Cookie Policy
Last Updated: April 11, 2026 · Version: 2026.1 · ePrivacy Directive & GDPR Compliant
1. Legal Framework
This Cookie Policy complies with:
- ePrivacy Directive 2002/58/EC, Article 5(3): prior consent required for storing or accessing information on terminal equipment, except for strictly necessary purposes
- GDPR Article 4(11): valid consent must be freely given, specific, informed, and unambiguous
- CJEU Planet49 ruling (C-673/17, October 2019): pre-checked boxes are invalid; active affirmative consent is required
- Polish Telecommunications Law (Prawo telekomunikacyjne) of 16 July 2004
- EDPB Guidelines 05/2020 on consent and EDPB Guidelines 03/2022 on dark patterns
2. What Are Cookies and Tracking Technologies
Under the ePrivacy Directive and EDPB guidelines, the term “cookies” encompasses any technology that stores or accesses information on a user's terminal equipment, including:
- HTTP cookies and Flash cookies
- LocalStorage and sessionStorage
- Device fingerprinting and pixel tags
- Mobile identifiers (IDFA, AAID)
3. Consent Requirements
3.1 Valid Consent Criteria
Per Article 4(11) GDPR and EDPB enforcement guidance, consent must be:
- Freely given: No cookie walls conditioning access to the Service on acceptance of non-essential cookies.
- Specific: Granular consent by purpose. Analytics and advertising must be consented to separately.
- Informed: Clear information on purposes, duration, and third parties must be provided before consent is collected.
- Unambiguous: A clear affirmative action is required. Implied consent via scrolling is not valid.
3.2 Equal Prominence
Consistent with CNIL enforcement practice and EDPB Guidelines 03/2022 on dark patterns, our consent interface provides:
- “Accept All” and “Reject All” buttons with identical size, colour weight, and visual hierarchy
- The same number of clicks to accept or to reject all non-essential cookies
- No pre-ticked boxes for any cookie category
4. Cookie Categories
Essential Cookies (Strictly Necessary): No Consent Required
Placed on the basis of the Article 5(3) ePrivacy Directive exception for cookies strictly necessary for the provision of a service explicitly requested by the user.
- Session management and authentication
- Security, fraud prevention, and bot detection
- Load balancing and network routing
Legal basis: Article 5(3) ePrivacy Directive — strictly necessary exception.
Analytics Cookies: Consent Required
Used to measure and understand how visitors interact with our website. No data collected under this category is used for advertising profiling.
- Google Analytics 4 — IP anonymization enabled; data retention set to 14 months
- First-party analytics in privacy-focused configuration
- Performance monitoring and error tracking
Marketing & Advertising Cookies: Consent Required
Used to deliver relevant advertising, track ad performance, and build behavioural profiles across sessions and sites.
Functional & Preference Cookies: Consent Required
Enable enhanced functionality and personalization that is useful but not strictly necessary for the Service to operate.
5. Consent Management
5.1 Consent Records
Under the Article 7(1) GDPR accountability requirement, we maintain consent logs including:
- Timestamp and date of consent action
- Categories accepted or rejected
- Version of the consent banner displayed at time of consent
Consent records are retained for 3 years from the date of consent.
5.2 Withdrawal of Consent
Withdrawal must be as easy as giving consent (Article 7(3) GDPR):
- Preference centre accessible via the “Cookie Settings” link in our website footer
- Withdrawal takes effect immediately; no cookies continue to operate after a valid withdrawal
- No detriment to the user — the Service remains functional for all essential features after withdrawal
6. Third-Party Processors
| Processor | Purpose | Data Location | Safeguards |
|---|---|---|---|
| Google Analytics 4 | Website analytics | EU / US (DPF + SCCs) | IP anonymization, 14-month retention limit, DPA |
| Cloudflare | CDN, security, DDoS protection | Global (EU SCCs) | DPA, EU Standard Contractual Clauses |
| Stripe | Payment processing | EU / US (DPF + SCCs) | PCI-DSS Level 1, DPA |
7. Automated Privacy Signals
We respect the Global Privacy Control (GPC) browser signal as an expression of the user's opt-out preference for non-essential cookies, where technically feasible. We also respect Do Not Track (DNT) signals on a best-efforts basis.
8. Cookie Duration
- Session cookies: Deleted automatically when the browser is closed
- Persistent cookies: Maximum duration of 12 months, in line with EDPB recommendations
- Consent renewal: Users are re-prompted after 6 months, or earlier where purposes or processors have changed materially
9. Your Rights
Under GDPR and Polish law, in relation to personal data processed through cookies you have the right to:
- Access your data (Article 15 GDPR)
- Withdraw consent at any time (Article 7(3) GDPR) — via the Cookie Settings link in the footer
- Object to processing based on legitimate interests (Article 21 GDPR)
- Request erasure of your data (Article 17 GDPR)
- Lodge a complaint with UODO (uodo.gov.pl) or your national supervisory authority
10. Updates and Contact
We update this Cookie Policy to reflect changes in our use of cookies, applicable law, and regulatory enforcement guidance. The “Last Updated” date at the top of this page indicates the date of the most recent revision.