Privacy Policy — piotrlitwa.com

Last updated: March 10, 2026

This policy sets out the rules for processing personal data of users of the website available at https://piotrlitwa.com (the "Website"), as well as persons contacting the Controller, using its services, tools, and receiving the newsletter.

Read this policy to learn who processes your data, for what purpose, on what legal basis, and what your rights are. If you do not accept this document, please stop using the Website.

Every person using the Website remains anonymous until they choose to reveal their identity. The Controller does not process any data without your consent or another legal basis provided by GDPR. Personal data is processed for various purposes — always in accordance with the law.

To ensure the security of your data, the Controller selects technical measures to protect it — including against disclosure to unauthorized persons or processing in violation of the law.

§1. Definitions

  • Website — the website at https://piotrlitwa.com including its subpages (/checkGTM/, /uca/, /dashboard/)
  • Controller — Piotr Litwa Web Analyst Sp. z o.o. with registered office in Gliwice (details below)
  • User — a natural person using the Website
  • Client — a person or company using the Controller's paid services
  • Newsletter — a service allowing the User to receive free information from the Controller at the provided email address

§2. Data Controller

Piotr Litwa Web Analyst Sp. z o.o.
ul. Plebiscytowa 1/121, 44-100 Gliwice, Poland
KRS: 0001002753 · NIP: 6312709007 · REGON: 523692332
Share capital: PLN 5,000
Registration date: November 17, 2022
Email: hello@piotrlitwa.com

The Controller has not appointed a Data Protection Officer due to not meeting the mandatory criteria. Contact on personal data matters: hello@piotrlitwa.com.

§3. General provisions

  • Personal data is processed in accordance with Regulation (EU) 2016/679 (GDPR), the Polish Data Protection Act, and the Act on Electronic Services.
  • The Controller strives to ensure an appropriate level of privacy and security for Users and Clients.
  • The Website and services are not intended for children under 16 — the Controller does not knowingly collect data from persons below that age.
  • The Controller ensures that personnel authorized to process personal data do so in accordance with this Policy and internal procedures.

§4. Scope and purpose of data collection

4.1. Free GTM Audit (checkGTM)

| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Delivering the audit report | Consent (form submission) |
| Website URL / GTM ID | Performing the audit | Consent |
| Audit results (score, issues) | Service delivery and improvement | Legitimate interest |
| Language preference | Localization | Legitimate interest |
| Marketing consent | Optional marketing emails | Explicit consent |
| UTM parameters, referrer | Marketing attribution | Legitimate interest |

4.2. Client Dashboard

| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Authentication and account management | Contract performance |
| Subscription data | Service delivery | Contract performance |
| Support tickets | Customer support | Contract performance |

4.3. Payments

| Data | Purpose | Legal basis |
|---|---|---|
| Payment data (card, billing details) | Payment processing (handled by Stripe) | Contract performance |
| Invoice data (name, company, address, tax ID) | Issuing invoices | Legal obligation (tax regulations) |

The Controller does not store credit card data. Payments are handled by Stripe, Inc. — a certified PCI DSS-compliant payment processor. The Controller reserves the right to process invoice data for the purpose of pursuing claims.

4.4. Newsletter and contact forms

When subscribing to the newsletter, the email address is processed — the legal basis is consent. The User may unsubscribe at any time.

When using the contact form, data provided by the User is processed — by default, the email address. The legal basis is preparation and performance of a contract or legitimate interest of the Controller.

4.5. Statistical data (without filling in forms)

During a visit to the Website, statistical data is collected: pages visited, time spent on each, date and time of visit, operating system, browser, location. The legal basis is the Controller's legitimate interest in improving the Website structure and services.

Unless cookie preferences are set otherwise, data may be processed for marketing purposes — this includes browsing history, clicks, etc. The Controller does not profile data.

§5. Data processing methods

  • Use of the Website is voluntary.
  • Personal data of Users and Clients will not be shared with third parties for marketing purposes.
  • The Controller shares personal data with employees and collaborators for the purpose of service delivery.
  • The Controller shares personal data with authorized state authorities — in particular the Police, prosecution, or the President of UODO — if they request it on the basis of legal provisions.

