Website Privacy Policy
For webappski.com and TypelessForm Marketing Website
Last Updated: March 13, 2026
Website Owner: Victoria Isayeuskaya, sole proprietorship (jednoosobowa działalność gospodarcza) ul. Staniszewskiego 19b 81-603 Gdynia, Poland VAT ID (EU): PL5862405795 Email: info@webappski.com
1. Introduction
This Privacy Policy explains how we collect, use, and protect your personal information when you visit our marketing websites at webappski.com, typelessform.com, or related subdomains (collectively, the "Website"), and when you use the TypelessForm portal and related services.
Scope: This Privacy Policy applies to our Websites (webappski.com, typelessform.com) and the TypelessForm portal. It does NOT apply to:
- End users of TypelessForm widget on third-party websites (see "Privacy Policy for End Users")
- Business clients using TypelessForm services (see "Terms of Service" and "Data Processing Agreement")
2. Data We Collect
2.1 Information You Provide
When you interact with our Website, you may provide:
Forms (Process Form, Early Access Form, Pilot Form, Product Form):
- Name
- Email address
- Phone number
- Company name
- Website URL
- Project details
- Billing address
- Tax ID
- Message or inquiry
Forms are submitted via Formspree, a third-party form processing service (US-based). By submitting a form, you consent to your data being processed by Formspree in accordance with their privacy policy.
Legal basis: Art. 6(1)(a) GDPR (consent via checkbox on each form).
Retention: As long as needed to process the inquiry, then deleted.
Portal Account Registration (via Google OAuth):
- Firebase UID
- Email address
- Display name
- Profile photo URL
Account registration is handled through Firebase Authentication using Google OAuth. We do not collect or store your Google account password.
Legal basis: Art. 6(1)(b) GDPR — performance of contract (providing portal access and services).
Retention: Until account deletion. Users can request account deletion at any time by contacting info@webappski.com.
Newsletter Subscription (not yet active):
- Email address
- Name (optional)
Support Inquiries:
- Name, email, account details
- Technical information about your issue
- Screenshots or attachments (if you provide them)
2.2 Automatically Collected Information
When you visit our Website, we automatically collect:
Technical Data:
- Timestamps of page visits
- IP addresses are stored ONLY in server access/error logs for 90 days for security and fraud prevention purposes
- Server logs (access logs for security purposes; retention see §5)
- Error logs (if technical issues occur)
Legal basis for technical logging: Legitimate interests (GDPR Art. 6(1)(f), Recital 49 — network and information security).
2.3 Website Analytics (Google Analytics 4)
With your consent (via our cookie consent banner), we use Google Analytics 4 (provided by Google LLC / Google Ireland Limited) to understand how visitors interact with our Website.
Data Collected by Google Analytics:
- Pages visited and navigation paths
- Session duration and bounce rate
- Referral source (how you found our Website — search engine, direct link, social media, etc.)
- Device type (desktop, mobile, tablet)
- Operating system and browser type/version
- Screen resolution
- Approximate geographic location (city-level, derived from IP address)
- Language preference
What Google Analytics Does NOT Collect (as configured by us):
- ❌ Your name, email, or any form data
- ❌ Precise geolocation (GPS coordinates)
- ❌ Cross-site tracking or advertising profiles
IP Anonymization: Google Analytics 4 does not log or store IP addresses. Google uses IP addresses transiently for geographic approximation and then discards them.
Google Signals: Google Signals is disabled in our configuration. We do not collect cross-device tracking data or demographic/interest data from Google accounts.
Data Sharing with Google: We have disabled data sharing for Google advertising products. Analytics data is NOT used for Google Ads personalization or remarketing.
Legal basis: Consent (GDPR Art. 6(1)(a)) — Analytics cookies are set ONLY after you click "Accept" on our cookie consent banner. If you decline or ignore the banner, no analytics data is collected.
Opt-out: You can withdraw consent at any time via the cookie settings link in our Website footer, or by installing the Google Analytics Opt-out Browser Add-on.
Retention: See Section 5 (Data Retention).
2.4 Subscription & Billing Data
If you subscribe to a paid plan, we collect and store:
- Subscription tier (Pilot, Starter, Professional, or Enterprise)
- Billing cycle dates
- Usage metrics (form-fill counts)
- Subscription status
All payment processing is handled by Stripe, Inc., which is PCI DSS Level 1 compliant. We do NOT store credit card numbers or payment card details. Stripe handles all card data directly. We receive only a confirmation of payment status and subscription identifiers from Stripe.
Legal basis: Art. 6(1)(b) GDPR — performance of contract.
