Last updated: April 21, 2026
Effective date: April 21, 2026
This Privacy Policy explains how WebCrafters Sp. z o.o. ("GetPureProof", "we", "us", "our") collects, uses, stores, and shares personal data when you use the GetPureProof platform, website, dashboard, recording widget, embed widgets, and related services (the "Service").
We take privacy seriously. This document is written to comply with the EU General Data Protection Regulation (GDPR), the Polish Personal Data Protection Act, and the EU ePrivacy Directive.
If anything is unclear, email us at contact@getpureproof.com.
1. Who we are (Data Controller)
The Service is operated by:
WebCrafters Spółka z ograniczoną odpowiedzialnością
ul. Niedźwiedzia 19/1, 02-737 Warszawa, Poland
- KRS: 0000696763
- NIP: 5252724527
- REGON: 368410075
- Share capital: PLN 5,000.00 (fully paid)
- Registry court: Sąd Rejonowy dla m.st. Warszawy w Warszawie, XIII Wydział Gospodarczy KRS
For all privacy-related inquiries, including data subject rights requests under GDPR:
Email: contact@getpureproof.com
We have not appointed a formal Data Protection Officer (DPO), as we are not legally required to do so under Article 37 GDPR. The person responsible for data protection matters can be reached at the email above.
2. Roles: Controller vs Processor
GetPureProof acts in two distinct roles depending on the data:
2.1 We are the Data Controller for:
- Data of our Customers (the people who register accounts and pay for subscriptions) — including account, billing, and usage data.
- Data of website visitors (analytics, cookies, marketing data).
2.2 We are a Data Processor for:
- Data submitted by End Users of our Customers (typically people recording video testimonials through Spaces created by Customers).
- In this scenario, our Customer is the Data Controller and we process the data on their behalf, in accordance with our Terms of Service and any applicable Data Processing Agreement (DPA).
This distinction matters because it determines who is responsible for what — for example, our Customer is responsible for obtaining valid consent from their End Users to record testimonials.
3. What data we collect
3.1 Data you provide (Customer account)
- Account data: name, email address, password (stored as a one-way hash — we never see your plaintext password).
- Billing data: company name, billing address, VAT/tax ID, payment method details. Card details are processed and stored by Stripe — we never see or store your full card number.
- Branding data: logos, colors, company information you upload to customize your Spaces.
- Communication data: messages you send to support, feedback, survey responses.
3.2 Data your End Users provide (testimonials)
When End Users record testimonials through your Spaces, we process on your behalf:
- Video and audio recordings.
- Respondent metadata: name, email, role, company, and any custom fields you configure.
- Consent records: confirmation of agreement to your terms and recording consent.
- Technical metadata: timestamp, browser type, country (derived from IP, not stored as IP).
3.3 Data we collect automatically
- Usage data: pages viewed, features used, clicks, session duration, dashboard activity.
- Device and connection data: IP address (hashed for rate-limiting purposes — see §6), browser type and version, operating system, screen resolution, language, time zone.
- Cookies and similar technologies — see §7 below for the full breakdown.
3.4 Data we do NOT collect
- We do not buy or enrich your data from third-party data brokers.
- We do not collect special categories of personal data (race, religion, political opinions, health) intentionally. If you submit such data through testimonials, it is your responsibility to ensure proper consent and lawful basis.
- We do not use your Content or your End Users' Content to train AI models. Ever.
4. Why we collect data and on what legal basis
Under Article 6 GDPR, every processing activity must have a legal basis. Here is ours:
| Purpose | Data used | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Provide the Service (account creation, login, video hosting) | Account, usage, technical data | Contract performance — Art. 6(1)(b) |
| Process payments and manage subscriptions | Billing, payment method | Contract performance — Art. 6(1)(b) |
| Comply with tax, accounting, and legal obligations | Billing, invoice data | Legal obligation — Art. 6(1)(c) |
| Customer support and communication | Account, communication data | Contract performance — Art. 6(1)(b) |
| Service improvement, analytics, security monitoring | Usage data, IP (hashed), aggregated metrics | Legitimate interest — Art. 6(1)(f) |
| Marketing emails about our Service | Email, name | Consent — Art. 6(1)(a), with opt-out |
| Cookies for analytics and marketing (GA4, Meta Pixel) | Cookie identifiers, device data | Consent — Art. 6(1)(a), via cookie banner |
| Process End User testimonials on Customer's behalf | Video, audio, respondent metadata | Acting as Processor on Customer's instructions |
When we rely on legitimate interest, we balance our interest against your rights. You can object at any time by emailing contact@getpureproof.com.
