This is an English translation provided for convenience. The Polish version is the legally authoritative text.
Legal document
Security
Last updated: June 29, 2026
1. Data Minimization
Paczesny Analytics is cookieless by design. The analytics tracker sets no cookies and collects no directly identifying personal data. No raw IP address is stored as part of visitor analytics data; visitors are represented only by a daily-rotating pseudonymous identifier.
2. Pseudonymization
The visitor identifier is derived server-side as a salted hash of the site ID, IP address, user agent, and a salt that rotates every UTC day: sha256(siteId + ip + user-agent + daily salt). Because the salt changes daily and the inputs are not retained, the same visitor cannot be linked across days and the identifier cannot be reversed to an IP address.
3. Encryption in Transit
Every connection to the service — the dashboard, the ingestion endpoint, and the API — is served exclusively over TLS. Plaintext HTTP is redirected to HTTPS.
4. Encryption at Rest
Sensitive credentials are encrypted at rest. Google OAuth refresh tokens are stored using AES-256-GCM authenticated encryption, and database storage is protected at the infrastructure layer.
5. Hosting Infrastructure
The service runs on self-hosted infrastructure on Oracle Cloud Infrastructure under our direct control, in the Amsterdam, Netherlands region (eu-amsterdam-1) — within the EU/EEA. We do not hand your data to third-party managed analytics platforms.
6. Access Control
Access to the dashboard requires authentication, and two-factor authentication (MFA) is available. Application data is scoped to the account owner, and sensitive collections are reachable only through administrative service accounts on the server — never directly from the browser.
7. Data Retention
Raw event data is retained for 30 days and then deleted by an automated retention process; aggregated analytics are kept until you delete the site or the account. The alert delivery log is retained for 90 days. Records of legal acceptance are retained for as long as necessary to evidence that acceptance (GDPR Art. 17(3)(b)).
8. Breach Notification
In the event of a personal data breach, we notify affected customers without undue delay and within 72 hours of becoming aware, consistent with our Data Processing Agreement. Breach reports and security concerns can be sent to dpa@paczesny.pl.
9. Responsible Disclosure
If you discover a security vulnerability, please report it to bartek@paczesny.pl and allow us a reasonable period to remediate before any public disclosure. We aim to acknowledge reports within five business days.
10. Certifications
Our current certification status is described below.
We do not currently hold SOC 2 or ISO 27001 certification. These certifications require significant sustained investment and are revisited when enterprise contract requirements demand them. Our security posture is described in full on this page.
11. Sub-Processor Security
We engage a limited set of sub-processors and impose data-protection obligations on each of them. The current list, with purposes and locations, is published at /sub-processors.
12. Cookie Policy
The analytics tracker uses no cookies. The only cookie the service sets is a technical session cookie required to keep you signed in to the dashboard.
13. Legal Documentation
Related documents: our Privacy Policy, Terms of Service, Data Processing Agreement, and Sub-processors list.