1. Personal Data Controller

The controller of your personal data is Jakub Burzyński, founder of ZWS Group and owner of the ZENWAVE.NET brand.

Controller's details:

• Name and surname: Jakub Burzyński
• Brand: ZWS Group / ZENWAVE.NET
• Address: Aleja Partyzantów 10c/1, 47-224 Kędzierzyn-Koźle, Poland

Contact for personal data matters:

• General email: [email protected]
• Data Protection Officer (DPO): [email protected]
• Legal matters: [email protected]

2. What data do we collect

2.1. Data provided directly by the User

During registration and use of the Platform, we collect:

• Identification data: name and surname, email address
• Authentication data: password (stored as a hash), OAuth tokens
• OAuth profile data: information from Google or GitHub accounts (user ID, name, avatar)
• Billing data: company name, address, tax ID, invoice data
• Contact data: phone number (optional), correspondence address

2.2. Data collected automatically

When using the Platform, we automatically collect:

• Technical data: IP address, browser type, operating system, screen resolution
• Session data: session ID (30 minutes), login time, system activity
• Server logs: HTTP requests, response codes, execution time
• Device data: unique device identifier, device type
• Preferences: interface language, theme (light/dark), accessibility settings

2.3. Data from cookies

Detailed information about cookies can be found in our Cookie Policy. We collect data using the following cookies:

• Session cookies: sessionId, connect.sid (30 minutes)
• Authentication cookies: jwt_token (1 hour)
• Security cookies: _csrf (attack protection)
• Functional cookies: language, theme_preference (1 year)
• OAuth cookies: oauth_state (session)

3. Purposes and legal bases of processing

We process your personal data for the following purposes:

4. Sharing personal data

Your personal data may be shared with the following categories of recipients:

4.1. Service providers (processors)

• Google LLC – OAuth 2.0 authentication (when you choose to log in with Google)
• GitHub Inc. – OAuth authentication (when you choose to log in with GitHub)
• Przelewy24 (PayPro S.A.) – online payment processing
• MySQL Session Store – user session storage
• Hosting providers – data storage on servers in the EU
• Nodemailer / SMTP – sending email notifications

4.2. Public authorities

We may share data with state authorities upon their request if required by law (e.g., tax authorities, law enforcement).

4.3. Data transfer outside the EU/EEA

For Google LLC and GitHub Inc., data may be transferred to the USA based on:

• Standard contractual clauses approved by the European Commission
• Adequacy decision for the USA (Data Privacy Framework)
• Guarantees of appropriate technical safeguards

5. Your rights as a data subject

Under GDPR, you have the following rights:

5.1. Right of access (Art. 15 GDPR)

You can obtain confirmation whether we process your data and receive a copy of your data.

5.2. Right to rectification (Art. 16 GDPR)

You can request correction of incorrect or completion of incomplete data.

5.3. Right to erasure – "right to be forgotten" (Art. 17 GDPR)

You can request deletion of your data in the following cases:

• Data is no longer necessary for the purposes for which it was collected
• You have withdrawn consent and there is no other legal basis
• You have objected to processing
• Data is processed unlawfully

5.4. Right to restrict processing (Art. 18 GDPR)

You can request restriction of processing when:

• You contest the accuracy of the data
• Processing is unlawful but you do not want the data deleted
• You need the data to establish, exercise, or defend claims

5.5. Right to data portability (Art. 20 GDPR)

You can receive your data in a structured format (JSON, CSV) and transfer it to another controller.

5.6. Right to object (Art. 21 GDPR)

You can object to processing based on legitimate interest or for marketing purposes.

5.7. Right to withdraw consent (Art. 7(3) GDPR)

If processing is based on consent, you can withdraw it at any time.

5.8. Right to lodge a complaint

You have the right to lodge a complaint with the supervisory authority – President of the Personal Data Protection Office (PUODO).

PUODO contact:

• Address: ul. Stanisława Moniuszki 1A, 00-014 Warsaw
• Email: [email protected]
• Phone: +48 22 531 03 00

How to exercise your rights?

To exercise the above rights, contact us:

• DPO email: [email protected]
• Form in account settings: User panel → Privacy → Manage data

6. Data security

We use advanced technical and organizational measures to protect data:

6.1. Technical measures

• Encryption: AES-256 for data at rest, TLS 1.3 for transmission
• Password hashing: bcrypt with salt (12 rounds)
• JWT tokens: signed with HS256 algorithm, short validity (1h)
• Attack protection: CSRF tokens, rate limiting, XSS protection
• Firewall: network-level security
• Backup: daily backups stored for 90 days
• Monitoring: access logs, 24/7 anomaly detection

6.2. Organizational measures

• Limited data access – least privilege principle
• Employee training on GDPR and security
• Data processing agreements with subcontractors
• Data breach reporting procedures
• Regular security audits

7. Data retention period

We store your personal data for as long as necessary to achieve the purposes for which it was collected:

• Account data: until account deletion + 30 days for backups
• User sessions: 30 minutes (sessionId, connect.sid)
• JWT tokens: 1 hour (automatic expiration)
• Billing data and invoices: 5 years (accounting and tax requirements)
• System logs: 90 days (security purposes)
• Support requests: until resolved + 1 year
• Newsletter (after consent withdrawal): immediate deletion
• Backups: 90 days, then permanent deletion

8. Cookies and tracking technologies

Zenwave uses cookies and similar technologies. Detailed information can be found in our Cookie Policy.

We use the following categories of cookies:

• Necessary cookies: required for Platform operation (sessions, authentication, CSRF)
• Functional cookies: remembering preferences (language, theme)
• Analytical cookies: usage statistics (anonymized)

You can manage cookies in your browser settings or in the cookie preferences panel on the website.

9. Profiling and automated decision-making

Zenwave does not use automated decision-making or profiling within the meaning of Art. 22 GDPR that produces legal effects or similarly significantly affects the user.

We may use basic behavioral analytics (e.g., detecting suspicious logins) solely for security purposes, without automated decision-making.

10. Children's data protection

The Zenwave Platform is not intended for persons under 18 years of age. We do not knowingly collect children's personal data.

If you become aware that a child has provided us with personal data, please contact [email protected] – we will promptly delete such data.

11. Changes to the Privacy Policy

We may periodically update this Privacy Policy. In the event of significant changes:

• We will notify you by email 30 days in advance
• We will publish the updated version on the website with a new date
• You may withdraw consent or delete your account before the changes take effect

We recommend reviewing this Policy regularly to stay up to date with data protection practices.

12. Privacy contact

If you have questions about the processing of your personal data or want to exercise your rights, contact us:

• Data Protection Officer (DPO): [email protected]
• General email: [email protected]
• Legal matters: [email protected]

We will make every effort to respond to your inquiry within 30 days (in accordance with GDPR requirements).