1. Data controller

The controller of personal data is One Cod.

You can contact us about privacy matters through the contact form available on this website.

2. What data we collect

• Contact form data: name, email address, selected service and message.
• Home form data: name, email address and selected service.
• Project brief data: company or project name, business activity, contact person, email, phone number, social media links, project goals, target audience, competitors, website structure, requested features, domain and hosting preferences, budget, timeline and additional notes.
• Technical data: IP address or masked IP address, hashed IP identifier, browser user agent, language, request URI, referrer host, page visited, date and time of visit.
• Security and anti-spam data: CSRF token, session identifier, form timing data, honeypot field status and Google reCAPTCHA token.
• Cookie and consent data: cookie/localStorage preferences and information necessary to remember your choices.

3. Purposes and legal bases

• Responding to messages, preparing offers and handling project enquiries: taking steps before entering into a contract or our legitimate interest in business communication.
• Receiving and analysing project briefs: taking steps before entering into a contract or our legitimate interest in preparing a relevant proposal.
• Website security, spam prevention, rate limiting and abuse detection: our legitimate interest in protecting the website and users.
• Sending administrative email notifications and confirmations: performance of communication requested by you and our legitimate interest in documenting correspondence.
• Analytics and measurement, including Google tools where enabled: your consent, where legally required.
• Compliance with legal, tax or accounting obligations, where applicable: legal obligation.

4. Cookies, analytics and similar technologies

The website may use essential cookies or similar storage to keep the site secure, manage sessions, remember language or privacy choices and protect forms from abuse.

Analytics or marketing tools, including Google Tag Manager or Google Analytics where enabled, should be loaded only after the user gives consent, unless a specific tool is strictly necessary under applicable law. You can change cookie preferences by clearing browser storage or using the cookie controls provided on the website.

5. Google reCAPTCHA, Google Tag and external resources

We may use Google reCAPTCHA to protect forms from spam and automated abuse. This service may process technical information such as IP address, browser data and interaction signals according to Google policies.

The website may also use Google Tag Manager, Google Analytics and Google Fonts. These services may involve Google acting as an independent controller or processor depending on the configuration. If these tools are enabled, related data may be transferred outside the European Economic Area.

6. Recipients of data

• Hosting and server infrastructure providers.
• Email and SMTP providers used to deliver form submissions and confirmations.
• Google services, including reCAPTCHA, Tag Manager, Analytics and Fonts, where enabled.
• Geo-IP or analytics service providers, where enabled.
• IT, development, maintenance, legal or accounting providers who support the operation of the website or business.
• Public authorities or courts, only where required by law.

7. International transfers

If data is processed by providers located outside the European Economic Area, we use available safeguards such as adequacy decisions, standard contractual clauses or provider transfer mechanisms required by GDPR. Some third-party tools, especially Google services, may involve transfers to the United States or other countries.

8. Retention periods

• Contact requests and project enquiries: normally up to 24 months after the last communication, unless a longer period is needed for legal claims or a contract.
• Project briefs: normally up to 24 months after submission or for the duration of cooperation and applicable limitation periods if a contract is concluded.
• Technical security logs and analytics data: normally up to 12 months, unless longer retention is necessary to investigate abuse or protect legal claims.
• Cookie consent records: for the period required to remember your choice or until you clear browser storage.
• Accounting or contract-related records: for the period required by applicable law.

9. Your rights

• Right of access to your personal data.
• Right to rectification of inaccurate or incomplete data.
• Right to erasure of data, where the law allows it.
• Right to restriction of processing.
• Right to object to processing based on legitimate interests.
• Right to data portability, where processing is based on consent or contract and carried out by automated means.
• Right to withdraw consent at any time, without affecting processing carried out before withdrawal.
• Right to lodge a complaint with a supervisory authority. In Poland this is the President of the Personal Data Protection Office (UODO).

10. Voluntary provision of data

Providing data in forms is voluntary, but some data is necessary to answer your request, prepare an offer or handle a project brief. Without required data, we may be unable to respond or provide the requested service.

11. Automated decision-making

We do not use your data for decisions based solely on automated processing that produce legal effects or similarly significant effects. Anti-spam and security tools may automatically classify suspicious submissions to protect the website.

12. Security

We use technical and organisational measures intended to protect personal data, including secure sessions, CSRF protection, input validation, rate limiting, restricted storage access and encrypted email transport where supported by providers.

13. Changes to this policy

We may update this Privacy Policy when the website, services, providers or legal requirements change. The current version is published on this page.