Privacy Policy

1. Identity of the controller

The controller of your personal data is Goup Space Sp. z o. o., registered office ul. Hoża 86/210, 00-682 Warszawa, Poland, KRS 0000932799, REGON 520583134, NIP 7011061440 (the Operator, "we", "us"). The contact point for all data-protection matters is info@pages.otack.eu. No Data Protection Officer has been appointed (we are not required to appoint one under GDPR Art. 37); the same e-mail is the contact point for any privacy enquiry, data-subject request or complaint.

2. Supervisory authority

You have the right to lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, "PUODO") in Warsaw, the Polish supervisory authority competent for the Operator under GDPR Art. 77. Agency contact: https://uodo.gov.pl.

3. What personal data we collect

3.1 From you directly

  • e-mail address;
  • full name;
  • password (stored as a bcrypt hash; the cleartext never reaches our database);
  • preferred interface language;
  • payment metadata (order ID, amount, currency, status, provider reference, buyer e-mail) — full card data is never received by us; it is handled by Stripe (see §5);
  • your encrypted ai_keys_blob, which we cannot read.

3.2 Collected automatically

  • IP address logged in form submissions (form_submissions), in rate-limiting contexts and in audit trails;
  • last_login_at timestamp;
  • HTTP request-correlation IDs in application logs;
  • the language of your browser session.

3.3 Content you provide

Prompts you submit to the qualifying chat and to the AI assistant; the generated HTML and project files you create. When the debug flag LOG_AI_REQUESTS is enabled by the platform administrator, the system prompt, the user message and the raw AI response are captured in generation_log (clamped to 256 KB per record, pruned daily, retained 7 days). The API key is never captured among these fields.

3.4 From third parties

  • anti-bot challenge results from hCaptcha;
  • payment status callbacks from Stripe.

4. Purposes and legal bases (GDPR Art. 6)

  • Account creation and operation, delivery of the Access Pass — basis: Art. 6(1)(b) — performance of a contract to which you are a party.
  • Anti-fraud, security, abuse prevention, transactional e-mails (verification, password reset, coworker notifications) — basis: Art. 6(1)(f) — our legitimate interest in operating a secure, working service.
  • Site-request "custom order" brief and any optional marketing communications — basis: Art. 6(1)(a) — your explicit consent, freely given and withdrawable at any time.
  • Accounting and tax records of payments — basis: Art. 6(1)(c) — compliance with a legal obligation, in particular under Ordynacja podatkowa of 29 August 1997 art. 86 §1.

5. Recipients and sub-processors

The following entities receive personal data on our behalf or jointly with us:

  • Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin 2, Ireland — payment processing; receives card data directly from your browser. Stripe is in the EEA; Stripe in turn transfers to its US affiliate under Standard Contractual Clauses and the EU-US Data Privacy Framework.
  • Anthropic, PBC (United States) — AI model inference for the Claude family of models. When you bring your own API key (BYO mode), you are the controller toward Anthropic under Anthropic's commercial terms; when the platform-key fallback is used during demo or trial, Anthropic acts as a sub-processor under Standard Contractual Clauses.
  • OpenAI, L.L.C. (United States) — AI model inference for the GPT family of models. The same BYO/platform-key distinction applies; Standard Contractual Clauses apply when the platform-key is used.
  • Google Ireland Ltd. (Ireland) and Google LLC (United States) — AI model inference for the Gemini family of models. BYO/platform-key distinction applies; Standard Contractual Clauses and the EU-US Data Privacy Framework apply for Google LLC.
  • Moonshot AI (People's Republic of China) — AI model inference for the Kimi family of models. Transfer-impact note: China is not subject to a European Commission adequacy decision. Transfers occur only when you explicitly select a Moonshot model, and only your prompt is sent. By selecting the provider you accept that risk.
  • Telegram FZ-LLC (United Arab Emirates) — notification channel used to deliver site-request briefs to the Operator. Your e-mail, name, phone and business information are included in the notification message. Telegram servers are outside the EEA; this transfer relies on your explicit consent at the brief-submission step (Art. 49(1)(a)).
  • Intuition Machines, Inc. (United States) — hCaptcha anti-bot service; relies on the EU-US Data Privacy Framework and Standard Contractual Clauses.
  • Hosting providers: Hostovita.pl Sp. z o.o. (Poland) and HostPro.ua (Ukraine) — server hosting for the platform.
  • SMTP / e-mail delivery provider — for transactional e-mails (verification, password reset, coworker notifications). Identity available on request to info@pages.otack.eu.
  • National Bank of Ukraine (NBU) public exchange-rate API — used to display indicative USD/UAH conversion; no personal data is sent.

We publish updates to this sub-processor list and notify Users via in-app banner or e-mail with at least 30 days' advance notice; you may object to a new sub-processor.

6. International data transfers

Transfers of personal data outside the European Economic Area occur to Stripe (Stripe, Inc. in the United States), Anthropic, OpenAI, Google LLC, Moonshot AI, hCaptcha (Intuition Machines, Inc.) and Telegram (UAE). The safeguards we rely on under GDPR Chapter V (Arts. 44-49) are: (a) the European Commission's Standard Contractual Clauses under Decision (EU) 2021/914; (b) the EU-US Data Privacy Framework where the recipient is certified; and (c) your explicit consent under Art. 49(1)(a) for Telegram brief delivery. You may obtain copies of the safeguard instruments by writing to info@pages.otack.eu.