Retention: Billing records are kept for 5 years per tax and accounting requirements.
2.5 API Key Management
Developer accounts may generate API keys for integration purposes:
- API keys are stored as cryptographic hashes (not in plaintext)
- The full API key is shown only once upon creation
- Keys can be regenerated at any time; the old key is immediately invalidated
- Per-key domain allowlists are stored for access control
Retention: Until account deletion or key regeneration.
2.6 Usage Tracking
We track the following data to provide and maintain our services:
- Monthly form-fill counts per account
- Lifetime usage totals
- Rate limit counters (to prevent abuse)
- Per-key domain allowlists (for access control)
Legal basis: Art. 6(1)(b) GDPR (contract — providing the subscribed service) and Art. 6(1)(f) GDPR (legitimate interest — abuse prevention and rate limiting).
3. How We Use Your Data
3.1 Purpose
We use your data for:
- Provide Services:
  - Respond to form inquiries
  - Process account registrations
  - Manage subscriptions and billing
  - Provide customer support
  - Generate and manage API keys
- Marketing Communications:
  - Send newsletters (if you subscribed)
  - Send product updates and announcements
  - Send promotional offers (with opt-out option)
- Website Analytics (with your consent):
  - Understand how visitors use our Website (pages visited, navigation patterns, session duration)
  - Measure effectiveness of marketing campaigns and referral sources
  - Identify popular content and areas for improvement
  - Improve Website design and user experience
  - Identify technical issues
- Legal Compliance:
  - Comply with tax and accounting requirements
  - Respond to legal requests (court orders, subpoenas)
  - Prevent fraud and abuse
3.2 Legal Basis (GDPR Article 6)
- Consent (Article 6(1)(a)): Form submissions (via checkbox), newsletter subscriptions, website analytics cookies (Google Analytics — only with your explicit consent via cookie banner)
- Contract (Article 6(1)(b)): Account management, subscription and billing, API key management, usage tracking, customer support
- Legitimate Interests (Article 6(1)(f)): Security logging (IP, timestamps), fraud prevention, abuse prevention (rate limiting)
- Legal Obligation (Article 6(1)(c)): Tax records, billing record retention, legal requests
4. Data Sharing & Third Parties
4.1 Service Providers (Sub-processors)
We share your data with the following trusted third-party service providers:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Google Cloud Platform / Firebase | Hosting, Authentication, Database (Firestore) | All portal and account data | EU (europe-central2) |
| Google LLC / Google Ireland Ltd (Google Analytics 4) | Website analytics (with user consent) | Pages visited, session data, device/browser info, approximate location (city-level) — see §2.6 | EU/US |
| Stripe, Inc. | Payment processing | Billing data, payment card information | EU/US |
| Formspree | Contact/inquiry form processing | Name, email, phone, project details | US |
| Google Fonts | Web font delivery | IP address (implicit with font requests) | Global CDN |
All service providers:
- Are bound by contracts requiring GDPR compliance
- Use data only as instructed by us
4.2 Legal Disclosures
We may disclose your data if required by law:
- Court orders or subpoenas
- Law enforcement requests
- Protection of our rights or safety
- Fraud investigations
4.3 Business Transfers
If we are acquired or merge with another company:
- Your data may be transferred to the new owner
- You will be notified as soon as reasonably practicable (confidentiality requirements may delay notification)
- New owner must honor this Privacy Policy or obtain your consent for changes
4.4 No Sale of Data
We do NOT sell your personal data to third parties for marketing purposes.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Form inquiries (Process, Early Access, Pilot, Product) | As long as needed to process the inquiry |
| Portal account data (active) | Duration of account |
| Portal account data (deleted) | 30 days after deletion request |
| Newsletter subscriptions | Until you unsubscribe + 30 days |
| Billing and subscription records | 5 years (tax/accounting requirements) |
| API keys | Until account deletion or key regeneration |
| Usage metrics | Duration of account |
| Server logs (IP, timestamps, errors) | 90 days |
| Google Analytics data | 14 months (configurable; default GA4 retention) |
After the retention period, data is permanently deleted.
6. Your Rights (GDPR)
As a data subject in the European Union, you have the following rights:
6.1 Right to Access (Article 15)
You can request a copy of your personal data we hold.
How: Email info@webappski.com with subject "GDPR Access Request"
6.2 Right to Rectification (Article 16)
You can request correction of inaccurate data.
How: Email info@webappski.com or update your account settings
6.3 Right to Erasure (Article 17 - "Right to be Forgotten")
You can request deletion of your data, including your portal account and all associated data.
