Privacy Policy for GridStats
Effective date: 18 March 2026
Last updated: 18 March 2026
This Privacy Policy explains how personal data is processed when you use the GridStats website and related services (the "Service").
The policy is designed to be transparent and practical. It describes what data is collected, why it is needed, how long it is kept, who can receive it, and what rights you can exercise under GDPR and Polish law.
If any part of this document is unclear, you can request clarification at [email protected].
0. Definitions
- "Personal data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on personal data (for example: collection, storage, use, disclosure, deletion).
- "Controller" means the entity deciding why and how data is processed.
- "User" means any person visiting the Service or creating/using an account.
- "GDPR" means Regulation (EU) 2016/679.
1. Data Controller
The data controller under Article 4(7) of the GDPR is:
Jakub Burzyński
Aleja Partyzantów 10c/1
47-224 Kędzierzyn-Koźle
Poland
Unregistered business activity: gridstats
For privacy matters, contact the Controller at: [email protected]
A dedicated Data Protection Officer (DPO) has not been formally appointed. All GDPR-related requests are handled directly by the Controller.
2. Applicable Law
Processing of personal data under this policy is governed in particular by:
- Regulation (EU) 2016/679 (GDPR),
- Polish Act of 10 May 2018 on the Protection of Personal Data,
- Polish Act of 18 July 2002 on Providing Services by Electronic Means,
- applicable Polish regulations concerning electronic communications and cookies.
Where mandatory legal provisions differ from this policy, mandatory law prevails.
3. Scope of the Policy
This policy covers personal data processing related to:
- user registration and account management,
- login and authentication,
- session maintenance and security,
- operation, development, and protection of the Service,
- communication with users on privacy matters,
- handling paid features and premium-status-related requests (once enabled),
- processing required to respond to legal requests,
- handling abuse reports, incidents, and potential claims.
This policy applies to the website and user account features. It does not apply to third-party websites you may open via links available in the Service.
4. Categories of Personal Data
Depending on how you use the Service, the following categories of personal data may be processed:
- account identification data: username, email address,
- authentication data: password hash (the Service does not store plain text passwords),
- account metadata: user role, account creation and update timestamps,
- declaration data: acceptance of terms and conditions,
- technical/session data: authentication cookie token, session expiration data,
- payment and transaction data (for paid features once enabled): payer email, transaction identifier, payment status, payment amount, currency, premium access period, refund/reclamation request metadata,
- standard server/network data (for security and diagnostics), such as IP address, request metadata, and timestamps (as available in hosting/server logs).
The Service is content-focused (Formula 1 data) and does not intentionally collect special categories of personal data under Article 9 GDPR.
Please do not provide unnecessary personal data in optional communications. If such data is sent unintentionally, it may still be processed to the extent necessary to handle your request and secure the Service.
5. Sources of Personal Data
Personal data is obtained from the following sources:
- directly from you (registration/login forms),
- from payment operator systems and transaction notifications (for paid features once enabled),
- automatically during use of the Service (technical/session data, server logs).
The Controller does not intentionally buy personal data from data brokers for account-related processing.
6. Purposes and Legal Bases for Processing
1. Account registration and account administration
Legal basis: Article 6(1)(b) GDPR (performance of a contract or steps prior to entering into a contract).
Purpose details: creating the account, enabling login, storing account settings, and providing account features.
2. User authentication, session handling, and access control
Legal basis: Article 6(1)(b) GDPR and Article 6(1)(f) GDPR (legitimate interest in securing the Service and preventing unauthorized access).
Purpose details: credential verification, session renewal, logout handling, and account/session integrity checks.
3. Service security, abuse prevention, diagnostics, and defense against claims
Legal basis: Article 6(1)(f) GDPR (legitimate interest).
Purpose details: monitoring unusual activity, preserving relevant logs, and preventing misuse.
4. Compliance with legal obligations (if and where applicable)
Legal basis: Article 6(1)(c) GDPR.
Purpose details: responding to legally valid requests from competent public authorities.
5. Establishment, exercise, or defense of legal claims
Legal basis: Article 6(1)(f) GDPR.
Purpose details: documenting and handling disputes, complaints, and legal risk management.
