Privacy Policy

1. Data Controller

The controller of your personal data is:
BeastieCode
ul. 3 Maja
62-052 Komorniki, Poland
E-mail: hello@beastiecode.com

For any questions regarding the processing of your personal data, please contact us at the e-mail address above.

2. What data we collect and why

2.1 Privacy audit tool

The core function of CookieSmog — scanning websites for privacy issues — does not require you to provide any personal data. You only need to submit the URL of the website you want audited.

To perform an audit, we process the following data:

• The URL submitted for scanning.
• Your IP address — required to protect against abuse and security attacks; stored in multiple locations with different retention periods (see section 4).
• A Cloudflare Turnstile CAPTCHA token — required to verify that requests come from real users and not automated bots. This token is transmitted to Cloudflare for verification; see section 5 for details.

Audit results are cached in an in-memory caching system for 10 minutes and then deleted automatically.

2.2 Contact form

If you use the contact form ("Talk to an expert"), we process the following data:

• Full name,
• E-mail address,
• Phone number (optional),
• Company name (optional),
• Message content (optional),
• URL of the audited website (optional),
• Whether marketing consent was given.

Contact form submissions are delivered to the data controller by e-mail and are not stored in any database or CRM system. The only copy of the data is the e-mail in our inbox.

The contact form is also protected by Cloudflare Turnstile CAPTCHA to prevent spam and automated submissions.

3. Legal bases for processing

• Art. 6(1)(b) GDPR — processing is necessary to perform the service (running the audit) at your request.
• Art. 6(1)(a) GDPR — consent — for data submitted via the contact form and for optional marketing communication.
• Art. 6(1)(f) GDPR — legitimate interests of the controller — security of the service (bot protection, abuse prevention, attack mitigation).

4. Data retention

• Audit results (URL, IP — cache): automatically deleted after 10 minutes (automatic cache expiry).
• Audit results (statistical database): completed audit results (scanned URL, score, number of violations) are stored in our database for statistical and analytical purposes indefinitely.
• Application HTTP logs (IP, method, path, status): written to server log files and retained for up to 90 days, after which they are rotated and deleted automatically.
• Web server access logs: your IP address and HTTP request details are written to standard server access logs and retained for up to 90 days, after which they are rotated and deleted automatically.
• Contact form data: messages submitted via the contact form are delivered to and stored in our email inbox. We do not maintain a separate database of contact inquiries — data persists for as long as it remains in our email system. You may request deletion at any time by contacting us directly.

5. Recipients of your data

Your data may be shared with the following processors:

• OVH SAS (France, EU) — hosting and server infrastructure provider. Servers are located within the European Union; data transfer is lawful under Art. 44–49 GDPR.
• Cloudflare, Inc. (USA) — provider of the Turnstile CAPTCHA service used to protect both the audit form and the contact form from automated abuse. When you submit either form, a CAPTCHA token is sent to Cloudflare's servers for verification. Cloudflare applies Standard Contractual Clauses (SCCs) as the safeguard for transfers to third countries (Art. 46 GDPR). More information: Cloudflare Privacy Policy.
• EmailLabs (Poland, EU) — provider of the SMTP relay service used to deliver contact form submissions to the data controller. Personal data included in the contact form (name, e-mail address, phone number, message content) is transmitted through EmailLabs infrastructure. EmailLabs is headquartered in Poland and processes data within the European Union. More information: EmailLabs Privacy Policy.

6. Cookies and tracking technologies

CookieSmog does not use its own cookies for analytics or marketing purposes.

Cloudflare Turnstile is embedded on this site to protect forms against bots and spam. As part of its bot-detection process, Cloudflare may set strictly necessary functional cookies or use browser storage. These are not used for tracking or advertising. For full details see the Cloudflare Privacy Policy and the Turnstile FAQ.

7. Your rights

Under GDPR you have the following rights:

• Right of access (Art. 15) — request information about what data we hold about you.
• Right to rectification (Art. 16) — request correction of inaccurate data.
• Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten").
• Right to restriction (Art. 18) — request that we limit how we use your data.
• Right to data portability (Art. 20) — request your data in a structured, machine-readable format.
• Right to object (Art. 21) — object to processing based on legitimate interests.
• Right to withdraw consent — at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at: hello@beastiecode.com

You also have the right to lodge a complaint with a supervisory authority. In Poland: President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.

8. Security

We apply appropriate technical and organisational security measures, including: encrypted transmission (HTTPS/TLS), SSRF attack protection, bot mitigation via Cloudflare Turnstile, and minimal data retention.

9. Changes to this policy

We reserve the right to update this Privacy Policy. Material changes will be communicated by updating the effective date at the top of this document.