01 Information We Collect
When you register for and use the frozy.lol platform, we collect only the information necessary to provide and improve our services. We operate on a data minimization principle — we never ask for more than we need.
Account Information
When you create an account, we collect:
- Username — Required. Used for profile identification and login.
- Email address — Required. Used for account verification, password recovery, and essential service communications.
- Password — Stored as a hashed value (bcrypt). We never store or have access to your plaintext password.
Profile Content
Any content you upload or create on your profile is stored at your direction:
- Profile images, banners, and media files
- Bio, description, links, and custom profile fields
- Decorations, badges, and theme customizations
- Any other content you explicitly choose to add
Technical Data
When you access the platform, we automatically collect certain technical information:
- IP address — Logged for security monitoring and rate-limiting purposes.
- Browser user agent — Used for analytics and compatibility optimization.
- Session activity — Login timestamps, page views, and feature usage for service improvement.
- Device type and operating system — Aggregated for performance tuning.
02 How We Collect Data
We collect information through the following methods:
- Direct Registration: Information you provide when creating an account via register.html.
- Profile Management: Content you upload or modify through your profile settings.
- Automated Logging: Server logs, login records (userslogin.json), and analytics.
- Cookies: Session cookies and essential functional cookies (see Section 08).
We do not use third-party analytics services, tracking pixels, or advertising networks. We do not sell your data to anyone.
03 Purpose of Processing
We process your personal data exclusively for the following purposes:
- Account Management: Creating and maintaining your account, authenticating login sessions.
- Service Delivery: Rendering your profile page, storing your content, and providing platform features.
- Security: Monitoring for unauthorized access, abuse prevention, rate-limiting, and protecting platform integrity.
- Communication: Sending essential account-related notifications (password resets, security alerts, service updates).
- Service Improvement: Analyzing aggregated usage patterns to optimize performance and user experience.
- Legal Compliance: Fulfilling obligations under Polish law and GDPR/RODO regulations.
04 Legal Basis for Processing (GDPR)
In accordance with Article 6 of the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:
- Contract Performance (Art. 6(1)(b)): Processing necessary to provide our services under the Terms of Service — account creation, profile hosting, and feature access.
- Consent (Art. 6(1)(a)): For optional data processing activities where you have given explicit consent (e.g., non-essential cookies).
- Legal Obligation (Art. 6(1)(c)): Processing required to comply with Polish legal obligations, including data retention and law enforcement cooperation.
- Legitimate Interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and service improvement — where our interests do not override your fundamental rights.
05 Data Sharing & International Transfers
Third-Party Sharing
We do not sell, rent, or trade your personal data. We may share data only in the following limited circumstances:
- Service Providers: Hosting infrastructure providers (server hosting) who process data on our behalf under strict data processing agreements.
- Legal Requirements: If required by Polish law, court order, or regulatory authority, we may disclose necessary information.
- Protection of Rights: To protect our legal rights, enforce our Terms of Service, or investigate potential violations.
International Transfers
Your data is stored on servers located within the European Union. In the event that any data transfer occurs outside the EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions under Article 45 of the GDPR
- Binding Corporate Rules where applicable
06 Data Retention
We retain your personal data only as long as necessary to fulfill the purposes described in this policy:
- Account Data: Retained for the duration of your account's existence. Upon deletion, all associated data is removed within 30 days.
- Login Logs: Retained for 12 months for security auditing purposes, after which they are anonymized or deleted.
- Server Logs: Retained for 6 months for security and troubleshooting.
- Backup Copies: Retained for up to 90 days and securely overwritten thereafter.
07 Your GDPR Rights
Under the General Data Protection Regulation (GDPR/RODO), you have the following rights regarding your personal data. These rights are exercisable free of charge:
1. Right of Access (Art. 15)
You have the right to request confirmation of whether we process your data, and if so, access to that data along with information about the processing purposes, categories of data, recipients, retention periods, and your other rights.