When we rely on consent, you can withdraw it at any time without affecting prior processing.
5. Sub-processors: who else handles your data
To deliver the Service, we share data with carefully selected third-party processors. All sub-processors are bound by Data Processing Agreements (DPAs) and must comply with GDPR-equivalent standards.
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing, subscription management | Billing data, payment method, transaction details | USA (DPF certified) |
| Cloudflare, Inc. | Content delivery, video storage (R2), DDoS protection | Video files, request metadata, IP for security | USA / global edge (SCC + DPF) |
| Supabase, Inc. | Database, authentication, transactional email delivery | Account data, usage logs, system emails | USA / EU (SCC) |
| Google LLC (Google Analytics 4) | Website and product usage analytics | Cookie identifiers, page views, device data | USA (DPF certified) |
| Meta Platforms, Inc. (Meta Pixel) | Marketing analytics, ad attribution | Cookie identifiers, conversion events | USA (DPF certified) |
| Google LLC (Google Tag Manager) | Tag and consent orchestration | Same as underlying tags fired | USA (DPF certified) |
5.1 Future sub-processors
We may engage additional third-party providers as the Service evolves — for example, dedicated transactional email providers (such as Resend, Postmark, SendGrid, or AWS SES), error monitoring tools, customer support tools, or analytics platforms. We will update this list and notify Customers of material changes via email at least 30 days before any new sub-processor processes Customer data.
If you wish to object to a new sub-processor, you may terminate your Subscription before the change takes effect.
5.2 International data transfers
Some of our sub-processors are located outside the European Economic Area (EEA), primarily in the United States. For these transfers, we rely on the following lawful transfer mechanisms under Chapter V GDPR:
- EU-US Data Privacy Framework (DPF) — for sub-processors that are DPF-certified (Stripe, Google, Meta, Cloudflare).
- Standard Contractual Clauses (SCC) — adopted by the European Commission, signed with each sub-processor where DPF does not apply.
- Supplementary measures — including encryption in transit and at rest, where applicable.
You can request a copy of the relevant transfer documentation by contacting us.
6. How long we keep your data (retention)
We keep personal data only as long as necessary for the purposes described above. Specific retention periods:
| Data category | Retention period | Reason |
|---|---|---|
| Account data (active account) | For the duration of your Subscription | Service delivery |
| Account and Content data (after cancellation) | 30 days read-only access for export, then permanent deletion | Grace period (per Terms of Service §7.4) |
| Account data (severe ToS violation) | Immediate deletion of Content; account record retained as needed for legal defense | Legitimate interest, legal claims |
| Billing and invoice data | 5 years from end of fiscal year | Polish Accounting Act (Ustawa o rachunkowości, Art. 74) |
| Tax records | 5 years | Polish Tax Ordinance (Ordynacja podatkowa) |
| Hashed IP addresses (rate limiting, abuse prevention) | 12 months | Legitimate interest — security |
| Server and access logs | 12 months | Legitimate interest — security, debugging |
| Marketing email subscribers | Until you unsubscribe | Consent withdrawal |
| Analytics data (GA4, Meta Pixel) | Up to 14 months (GA4 default) | Consent — see cookie banner |
| Support communication | 3 years after last contact | Legitimate interest — service improvement |
After the applicable retention period, data is permanently and irreversibly deleted from our production systems and from our infrastructure providers (subject to standard backup rotation cycles, typically 30 days).
7. Cookies and similar technologies
We use cookies and similar technologies to operate the Service, understand usage, and (with your consent) measure marketing effectiveness.
7.1 Your cookie choices
When you first visit our website, a cookie banner lets you accept or reject non-essential cookies. You can change your preferences at any time via the cookie settings link in the footer.
We respect GDPR Consent Mode v2 — if you reject analytics or marketing cookies, no tracking pixels fire and no identifiers are sent.