§6. Data processors

| Processor | Purpose | Location |
|---|---|---|
| ELMO (CSZPiZ) | Central product, consent and license management system | EU (MyDevil hosting, Poland) |
| Stripe, Inc. | Payment processing | USA (EU data processing, EU SCCs) |
| Brevo (Sendinblue) | Email delivery | EU (France) |
| MyDevil.net | Web hosting, database | EU (Poland) |
| Google LLC | Analytics (GA4), Tag Manager | USA (EU Standard Contractual Clauses) |

Processors based outside the European Union (Stripe, Google) guarantee compliance with standards analogous to GDPR. Data transfers are protected by:

  • EU Standard Contractual Clauses (SCCs)
  • Data Processing Agreements

§7. Consent management

The Controller records and manages User consents through the ELMO system. Types of consent:

  • GTM Audit consent — required to use the free audit tool.
  • Marketing consent — optional, for receiving marketing communications.
  • Cookie consent — managed via the cookie banner (Google Consent Mode v2).

You can view and manage your consents at any time through the Client Dashboard.

§8. Cookies

The Website uses cookies — short text files stored on the User's device. They may be read by the Controller and by third-party systems whose services are used.

Types of cookies used:

  • Essential cookies — session management, language preference, consent state (always active).
  • Analytics cookies — Google Analytics 4 via Google Tag Manager (requires consent).
  • Marketing cookies — advertising attribution (requires consent).

You can manage your cookie preferences via the cookie banner displayed on the Website.

Managing cookies in your browser:

Web browsers allow cookies by default. You can change your settings:

  • Google Chrome — instructions
  • Mozilla Firefox — instructions
  • Safari — instructions
  • Microsoft Edge — instructions

Disabling or limiting cookies may cause difficulties in using the Website and limit its functionality.

§9. Data retention

The Controller processes personal data only for the time necessary to achieve the following purposes:

  • Audit data — 24 months from the last audit.
  • Account data — for the duration of the service relationship + 12 months.
  • Invoice data — 6 years (legal requirement, Accounting Act).
  • Consent records — 5 years (GDPR accountability).
  • Newsletter — until unsubscription or termination of the service.
  • Prospective clients — 3 years.

Retention periods are counted from the end of the year in which data processing began. After these periods, data will be irreversibly deleted or destroyed.

§10. Your rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

  • Right to withdraw consent — withdrawal may prevent further use of services that require consent. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
  • Right to object — to processing based on legitimate interest. If the objection is justified, the Controller will delete the data in question.
  • Right to erasure ("right to be forgotten") — in case of consent withdrawal, justified objection, or unlawful processing.
  • Right to restriction of processing — when the accuracy of data or the legality of processing is contested.
  • Right of access — confirmation of processing, a copy of the data, and information about processing principles.
  • Right to rectification — correction of inaccurate data or completion of incomplete data.
  • Right to data portability — receiving data in PDF or another agreed format, or direct transfer to another controller.

To exercise these rights, contact us at hello@piotrlitwa.com. Requests are handled within 30 days of receipt (for complex requests, the deadline may be extended by another month).

You also have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO) — uodo.gov.pl.

§11. Data security

The Controller implements appropriate technical and organizational measures to protect personal data:

  • All data is transmitted over HTTPS (TLS encryption).
  • API keys are never exposed on the frontend — backend communication via PHP proxy.
  • Database access restricted by IP and credentials.
  • Regular security reviews of systems.
  • Credit card data processed exclusively by Stripe (PCI DSS compliant).

§12. Intellectual property

All content published on the Website is protected by copyright and is the property of the Controller. Any use of Website content without the Controller's permission constitutes a copyright infringement.

§13. Changes to this policy

The Controller may periodically update this Privacy Policy by publishing new versions on the Website. Material changes may be communicated via email. Continued use of the Website is subject to the Policy in effect at that time.

§14. Contact and complaints

For matters related to privacy and personal data protection:

  • Email: hello@piotrlitwa.com
  • Address: Piotr Litwa Web Analyst Sp. z o.o., ul. Plebiscytowa 1/121, 44-100 Gliwice
  • Supervisory authority: President of the Personal Data Protection Office (UODO)