2. Right to Rectification (Art. 16)
You have the right to request correction of inaccurate or incomplete personal data. You can update most of your account information directly through your profile settings.
3. Right to Erasure ("Right to be Forgotten") (Art. 17)
You have the right to request deletion of your personal data when it is no longer necessary for the purposes it was collected, you withdraw consent, or you object to processing. Account deletion can be initiated via your account settings or by contacting us directly.
4. Right to Restrict Processing (Art. 18)
You have the right to request restriction of processing in certain circumstances, including contesting data accuracy, objecting to unlawful processing, or while a complaint is being investigated.
5. Right to Data Portability (Art. 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON) and to transmit that data to another controller without hindrance.
6. Right to Object (Art. 21)
You have the right to object to processing based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
7. Rights Related to Automated Decision-Making (Art. 22)
You have the right not to be subject to decisions based solely on automated processing that produces legal effects. Our platform does not engage in automated decision-making with legal consequences.
8. Right to Lodge a Complaint (Art. 77)
You have the right to lodge a complaint with a supervisory authority, particularly in your Member State of residence. In Poland, the supervisory authority is:
Prezes Urzędu Ochrony Danych Osobowych (PUODO)
Stawki 2, 00-193 Warsaw, Poland
uodo.gov.pl
08 Cookies & Tracking
We use a minimal number of cookies, all of which are strictly functional or essential. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
Cookies We Use
- Session Cookie: Essential for maintaining your logged-in session. Expires when you close your browser.
- Remember Me Cookie: If you select "Remember Me" on login, a persistent cookie allows your session to persist for up to 30 days.
- CSRF Token Cookie: Security cookie to protect against cross-site request forgery attacks.
Cookie Management
You can control cookies through your browser settings. Disabling essential cookies may prevent the platform from functioning correctly. We do not require cookie consent banners because we do not use non-essential cookies.
Local Storage
We may use browser localStorage as a fallback mechanism (e.g., for registration if the server is temporarily unreachable). This data is stored locally on your device and is not transmitted to us unless you complete the registration action.
09 Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
Technical Measures
- Password Hashing: All passwords are hashed using bcrypt with a cost factor of 12. Plaintext passwords are never stored.
- HTTPS/TLS: All data transmitted between your browser and our servers is encrypted using TLS 1.3.
- File Storage: JSON data files are stored with restrictive permissions outside the web root where possible.
- Rate Limiting: Login and registration endpoints are rate-limited to prevent brute-force attacks.
- Input Validation: All user inputs are validated and sanitized on both client and server sides.
- Security Headers: We implement Content Security Policy, X-Frame-Options, X-Content-Type-Options, and other security headers.
Organizational Measures
- Regular security audits and vulnerability assessments
- Strict access controls — only the platform owner has server-level access
- Incident response procedures for data breaches
- Regular backup and disaster recovery testing
10 Contact & Owner Rights
Data Controller
The data controller responsible for your personal data is the owner and operator of the frozy.lol platform.
Contact Information
For all privacy-related inquiries, data subject requests, or complaints, please contact:
- Email: privacy@frozy.lol
- Platform: frozy.lol
- Jurisdiction: Poland (Warsaw)
Owner Rights
The platform owner reserves the following rights regarding data and privacy:
- Right to Modify: The owner reserves the right to modify this Privacy Policy at any time. Users will be notified of material changes via email or a platform notice.
- Right to Process: The owner may process user data as described in this policy for the legitimate operation of the platform.
- Right to Delegate: The owner may engage data processors (e.g., hosting providers) under strict data processing agreements.
- Right to Enforce: The owner may restrict or terminate accounts that violate the Terms of Service or engage in abusive behavior.
- Right to Retain: The owner may retain certain data where required by Polish law, even after account deletion.
Data Protection Officer (DPO)
As a small-scale platform, we do not maintain a designated Data Protection Officer under Article 37 of the GDPR. However, all privacy-related matters are handled directly by the platform owner. You can reach us at the email address above for any data protection concerns.