Privacy Policy

Last Updated: November 9, 2025
Version: 1.1
Effective Date: November 9, 2025

This Privacy Policy describes how DevNotes.IT collects, uses, stores, and protects your personal data when you visit our website and use our services. We are committed to protecting your privacy and handling your data in an open and transparent manner.

1. General Provisions

1.1 Data Controller

The controller of your personal data is:

MODUS Dariusz Luber
DevNotes.IT
TAX ID (NIP): PL 9372425143
Poland

(hereinafter referred to as "we", "us", "our", or "the Controller")

1.2 Contact Information

You can contact the Controller regarding all matters related to the protection of your personal data:

1.3 Data Protection Officer

Given the nature and scale of our processing activities, we are not required to appoint a Data Protection Officer under GDPR Article 37. For all data protection inquiries, please contact us at the email address provided above.

1.4 Commitment to Data Protection

We act with due diligence when selecting and applying appropriate technical and organizational measures to protect personal data being processed. We protect personal data against unauthorized access and processing in violation of applicable regulations.

1.5 Legal Framework

Your personal data is processed by us in accordance with:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR)
  • National data protection laws implementing GDPR
  • Other applicable data protection regulations

1.6 Data Processing Principles

Personal data collected by DevNotes.IT is:

  • Processed lawfully, fairly, and transparently
  • Collected for specified, explicit, and legitimate purposes
  • Adequate, relevant, and limited to what is necessary
  • Accurate and kept up to date
  • Kept in a form that permits identification of data subjects for no longer than necessary
  • Processed in a manner that ensures appropriate security

2. Purposes and Legal Basis for Data Processing

2.1 Overview

The purpose, scope, and recipients of personal data processed by DevNotes.IT depend on your relationship with us (website visitor, registered user, newsletter subscriber, or donor).

2.2 Authentication and Account Management

Purpose: To enable you to create an account and access personalized features using OAuth 2.0 authentication via Google, GitHub, or Facebook.

Legal Basis: Contract performance (GDPR Article 6(1)(b)) - necessary to take steps at your request before entering into a contract and to perform the contract.

Data Processed: User ID from provider, name, email address, profile picture (optional), account creation date, role, terms acceptance status.

2.3 Newsletter Subscription

Purpose: To send you educational content, blog updates, tutorials, and other relevant information about software development.

Legal Basis: Consent (GDPR Article 6(1)(a)) - you provide explicit consent by subscribing through our newsletter form.

Data Processed: Email address, name (optional), subscription date, subscription status, subscription identifier.

2.4 Payment Processing (Donations)

Purpose: To process donations securely via Stripe and maintain transaction records.

Legal Basis: Contract performance (GDPR Article 6(1)(b)) and legal obligation (GDPR Article 6(1)(c)) for financial record-keeping.

Data Processed: Payment information (processed by Stripe), transaction amount, date, payment status, email address (for receipt).

2.5 Cookie Consent Management

Purpose: To comply with GDPR requirements by recording and managing your cookie consent choices.

Legal Basis: Legal obligation (GDPR Article 6(1)(c)) - we are required to keep records of consent.

Data Processed: Session ID, consent choices, timestamp, IP address (anonymized after 90 days), browser user agent, consent version.

2.6 Communication and Support

Purpose: To answer your questions, requests, and feedback submitted through contact forms or email.

Legal Basis: Legitimate interest (GDPR Article 6(1)(f)) - necessary to respond to inquiries and maintain our relationship with users.

Data Processed: Name, email address, message content, date of contact.

2.7 Website Functionality and Security

Purpose: To provide core website functionality, maintain security, prevent fraud, and improve user experience.

Legal Basis: Legitimate interest (GDPR Article 6(1)(f)) and technical necessity for service delivery.

Data Processed: Session cookies, IP address (for security), browser information, access logs.

2.8 Analytics and Website Improvement (Future Use)

Purpose: To understand how visitors use our website and improve content and functionality.