How: Email info@webappski.com with subject "GDPR Deletion Request"
Exceptions: We may retain data if legally required (e.g., billing records for 5 years per tax requirements)
6.4 Right to Restrict Processing (Article 18)
You can request we limit how we use your data.
How: Email info@webappski.com with subject "GDPR Restriction Request"
6.5 Right to Data Portability (Article 20)
You can receive your data in machine-readable format (JSON, CSV).
How: Email info@webappski.com with subject "GDPR Portability Request"
6.6 Right to Object (Article 21)
You can object to:
- Direct marketing (unsubscribe link in emails)
- Processing based on legitimate interests
- Automated decision-making (we do NOT use automated decisions)
6.7 Right to Withdraw Consent (Article 7(3))
For consent-based processing (form submissions, newsletter, analytics cookies):
- Analytics cookies: Click the "Cookie Settings" link in the Website footer to change your preferences at any time. You may also install the Google Analytics Opt-out Browser Add-on.
- Newsletter: Click unsubscribe link in any email
- Form data: Contact us to request deletion of your submitted form data
Withdrawal of consent does not affect the lawfulness of processing performed before the withdrawal.
6.8 Right to Lodge a Complaint
You can file a complaint with your data protection authority:
Poland: Urząd Ochrony Danych Osobowych (UODO) Website: https://uodo.gov.pl/ Email: kancelaria@uodo.gov.pl
Your Country: Find your authority at https://edpb.europa.eu/about-edpb/board/members_en
Response Time: We will respond to your requests within 30 days (may extend to 60 days for complex requests). We will inform you of any extension within the first 30 days, along with reasons for the delay.
7. International Data Transfers
Some of our sub-processors operate outside the European Union. We ensure that all international transfers are protected by appropriate safeguards:
- Google Cloud Platform / Firebase: Data is stored in the EU region (europe-central2). Google LLC complies with the EU-US Data Privacy Framework.
- Google Analytics 4: Analytics data may be processed in the EU and US. Google LLC complies with the EU-US Data Privacy Framework. IP addresses are NOT logged or stored by GA4. Analytics data is collected only with your consent (cookie banner). We have configured GA4 to disable Google Signals, disable data sharing for advertising, and set data retention to 14 months.
- Stripe: Payment data may be processed in the EU and US. Stripe, Inc. complies with the EU-US Data Privacy Framework and maintains PCI DSS Level 1 certification.
- Formspree: US-based service. Data transfer is based on Standard Contractual Clauses (SCCs).
- Google Fonts: Font files are served from a global CDN. Google LLC complies with the EU-US Data Privacy Framework. Only IP addresses are transmitted with font requests; no personal data is stored by the service.
Additional Safeguards:
- Encryption in transit (TLS 1.2+)
- Encryption at rest (AES-256)
- Access controls
- Data minimization
- Regular security audits
8. Security Measures
We implement industry-standard security measures:
Technical Measures:
- Encryption: HTTPS (TLS 1.2+) for all website traffic
- Secure hosting: Google Cloud Platform with DDoS protection
- Access control: Multi-factor authentication for admin accounts
- API key security: Keys stored as cryptographic hashes, not plaintext
- Regular updates: Security patches applied promptly
Organizational Measures:
- Staff training: GDPR awareness training for all staff
- Data minimization: Collect only necessary data
- Access limitation: Data accessible only to authorized personnel
- Incident response plan: 72-hour breach notification to authorities (GDPR Article 33)
Limitations: No security is 100% perfect. We cannot guarantee absolute security, but we use commercially reasonable efforts.
9. Cookies & Local Storage
9.1 What Are Cookies?
Cookies are small text files stored on your device by websites you visit. Local storage is a similar browser mechanism for storing data locally.
9.2 Cookie Consent
When you first visit our Website, a cookie consent banner is displayed. You may:
- Accept all cookies — strictly necessary + analytics cookies are set
- Accept only necessary cookies — only strictly necessary cookies are set; no analytics
- Change preferences later — click the "Cookie Settings" link in the Website footer at any time
No analytics cookies are set until you explicitly consent. If you dismiss or ignore the banner, only strictly necessary cookies are used.
Your consent preference is stored in a cookie (cookie_consent) so we do not ask you again on every visit. This preference cookie is itself strictly necessary (no consent required for it).
