Privacy Policy

At OKDrive.pl ("we", "our", "us"), we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website at https://okdrive.pl (the "Service"). This policy is designed to comply with the General Data Protection Regulation (GDPR) and Polish data protection laws.

1. Data Controller

The data controller responsible for your personal data is OKDrive.pl, operating the website https://okdrive.pl. For any data-related inquiries, please contact us via our Contact page.

2. What Data We Collect

We collect the following categories of personal data:

2.1 Account Data

• Name — provided during registration
• Email address — used for account verification, login, and communication
• Password — stored securely using bcrypt hashing (we never store plaintext passwords)
• Phone number (optional) — if provided, stored for account recovery
• Profile information — such as preferred language and license category

2.2 Usage Data

• Practice progress — questions answered, scores, accuracy rates
• Exam results — mock exam scores and completion history
• Saved questions — questions you bookmark for later review
• Settings preferences — theme preference (light/dark), notification settings

2.3 Technical Data

• IP address — for security, rate-limiting, and fraud prevention
• Browser type and version — for compatibility and debugging
• Device information — screen size, operating system
• Security events — suspicious requests, blocked IPs, and brute force attempts are logged for platform security
• Cookies — as described in our Cookie Policy

2.4 Analytics Data (Only With Your Consent)

If you consent to analytics cookies via our cookie consent banner, the following data may be collected by third-party services:

• Google Analytics — anonymized page views, traffic sources, user behavior (IP addresses are anonymized)
• Microsoft Clarity — heatmaps and session recordings to understand page interactions (no personal data collected)
• Ahrefs Analytics — page views and referrer data for SEO analysis
• Google AdSense — ad serving, personalization, and frequency capping (subject to your consent via Google Consent Mode v2)

You can withdraw analytics consent at any time from your account settings or by clearing your browser's local storage.

2.5 Payment Data

If you subscribe to a paid plan, payments are processed by Stripe. We do not store your credit card details. Stripe processes your payment information in accordance with PCI DSS standards. We only store:

• Stripe customer ID (a reference identifier)
• Subscription status and plan name
• Payment amounts, dates, and status (for invoicing and support)

For more information, see Stripe's Privacy Policy.

2.6 Third-Party Authentication

If you choose to sign in with Google, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password.

3. How We Use Your Data

We use your personal data for the following purposes:

• Provide the Service — to create and manage your account, track your learning progress, and personalize your experience
• Communication — to send you email verification links, password reset emails, and platform notifications
• Security — to protect against unauthorized access, detect fraud, and maintain the integrity of our platform
• Improvement — to analyze usage patterns and improve our Service (using aggregated, anonymized data where possible)
• Legal compliance — to comply with applicable laws, regulations, and legal processes

4. Legal Basis for Processing

Under the GDPR, we process your personal data based on the following legal grounds:

• Consent (Art. 6(1)(a)) — when you create an account, agree to our terms, or accept analytics cookies
• Contract performance (Art. 6(1)(b)) — processing necessary to provide you with the Service, including account management, learning progress tracking, and payment processing
• Legitimate interest (Art. 6(1)(f)) — for security monitoring, fraud prevention, and service improvement
• Legal obligation — when required by law to retain or disclose data

5. Data Sharing

We do not sell, trade, or rent your personal data to third parties. We may share data in the following limited circumstances:

• Hosting provider — OVH (EU-based, Poland) for server hosting
• Payment processor — Stripe for subscription payment processing
• Authentication — Google (if you use Google Sign-In)
• Analytics (only with your consent) — Google Analytics, Microsoft Clarity, Ahrefs
• Advertising (only with your consent) — Google AdSense
• Legal requirements — when required by law, court order, or government regulation
• Safety — to protect the rights, property, or safety of OKDrive.pl, our users, or the public

All service providers are bound by data processing agreements (DPAs) in accordance with GDPR Article 28.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:

• Account data — retained until you delete your account
• Usage data — retained until you delete your account or reset your progress
• Technical logs — retained for up to 90 days for security purposes (resolved error logs are purged automatically)
• Read notifications — automatically purged after 90 days
• Inactive accounts — accounts with no login activity for 60 months (5 years) are automatically deleted. You will receive an in-app notification after 12 months of inactivity as a reminder. Simply logging in resets the inactivity timer.

When you delete your account (or it is deleted due to inactivity), all personal data is permanently removed from our systems.

7. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — request correction of inaccurate or incomplete data
• Right to erasure — request deletion of your personal data ("right to be forgotten")
• Right to restrict processing — request limitation of how we use your data
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interest
• Right to withdraw consent — withdraw consent at any time without affecting prior processing

You can exercise most of these rights directly from your Settings page after logging in:

• Download your data — available in your account settings
• Delete your account — permanently removes all your data
• Reset progress — clears all practice and exam history
• Withdraw analytics consent — toggle analytics cookies on/off from your Privacy & Consent settings

For other requests, please contact us through our Contact page. We will respond within 30 days.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• HTTPS/TLS encryption for all data in transit
• Bcrypt hashing for passwords
• CSRF protection on all forms
• Content Security Policy (CSP) headers to prevent cross-site scripting
• Automated security monitoring — brute force detection, DDoS protection, and malicious request blocking
• Rate limiting on authentication and sensitive endpoints
• Regular security scanning and package vulnerability auditing
• Access controls to limit data access to authorized personnel only

9. International Transfers

Our servers are located in the European Union (Poland, OVH). We do not intentionally transfer your data outside the EU/EEA. Where third-party service providers (such as Google or Microsoft) may process data outside the EU, they operate under Standard Contractual Clauses (SCCs) or equivalent safeguards as required by the GDPR.

10. Children's Privacy

Our Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. We encourage you to review this policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact

If you have questions about this Privacy Policy, wish to exercise your data rights, or have a complaint about how we handle your data, please contact us via our Contact page.

You also have the right to lodge a complaint with the Polish data protection authority:

Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
https://uodo.gov.pl