Privacy Policy
1. Data Controller
The controller of your personal data is Kamil Pawelec, operating under the business name Kamil Pawelec E-GAMES, NIP (Tax ID): 7133091784, REGON: 364446350 (hereinafter: the "Controller").
2. Legal Basis
This Privacy Policy has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), the Polish Act of 10 May 2018 on the Protection of Personal Data, and the Polish Act of 18 July 2002 on Providing Services by Electronic Means.
3. Contact Information
For matters related to personal data protection, you can contact the Controller through the contact form available on the home page or via LinkedIn.
4. Data Collection Methods
The Controller collects personal data through the following channels:
- Contact form — name, email address, message content. Data is encrypted using AES-256-GCM before being stored in the database. Additionally, an HMAC-SHA256 hash of the email address is created to detect duplicate submissions
- Challenges — nickname, completion time, hashed browser fingerprint (SHA-256). The fingerprint is used solely to prevent multiple result submissions
- Technical data — IP address, User-Agent header, and browser language are automatically collected by the hosting server (Vercel). For rate limiting purposes, a temporary SHA-256 hash is created from this data and stored in Redis memory
5. Purposes and Legal Bases of Processing
Your personal data is processed for the following purposes:
- Responding to contact form inquiries — based on your consent (Art. 6(1)(a) GDPR) and the Controller's legitimate interest (Art. 6(1)(f) GDPR)
- Recording challenge results — based on consent (Art. 6(1)(a) GDPR), given by voluntarily submitting a result
- Protection against abuse (rate limiting, reCAPTCHA, honeypot) — based on the Controller's legitimate interest (Art. 6(1)(f) GDPR)
- Ensuring proper website functionality (technical cookies, session storage) — based on the Controller's legitimate interest (Art. 6(1)(f) GDPR)
6. Google reCAPTCHA
The contact form uses Google reCAPTCHA v3 to protect against automated submissions (bots). As part of this service, Google collects and analyzes data about user behavior on the website (including mouse movements, time spent on the page, IP address). This data is transmitted to Google servers and processed in accordance with Google's Privacy Policy and Google's Terms of Service. The Controller does not have access to the data collected by Google through reCAPTCHA — only the assessment score indicating the likelihood that the user is human is received.
7. Data Recipients
To provide its services, the Controller uses the following data processors:
- Vercel Inc. (USA) — website hosting, server log processing (IP address, User-Agent)
- Supabase Inc. (USA) — database storing encrypted contact data and challenge results
- Resend Inc. (USA) — sending email notifications to the Controller about new contact form messages
- Upstash Inc. (USA) — temporary storage of hashed identifiers for rate limiting purposes (Redis)
- Google LLC (USA) — reCAPTCHA v3 service for bot protection
8. International Data Transfers
The entities listed in Section 7 are based in the United States. Data transfers are carried out on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission and — where applicable — under the EU-U.S. Data Privacy Framework. The Controller has made efforts to ensure that selected providers guarantee an adequate level of personal data protection in compliance with GDPR requirements.
9. Data Security
The Controller applies the following technical and organizational measures to protect personal data: encryption of contact data using AES-256-GCM (authenticated encryption ensuring confidentiality and integrity), HMAC-SHA256 deduplication hashing, transmission exclusively via HTTPS, HTTP security headers (Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy), admin panel authentication via Supabase Auth, and multi-layered form protection (rate limiting, honeypot, reCAPTCHA, Zod validation).
10. Data Retention Period
Personal data is stored for the following periods:
- Contact form data — until the correspondence is concluded and the purpose of the inquiry is fulfilled, then until consent is withdrawn or a deletion request is made
- Challenge results (nickname, time, fingerprint) — for the duration of the active challenge and ranking display, then archived or deleted
- Rate limiting data (hash) — automatically deleted after the time window expires (maximum 24 hours)
- Server logs (Vercel) — according to Vercel's retention policy (up to 30 days)
11. Your Rights
Under GDPR, you have the following rights:
- Right to access your data (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure — "right to be forgotten" (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing (Art. 21 GDPR)
- Right to withdraw consent at any time — without affecting the lawfulness of processing carried out before the withdrawal
- Right to lodge a complaint with the President of the Personal Data Protection Office (UODO)
12. Voluntary Provision of Data
Providing personal data is voluntary but necessary to use the contact form or submit a challenge result. Failure to provide the required data will prevent the use of these features.
13. Changes to the Privacy Policy
The Controller reserves the right to make changes to this Privacy Policy. Any significant changes will be communicated by updating the content on this page. It is recommended to periodically review the current version of the policy.
Last updated: April 5, 2026