Privacy Policy

Last Updated: December 15, 2025
Effective Date: December 15, 2025

Data Controller

apqa Tomasz Kozakiewicz
ul. Józefa Sarego 5/4
31-047 Kraków, Poland
Email:

Supervisory Authority:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
Website: www.uodo.gov.pl

Introduction

FireSoul ("we", "our", "us") operates the website https://firesoul.me. This Privacy Policy explains how we collect, use, and protect your personal data in accordance with the General Data Protection Regulation (GDPR/RODO) and Polish data protection law.

By using FireSoul, you agree to the collection and use of information in accordance with this policy.

What Data We Collect

Newsletter Subscribers

When you subscribe to our newsletter, we collect:

  • Email address (required)
  • Subscription date (automatic)
  • Confirmation status (pending, active, unsubscribed)
  • IP address (for double opt-in verification only, deleted after 30 days)
  • Preferences (optional, if you select specific interests)

User Accounts (Planned Feature)

When user accounts are implemented, we will collect:

  • Username (required)
  • Email address (required)
  • Password (hashed with bcrypt, we cannot read your password)
  • Reading lists and bookmarks (optional, user-created content)

Server Logs (Security)

Our servers automatically collect:

  • IP address
  • Browser type and version (User-Agent)
  • Pages visited
  • Date and time of access
  • Referring website

This data is collected for security purposes only and is automatically deleted after 30 days.

Cookies

We use essential cookies to operate the website:

  • sessionid - Django session cookie (login state, 2 weeks)
  • csrftoken - CSRF protection (security, 1 year)

These cookies are strictly necessary for website functionality and do not require consent under GDPR.

Planned: We may add cookieless analytics (Plausible) in the future, which is GDPR-exempt as it collects no personal data.

Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

Consent (Article 6(1)(a))

  • Newsletter subscription (you explicitly opt-in with double opt-in confirmation)
  • Future analytics cookies (if implemented, with explicit consent)

Contract (Article 6(1)(b))

  • User account services (when implemented, performance of contract with you)

Legitimate Interest (Article 6(1)(f))

  • Server logs for security and fraud prevention (i.e., protecting FireSoul from external attacks, unauthorized access, and investigating potential abuse)
  • We have performed a Legitimate Interest Assessment (LIA) and determined this processing is necessary and proportionate
  • Protection of our systems and users

Legal Obligation (Article 6(1)(c))

  • Compliance logs retained for 5 years (legal defense, statute of limitations)

How We Use Your Data

Newsletter

  • Send you updates about FireSoul (new books, features, spiritual content)
  • Delivered via Brevo (EU-based email service provider, GDPR-compliant)

User Accounts (When Implemented)

  • Provide account functionality (bookmarks, reading lists, collections)
  • Authenticate your login sessions
  • Personalize your experience

Security

  • Prevent fraud and abuse
  • Protect our systems from attacks
  • Investigate security incidents

Service Improvement

  • Analyze aggregated usage patterns (no individual tracking)
  • Improve website performance and features

We do NOT:

  • Sell your data to third parties
  • Share your data for third-party marketing
  • Track you across other websites

Data Sharing

Brevo (Email Service Provider)

  • Purpose: Newsletter delivery
  • Location: European Union
  • Compliance: GDPR-compliant processor agreement
  • Data shared: Email address, subscription status

Server Hosting

  • Provider: Akamai (formerly Linode)
  • Location: Frankfurt, Germany (European Union)
  • Purpose: Website hosting, database storage
  • Compliance: GDPR-compliant, all data stored within the EU

We do NOT share your data with:

  • Advertisers
  • Data brokers
  • Social media platforms
  • Third-party marketers

Your Rights Under GDPR (Articles 15-22)

You have the following rights regarding your personal data:

Right to Access (Article 15)

Request a copy of all personal data we hold about you. We will provide it in JSON format (machine-readable) within 30 days.

Right to Rectification (Article 16)

Correct any inaccurate or incomplete personal data.

Right to Erasure (Article 17) - "Right to be Forgotten"

Request deletion of your personal data. We will comply within 30 days, with a 30-day backup retention period, after which all data is permanently deleted.

Exceptions: We may retain data if required by law (e.g., compliance logs for legal defense).

Right to Data Portability (Article 20)

Receive your personal data in a structured, machine-readable format (JSON) and transmit it to another service provider.

Right to Object (Article 21)

Object to processing based on legitimate interest. You can unsubscribe from newsletters at any time.

Right to Restriction of Processing (Article 18)

Request temporary limitation of processing in specific circumstances (e.g., while disputing data accuracy).

Right to Lodge a Complaint

If you're unsatisfied with how we handle your data, you can file a complaint with the Polish Data Protection Authority (UODO):

UODO Contact:
ul. Stawki 2
00-193 Warszawa, Poland
Phone: +48 22 531 03 00
Website: www.uodo.gov.pl

How to Exercise Your Rights

Email:

Subject Line: "GDPR Request - [Your Request Type]" (e.g., "GDPR Request - Data Access")

Include:

  • Your email address
  • Subscription date OR last login date (for identity verification)
  • Specific request (access, erasure, portability, objection, etc.)

Response Time: 30 days maximum (GDPR requirement)

Identity Verification: For your security, we will verify your identity before fulfilling requests.

