Privacy Policy
Product: Exceptao (and related brands: paraKSCol, CyberZgodność EDU)
Controller: METAMORFOZIS GLETSCHMANN SPÓŁKA JAWNA (imprint)
1. Who we are and how to contact us
We are the operator of the Exceptao compliance platform and its associated brands (paraKSCol, CyberZgodność EDU). Our full registered details are published at /legal/imprint.
Data controller: METAMORFOZIS GLETSCHMANN SPÓŁKA JAWNA (KRS 0001193277, NIP 6711868606, REGON 542678656)
Registered address: ul. gen. Stanisława Maczka 9/14, 78-100 Kołobrzeg, Poland
Privacy contact: privacy@exceptao.com
DPO: No Data Protection Officer is appointed; data-protection matters are handled directly by the Operator (see Privacy contact above).
We act in two distinct capacities:
- As data controller: in respect of personal data we collect directly — prospective customers, marketing contacts, our own staff, and account registration data.
- As data processor: in respect of personal data that our Customers (Tenants) upload or generate within the Service — governed by the DPA at /legal/dpa.
This Privacy Policy covers our activities as data controller. If you are a User within a Tenant's account, contact that organisation's privacy officer for questions about how your data is used within the Service.
2. What personal data we collect and why
2.1 Service operation — account and user data
Legal basis: Contract (Art. 6(1)(b) GDPR) — necessary for performance of the subscription agreement.
| Data element | Purpose |
|---|---|
| Email address | Account identification, login credential, notification delivery |
| Full name (optional at registration) | Display within the Tenant's workspace; email salutation |
| Password hash (Argon2id, salted) | Authentication — hash computed client-side, never transmitted in plain text |
| TOTP secret (AES-encrypted at rest) | Multi-factor authentication |
| WebAuthn credential ID and public key | Passkey-based authentication |
| Session tokens (server-side) | Maintaining authenticated sessions |
| IP address at login | Security monitoring; audit log; rate-limiting |
| User-agent string at login | Security anomaly detection |
| Locale and timezone preference | UI personalisation |
| Subscription and billing data | Service delivery, invoicing, legal compliance |
| Role and permission assignments | Access control; audit log context |
Retention: Account and user data is retained for the duration of the Tenant's subscription plus 30 days post-termination. Billing records are retained for 5 years (Polish Accounting Act, Art. 74).
2.2 Audit log integrity
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR).
Each audit log row records: actor identity (user ID, email address, IP address, user-agent string), action performed, before/after state summary, timestamp, and cryptographic hash (SHA-256 chain).
Right to erasure — pseudonymisation carve-out. Upon a verified right-to-erasure request under GDPR Art. 17, PII fields in audit log rows are pseudonymised: replaced with a stable, non-reversible tombstone identifier (actor_tombstone_<uuid>). The audit event record and cryptographic hash chain are preserved. The legal basis is legitimate interest in audit integrity (Art. 6(1)(f)).
Retention: 35 days (Starter), 90 days (Professional), negotiated (Enterprise), or as required by law, whichever is longer.
2.3 Security and fraud prevention
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). Retention: 90 days rolling.
2.4 Email communications
Legal basis: Contract (workflow notifications); legitimate interest (service and security announcements); consent (marketing). Marketing consent may be withdrawn at any time by emailing privacy@exceptao.com.
2.5 Prospective customers
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). Retention: 24 months from last contact.
| Data element | Purpose |
|---|---|
| Name | Personalised communication |
| Email address | Responding to enquiries |
| Job title / role | Understanding compliance context; tailoring the demo |
| Organisation name | Identifying the organisation and its compliance needs |
| Notes from conversations | Maintaining continuity in sales and support conversations |
3. How long we keep your data
| Category | Retention period |
|---|---|
| Account and user data (active Tenant) | Duration of Tenant subscription |
| Account and user data (post-termination) | 30 days post-termination |
| Audit log — Starter | 35 days rolling |
| Audit log — Professional | 90 days rolling |
| Audit log — Enterprise | Negotiated; minimum 90 days |
| Billing records (invoices, payment records) | 5 years from end of billing period |
| Security and anomaly detection logs | 90 days rolling |
| Email send status records | 90 days |
| Marketing consent records | Until withdrawal + 3 years |
| Prospective customer records | 24 months from last contact |
| Right-to-erasure request records | 3 years |
4. Who has access to your data
4.1 Operator staff
Only Operator staff with a documented, role-specific business need have access to production systems. All such access requires MFA and is logged in the operator's own audit log.
