Privacy Policy

matury-online.pl website
Last updated: April 21, 2026

Table of contents

1. Data controller
2. Contact regarding data protection
3. Categories of processed data
4. Purposes and legal bases of processing
5. Data retention period
6. Data recipients
7. Data transfers outside the EEA
8. Your rights
9. Data of minors
10. Cookies and similar technologies
11. Artificial intelligence and automated decisions
12. Data security
13. Right to lodge a complaint
14. Changes to the privacy policy

1. Data controller

The controller of your personal data within the meaning of Article 4(7) GDPR is:

Hereinafter referred to as the “Controller” or “we”.

2. Contact regarding data protection

The Controller has not appointed a Data Protection Officer (DPO), as this is not legally required for the scope of the business. For all matters concerning the processing of your personal data — including to exercise your rights — you may contact the Controller at kontakt@karol-leszczynski.pl or in writing at the address above.

3. Categories of processed data

In connection with your use of the service, we process the following categories of your personal data:

• Identification and contact data — e-mail address, first name (optional), profile picture (optional, from Google account).
• Authentication data — encrypted password (only for e-mail accounts), Google identifier (for OAuth accounts), verification tokens.
• Subscription and payment data — subscription status, Stripe customer ID, Stripe subscription ID, subscription end date. Payment card data is processed exclusively by Stripe and never reaches our servers.
• Educational activity data — selected subjects, answers to questions, essay content, AI evaluations, test results, time spent in the service, XP points, levels, streaks, achievements, progress statistics.
• Technical data — IP address, device identifier, browser type, operating system, traffic source, cookie data (after consent).
• Communication data — e-mail correspondence, complaints, status of engagement notifications (opens, clicks — after consent).
• Consent data — content and date of consents granted (newsletter, cookies, processing of a minor's data).

4. Purposes and legal bases of processing

4.1. Service provision (contract conclusion and performance)

Legal basis: Art. 6(1)(b) GDPR — necessity to perform the electronic services contract to which you are a party.

Includes: account creation and maintenance, access to educational content, subscription and payment handling, saving of learning progress, AI essay evaluation, communication related to contract performance.

4.2. Legal obligations

Legal basis: Art. 6(1)(c) GDPR — necessity to comply with legal obligations (Polish Accounting Act, VAT Act).

Includes: issuing accounting documents, archiving invoices (5 years — Polish Accounting Act), handling complaints, official correspondence.

4.3. Own marketing and educational communication

Legal basis: Art. 6(1)(f) GDPR — legitimate interest of the Controller in maintaining user relationships and promoting its own services. For marketing e-mails — additionally Article 10(2) of the Polish Act on Providing Services by Electronic Means (consent).

Includes: study reminders, streak notifications, weekly summaries, information about new features. You may withdraw your consent to marketing communication at any time.

4.4. Analytics and service development

Legal basis: Art. 6(1)(a) GDPR — your consent granted via the cookie banner (for analytics and marketing cookies), and Art. 6(1)(f) GDPR — legitimate interest (for anonymous aggregated statistics).

Includes: traffic measurement (Google Analytics 4), service performance optimization, error analysis, user experience improvement.

4.5. Claim protection

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in the ability to pursue claims or defend against claims.

4.6. Security

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in ensuring the security of the service and preventing abuse (including reCAPTCHA, request limits).

5. Data retention period

We retain your personal data for the following periods:

• Account and activity data — for the duration of the contract (account existence). After account deletion — up to 30 days (to allow account recovery), then data is permanently deleted or anonymized.
• Billing data (invoices) — 5 years from the end of the tax year in which the tax obligation arose (Art. 112 of the Polish VAT Act, Art. 74 of the Polish Accounting Act).
• Data for claim pursuit — until the limitation period expires (typically 6 years, 3 years for claims from business activity).
• Analytics cookie data — in accordance with cookie policy settings (typically 14 months for GA4).
• E-mail correspondence — 3 years from the last exchange.
• Cookie data — until deletion or expiry of consent (default 12 months).

6. Data recipients

We may transfer your data to the following categories of recipients, acting as processors based on data processing agreements (Art. 28 GDPR):

• Cloud infrastructure providers — Amazon Web Services EMEA SARL (EC2 servers, databases, S3 file storage, SES e-mail, CloudFront) — eu-central-1 (Frankfurt) and eu-north-1 (Stockholm) regions.
• Payment processor — Stripe Payments Europe, Ltd. (Ireland) — card payments, BLIK, Revolut Pay, subscription management.
• Login providers — Google Ireland Limited (Google account login, reCAPTCHA v3).
• Artificial intelligence providers — Anthropic PBC (USA) — AI models for essay evaluation and explanation generation.
• Speech synthesis provider — Google Cloud (Google Ireland Limited / Google LLC) — audio generation for listening comprehension exercises.
• Analytics providers — Google Ireland Limited (Google Analytics 4, Google Ads) — only after you have given consent via the cookie banner.
• Domain and DNS providers — domain registrars, Amazon Route 53.
• Authorized state authorities — only when the transfer obligation arises from the law.

