Kaminski.link
PL

Privacy Policy

Information on how Kaminski.link collects, processes, and protects your personal data in accordance with GDPR.

Effective date: 10 March 2026 | Last updated: 18 March 2026

1. Data Controller

The controller of your personal data is Konrad Kaminski, conducting business under the name Kaminski.link, with registered address at ul. P.O.W. 17/404, 97-200 Tomaszow Mazowiecki, Poland, Tax ID (NIP): PL7732503951.

You can contact the Controller regarding personal data matters at:

The Controller has not appointed a Data Protection Officer, as this is not required under Article 37 of GDPR.

2. Purposes, Legal Bases, and Retention Periods

2.1. Contact Form

  • Data scope: name, email address, phone number (optional), message content.
  • Purpose: responding to enquiries, taking steps prior to entering into a contract.
  • Legal basis: Article 6(1)(b) GDPR (steps at the data subject's request prior to entering into a contract) and Article 6(1)(f) GDPR (legitimate interest — handling incoming correspondence).
  • Retention: until the end of correspondence, then up to 6 years from the end of the calendar year in which the correspondence ended (statute of limitations under the Polish Civil Code, Article 118).

2.2. Pre-contractual Negotiations and Contract Performance

  • Purpose: taking steps prior to entering into a contract and performing the contract.
  • Legal basis: Article 6(1)(b) GDPR.
  • Retention: for the duration of the contract plus up to 6 years (statute of limitations).

2.3. Analytics and Marketing Cookies

  • Data scope: cookie identifiers, IP address, browsing activity.
  • Purpose: website traffic analysis, content optimisation, marketing campaigns.
  • Legal basis: Article 6(1)(a) GDPR (consent via cookie banner).
  • Retention: as specified in the Cookie Policy or until consent is withdrawn.

2.4. Server Logs (Cloudflare)

  • Data scope: IP address, request date/time, browser, operating system.
  • Purpose: ensuring security and continuity of the website, technical diagnostics.
  • Legal basis: Article 6(1)(f) GDPR (legitimate interest — infrastructure security).
  • Retention: up to 7 days (per Cloudflare policy).

2.5. CMS Panel (Keystatic / GitHub OAuth)

  • Data scope: GitHub username, OAuth access token.
  • Purpose: content management by authorised administrators.
  • Legal basis: Article 6(1)(f) GDPR (legitimate interest — website management).
  • Retention: for the session duration (up to 8 hours for access token, up to 6 months for encrypted refresh token).

2.6. Legal Obligations

  • Purpose: fulfilling obligations under applicable law (e.g. accounting, tax).
  • Legal basis: Article 6(1)(c) GDPR.
  • Retention: 5 years from the end of the calendar year in which the tax obligation arose.

2.7. Establishing, Pursuing, or Defending Legal Claims

  • Purpose: establishing, pursuing, or defending against potential claims.
  • Legal basis: Article 6(1)(f) GDPR (legitimate interest).
  • Retention: until the expiry of the statute of limitations (generally up to 6 years).

3. Recipients of Personal Data

Your personal data may be shared with the following recipients:

Recipient Role Location Transfer Basis
Cloudflare, Inc. Hosting, CDN, DDoS protection USA EU-U.S. Data Privacy Framework (DPF)
Resend, Inc. Email delivery from contact form USA Standard Contractual Clauses (SCCs)
GitHub, Inc. (Microsoft) Code hosting, OAuth for CMS USA EU-U.S. Data Privacy Framework (DPF)
  • Analytics and marketing providers — only if you have given consent via the cookie banner.
  • Public authorities — where required by law (e.g. tax office, court).

The Controller does not sell your personal data to any third parties.

4. Transfer of Data Outside the EEA

Some of the Controller's processors may process data outside the European Economic Area (EEA), including in the United States. The transfer is safeguarded by:

  • EU-U.S. Data Privacy Framework (adequacy decision of the European Commission of 10 July 2023) — for DPF-certified entities (Cloudflare, GitHub).
  • Standard Contractual Clauses (SCCs) adopted by Commission Decision 2021/914 — for entities not DPF-certified (Resend).

You may request a copy of the applicable safeguards by contacting the Controller.

5. Your Rights Under GDPR

In accordance with GDPR, you have the following rights:

  1. Right of access (Article 15) — you may request confirmation of whether your data is being processed and obtain a copy.
  2. Right to rectification (Article 16) — you may request correction of inaccurate or completion of incomplete data.
  3. Right to erasure (Article 17) — you may request deletion of your data, subject to exceptions (e.g. data needed for defending claims).
  4. Right to restriction of processing (Article 18) — you may request restriction of processing in specific circumstances.
  5. Right to data portability (Article 20) — you may receive your data in a structured, machine-readable format (applies to data processed by consent or contract, in an automated manner).
  6. Right to object (Article 21) — you have the right to object at any time to processing based on the Controller's legitimate interests (Article 6(1)(f) GDPR). The Controller will cease processing unless compelling legitimate grounds are demonstrated.
  7. Right to withdraw consent (Article 7(3)) — where processing is based on consent (e.g. cookies), you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

How to exercise your rights

Contact the Controller at [email protected] or by post. The Controller may request identity verification before fulfilling the request. A response will be provided within 30 days (Article 12(3) GDPR).

Right to lodge a complaint

If you believe your data is being processed unlawfully, you have the right to lodge a complaint with the supervisory authority:

President of the Personal Data Protection Office (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
uodo.gov.pl

6. Voluntary Provision of Data

Providing personal data in the contact form is voluntary but necessary to receive a response. Without your name and email address, we cannot reply to your message.

Consent to analytics and marketing cookies is entirely voluntary and does not affect your ability to use the website.

7. Automated Decision-Making

The Controller does not make decisions based solely on automated processing, including profiling, within the meaning of Article 22 of GDPR.

8. Security of Personal Data

The Controller implements appropriate technical and organisational measures to protect personal data, including:

  • TLS/HTTPS encryption for all connections
  • Cloudflare infrastructure protection (WAF, DDoS protection)
  • Access to personal data restricted to the Controller only
  • Regular review of security measures

9. Cookies

Detailed information about cookies, their types, purposes, and consent management is available in the Cookie Policy.

10. Changes to This Privacy Policy

The Controller reserves the right to update this Privacy Policy to reflect changes in legal requirements or data processing practices. The current version is always available at kaminski.link/en/privacy-policy.

Significant changes will be communicated via an on-site notice.

This document is provided for informational purposes only and does not constitute legal advice. If in doubt, please consult a qualified legal professional.