Legal Basis: Consent (GDPR Article 6(1)(a)) - if implemented in the future.

Data Processed: Anonymized usage statistics, page views, navigation patterns.

2.9 Legal Compliance

Purpose: To comply with legal obligations relating to accounting, taxation, and record-keeping.

Legal Basis: Legal obligation (GDPR Article 6(1)(c)).

Data Processed: Financial records, consent records, user account data.

2.10 Legal Claims

Purpose: To establish, exercise, or defend legal claims if necessary.

Legal Basis: Legitimate interest (GDPR Article 6(1)(f)).

Data Processed: Relevant personal data depending on the nature of the claim.

3. Categories of Personal Data Collected

The Controller processes different personal data depending on the purpose and legal basis of the processing. We may collect and process the following categories of personal data:

3.1 Account and Profile Information

  • User ID from OAuth provider (Google, GitHub, Facebook)
  • Full name
  • Email address
  • Profile picture URL (optional)
  • Account creation date and time
  • User role (user, admin)
  • Terms acceptance status and timestamp
  • Registration status

3.2 Communication Data

  • Name (when you contact us)
  • Email address
  • Message content
  • Date and time of contact

3.3 Newsletter Subscription Data

  • Email address
  • Name (optional)
  • Subscription date and time
  • Subscription status (active, unsubscribed, bounced)
  • AWS SNS subscription ARN (technical identifier)
  • Subscription source

3.4 Payment and Donation Data

  • Transaction amount
  • Transaction date and time
  • Payment status
  • Email address (for receipt)
  • Stripe session ID (technical identifier)
  • Note: Payment card information is processed directly by Stripe and never stored on our servers

3.5 Cookie Consent Records

  • Session ID (anonymous browser identifier)
  • Consent choices for different cookie categories
  • Timestamp of consent
  • Consent method (banner, settings page, implicit)
  • IP address (anonymized after 90 days)
  • Browser user agent
  • Consent version number

3.6 Technical and Usage Data

  • IP address (for security purposes, anonymized after 90 days)
  • Browser type and version
  • Operating system
  • Device type
  • Referring website
  • Pages visited and time spent
  • Session information
  • Access logs (for security and debugging)

4. Data Retention Periods

The period of personal data processing depends on the purpose and legal basis of the processing. We do not retain personal data longer than necessary.

4.1 User Account Data

Retention: Stored for the duration of your account existence. Deleted within 30 days of account deletion request or automatic deletion after 3 years of inactivity (with prior notification).

4.2 Cookie Consent Records

Retention: 7 years from the date of consent to comply with GDPR documentation requirements. IP addresses are anonymized after 90 days.

4.3 Newsletter Subscriptions

Retention: Until you unsubscribe or request deletion. Unsubscribed email addresses are retained in a suppression list to honor your unsubscribe request.

4.4 Payment and Transaction Records

Retention: Retained for 6 years to comply with financial and tax record-keeping obligations, then securely deleted.

4.5 Communication Records

Retention: Processed for the duration of communication or until an objection is raised, but no longer than 6 months from the last contact, unless another legal basis applies.

4.6 Session and Authentication Cookies

Retention: Session cookies deleted when you close your browser. Persistent authentication cookies expire after 7 days or when you log out.

4.7 Legal Claims

Retention: If data is necessary to establish, exercise, or defend legal claims, it may be retained until the claim is resolved and any appeal periods have expired.

5. Data Sharing and Recipients

5.1 General Principles

DevNotes.IT may disclose your personal data to third parties only when necessary and justified for the specific purposes described in this Privacy Policy. We take utmost care to ensure that any data shared with third parties is processed in accordance with GDPR and this policy.

