Privacy policy without jargon.

The controller of personal data processed in connection with the use of duztr.com and with our design and engineering services is:

We have not appointed a Data Protection Officer (DPO) — for any data-protection matter you write directly to the controller at the e-mail above.

We collect only data strictly necessary to reply, quote and deliver the project. No data hoarding.

• Data from the contact form — name and/or company, e-mail, optional phone, message content, approximate budget, project type.
• E-mail correspondence — message threads, attachments, sender address.
• Contract data — data needed to sign a contract and issue invoices (VAT ID, address, bank account).
• Technical data — anonymised IP, browser type, navigation events — aggregated only, never profiled.

We do not collect special category (sensitive) data within the meaning of Art. 9 GDPR.

Every processing activity is tied to a specific legal basis. Here are all of them:

By default: no one — we operate solo, no middlemen. Data is shared only with trusted processors strictly necessary to deliver the service:

• Hosting and e-mail — server and mailbox provider (EU).
• Accounting office — the minimum needed to book invoices.
• Payment providers / bank — for settlements.
• Work tooling — code repositories (GitHub), communication and design tools, used strictly within the scope of the project.

We sign a Data Processing Agreement (Art. 28 GDPR) with every processor. We do not sell your data and do not share it for marketing.

By default, data is processed within the EU. Some providers (e.g. GitHub) may process data outside the EEA — in such cases the transfer is based solely on Standard Contractual Clauses (SCC) approved by the European Commission or on an adequacy decision (Data Privacy Framework).

Exact periods are listed in the table in §03. The general rule:

1. Unanswered follow-ups — deleted after 12 months.
2. Contract data and project correspondence — for the duration of the project plus the statute of limitations.
3. Invoices and accounting documents — 5 years from the end of the tax year (legal requirement).
4. Traffic statistics — up to 26 months, aggregated, no identification.

After these periods data is permanently deleted or irreversibly anonymised.

Under GDPR you have full control over your data. To exercise any of these rights, e-mail hey@duztr.com — we respond within 30 days, usually sooner.

The duztr.com site is lean — we use the minimum possible cookies:

• Strictly necessary cookies — remember your language (PL/EN) and light/dark mode. No consent required.
• Analytics cookies (optional) — anonymous traffic statistics, no profiling, no cross-source joining. Loaded only after you consent in the cookie banner.

We do not use remarketing, targeted ads, or third-party trackers such as Facebook Pixel. You can change cookie settings at any time — in the on-page banner or in your browser.

We process data in a way proportionate to our scale — no theatre, real safeguards:

• Site connection encrypted end-to-end (TLS/HTTPS).
• Access to work tooling secured with multi-factor authentication.
• Passwords stored in a password manager — never in plain text, never „just in case” in the cloud.
• Working disks encrypted at the OS level (FileVault / LUKS).
• Project backups encrypted and time-limited.
• In case of a data breach — we notify you and the Polish DPA within 72h under Art. 33 GDPR.

We update this policy when the scope of services, tools or regulations change. Every version carries a number (v.1.0, v.1.1, …) and an issue date — visible at the top and in the footer.

We notify active clients of material changes by e-mail. Previous versions are archived and available on request.