IT STORAGE APPLICATION PRIVACY POLICY
**Version dated: February 1, 2026**
---
## 1. GENERAL PROVISIONS
### 1.1 Introduction
This Privacy Policy defines the principles of processing and protecting personal data provided by Users in connection with their use of services provided electronically through the IT-Storage mobile application (hereinafter: "Application").
### 1.2 Definitions
Terms used in the Privacy Policy mean:
1. **Controller** – Filip Dąbrowski, correspondence address: ul. Wędrowna 12/20, 20-819 Lublin, Poland, email: itstorageapp@gmail.com – the entity deciding on the purposes and methods of personal data processing
2. **GDPR** – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
3. **Personal data** – information about an identified or identifiable natural person
4. **User** – any natural person visiting the Application or using services provided by the Controller through the Application
5. **Firebase** – Google platform used for service provision, data hosting, and user authentication
### 1.3 Legal basis
The Controller processes personal data in accordance with:
- GDPR
- Act of May 10, 2018 on personal data protection
- Act of July 18, 2002 on electronic service provision
- Act of July 12, 2024 Electronic Communications Law
---
## 2. PERSONAL DATA CONTROLLER
### 2.1 Controller data
The Controller of your personal data is:
**Filip Dąbrowski**
- Correspondence address: ul. Wędrowna 12/20, 20-819 Lublin, Poland
- Email address: itstorageapp@gmail.com
### 2.2 Contact for data protection matters
For matters related to personal data processing and exercising your rights, contact:
- Email: itstorageapp@gmail.com
- In writing to: ul. Wędrowna 12/20, 20-819 Lublin, Poland
The Controller will respond to inquiries within 14 business days of receipt.
---
## 3. WHAT PERSONAL DATA DO WE PROCESS?
### 3.1 Data collected during registration
When creating an account in the Application, we collect:
**Mandatory data:**
1. **Email address** – necessary for account creation and login
2. **Password** – stored in encrypted form (hash); the Controller does not have access to the plain-text password
3. **Name or nickname** – chosen by the User (can be arbitrary)
**Optional data (if using external login):**
- Google account data (Google Sign-In): email address, name, profile picture
- Apple account data (Apple Sign-In): email address or hidden Apple email address
### 3.2 Automatically generated data
While using the Application, we automatically collect:
1. **Device technical data:**
- Device model (e.g., iPhone 13, Samsung Galaxy S21)
- Operating system version (iOS/Android)
- Application version
- Unique device identifier (Device ID)
2. **Application usage data:**
- Login date and time
- Activity logs (e.g., adding/deleting device)
- Feature usage statistics
- Error and crash information (crash reports)
3. **Location data:**
- Approximate location based on IP address (country, city)
- **We DO NOT collect** precise GPS location
### 3.3 Payment data (Subscriptions)
The Controller **DOES NOT process** payment data directly. Subscription payments are handled by:
- **Google Play** (for Android users)
- **App Store** (for iOS users)
The Controller only receives information about:
- The fact that a Subscription was purchased
- Plan type (monthly/annual)
- Start and expiration date
- Payment status (active/canceled)
### 3.4 User-created content
The Controller processes data entered by the User into the Application:
1. **IT device data:**
- Device names
- Types/categories
- Descriptions and notes
- Assigned locations
**NOTE:** Device data is processed **exclusively** for the purpose of providing services to the User. The Controller does not use it for other purposes.
