
Goup Space Sp. z o. o. · ul. Hoża 86/210, 00-682 Warszawa · KRS: 0000932799 · info@otack.eu · /privacy