7. Retention periods

  • Account data: retained while the Account is active, plus a 90-day grace period after deletion before purge from primary storage.
  • Inactive projects: deleted 30 days after inactivity; notice e-mails are sent 7, 5 and 3 days before deletion.
  • generation_log (AI usage telemetry): 7 days, pruned nightly.
  • form_submissions (visitor data on hosted sites): 365 days, pruned nightly.
  • Payment / invoice records (accounting): 5 years from the end of the calendar year of the transaction (Ordynacja podatkowa art. 86 §1); these may not be erased before this period elapses.
  • Consent logs (e.g. withdrawal-right waiver, age confirmation, brief consent): 3 years.
  • Application logs: rotated weekly, retained no longer than 30 days.

8. Your rights as a data subject

  • Right of access (Art. 15) — request a copy of your personal data; response within 1 month, extendable by 2 further months for complex requests, with notice.
  • Right to rectification (Art. 16) — correct inaccurate data via your profile settings or by writing to us.
  • Right to erasure (Art. 17) — request deletion of your Account and associated data. Currently fulfilled via a manual request process at info@pages.otack.eu; self-service deletion is in development. Erasure may be limited by legal retention obligations (see §7).
  • Right to restrict processing (Art. 18) — by request via e-mail.
  • Right to data portability (Art. 20) — receive your Account data in a structured, commonly used, machine-readable format (JSON for structured records, CSV for tabular data); delivered within 1 month of request.
  • Right to object (Art. 21) — to processing based on legitimate interest; we will cease unless we demonstrate compelling legitimate grounds.
  • All requests are free of charge unless manifestly unfounded or excessive.
  • Right to lodge a complaint with PUODO (Art. 77) — see §2.

9. AI keys — how we handle them

Your AI provider API key is encrypted on your device using PBKDF2 and AES-256-GCM under a password that never reaches our server. The encrypted blob is stored either in users.ai_keys_blob (Account mode) or in your browser's localStorage (File mode); we cannot decrypt it. When you make an AI request, the key is decrypted in your browser and transmitted to our server over TLS in the X-AI-API-Key header, where it is held in PHP memory only for the duration of the single AI request before being discarded. It is not persisted in readable form and is not logged. For asynchronous generation jobs placed in our internal Redis queue, the key is encrypted again with AES-256-GCM by our JobEncryptor before being placed on the queue, and is erased from the queue payload after the worker has processed the job.

We do NOT operate a true zero-knowledge architecture at the moment of use — the key passes through our server in plaintext for a single request. We do, however, never store it in readable form and never log it.

10. Hosted Generated Sites — visitor data and our role as processor

When you publish a Generated Site through our platform and the site collects personal data via forms, you act as the controller of your visitors' personal data and we act as the processor on your behalf, in the meaning of GDPR Art. 28. The terms of that processing are set out in our Data Processing Agreement, which is automatically concluded between you and us when you accept the Terms of Service. You are responsible for: (a) publishing your own privacy and cookie notices on your Generated Site that comply with the law applicable to your visitors; (b) ensuring the data you collect via forms is collected on a lawful basis under GDPR; (c) responding to data-subject requests directed at you by your visitors. We assist you with these obligations to the extent provided in the DPA.

11. Children

The platform is not directed at persons under the age of 16. We do not knowingly collect personal data of children under 16. A minimum-age confirmation is captured at registration. If we discover that we have collected such data without parental authorisation, we will delete it without undue delay. Parents or guardians who believe their child has provided us with personal data may write to info@pages.otack.eu for prompt erasure.

12. Automated decision-making

We do not make decisions about you that produce legal or similarly significant effects on you based solely on automated processing within the meaning of GDPR Art. 22. AI-driven content generation produces creative output; it does not adjudicate eligibility, pricing or access to the service.

13. Cookies and similar technologies

The platform uses only strictly-necessary and security cookies. For details, including names, purposes and durations, see the Cookie Policy.

14. Security measures

We apply reasonable technical and organisational measures proportionate to the risks, in line with GDPR Art. 32, including TLS in transit, bcrypt password hashing, client-side AES-256-GCM encryption for AI keys, server-side AES-256-GCM encryption for sensitive job-queue payloads (JobEncryptor), role-based access controls, CSRF protection on state-changing endpoints, application-level rate limiting, audit logging of administrative actions, and regular database backups. For a full description see the Data Security page. In the event of a personal data breach we notify the supervisory authority (PUODO) within 72 hours where required by GDPR Art. 33, and notify affected data subjects without undue delay where required by Art. 34.

15. Changes to this Policy

We will publish material changes to this Policy with at least 14 days' advance notice via in-app banner and/or e-mail. The version date is shown below. Continued use of the platform after the effective date of a change constitutes acceptance of the updated Policy. The English version is the master version; in case of any conflict between translations the English version prevails. Effective date: 2026-05-20.