4.2 Subprocessors
We will notify Tenants at least 30 days in advance of adding or replacing any subprocessor (GDPR Art. 28(2)).
| Subprocessor | Purpose | Data categories | Region |
|---|---|---|---|
| Cloudflare, Inc. | CDN, WAF, DDoS protection, Cloudflare Tunnel, R2 object storage | IP addresses and request metadata (CDN/WAF); encrypted evidence files and backups (R2) | R2: EU; CDN: global edge |
| Backblaze, Inc. | Secondary encrypted backup storage | GPG-encrypted backup archives only — Backblaze cannot decrypt the data | EU (Amsterdam) |
| Microsoft Corporation (Graph API) | Outbound transactional email notifications | Recipient email address, name, notification content | EU M365 tenant |
4.3 Legal disclosure
We may disclose personal data if required by court order, regulatory requirement, or other legal obligation. We will limit disclosure to the minimum required by law.
4.4 Business transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to that entity assuming the same obligations under this Privacy Policy.
5. International transfers
Customer business data is stored in the region selected at Tenant creation:
- EU region (Frankfurt): Exceptao and paraKSCol Tenants — all business data remains within the EU/EEA.
- PL region (Warsaw — when active): CyberZgodność EDU Tenants — data processed within Poland/EU.
Where subprocessors are located outside the EU/EEA, we ensure appropriate safeguards under GDPR Chapter V, including Standard Contractual Clauses (SCCs) and Transfer Impact Assessments where required.
6. Your rights under GDPR
To exercise any right, email privacy@exceptao.com. We will respond within 30 calendar days.
| Right | Description | Notes |
|---|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you | Structured, machine-readable export provided on request |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data | Users can update most data themselves in Service settings |
| Erasure (Art. 17) | Request deletion of your personal data | See audit log pseudonymisation carve-out in §2.2 |
| Restriction (Art. 18) | Request restriction of processing while a dispute is resolved | |
| Data portability (Art. 20) | Receive data in a structured, machine-readable format (JSON or CSV) | Applies to data processed by contract or consent |
| Object (Art. 21) | Object to processing based on legitimate interest | We will cease unless we can demonstrate compelling legitimate grounds |
| Withdraw consent (Art. 7(3)) | Withdraw consent for marketing at any time | Withdrawal does not affect the lawfulness of prior processing |
| No automated decisions (Art. 22) | We do not carry out automated decision-making with significant legal effects | |
If you believe we have processed your data unlawfully, you have the right to lodge a complaint with a supervisory authority. In Poland:
Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw — uodo.gov.pl, kancelaria@uodo.gov.pl
7. How we protect your data
| Measure | Implementation |
|---|---|
| Tenant isolation | Postgres FORCE ROW LEVEL SECURITY on all tenant-scoped tables |
| Encryption at rest | LUKS-encrypted VPS volume; GPG-encrypted database backups; AES-equivalent encryption for sensitive fields via Vault transit engine; Cloudflare R2 provider-side encryption + client-side encryption for evidence files |
| Encryption in transit | TLS 1.3, Cloudflare-terminated; HSTS preload; mTLS Cloudflare Tunnel |
| Authentication | Argon2id password hashing; mandatory TOTP MFA; WebAuthn passkeys; OIDC/SAML SSO |
| Access control | Role-based; principle of least privilege; all production access requires MFA and is logged |
| Audit logging | Tamper-evident SHA-256 hash chain, append-only DB role; CI verification on every deploy |
| Backups | 3-2-1 policy: Cloudflare R2 (primary) + Backblaze B2 (secondary); GPG-encrypted; quarterly restore drills |
| Network perimeter | No public inbound ports on VPS; all ingress via Cloudflare Tunnel; WAF with managed rules |
| Secret management | HashiCorp Vault; secrets never persisted to disk; Shamir-shared unseal keys stored off-VPS |
8. Automated decision-making and profiling
We do not carry out automated decision-making or profiling that produces legal or other similarly significant effects on data subjects.
9. Cookies and tracking
We use a minimal set of cookies. The full cookie disclosure is at /legal/cookies. Summary:
- Session cookie (sessionid): strictly necessary; Secure; HttpOnly; SameSite=Lax; no personal data stored in the cookie itself.
- CSRF token (csrftoken): strictly necessary; protects against Cross-Site Request Forgery.
- No third-party tracking cookies on the application or marketing site.
10. Children's data
The Service is not directed to individuals under 18. We do not knowingly collect personal data from children. Contact privacy@exceptao.com if you believe we have inadvertently collected a child's data.
11. Changes to this Privacy Policy
We will notify Tenant Admins of material changes at least 30 days before the changes take effect, by email and by a notice in the Service dashboard.
12. Contact
| Purpose | Contact |
|---|---|
| Privacy enquiries and rights requests | privacy@exceptao.com |
| Data controller (registered address) | METAMORFOZIS GLETSCHMANN SPÓŁKA JAWNA, ul. gen. Stanisława Maczka 9/14, 78-100 Kołobrzeg, Poland |
| DPO | Not appointed; data-protection matters handled by the Operator |
| Supervisory authority | Urząd Ochrony Danych Osobowych (UODO) — uodo.gov.pl |