This Privacy Policy describes how FUMO – Mateusz Fajst ("Elean", "we", "us", or "our") collects, uses, and protects your personal data when you use the Elean platform at elean.app.
We process your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and the Polish Act of 10 May 2018 on the Protection of Personal Data.
We do not make decisions about you based solely on automated processing (profiling) that would produce legal effects or similarly significantly affect you.
1. Data Controller
The controller of your personal data is:
FUMO – Mateusz Fajst
al. Jana Pawła II 43A/37B, 01-001 Warsaw, Poland
NIP: 7292752057 | REGON: 526628843
Email: [email protected]
2. Definitions
-
Personal data — any information relating to an identified or identifiable natural person.
-
Controller — FUMO – Mateusz Fajst, who determines the purposes and means of processing your personal data.
-
Sub-processor — a third-party service provider processing personal data on our behalf.
-
Cookies — small text files stored on your device when you visit elean.app.
-
Service — the Elean platform accessible at elean.app.
-
User — any person visiting elean.app or using the Service.
3. What Data We Collect
We collect only the data necessary to provide the Service.
Our Service is not directed to individuals who have not reached the age of majority in their jurisdiction. We do not knowingly collect personal data from individuals under the age of majority. If you are a parent or guardian and you are aware that your child has provided us with personal data without your consent, please contact us at [email protected]. If we become aware that we have collected personal data from any individual who has not attained the age of majority, we will take immediate steps to remove that information from our servers and terminate the associated account.
3.1 Data you provide directly
- Email address — required for registration and authentication;
- First and last name — optional on Free Plan, required on Paid Plan;
- Company name, NIP (tax number), correspondence address — collected only when required for invoicing on a Paid Plan;
- Workspace and Project names and slugs — created by you during onboarding;
- Content and tasks — any data you create, upload, or generate within the Service.
3.2 Data collected automatically
- IP address and approximate location — collected by our server infrastructure (SkyPass / Cloudflare);
- Browser type and operating system — collected via server logs and analytics;
- Usage data — pages visited, time spent, actions taken within the platform — collected via Umami (self-hosted analytics, no data shared with third parties);
- Authentication data — login events, session tokens — processed by Stytch Inc.
3.3 Data we do NOT collect
- We do not collect phone numbers;
- We do not collect bank account numbers — payments are handled entirely by DodoPayments as Merchant of Record;
- Social media profiles — links to X and Discord in our footer are simple redirects. Clicking them does not activate any social media tracking widgets or transmit any additional personal data to us.
4. How We Use Your Data
We process your data only for specific, legitimate purposes. Below is a full list of purposes and the legal basis for each under GDPR.
| Purpose | Legal basis |
|---|---|
| Creating and maintaining your account | Art. 6(1)(b) — performance of a contract |
| Providing access to the Service | Art. 6(1)(b) — performance of a contract |
| Processing payments via DodoPayments | Art. 6(1)(b) — performance of a contract |
| Responding to support requests | Art. 6(1)(b) — performance of a contract |
| Sending service-related notifications | Art. 6(1)(b) — performance of a contract |
| Fulfilling legal obligations (e.g. tax, accounting) | Art. 6(1)(c) — legal obligation |
| Notifying users about data breaches and security incidents | Art. 6(1)(c) — legal obligation |
| Establishing or defending legal claims | Art. 6(1)(f) — legitimate interest |
| Improving the Service via anonymized analytics (Umami) | Art. 6(1)(f) — legitimate interest |
| Sending marketing communications | Art. 6(1)(a) — consent |
5. How Long We Store Your Data
We retain your personal data only for as long as necessary for the purposes described in this Policy or as required by applicable law.