Data Retention

Newsletter Subscribers

  • Active subscribers: Retained until you unsubscribe
  • After unsubscribe: 30-day grace period (in case you change your mind or reactivate)
  • Final deletion: Permanent deletion after 30 days

User Accounts (When Implemented)

  • Active accounts: Retained as long as account is active
  • After account deletion: 30-day backup retention period
  • Final deletion: Permanent deletion after 30 days

Server Logs

  • Retention: 30 days (security purposes)
  • Automatic deletion: Logs older than 30 days are automatically deleted

Compliance Logs

  • Retention: 5 years (legal defense, statute of limitations for copyright and contract disputes)
  • Legal Basis: Retained only to the extent necessary to comply with legal obligations (Article 6(1)(c)) and defend against potential claims (e.g., intellectual property disputes or statutory limitation periods)
  • Content: Audit trails (Project Gutenberg trademark removal compliance, proprietary data deletion logs, AI originality scores)
  • Personal data: Minimal (timestamps, ISBNs, no user identifiers except in GDPR request logs)
  • Justification: These logs contain minimal personal data and are essential for legal defense in the event of copyright disputes or regulatory inquiries

Data Security

We implement appropriate technical and organizational measures to protect your personal data:

Technical Measures

  • HTTPS encryption: All traffic encrypted with SSL/TLS
  • Password hashing: bcrypt algorithm (industry standard, we cannot read your password)
  • Database security: Restricted access, regular backups
  • Server hardening: Firewall, SSH key authentication, regular security updates

Organizational Measures

  • Access control: Limited personnel access to personal data
  • Data minimization: We only collect data necessary for stated purposes
  • Regular reviews: Quarterly security and compliance reviews

Data Breach Notification

In the event of a data breach affecting your personal data:

  • UODO notification: Within 72 hours (GDPR requirement)
  • User notification: Immediate notification if high risk to your rights and freedoms
  • Mitigation: Immediate action to contain and mitigate the breach

International Data Transfers

Current Status (All Within EU)

All processing and hosting of personal data (newsletter, server logs) currently occurs within the European Union. There are no current transfers outside the EU.

  • Brevo (email service): EU-based (France), no transfer outside EU
  • Server Hosting: Akamai/Linode (Frankfurt, Germany - European Union)
  • Database: PostgreSQL hosted on our EU server (Frankfurt, Germany)

Future Safeguards (If Non-EU Services Used)

If we ever use services outside the EU (e.g., US-based analytics, CRM), we will ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): EU-approved data transfer agreements (Article 46(2)(c) GDPR)
  • Adequacy decisions: Countries recognized by EU Commission as providing adequate protection (Article 45 GDPR)
  • User consent: Where required by law (Article 49 GDPR)
  • Policy update: We will update this Privacy Policy and notify subscribers 30 days in advance

Commitment: We prioritize EU-based service providers to minimize cross-border data transfer risks

Children's Privacy

FireSoul is not directed at children under 16 years of age.

GDPR Requirement: Users must be 16 or older to use our service.

Under 16: Parental consent required (not currently implemented, so we do not accept registrations from users under 16).

If We Learn: If we discover we've collected data from someone under 16 without parental consent, we will delete it immediately.

Age Verification: We rely on user-provided information. If you believe a child under 16 has provided us with personal data, please contact us at .

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.

Notification:

  • Material changes: Email notification 30 days before effective date
  • Minor changes: Posted on this page with updated "Last Updated" date
  • Continued use: Using FireSoul after the effective date means you accept the updated policy

Your Options:

  • Disagree with changes: Unsubscribe before effective date
  • Questions: Email

Third-Party Links

FireSoul contains links to external websites (e.g., book sellers, Open Library, Wikipedia).

We Are Not Responsible For:

  • Privacy practices of external websites
  • Content on external websites
  • Data collection by external websites

Recommendation: Review the privacy policies of any external website before providing personal data.

Cookies and Tracking

Essential Cookies (No Consent Required)

Cookie Name Purpose Duration Consent Required
sessionid Django session (login state) 2 weeks No (strictly necessary)
csrftoken CSRF protection (security) 1 year No (strictly necessary)

Analytics (Planned)

Plausible Analytics:

  • Cookieless analytics (no cookies placed)
  • Aggregated page views only
  • No personal data collected
  • No tracking across websites
  • GDPR-exempt (no consent required)

Affiliate Cookies (Future)

When we add affiliate links (e.g., Amazon Associates):

  • Cookies placed by third parties (Amazon, etc.)
  • We do not control these cookies
  • See vendor's cookie policy for details

Note: We will update this policy before implementing affiliate cookies.

Legal Basis Summary Table

Data Type Legal Basis Purpose Retention
Newsletter email Consent (Art. 6(1)(a)) Newsletter delivery Until unsubscribe + 30 days
Account data Contract (Art. 6(1)(b)) Account services Until deletion + 30 days
Server logs Legitimate interest (Art. 6(1)(f)) Security, fraud prevention 30 days
Compliance logs Legal obligation (Art. 6(1)(c)) Legal defense 5 years

Contact Us

Data Protection Inquiries:
Email:

General Contact:
Email:

Data Controller:
apqa Tomasz Kozakiewicz
ul. Józefa Sarego 5/4
31-047 Kraków, Poland

Supervisory Authority (Complaints):
UODO - Urząd Ochrony Danych Osobowych
www.uodo.gov.pl

Questions about this document? Contact us at