### 3.5 Communication data
If you contact the Controller (e.g., regarding complaints, questions):
- Email address
- Message content
- Attachments (if sent)
- Correspondence history
---
## 4. PURPOSES AND LEGAL BASES OF PROCESSING
### 4.1 Processing purposes table
| Processing purpose | Legal basis | Data categories |
|-------------------|-------------|-----------------|
| **Application services provision** - enabling use of IT-Storage features | Art. 6(1)(b) GDPR - contract performance | Email, password, name/nickname, device data |
| **User account management** - registration, login, profile management | Art. 6(1)(b) GDPR - contract performance | Email, password, name/nickname |
| **Payment and Subscription handling** - status verification, Premium access management | Art. 6(1)(b) GDPR - contract performance | Email, subscription status, purchase date |
| **User communication** - answering questions, complaints, technical support | Art. 6(1)(b) GDPR - contract performance | Email, correspondence content |
| **Security provision** - protection against abuse, error detection | Art. 6(1)(f) GDPR - legitimate interest of Controller | Activity logs, technical data, IP |
| **Application analysis and improvement** - feature optimization, bug fixing | Art. 6(1)(f) GDPR - legitimate interest of Controller | Usage statistics (anonymized), crash reports |
| **Marketing (if you consent)** - newsletter, news information | Art. 6(1)(a) GDPR - voluntary consent | Email |
| **Complaint handling** - fulfillment of consumer obligations | Art. 6(1)(c) GDPR - legal obligation | Email, complaint content, transaction history |
| **Claims pursuit** - defense against or pursuit of claims | Art. 6(1)(f) GDPR - legitimate interest of Controller | Data necessary for case handling |
### 4.2 Legitimate interest of the Controller
In cases where processing is based on the legitimate interest of the Controller (Art. 6(1)(f) GDPR), this interest is:
- Ensuring security of provided services
- Protection against abuse and unauthorized access
- Analysis and improvement of Application quality
- Pursuit of claims related to service provision
You have the right to object to such processing (see point 8.6).
---
## 5. TO WHOM DO WE TRANSFER DATA?
### 5.1 Processors (data entrustment)
The Controller uses third-party services that process data on its behalf:
**1. Google LLC (Firebase)**
- **Purpose:** Data hosting, user authentication, cloud data storage
- **Data scope:** Email, password (encrypted), device data, activity logs
- **Location:** Servers in the European Union (europe-west region)
- **Basis:** Data processing agreement compliant with GDPR
- **Security:** Firebase applies advanced security measures in accordance with Google Cloud standards
**2. Google Play / Apple App Store**
- **Purpose:** Subscription payment handling
- **Data scope:** Transaction information, subscription status
- **Basis:** Necessity for payment processing
**3. Analytics services (if implemented)**
- **Firebase Analytics / Crashlytics**
- **Purpose:** Application usage analysis, error reporting
- **Scope:** Anonymized data, statistics, crash reports
- **Can be disabled:** In Application settings
### 5.2 Data recipients
The Controller may transfer personal data to the following categories of recipients:
1. **Legal and accounting service providers** - to the extent necessary for providing these services
2. **Public authorities** - if required by law (e.g., law enforcement upon court order)
3. **IT service providers** - for technical infrastructure maintenance
### 5.3 Do we transfer data outside the EU?
**YES - data may be transferred outside the European Economic Area (EEA):**
- **Google LLC (Firebase)** - data may be processed in the USA and other countries
- **Security:** Google applies standard contractual clauses approved by the European Commission and participates in the EU-US Data Privacy Framework
- **More information:** [https://firebase.google.com/support/privacy](https://firebase.google.com/support/privacy)
---
## 6. HOW LONG DO WE STORE DATA?
### 6.1 Retention periods
| Data category | Retention period |
|--------------|------------------|
| **Account data** (email, password, name) | Until account deletion by User |
| **Device data** (entered by User) | Until deletion by User or account deletion |
| **Activity logs** | 12 months from log creation |
| **Subscription data** | Until end of subscription period + 6 years (according to tax regulations) |
| **Correspondence (complaints, questions)** | Until case resolution + 3 years (in case of claims) |
| **Marketing data** | Until consent withdrawal or objection |
| **Claims data** | Until claims prescription (according to Civil Code) |
### 6.2 Account deletion
After account deletion by the User:
1. Account and device data are **permanently deleted within 14 days**
2. Data necessary for billing and accounting purposes are retained for **6 years** (legal requirement)
3. Anonymized statistics may be retained without the possibility of identifying the User
---
## 7. DATA SECURITY
### 7.1 Technical and organizational measures
The Controller has implemented appropriate technical and organizational measures ensuring data security:
**Technical measures:**
1. **Data encryption:**
- Data transmitted via secure HTTPS/TLS connection
- Passwords stored in encrypted form (hash + salt)
- Firebase database uses AES-256 encryption
2. **Access control:**
- Only authorized persons have data access
- Strong passwords and two-factor authentication (for Controller)
- Regular access rights audit
3. **Backup and recovery:**
- Regular data backups (Firebase Backup)
- Emergency data recovery plan
4. **Monitoring:**
- Detection and response to security incidents
- System access logs
- Suspicious activity alerts
**Organizational measures:**
1. Personal data protection training
2. Incident response procedures
3. Confidentiality agreements with persons having data access
4. Regular security policy updates
### 7.2 User obligations
The User is required to:
1. Keep account access password secret
2. Immediately inform the Controller of suspected account security breach
3. Use strong password (min. 8 characters, letters, numbers, special characters)
**The Controller is not responsible for consequences of sharing password with third parties.**
### 7.3 Security incidents
In case of personal data breach, the Controller will:
1. Notify the President of the Personal Data Protection Office within **72 hours** (if breach poses risk)
2. Notify affected Users if breach poses high risk to their rights
3. Take corrective and preventive actions
---
## 8. YOUR RIGHTS
### 8.1 Right of access to data (Art. 15 GDPR)
You have the right to obtain:
- Confirmation whether we process your data
- Access to data and copy of processed data
- Information about processing purposes, data categories, recipients, retention period
**How to exercise:** Send request to itstorageapp@gmail.com with subject "Access to personal data"
### 8.2 Right to rectification (Art. 16 GDPR)
You have the right to request correction of incorrect data or completion of incomplete data.