7.2 Cookies we use
| Cookie / technology | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
| `sb-access-token`, `sb-refresh-token` | Supabase | Keep you logged in to your account | Strictly necessary | Session / 1 week |
| `cookie-consent` | GetPureProof | Remember your cookie preferences | Strictly necessary | 12 months |
| `_ga`, `_ga_*` | Google Analytics 4 | Anonymous usage analytics | Analytics (consent) | 2 years |
| `_gid` | Google Analytics 4 | Distinguish users across pages | Analytics (consent) | 24 hours |
| `_fbp` | Meta Pixel | Marketing attribution and remarketing | Marketing (consent) | 3 months |
| `fr` | Meta Pixel | Ad delivery and measurement | Marketing (consent) | 3 months |
| GTM container | Google Tag Manager | Orchestrates other tags based on consent | Strictly necessary | Session |
Strictly necessary cookies are required for the Service to function and do not require consent under EU law.
Analytics and marketing cookies are loaded only after you grant consent via the cookie banner.
We may add or change cookies as the Service evolves. Material changes will be reflected in this Privacy Policy.
8. Your rights under GDPR
If we hold personal data about you, you have the following rights under Articles 15–22 GDPR:
- Right of access (Art. 15) — request a copy of the data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18) — limit how we use your data in certain cases.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format and transfer it to another provider.
- Right to object (Art. 21) — object to processing based on legitimate interest, including profiling.
- Right to withdraw consent (Art. 7(3)) — withdraw consent at any time, without affecting prior lawful processing.
- Right not to be subject to automated decision-making (Art. 22) — we do not make decisions about you using fully automated profiling.
8.1 How to exercise your rights
Email contact@getpureproof.com with your request. We will respond within 30 days (extendable by 60 days for complex requests, with notice).
We may need to verify your identity before fulfilling certain requests to prevent unauthorized data disclosure.
8.2 Right to lodge a complaint
If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Polish Data Protection Authority:
Prezes Urzędu Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
Website: uodo.gov.pl
If you reside in another EU member state, you can also lodge a complaint with your local data protection authority.
9. Data security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit — all traffic uses TLS 1.2+ (HTTPS).
- Encryption at rest — videos and database content are encrypted at rest at the infrastructure level (Cloudflare R2, Supabase).
- Access control — role-based access to production systems, principle of least privilege.
- Authentication — passwords stored as one-way hashes (bcrypt/argon2 via Supabase Auth).
- Signed URLs — private videos accessible only via short-lived signed URLs (default 1 hour).
- Network security — Cloudflare DDoS protection, rate limiting, WAF.
- Backup and recovery — automated backups with documented restoration procedures.
- Monitoring — server and application logs reviewed for anomalies.
No system is 100% secure. If we become aware of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Polish Data Protection Authority (UODO) within 72 hours of becoming aware, as required by Article 33 GDPR.
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR).
10. Children's privacy
The Service is not directed at children. We do not knowingly collect personal data from anyone under 16 years old (the minimum age for data processing consent under Polish law implementing Article 8 GDPR).
If you become aware that a child has provided us with personal data, contact us at contact@getpureproof.com and we will delete the data without undue delay.
Customers using the Service to collect testimonials are responsible for ensuring that End Users meet the minimum age requirements applicable in their jurisdiction.
11. Marketing communications
We may send you:
- Transactional emails (account confirmations, billing receipts, security alerts, important Service updates) — these are necessary for the Service and cannot be opted out of while your account is active.
- Marketing emails (product updates, blog posts, tips) — sent only with your consent. You can unsubscribe at any time via the link in any marketing email or by emailing contact@getpureproof.com.
12. Third-party links and embedded content
The Service may contain links to third-party websites or display content embedded on third-party sites (e.g., when our widget is embedded on a Customer's website).
We are not responsible for the privacy practices of third-party websites. When you visit a third-party site, that site's privacy policy applies.
When our embed widget loads on a Customer's website, the widget itself does not set tracking cookies on visitors. Video playback may use technical cookies necessary for streaming, which are not used for cross-site tracking.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the latest revision.
For material changes (e.g., new categories of data collected, new sub-processors, changes to retention), we will notify Customers by email at least 30 days before the change takes effect.
For non-material changes (clarifications, formatting), we may update without notice.
Continued use of the Service after the effective date constitutes acceptance of the revised Privacy Policy.
14. Contact
For any privacy-related question, request, or complaint:
WebCrafters Sp. z o.o.
ul. Niedźwiedzia 19/1, 02-737 Warszawa, Poland
Email: contact@getpureproof.com
Contact form: getpureproof.com/contact-us
For general terms governing your use of the Service, see our Terms of Service.