5.2 Service Providers and Processors

We may share your personal data with the following categories of recipients:

Authentication Services

  • Google OAuth: When you sign in with Google, we receive your profile information (name, email, profile picture) to create and manage your account. Google Privacy Policy
  • GitHub OAuth: When you sign in with GitHub, we receive your profile information (username, name, email, avatar). GitHub Privacy Statement
  • Facebook OAuth: When you sign in with Facebook, we receive your public profile information (name, email, profile picture). Facebook Privacy Policy

Payment Processing

  • Stripe: We use Stripe to process donations securely. When you make a donation, Stripe processes your payment information. We receive only transaction metadata (amount, status, email for receipt). Stripe is PCI DSS Level 1 certified. Stripe Privacy Policy

Email and Communication Services

  • Email Service Provider: We use a trusted email service provider to manage newsletter subscriptions and send email notifications. The provider processes email addresses and subscription data on our behalf.

Hosting and Infrastructure

  • Hosting Provider(s): We use EU-based hosting provider(s) to run our application; they may process technical data (e.g., IP addresses, access logs) as part of delivering services.
  • Managed Database Provider: We use a managed database provider to store data securely as a processor.

Technical Service Providers

  • Other service providers that help us operate our website, conduct our business, or serve our users, as long as those parties agree to keep this information confidential.

5.3 Legal Obligations

We may disclose your personal data if required by law, court order, or other legal process, or if necessary to:

  • Comply with legal obligations or regulatory requirements
  • Protect and defend our rights or property
  • Prevent or investigate possible wrongdoing in connection with the website
  • Protect the personal safety of users or the public

5.4 International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) only in cases where:

  • The European Commission has issued an adequacy decision for that country, determining that it provides an adequate level of data protection
  • Appropriate safeguards are in place, such as:
    • Standard Contractual Clauses (SCCs) approved by the European Commission
    • Binding Corporate Rules (BCRs)
    • Certification mechanisms (e.g., EU-U.S. Data Privacy Framework)
    • Code of conduct or certification
  • An exception applies under GDPR Article 49 (e.g., explicit consent, necessary for contract performance)

Our service providers (e.g., authentication, payment, email, hosting, and database providers) have implemented appropriate safeguards for international data transfers.

5.5 No Automated Decision-Making

Your personal data will not be subject to automated decision-making, including profiling, that produces legal effects or similarly significantly affects you.

5.6 Third-Party Websites

Our website contains links to external websites (e.g., social media platforms, OAuth providers, payment processors). We strongly recommend that you read the privacy policy and terms of service of each external site, as they are not within our control or liability.

6. Your Data Protection Rights

Under GDPR and applicable data protection laws, you have the following rights regarding your personal data:

6.1 Right to Access (Article 15 GDPR)

You have the right to obtain confirmation as to whether or not we process your personal data and, if so, to access that data. You can request:

  • A copy of your personal data we hold
  • Information about the purposes of processing
  • Categories of data being processed
  • Recipients or categories of recipients
  • Retention period or criteria used to determine the retention period

6.2 Right to Rectification (Article 16 GDPR)

You have the right to have inaccurate personal data corrected and incomplete data completed. You can update most information directly in your account settings.

6.3 Right to Erasure / "Right to be Forgotten" (Article 17 GDPR)

You have the right to request deletion of your personal data in the following cases:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • The data must be erased for compliance with a legal obligation

Please note that we may be required to retain certain data to comply with legal obligations (e.g., financial records for 6 years).

6.4 Right to Restriction of Processing (Article 18 GDPR)

You have the right to restrict processing of your personal data in certain circumstances:

  • You contest the accuracy of the data (restriction during verification)
  • The processing is unlawful, but you prefer restriction to erasure
  • We no longer need the data, but you need it for legal claims
  • You have objected to processing (restriction pending verification)

6.5 Right to Data Portability (Article 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV) and have the right to transmit that data to another controller where:

  • Processing is based on consent or contract
  • Processing is carried out by automated means

6.6 Right to Object (Article 21 GDPR)

You have the right to object to processing of your personal data where:

  • Processing is based on legitimate interests (Article 6(1)(f)) or public interest (Article 6(1)(e))
  • Processing is for direct marketing purposes (including profiling)
  • Processing is for scientific, historical research, or statistical purposes

