5mGrid
Version: 1.0 · Last updated: 2025-09-29
Privacy Policy
Data Controller
The controller of personal data is Piotr Skiba, Sikorz 21, 89-400 Sępólno Krajeńskie, e-mail: [email protected].
Scope of processed data
- Account data: e‑mail address, password (hash), optionally first and last name.
- In‑app operational data: tasks, productivity markers, notes, time‑grid layouts.
- Technical data: identifiers of necessary sessions/cookies, server logs (IP address, timestamp) — for security purposes only.
- Local data in IndexedDB/local storage — stored on the User’s device for offline features.
Purposes and legal bases (Article 6 GDPR)
- Account creation and maintenance, ensuring the Application’s functionality — Article 6(1)(b) GDPR (performance of a contract).
- Security and fraud prevention (logs, rate‑limiting, backups) — Article 6(1)(f) GDPR (legitimate interests of the Controller).
- Handling inquiries (support) — Article 6(1)(b)/(f) GDPR.
- Legal obligations (e.g., accounting, incident archiving) — Article 6(1)(c) GDPR.
- Establishment, exercise or defence of claims — Article 6(1)(f) GDPR (legitimate interest of protecting against and pursuing claims).
The Application does not conduct analytics and does not send marketing communications without a separate, voluntary consent.
Data recipients (processors)
Data may be disclosed to processors acting on behalf of the Controller:
- Hetzner (Germany, EEA) — hosting/application server; processing under a DPA.
- Google Ireland Limited / Google LLC (Google Workspace) — sending transactional emails (confirmations, e‑mail verification, password reset); processing under a DPA; potential transfers outside the EEA pursuant to the EU–US Data Privacy Framework or Standard Contractual Clauses (SCCs).
- Cloudflare, Inc. (USA) / Cloudflare Ltd. (United Kingdom) – content delivery network (CDN), DNS, security, and traffic optimization services; processing based on a Data Processing Addendum (DPA); potential data transfers outside the EEA in accordance with the EU–US Data Privacy Framework or Standard Contractual Clauses (SCCs).
Transfers outside the EEA
- As a rule, we process data within the European Economic Area (EEA).
- Due to the use of Google Workspace for sending e‑mails (e.g., address verification, password reset), data may be transferred to the USA to Google LLC.
- Such transfer is based on the EU–US Data Privacy Framework (DPF), and, where necessary, on Standard Contractual Clauses (SCCs). Information on safeguards is available via contact at [email protected].
Retention periods
- Account data and user content – stored until the User deletes their Account or the contract is terminated. Database backups may be retained for up to 30 days (until they are overwritten as part of the retention cycle).
- Security logs – stored for up to 30 days for system security and incident analysis purposes. Older data is automatically rotated or deleted.
- Backups – created daily and retained according to the retention cycle for up to 30 days, after which they are automatically overwritten. The Administrator does not store older copies.
- IndexedDB / local storage data – stored locally on the User’s device until cleared by the User or the application is reset. The Administrator has no access to this data.
User rights
The User has the right to access, rectification, erasure (“right to be forgotten”), restriction, portability, and objection — where provided by law. Requests may be sent to [email protected]. We will respond without undue delay, no later than one month, in accordance with Article 12(3) GDPR. The User also has the right to lodge a complaint with the Polish DPA.
Requirement to provide data
Providing an e‑mail address and password is necessary to create an Account; without this data we cannot provide the Service that requires logging in. Additional data is optional.
Data security
- Passwords are stored only as bcrypt hashes with a unique salt.
- Encryption in transit (HTTPS/TLS), access control, and security event logging.
- Regular software updates and backups.
- Data minimization and privacy by design.
Cookies and local storage
The Application uses only strictly necessary cookies/sessions to maintain login and IndexedDB/local storage to store data required for functionality (e.g., drafts, offline data). We do not use cookies for analytics or marketing. All cookies are first-party. The User can manage cookies via browser settings.
- Legal bases:
  - Necessary cookies (including auth-token, is-logged-in): GDPR Art. 6(1)(b) (performance of a contract/providing the service); under the ePrivacy Directive, no consent is required for strictly necessary cookies.
  - Preference and security cookies (c_banner, l_tag, “sentinel”): GDPR Art. 6(1)(f) (legitimate interests: preserving preferences, security and abuse prevention).
- Cookie list:
  - c_banner – stored for 30 days; purpose: remember banner acceptance; type: preferences/experience; attributes: SameSite=Lax, Secure, accessible to JS (not httpOnly), first-party.
  - l_tag – stored for 360 days; purpose: remember selected language; type: preferences; attributes: SameSite=Lax, Secure, accessible to JS (not httpOnly), first-party.
  - auth-token – stored for 7 days; purpose: maintain login session; type: strictly necessary; attributes: httpOnly, SameSite=Lax, Secure (in production), first-party; deleted on logout.
  - a_m_e_sentinel, a_d_sentinel, a_t_sentinel, a_c_sentinel, a_a_sentinel, a_e_sentinel – stored for 7 days; purpose: protect against abuse/limit mass downloads (rate-limiting initial fetch); type: security; attributes: httpOnly, SameSite=Lax, Secure (in production), first-party; deleted on logout.
  - is-logged-in – stored for 7 days; purpose: ensure immediate transition to the dashboard and proper application operation in SSG + SW architecture without BE contact (client-side login state detection); type: strictly necessary technical; attributes: SameSite=Lax, Secure (in production), accessible to JS (not httpOnly), first-party; deleted on logout.
- IndexedDB/local storage
  - We store functional data required to operate the Application, including restoring state after refresh and enabling offline use (e.g., drafts). This storage happens solely on the User’s device; we do not use it for analytics, profiling, or marketing.
  - Data scope: parts of the application state (e.g., diary notes: text and date, tasks list: content/categories, settings/day matrix: time slots linked to tasks and emotion icons, UI preferences such as filters and dates). Login data (token) is not stored here.
  - Location/recipients: data is stored locally in the User’s browser (IndexedDB/local storage); it is not automatically shared with us or third parties.
  - Legal basis: GDPR Art. 6(1)(b) (performance of the contract – providing core application features) and Art. 6(1)(f) (legitimate interests: continuity of use and convenience, including offline work). Under the ePrivacy Directive, consent is not required where storage is strictly necessary for the service requested by the User.
  - Retention: until the User clears the website data in the browser (website data/IndexedDB) or resets it within the app (if available).
  - Control: the User can delete this data in the browser settings (site data/IndexedDB/local storage).
  - Security: this data is not additionally encrypted by the app in the browser; anyone with access to the device/browser account may access it. We recommend securing the device and browser.
- Managing cookies: most browsers allow blocking and deleting cookies (see browser help). Disabling strictly necessary cookies may prevent login and the use of some features.
Automated decision‑making
No automated decision‑making or profiling within the meaning of the GDPR takes place.
Contact and Data Protection Officer
For personal‑data matters please contact: [email protected]. The Controller has not appointed a Data Protection Officer.
Changes to the Policy
The Policy may change for legal or functional reasons. Material changes will be announced via the Application/e‑mail before the new version takes effect.
E‑mail address verification
To confirm registration we send a message with a verification link. We store a technical verification identifier/token (and timestamp and event IP address) for up to 24 hours from generation — to prevent abuse (Article 6(1)(f) GDPR).
Technical requirements
Using the Service requires a device with an up‑to‑date web browser, internet access, and enabled session cookies (necessary for login).
Complaints
Complaints concerning the Service can be sent to [email protected]. The Controller will reply within 14 days of receipt, in accordance with applicable consumer‑protection laws.