7. Transfers outside the European Economic Area (EEA)

Some of our providers are based outside the EEA (in particular Anthropic PBC and in some cases Google LLC, Stripe, Inc.). In such cases, data transfer takes place based on:

• Standard Contractual Clauses (SCC) approved by the European Commission (Implementing Decision (EU) 2021/914),
• Adequacy decisions — in particular the EU–US Data Privacy Framework for certified providers.

We apply additional technical safeguards (encryption in transit and at rest) and organizational ones (processor agreements, vendor audits). A copy of the safeguards is available upon request.

8. Your rights

Under GDPR, you have the following rights:

• Right of access (Art. 15 GDPR) — confirmation of whether we process your data and a copy of it.
• Right to rectification (Art. 16 GDPR).
• Right to erasure (“right to be forgotten”, Art. 17 GDPR).
• Right to restriction of processing (Art. 18 GDPR).
• Right to data portability (Art. 20 GDPR) — receiving your data in a structured format (e.g. JSON) and transferring it to another controller.
• Right to object (Art. 21 GDPR) — to processing based on legitimate interest, including profiling.
• Right to withdraw consent (Art. 7(3) GDPR) — at any time, without affecting the lawfulness of processing prior to withdrawal.
• Right not to be subject to decisions based solely on automated processing (Art. 22 GDPR) — see below.

To exercise any of the above rights, contact us at kontakt@karol-leszczynski.pl. We respond without undue delay, no later than within one month of receiving the request. This period may be extended by a further two months in complex cases, about which we will inform you.

9. Data of minors

The service is directed at adults (18 years old or older). Persons who are 13 or older but not yet adults may use the service only with the consent and under the supervision of a legal representative (parent or legal guardian), who is responsible for contract conclusion, payments, and use of the service.

In accordance with Art. 8(1) GDPR and Art. 22¹ of the Polish Personal Data Protection Act, information society services (including matury-online.pl) may be offered to a child aged 16 or older based on their own consent. For children under 16, the consent of a legal representative is required.

We do not knowingly collect data of children under 13. If we learn that we process such data without parental consent, we will promptly delete it.

10. Cookies and similar technologies

The service uses cookies and similar technologies (including localStorage). Detailed information about the cookies used, their purposes and retention periods is available in the Cookie Policy.

We use Google Consent Mode v2, which by default blocks all analytical and marketing cookies until you give consent. You can change your consents at any time by clicking the 🍪 icon in the lower left corner of the screen.

11. Artificial intelligence and automated decisions

Within the service, we use artificial intelligence models (Anthropic Claude) for:

• evaluating essay content and providing feedback,
• generating explanations for questions,
• generating transcripts and educational content,
• adapting task difficulty (adaptive learning).

AI evaluations do not constitute a binding decision within the meaning of Art. 22 GDPR — they are auxiliary educational tools, and do not replace teacher assessment or state exam (matura) results. They do not produce legal effects concerning you or similarly significantly affect you.

You always have the right to:

• receive an explanation of how AI assessed your work,
• contest the evaluation and request verification,
• express your own opinion,
• request re-evaluation by a human (to the extent technically feasible).

Content sent to AI models is processed in accordance with the privacy policies of the respective providers (Anthropic PBC) and — based on the agreements concluded — is not used to train models in the context of commercial API use.

12. Data security

We apply technical and organizational measures adequate to the risk, including:

• transmission encryption (TLS/HTTPS),
• password encryption using cryptographic algorithms (bcrypt/argon2),
• encryption of data at rest (disk and database encryption),
• restricting data access to the Controller only,
• regular backups,
• access verification (reCAPTCHA v3, e-mail verification),
• log monitoring and anomaly detection.

13. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates GDPR. The competent authority in Poland is:

14. Changes to the privacy policy

This policy may change due to amendments to the law, introduction of new service features, or changes in data processing. We will notify you of material changes at least 7 days in advance via e-mail or a service notice. The current version of the policy along with the date of the last update is always available on this page.

Document version as of: April 21, 2026.
In case of any discrepancy between the Polish and English versions, the Polish version is binding.