6.7 Right to Withdraw Consent (Article 7(3) GDPR)

Where processing is based on your consent (e.g., newsletter subscription, cookie consent), you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

You can withdraw consent by:

  • Unsubscribing from the newsletter using the link in each email
  • Opening Cookie Settings and changing your preferences
  • Contacting us at dataprotection@mdscloud.it

6.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated. You can contact:

  • Your local data protection authority in the EU/EEA
  • The data protection authority in the country where we are established
  • The data protection authority in the country where you reside or work

6.9 How to Exercise Your Rights

To exercise any of the above rights, please contact us at:

Please include:

  • Your full name
  • Email address associated with your account (if applicable)
  • Description of the right you wish to exercise
  • Any additional information to help us locate your data

We will respond to your request within 30 days as required by GDPR. If we need more time (up to 60 additional days), we will inform you of the reason and extension period.

7. Data Security Measures

7.1 Technical Measures

We implement industry-standard security measures to protect your personal data:

  • Encryption: All data transmitted between your browser and our servers is encrypted using TLS/SSL
  • Secure authentication: OAuth 2.0 with trusted providers (Google, GitHub, Facebook)
  • Password security: We do not store passwords; authentication is handled by third-party OAuth providers
  • Database security: Managed database with authentication, access control, and encryption at rest
  • Session management: Secure session cookies with httpOnly and secure flags
  • CSRF protection: Cross-Site Request Forgery tokens for all state-changing operations
  • Input validation: All user inputs are validated and sanitized to prevent injection attacks
  • Access controls: Role-based access control (RBAC) to limit data access
  • Regular updates: We keep all software dependencies up to date with security patches

7.2 Organizational Measures

  • Access limitation: Only authorized personnel have access to personal data
  • Data minimization: We collect only the data necessary for specified purposes
  • Staff training: Our team is trained on data protection best practices
  • Incident response: We have procedures in place to detect, report, and investigate data breaches
  • Vendor management: We carefully select and monitor third-party processors
  • Documentation: We maintain records of processing activities as required by GDPR

7.3 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk
  • Document the breach, including facts, effects, and remedial actions taken

8. Children's Privacy

DevNotes.IT is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16.

If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at dataprotection@mdscloud.it. We will delete such information from our systems within 30 days.

9. Changes to This Privacy Policy

9.1 Updates

We may update this Privacy Policy from time to time to reflect:

  • Changes in our data processing practices
  • Changes in applicable laws and regulations
  • Introduction of new features or services
  • Feedback from users or supervisory authorities

9.2 Notification of Changes

When we make significant changes to this Privacy Policy, we will:

  • Update the "Last Updated" date at the top of this policy
  • Increment the version number
  • Display a notification on our website about the changes
  • Request renewed consent if required by law (e.g., for new processing purposes)
  • Notify registered users via email if the changes materially affect their rights

9.3 Review

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of our website after changes have been made constitutes your acceptance of the updated policy.

10. International Users

DevNotes.IT is operated from the European Union (EU). If you are accessing our website from outside the EU/EEA, please be aware that your information may be transferred to, stored, and processed in the EU where our primary infrastructure is located.

By using our website and providing your information, you consent to this transfer, storage, and processing. We will take all reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Policy and GDPR.

11. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or how we process your personal data, please contact us:

Data Controller

DevNotes.IT

Contact Methods

Response Time

We will respond to all inquiries and data subject requests within 30 days as required by GDPR. If we need additional time (up to 60 additional days), we will inform you of the reason and extension period.

Verification

To protect your privacy and security, we may need to verify your identity before responding to data access, correction, or deletion requests. This may include asking you to provide:

  • Proof of identity (e.g., government-issued ID)
  • Information that matches our records
  • Access to the email address associated with your account


Thank you for trusting DevNotes.IT with your personal data. We are committed to protecting your privacy and ensuring transparency in all our data processing activities.
