Privacy Policy

We care about your privacy. This document explains how we process your personal data in a lawful, fair and transparent way while you use our application.

This Policy describes which data we collect, on what legal basis, how we store and use it, and what rights you have.

Legal basis for processing

We process personal data in accordance with the GDPR (Regulation (EU) 2016/679) and applicable Polish data protection laws.

Data Controller

The controller of your personal data is the owner and operator of the capsy application (“we”). Full identification details and contact information can be found in the footer of the service and in the “Contact” section.

Contact regarding personal data

If you have any questions regarding how we process your personal data or you wish to exercise your rights, you can contact us by e-mail (details in the “Contact” section) or by postal mail sent to the correspondence address indicated on our website.

§ 1. Definitions

  • Personal Data – information relating to an identified or identifiable natural person (e.g. name, surname, e-mail address, online identifiers, IP address, location data).
  • Policy – this document describing how personal data is processed within the capsy application.
  • Application – the capsy platform enabling the sale and purchase of digital products and services, in particular ebooks, courses, webinars, consultations, vouchers and other digital products.
  • Service – the functionalities of the capsy application made available to the User.
  • User – any person using the Application. Within this Policy we distinguish:
    • Seller – a User who has an account and offers products/services,
    • Customer – a User who makes a purchase without creating an account.
  • Account – the User area in the Application available after logging in (e.g. via Google / Facebook).
  • Offer – information published by the Seller regarding products/services and purchase conditions.
  • Products – digital content and services offered for sale (ebooks, courses, webinars, consultations, vouchers and other digital items).
  • Sales Agreement – an agreement concluded between a Customer and a Seller through the Application.
  • Customer Panel – the area where the Customer can access purchased materials/services.

§ 2. Logging in and using the Application by Sellers

Sellers can log in to capsy through external identity providers (e.g. Google / Facebook). During login you provide us with data necessary to create your account.

Scope of Seller data may include in particular: name, surname, e-mail address, profile picture and business details if you choose to provide them.

Purposes and legal bases for processing:

  • performance of a contract for the provision of electronic services (Art. 6(1)(b) GDPR) – maintaining the account and handling sales,
  • analytical and statistical purposes (legitimate interest – Art. 6(1)(f) GDPR) – analysing activity and developing the Service,
  • establishment, exercise or defence of legal claims (legitimate interest – Art. 6(1)(f) GDPR),
  • direct marketing based on your consent (Art. 6(1)(a) GDPR),
  • compliance with legal obligations (Art. 6(1)(c) GDPR).

§ 3. Using the Application by Customers (without registration)

Customers can purchase products without creating an account by providing the data necessary to complete the order.

Scope of Customer data:

  • e-mail address (required to complete the purchase and deliver the product),
  • optionally a phone number (if such a feature is enabled),
  • other data necessary for tax and accounting purposes (e.g. VAT ID if an invoice is requested).

Purposes and legal bases are analogous to those in § 2 and include contract performance, analytics (legitimate interest), legal obligations and marketing based on consent.

§ 4. Marketing

We send marketing content (for example information about new features or products) only if you have given your consent. We do not use profiling for marketing purposes.

§ 5. Data retention

The period for which we process personal data depends on the purpose and type of service. As a rule, we process data for as long as we provide the Service, until you withdraw your consent or effectively object (where the legal basis is our legitimate interest).

We may store data for longer where it is necessary to establish, exercise or defend legal claims or where longer storage is required by law. After the relevant retention periods expire, data is permanently deleted or anonymised. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

§ 6. Your rights

  • right to be informed about data processing,
  • right of access and to obtain a copy of your data,
  • right to rectification of inaccurate data,
  • right to erasure (“right to be forgotten”), subject to limitations set out in the GDPR,
  • right to restriction of processing,
  • right to data portability (where processing is based on consent or on a contract),
  • right to object to processing based on our legitimate interest (including analytics and statistics),
  • right to withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal,
  • right to lodge a complaint with the competent supervisory authority (in particular in Poland with the President of the Personal Data Protection Office).

You can exercise your rights by submitting a request via e-mail or postal mail using the contact details provided in the Service. We will respond without undue delay and no later than within one month. Where necessary, we may ask you to clarify or specify your request.

§ 7. Recipients of data

We cooperate with entities to which we may disclose personal data where necessary, in particular providers of IT and cloud services, hosting, accounting, mailing services and payment service providers (such as Stripe). We require these entities to ensure the security and confidentiality of personal data.

Where required by law, we may disclose data to competent public authorities. Apart from the situations described above, we do not sell or otherwise make personal data available to third parties.

§ 8. Transfers outside the EEA

As a rule, we seek to process personal data within the European Economic Area (EEA). If, in exceptional cases, data is transferred outside the EEA (for example by a payment or cloud provider), we ensure appropriate safeguards required by the GDPR, such as standard contractual clauses or other valid transfer mechanisms.

§ 9. Data security

We regularly assess risk and apply appropriate organisational and technical measures to protect data against unauthorised access, loss, alteration or destruction. We also require our processors and service providers to use adequate security measures.

§ 10. Changes to this Policy

We may update this Policy whenever necessary. Information about changes will be published in the Application, and in case of material changes we may send a separate notice to your e-mail address. This Policy does not limit your rights arising from the Terms of Service or from applicable law.

The capsy Terms of Service are available at: https://capsy.io/terms.

§ 11. Final provisions

In matters not regulated by this Policy, the provisions of generally applicable laws of Poland shall apply. In the event of any inconsistency, the provisions of applicable law shall prevail.