6. Payment handling and premium-status provisioning (once paid features are enabled)
Legal basis: Article 6(1)(b) GDPR, and where required Article 6(1)(c) GDPR (legal obligations).
Purpose details: receiving and reconciling payment confirmations, enabling premium status, preventing payment fraud, and handling refund/reclamation workflows.
When processing is based on legitimate interest (Article 6(1)(f) GDPR), the Controller balances those interests against users' rights and freedoms.
7. Cookies and Similar Technologies
The Service uses cookies, including:
- strictly necessary authentication/session cookie (gridstats_session) used to keep users logged in and maintain account security.
Main characteristics of the session cookie:
- HttpOnly: enabled,
- SameSite: Lax,
- Secure: enabled in production environments,
- default session lifetime: up to 30 minutes, with renewal during active authenticated use.
The session cookie is necessary to provide authenticated features and cannot be disabled without losing login functionality.
Legal basis for strictly necessary cookies: Article 6(1)(f) GDPR (legitimate interest in secure authenticated service operation) in conjunction with applicable national rules on storing/reading information on user devices for necessary technical purposes.
You can manage cookies through browser settings (block, delete, or limit cookies), but doing so may affect how account functions work.
At present, the Service does not intentionally use first-party analytics or advertising cookies. If non-essential cookies are introduced in the future, they will be implemented in compliance with applicable consent requirements.
If optional cookies are introduced in the future, the legal basis will be consent (Article 6(1)(a) GDPR), and users will be able to withdraw consent at any time with effect for the future.
External resources, such as web fonts loaded by your browser, may involve technically necessary requests to third-party domains.
Third-party cookies may also be set by external providers if users open external links or embedded/hosted third-party resources, according to those providers' own policies.
8. Whether Providing Data Is Mandatory
Providing data marked as required in registration/login forms is necessary to create and use an account.
Failure to provide required data may result in inability to register, authenticate, or access account-related features.
Providing data not marked as required is voluntary, but such data should be limited to what is necessary.
The Service currently does not require marketing-consent checkboxes for account creation or basic functionality.
9. Data Recipients
Personal data may be disclosed only when necessary and proportionate, in particular to:
- hosting and infrastructure providers,
- IT and maintenance service providers,
- database and backup service providers,
- payment operator and payment infrastructure providers (for paid features once enabled),
- authorized entities where disclosure is required by law.
Where required, recipients act under data processing agreements and are obliged to apply confidentiality and appropriate safeguards.
10. Third-Party Services and External Resources
The Service may interact with third-party services:
- Google Fonts by Google LLC (resources are loaded by the browser directly from Google servers/domains),
- external community links (e.g., Discord) when a user chooses to open them,
- PayByLink by Systemy Płatnicze sp. z o.o., al. Jana Pawła II, 00-133 Warszawa, NIP: 1182105129, REGON: 360726494, used to authorize and process paid premium transactions (once enabled),
- external Formula 1 data sources used server-side for content generation.
When using third-party services, your data may also be processed by those providers under their own privacy policies.
Within regulated payment-services scope, PayByLink acts as an independent controller for payment execution and settlement; the Controller remains an independent controller for account and premium-access management.
Users can review PayByLink privacy terms and notices on the operator's official website.
The Controller does not control independent privacy practices of third-party services. Users should review their terms and privacy notices separately.
11. International Data Transfers
If personal data is transferred outside the European Economic Area (for example, in connection with external service providers), the Controller applies safeguards required by Chapter V GDPR, such as:
- adequacy decisions,
- standard contractual clauses,
- or other legally accepted transfer mechanisms.
Because Google Fonts resources are loaded from Google domains, technical connection metadata (such as IP address and browser request data) may be transferred outside the EEA, including to the United States, depending on provider infrastructure.
This transfer may occur regularly when users load pages that request those resources, not only in exceptional cases.
If you want more information about the applied transfer safeguards, you can request it via [email protected].
12. Data Retention
Personal data is retained no longer than necessary for the purposes stated above. Main periods include:
- account data: during account lifecycle and generally up to 3 years after deletion for claim defense (unless law requires longer),
- session/authentication traces: usually up to 90 days,
- payment/complaint records: up to 5 years where required by accounting/tax law,
- technical logs: usually up to 12 months.
