Data Controller
- Entity: Boniface Mwanza, sole proprietorship (jednoosobowa działalność gospodarcza)
- NIP: 6793328743
- REGON: 541482313
- Registered address: ul. Kuźnicy Kołłątajowskiej 25h/21, 31-234 Kraków, Poland
Contact: legal@coding4bread.com
1. Scope
This Privacy Policy explains how Boniface Mwanza (the "Data Controller") processes personal data of users of the Coding 4 Bread website in accordance with Regulation (EU) 2016/679 — the General Data Protection Regulation (GDPR / RODO) — and Polish data protection law (ustawa z dnia 10 maja 2018 r. o ochronie danych osobowych).
2. Personal data we collect
- Account data — email address, hashed password, optional profile details (full name, username, bio, avatar URL).
- Usage data — pages visited, features used, quiz attempts and scores, browser/device technical data.
- Payment data — handled by Stripe; we only store your Stripe customer ID and subscription metadata. We never see or store full card numbers.
- Contact messages — the contents of any form you submit via our contact page.
- Uploaded content — profile information and (admin only) CAD/project files stored in Cloudflare R2.
- Cookies — essential authentication cookies set by Supabase to keep you signed in. Theme preference is stored in your browser's localStorage.
3. Purposes and legal basis (art. 6 GDPR)
- Provision of the service — art. 6(1)(b) GDPR (performance of a contract).
- Processing payments and managing subscriptions — art. 6(1)(b) GDPR.
- AI-generated quiz explanations (opt-in) — art. 6(1)(a) GDPR (consent, which you can withdraw at any time by toggling off the AI feature in the quiz).
- Transactional emails — art. 6(1)(b) and art. 6(1)(f) GDPR (legitimate interest in operating a working service).
- Fraud prevention, abuse protection, security — art. 6(1)(f) GDPR (legitimate interest).
- Error monitoring (Sentry) — art. 6(1)(f) GDPR (legitimate interest in a stable service).
- Legal and tax obligations — art. 6(1)(c) GDPR (e.g. retention of invoices).
4. Recipients and sub-processors
We share personal data with the following processors strictly as needed to run the Service. Each is bound by a data processing agreement and GDPR-compliant safeguards:
- Supabase, Inc. (USA / EU) — database, authentication, file storage. Data stored in EU region where configured.
- Cloudflare, Inc. (R2 object storage) — CDN and storage for CAD and image files.
- Stripe Payments Europe, Ltd. (Ireland) — payment processing, subscription billing.
- Google LLC (Google AI Studio / Gemma) — only triggered when the AI explanation toggle is enabled. The question text, choices and your answer are sent to the API; no personally identifying data is included.
- Google LLC (YouTube Data API v3) — used to fetch public channel metadata; no User data is sent.
- Functional Software, Inc. (Sentry) — error and performance monitoring.
- Vercel, Inc. — application hosting (if applicable).
Transfers outside the European Economic Area rely on Standard Contractual Clauses (SCCs) pursuant to art. 46 GDPR.
5. Retention
- Account data — retained for as long as the Account is active, then deleted within 30 days after you delete your Account.
- Quiz attempts — stored while the Account is active; removed on Account deletion.
- Invoices and financial records — retained for 5 years after the end of the tax year, as required by Polish tax law.
- Error logs and monitoring data — up to 90 days.
- Contact messages — up to 3 years unless longer retention is needed to resolve a complaint.
6. Your rights (Chapter III GDPR)
You have the right to:
- Access your personal data (art. 15 GDPR).
- Rectify inaccurate data (art. 16 GDPR) — most of this is editable in your profile page.
- Erase data ("right to be forgotten") (art. 17 GDPR).
- Restrict processing (art. 18 GDPR).
- Data portability (art. 20 GDPR).
- Object to processing based on legitimate interest (art. 21 GDPR).
- Withdraw consent at any time for consent-based processing (art. 7 GDPR).
To exercise any of these rights, email legal@coding4bread.com. We will respond within 30 days.
7. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. In Poland this is the Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa.
8. Automated decision-making
We do not perform profiling or automated decision-making that produces legal effects about you (art. 22 GDPR). AI-generated explanations are purely educational and do not affect your Account or subscription status.
9. Children
The Service is not intended for children under 13. We do not knowingly process personal data of children under 13. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Security
We apply appropriate technical and organisational measures: TLS encryption in transit, hashed passwords, row-level security on our database, least-privilege access for service keys and encrypted storage at rest with our providers.
11. Changes
We may update this Privacy Policy to reflect changes in the law or how we operate. The effective date above reflects the current version. Material changes will be communicated to active users by email.