**How to exercise:**
- In Application: Settings → Profile → Edit data
- Email: itstorageapp@gmail.com
### 8.3 Right to erasure "right to be forgotten" (Art. 17 GDPR)
You have the right to request data deletion when:
- Data is no longer necessary for purposes for which it was collected
- You withdrew consent and there is no other processing basis
- You objected to processing
- Data is processed unlawfully
**How to exercise:**
- In Application: Settings → Account → Delete account
- Complete the account deletion form and send it to itstorageapp@gmail.com
**Limitations:** We will not delete data if processing is necessary e.g., for claims pursuit.
### 8.4 Right to restriction of processing (Art. 18 GDPR)
You have the right to request processing restriction when:
- You contest data accuracy
- Processing is unlawful but you oppose deletion
- Controller no longer needs data but you need it for claims
- You objected - pending verification
**How to exercise:** Email to itstorageapp@gmail.com with situation description
### 8.5 Right to data portability (Art. 20 GDPR)
You have the right to receive your data in structured, commonly used format and transmit it to another controller.
**Applies to:** Data provided by you (email, device data)
**Export format:** JSON, CSV (in future Premium versions)
**How to exercise:** Email to itstorageapp@gmail.com with data export request
### 8.6 Right to object (Art. 21 GDPR)
You have the right to object to data processing for:
- Marketing purposes - **unconditional objection** (always honored)
- Based on legitimate interest - objection with justification
**How to exercise:**
- Marketing: Unsubscribe from newsletter (link in email) or disable in Settings
- Other: Email to itstorageapp@gmail.com
### 8.7 Right to withdraw consent (Art. 7(3) GDPR)
If processing is based on consent, you can withdraw it at any time.
**Does not affect processing legality before withdrawal.**
**How to exercise:**
- Newsletter: "Unsubscribe" link in email footer
- Other consents: Settings in Application or email to itstorageapp@gmail.com
### 8.8 Right to lodge a complaint
You have the right to lodge a complaint with supervisory authority:
**Personal Data Protection Office (UODO)**
- Address: ul. Stawki 2, 00-193 Warsaw, Poland
- Phone: +48 22 531 03 00
- Email: kancelaria@uodo.gov.pl
- Website: [https://uodo.gov.pl](https://uodo.gov.pl)
### 8.9 Rights implementation
1. We process requests **free of charge**
2. We respond within **14 days** (maximum 30 days in complex cases)
3. We may request identity confirmation (for your data security)
4. In case of manifestly unfounded requests, we may refuse or charge a fee
---
## 9. COOKIES AND TRACKING TECHNOLOGIES
### 9.1 What are cookies?
Cookies are small text files saved on User's device. IT-Storage mobile Application **DOES NOT use traditional browser cookies**, but uses similar technologies for local data storage on the device.
