Paczesny° Back

This is an English translation provided for convenience. The Polish version is the legally authoritative text.

Legal document

Data Processing Agreement

Last updated: 2026-06-29

1. Definitions and Scope

This Data Processing Agreement (the "DPA") forms part of the Terms of Service (the "main agreement") between the customer (the "Controller") and Bartłomiej Paczesny, a natural person conducting unregistered business activity (działalność nierejestrowana), ul. Narutowicza 16, 05-870 Błonie, Poland, operator of Paczesny Analytics (the "Processor"), and governs the Processor's processing of personal data on the Controller's behalf under Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR").

Terms such as "personal data", "processing", "controller", "processor", "data subject" and "supervisory authority" have the meanings given to them in the GDPR. Where this DPA conflicts with the main agreement on a matter of data protection, this DPA prevails.

2. Subject Matter, Duration and Nature of Processing

The subject matter of the processing is the personal data contained in the website analytics events and Google Search Console data that the Controller transmits to, or authorises the Processor to collect through, Paczesny Analytics. The nature and purpose of the processing is the provision of cookieless web analytics and search-performance reporting as described in the main agreement.

Processing continues for the duration of the main agreement and ceases on its termination, subject to the return-or-deletion obligations in Section 12. The categories of data subjects and of personal data are set out in Annex A.

3. Obligations of the Processor

The Processor shall process personal data only on documented instructions from the Controller, including with regard to international transfers, unless required to do so by Union or Member State law; in such a case the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The Processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality, shall assist the Controller in meeting its obligations, and shall make available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR.

4. Instructions by the Controller

The Controller's complete and final instructions are set out in this DPA and the main agreement. Any additional or alternative instruction must be agreed in writing. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other data-protection provisions.

5. Confidentiality and Personnel

The Processor restricts access to personal data to personnel who need access to perform the agreement, and binds them by appropriate obligations of confidentiality. Access to sensitive collections is limited to administrative service accounts and is logged.

6. Security of Processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, the Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex B.

7. Sub-Processors

The Controller grants the Processor general written authorisation to engage sub-processors. The Processor maintains an up-to-date list of sub-processors at /sub-processors and offers the Controller the opportunity to subscribe to advance notice of intended changes — at least 30 days — so that the Controller may object.

The Processor imposes on each sub-processor data-protection obligations no less protective than those set out in this DPA, and remains fully liable to the Controller for the performance of each sub-processor's obligations.

8. Data Subject Rights Assistance

Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests by data subjects exercising their rights under Chapter III of the GDPR. Requests received directly by the Processor are forwarded to the Controller without undue delay.

9. Personal Data Breach Notification

The Processor notifies the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Controller's data, providing the information the Controller reasonably needs to meet its own notification obligations under Articles 33 and 34 of the GDPR. Breach reports may be sent to dpa@paczesny.pl.

10. International Data Transfers

Where the processing involves a transfer of personal data to a third country, the Processor relies on an appropriate transfer mechanism under Chapter V of the GDPR. The specific mechanism applicable to each sub-processor is identified at /sub-processors.

11. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the main agreement. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under applicable law. [LEGAL-DRAFT]

12. Term and Termination

This DPA takes effect upon the Controller's acceptance and remains in force for the duration of the processing. On termination, the Processor shall, at the Controller's choice, delete or return all personal data and delete existing copies, unless Union or Member State law requires storage of the personal data.

Matters relating to this DPA, including a request for a counter-signed copy and the designation of the Processor's legal entity at ul. Narutowicza 16, 05-870 Błonie, Poland, may be addressed to dpa@paczesny.pl.

Annex A — Processing Activities

  • Categories of data subjects: visitors to the Controller's websites and the Controller's own authorised users.
  • Categories of personal data: pseudonymised visitor identifiers and event metadata (page, referrer, device class, country) and — where the Controller connects Google Search Console — search-performance metrics for the Controller's verified properties.
  • Processing operations: collection, pseudonymisation, aggregation, storage, and presentation of analytics and search-performance data.
  • Duration: raw event data is retained for 30 days; aggregated data is retained until the Controller deletes the site or the account, as described in the Privacy Policy.

Annex B — Technical and Organisational Measures

  • Encryption of data in transit using TLS for all connections to the service.
  • Encryption of sensitive credentials at rest — Google OAuth refresh tokens are stored using AES-256-GCM authenticated encryption.
  • Pseudonymisation of visitor identifiers by a daily-rotated salted hash, with no raw IP address stored as part of visitor analytics data.
  • Access control restricting personal data to the account owner, with sensitive collections reachable only through administrative service accounts.
  • Audit logging of access to sensitive collections.
  • Automated, time-based deletion of raw event data after the defined retention window.
  • Network and platform isolation on self-hosted infrastructure under the Processor's control.
  • Periodic review of the technical and organisational measures.

Annex C — Sub-Processors

The current list of sub-processors, together with their purposes, locations and transfer mechanisms, is maintained at /sub-processors and forms part of this DPA.