As a rule, retention periods are reviewed periodically. Data that is no longer necessary is deleted, anonymized, or otherwise irreversibly de-identified where feasible.
If legal proceedings are ongoing or reasonably expected, selected data may be retained longer to protect legal rights.
13. Data Subject Rights
Under GDPR, you have the right to:
- access your personal data,
- rectify inaccurate data,
- erase data ("right to be forgotten") where applicable,
- restrict processing,
- data portability,
- object to processing based on legitimate interests,
- lodge a complaint with a supervisory authority.
To exercise your rights, contact [email protected] and describe your request clearly.
The Controller may ask for additional information to verify identity and protect data against unauthorized disclosure.
Requests are handled without undue delay and, in principle, within one month. This deadline may be extended where legally permitted due to complexity or number of requests.
In Poland, the competent supervisory authority is:
President of the Personal Data Protection Office (UODO)
Address: ul. Stawki 2, 00-193 Warsaw, Poland
Website: https://uodo.gov.pl
14. Account Deletion
You can request account deletion at any time by contacting [email protected] from the email address assigned to your account.
For security reasons, the Controller may request additional verification before account deletion is completed.
After account deletion, account access is blocked and account-related data is deleted or irreversibly anonymized where feasible.
Some data may still be retained where required by law, accounting/tax obligations, or for the establishment, exercise, or defense of legal claims.
15. Automated Decision-Making
The Service does not use personal data for automated decision-making producing legal effects or similarly significant effects within the meaning of Article 22 GDPR.
No profiling is performed for account eligibility, legal status, or similarly significant decisions.
No marketing profiling is currently performed.
16. Data Security
The Controller applies appropriate technical and organizational measures to protect personal data, including in particular:
- password hashing,
- controlled authentication mechanisms,
- session cookie safeguards,
- access limitation and security monitoring.
Security logic may include anomaly monitoring, failed-login detection, and temporary access restrictions where required to mitigate brute-force and abuse risks.
Security measures are selected with regard to implementation costs, scope of processing, context, and risk to the rights and freedoms of natural persons.
In case of a personal data breach, the Controller follows incident-response procedures and, where required, notifies the competent authority and affected users in accordance with GDPR.
17. Children
The Service is not intentionally directed to children under 16 years of age. If you believe data of a child has been provided unlawfully, please contact the Controller.
Upon verified notice, appropriate corrective actions may include restriction of processing or deletion where legally justified.
18. Changes to This Policy
This Privacy Policy may be updated to reflect legal, technical, or operational changes.
The current version is published on the Service, together with the "Last updated" date.
Material changes affecting users' rights or the way data is processed will be communicated in an appropriate manner within the Service.
19. Paid Services and PayByLink Transactions
The Service plans to introduce paid premium account status. If premium transactions are enabled, payment authorization and processing will be carried out via PayByLink (Systemy Płatnicze sp. z o.o., al. Jana Pawła II, 00-133 Warszawa, NIP: 1182105129, REGON: 360726494).
The Controller does not intentionally process full payment card data; payment credentials are handled by the payment operator under its own legal and technical framework.
For premium activation and reconciliation, the Controller may process transaction metadata, in particular: payer identifier details provided by the operator, order/transaction ID, amount, currency, transaction status, timestamps, and premium validity period assigned to the account.
In case of failed, cancelled, or disputed payments, related data may be processed to verify transaction history and ensure correct account status.
20. Complaints and Proportional Premium Refunds
A complaint regarding premium status may be submitted via [email protected]. The request should include the account identifier, transaction details, and a short description of the reason.
Withdrawal, refund calculation, and payout timelines for premium services are defined in the Terms of Service.
This policy does not exclude or limit mandatory consumer rights resulting from generally applicable law.
21. Contact
Jakub Burzyński
Aleja Partyzantów 10c/1
47-224 Kędzierzyn-Koźle, Poland
Unregistered business activity: gridstats
Email: [email protected]
Privacy requests should include enough detail to identify the account or context of the request so that the Controller can respond accurately and securely.