### 9.2 What technologies do we use?
**1. Local Storage**
- **Purpose:** Storing Application settings, authorization token (user session)
- **Duration:** Until logout or Application uninstall
- **Can be disabled:** NO - necessary for Application operation
**2. Firebase Analytics (if implemented)**
- **Purpose:** Collecting Application usage statistics, user behavior analysis
- **Data:** Anonymized feature usage information
- **Can be disabled:** YES - in Settings → Privacy → Analytics
**3. Crashlytics (error reporting)**
- **Purpose:** Automatic Application crash and error reporting
- **Data:** Error logs, device information (anonymized)
- **Can be disabled:** YES - in Settings → Privacy → Error reporting
### 9.3 Consent management
Upon first Application launch, you will be asked to consent to:
- Necessary cookies/local data - **no refusal option** (necessary for operation)
- Analytics - **optional**
- Error reporting - **optional**
**Change settings:** Settings → Privacy
---
## 10. MARKETING AND NEWSLETTER
### 10.1 Marketing consent
The Controller may send marketing information (newsletter) **only after obtaining your voluntary consent**.
**Communication scope:**
- Application news
- Promotions and discounts
- IT equipment management tips
- New feature information
### 10.2 Legal basis
- **Consent** (Art. 6(1)(a) GDPR)
- **Legitimate interest** (Art. 6(1)(f) GDPR) - for information about important Application changes
### 10.3 How to give consent?
- Checkbox during registration: "I want to receive newsletter"
- In Settings: Settings → Notifications → Newsletter
### 10.4 How to opt out?
- "Unsubscribe" link in every newsletter email
- Settings → Notifications → Newsletter (disable)
- Email to itstorageapp@gmail.com with subject "Newsletter unsubscribe"
**Opt-out is immediate and free.**
---
## 11. PROFILING AND AUTOMATED DECISION-MAKING
### 11.1 Do we profile data?
**NO** - The Controller does not use profiling or automated decision-making producing legal effects or similarly significantly affecting Users.
### 11.2 Behavior analysis (in the future)
In future Application versions, we may analyze:
- Most popular features (anonymized statistics)
- Usage patterns (e.g., average number of devices)
**Purpose:** Application improvement, experience personalization
**Always:** Based on consent or legitimate interest, with the possibility to object
---
## 12. THIRD-PARTY DATA
### 12.1 Sharing data of other persons
If you enter data of other persons into the Application (e.g., employee data, family members), you agree to:
1. Inform these persons about data processing
2. Obtain consent (if required)
3. Provide them with this Privacy Policy content
**The Controller is not responsible for User's violation of above obligations.**
---
## 13. CHANGES TO PRIVACY POLICY
### 13.1 Right to make changes
The Controller reserves the right to make changes to the Privacy Policy.
**Reasons for changes:**
- Changes in legal regulations
- Application functionality development
- Introduction of new services
- Security improvement
### 13.2 Notification of changes
We will inform you of significant changes **at least 7 days** before they take effect through:
- Notification in Application (popup)
- Email to the address assigned to the account
- Login message
### 13.3 Acceptance of changes
Continuing to use the Application after changes take effect means acceptance of new Privacy Policy.
**In case of non-acceptance:** You can delete account before changes take effect.
---
## 14. LINKS TO THIRD-PARTY SITES
The Application may contain links to external websites (e.g., documentation, support).
**The Controller is not responsible for:**
- Third-party privacy policies
- Data processing practices of these entities
- Content presented on third-party sites
**We recommend:** Familiarizing yourself with privacy policies of visited sites.
---
## 15. FINAL PROVISIONS
### 15.1 Language
The Privacy Policy is prepared in Polish. In case of translations, the Polish version is binding.
### 15.2 Effective date
Privacy Policy effective from: **February 1, 2026**
### 15.3 Previous versions
Previous versions of Privacy Policy are available upon request at: itstorageapp@gmail.com
### 15.4 Additional information
For matters not regulated in this Privacy Policy, the following apply:
- GDPR
- Personal Data Protection Act
- Civil Code
- Other applicable Polish law regulations
---
## 16. CONTACT
For matters concerning personal data processing and exercising your rights:
**Email:** itstorageapp@gmail.com
**Correspondence address:** ul. Wędrowna 12/20, 20-819 Lublin, Poland
**We respond within 14 business days.**
---
**Thank you for trusting and using IT-Storage!**
*Last update date: February 1, 2026*