| Data type | Retention period |
|---|---|
| Account data (email, name) | Anonymized immediately upon account deletion request. If the account is not deleted, a warning email is sent after 180 days of inactivity; if no login is recorded within 30 days of that notice, the account and all associated data are permanently deleted (total: 210 days from last login). |
| Content and tasks (Client Data) | Anonymized or deleted immediately upon account deletion request |
| Backups | 7 days (rolling) |
| Payment and invoicing data | 5 years from the end of the calendar year in which the tax deadline passed for basic billing data (Company name, NIP, address). Actual payment processing and card data are managed entirely by DodoPayments — see dodopayments.com/legal/privacy-policy |
| Legal claims | For the duration of the statute of limitations, not exceeding 3 years from the termination of the Main Agreement |
| Support correspondence | 3 years from the date of last contact |
| Server logs | 90 days |
| Analytics data (Umami) | Retained on self-hosted infrastructure; no fixed expiry — anonymized by default, no personal identifiers stored |
| Authentication data (Stytch) | For the duration of the account + as per Stytch's retention policy |
6. Recipients
We transfer personal data to other entities only to the extent necessary for the performance of the Agreement, to fulfill legal obligations imposed on the Controller, or within the scope resulting from the legitimate interests pursued by the Controller. Your data may be transferred to the following categories of recipients:
- Infrastructure and Hosting Providers: Entities ensuring server maintenance and secure storage of data and backups (SkyPass Solutions Sp. z o.o., Cloudflare R2).
- Authentication Service Providers: Entities handling secure login and account management (Stytch Inc.).
- Payment and Billing Partners: An independent data controller operating in the Merchant of Record model, responsible for processing transactions, taxes, and issuing invoices (DodoPayments).
- AI Solution Providers: Entities providing artificial intelligence technologies that support platform features (Google LLC – Gemini API); this data is not used for model training.
- Analytics Providers: Self-hosted analytics (Umami) running on our own infrastructure in Poland — no personal data is shared with third parties.
- Collaborators and Advisors: Persons authorized by the Controller to provide technical or legal support for the service, bound by confidentiality obligations.
- Public Authorities: In cases where we are legally obliged to provide your data under applicable law.
In the case of data transfers to third countries (e.g., the USA), such transfers take place based on an adequacy decision (EU-U.S. Data Privacy Framework) or Standard Contractual Clauses.
7. Your Rights
Under GDPR, you have the following rights regarding your personal data:
| Right | What it means |
|---|---|
| Access (Art. 15) | You can request a copy of your personal data |
| Rectification (Art. 16) | You can request correction of inaccurate data |
| Erasure (Art. 17) | You can request deletion of your data ("right to be forgotten") |
| Restriction (Art. 18) | You can request we limit processing of your data |
| Portability (Art. 20) | You can request your data in a machine-readable format |
| Objection (Art. 21) | You can object to processing based on legitimate interest |
| Withdraw consent (Art. 7(3)) | You can withdraw consent at any time for consent-based processing (e.g. Meta Pixel, marketing) |
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days of receiving your request, in accordance with GDPR Art. 12(3).
You also have the right to lodge a complaint with
the Polish Data Protection Authority (PUODO):
Urząd Ochrony Danych Osobowych
ul. Stawki 2, 00-193 Warsaw
uodo.gov.pl
8. Cookies
Cookies are small text files stored on your device when you visit elean.app. We use strictly necessary cookies only — no analytics or marketing cookies are set without your explicit consent.
Cookies we use
| Cookie | Provider | Purpose | Type |
|---|---|---|---|
| Session token | Stytch | Authentication | Strictly necessary |
| cf_clearance | Cloudflare | Security and DDoS protection | Strictly necessary |
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- encryption of personal data in transit (TLS/SSL);
- encryption of personal data at rest (AES-256), including databases, files, and backups;
- pseudonymisation of personal data where technically feasible;
- storage of data in the European Union (Cloudflare R2, EU region; SkyPass Solutions Sp. z o.o.);
- access controls limiting who can access personal data;
- authentication handled by Stytch, a SOC 2 Type II and ISO 27001 certified provider;
- measures ensuring confidentiality, integrity, availability and resilience of processing systems and services, including access controls, audit logging, network security, and infrastructure redundancy;
- the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident, taking into account defined recovery time and recovery point objectives appropriate to the nature of processing;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing, including periodic backup restoration tests, security assessments, and continuous monitoring and logging;
- daily backups retained for 7 days. Backups kept for 7 days serve solely for disaster recovery purposes; following any system restoration, the Controller/Processor shall promptly re-execute the deletion instructions; after 7 days, restoring the data is technically impossible.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, in accordance with GDPR Art. 33-34.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes via email or an in-platform notification at least 14 days before the changes take effect.
The current version is always available at https://elean.app/legal/privacy-policy.
11. Contact
If you have any questions about this Privacy Policy or wish to exercise your rights, contact us:
FUMO – Mateusz Fajst
al. Jana Pawła II 43A/37B, 01-001 Warsaw, Poland
NIP: 7292752057
Email: [email protected]
Website: https://elean.app/contact