9.3 Strictly Necessary Cookies (No Consent Required)
These cookies are essential for the Website to function. They cannot be disabled.
| Cookie / Storage | Purpose | Duration | Provider |
|---|---|---|---|
| Firebase Authentication Session | Maintains your logged-in session in the portal | Session / persistent (until logout) | Google Firebase |
| cookie_consent | Stores your cookie consent preference | 12 months | webappski.com (first-party) |
| localStorage: language | Stores your preferred language (en, de, ru, pl) | Persistent (until cleared) | webappski.com (first-party) |
| localStorage: theme | Stores your preferred display theme (light/dark) | Persistent (until cleared) | webappski.com (first-party) |
Legal basis: Strictly necessary — GDPR Art. 6(1)(f) and ePrivacy Directive Art. 5(3) exemption. No consent required.
9.4 Analytics Cookies (Consent Required)
These cookies are set only if you click "Accept" on the cookie consent banner. They help us understand how visitors use our Website.
| Cookie | Purpose | Duration | Provider |
|---|---|---|---|
| _ga | Distinguishes unique visitors (Google Analytics 4) | 2 years | Google LLC |
| _ga_<MEASUREMENT_ID> | Maintains session state (Google Analytics 4) | 2 years | Google LLC |
What these cookies do:
- Count the number of visitors and sessions
- Track which pages are visited and in what order
- Measure session duration and bounce rate
- Determine referral sources (search engine, direct link, social media)
- Collect device/browser/OS information (anonymized)
- Approximate geographic location (city-level, from IP — IP itself is NOT stored by GA4)
What these cookies do NOT do:
- ❌ Track you across other websites
- ❌ Build advertising or marketing profiles
- ❌ Collect your name, email, or any personal identifiers
- ❌ Enable Google Ads remarketing or personalization (disabled in our configuration)
Legal basis: Consent (GDPR Art. 6(1)(a)) — set only after explicit user consent via cookie banner.
Opt-out options:
- Click "Cookie Settings" in the Website footer and withdraw consent
- Install the Google Analytics Opt-out Browser Add-on
- Block third-party cookies in your browser settings
- Use your browser's "Do Not Track" signal (we respect DNT — see §12.4)
9.5 What We Do NOT Use
- NO marketing cookies
- NO advertising cookies (Facebook Pixel, Google Ads remarketing, etc.)
- NO cross-site tracking cookies
- NO social media tracking pixels
- NO fingerprinting or similar tracking technologies
9.6 Cookie Management
Via Our Website: Click the "Cookie Settings" link in the Website footer to change your cookie preferences at any time.
Via Browser Settings: You can block cookies and clear local storage via browser settings:
- Chrome: Settings > Privacy > Cookies
- Firefox: Settings > Privacy > Cookies
- Safari: Preferences > Privacy > Cookies
Note: Blocking strictly necessary cookies may break Website functionality (e.g., cannot log in to the portal). Blocking analytics cookies will NOT affect Website functionality.
10. Demo Widget Notice
Our Website includes a live demonstration of the TypelessForm voice-powered form widget. Any voice input provided during the demo is processed according to our separate Privacy Policy for End Users, which covers how voice data is handled, processed, and retained. The demo widget does not store or retain any voice recordings beyond the active session.
11. Children's Privacy
Age Restriction: Our Website is NOT intended for children under 16 years old (or lower age set by your country's law, but no lower than 13 years).
- We do NOT knowingly collect data from children under the applicable age limit
- If you are under the applicable age limit, DO NOT use our Website or provide personal data
- Parents: If you believe your child provided data, contact us immediately at info@webappski.com for deletion
12. Marketing Communications
12.1 Newsletter
Currently not active. Newsletter functionality will be implemented in the future. When available:
- We will send product updates, blog posts, and promotional offers
- You will be able to unsubscribe anytime (link in every email)
- Email open/click tracking will require your explicit opt-in consent during subscription
12.2 Transactional Emails
If you have an account:
- We send transactional emails (account creation, subscription confirmations, billing notifications)
- You CANNOT opt-out of transactional emails (necessary for service)
12.3 Promotional Emails
If you are an existing customer:
- We may send promotional emails about our Services (legitimate interest)
- You can opt-out anytime
12.4 Do Not Track
We respect "Do Not Track" (DNT) browser signals:
- If DNT is enabled, we treat it as if you declined analytics cookies — Google Analytics will NOT be loaded, regardless of cookie consent banner state
- Note: DNT is not a legally binding standard in the EU, but we honor it as a courtesy and as a best practice
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time.
Notification:
- Material changes (new processing purposes, new data categories, new recipients): Email notification to registered users + explicit consent required where legally mandated
- Minor changes (clarifications, contact details, formatting): Updated "Last Updated" date at top
Effective Date: Changes effective immediately upon posting.
Your Consent: For minor changes, continued use of Website after notification = acceptance. For material changes affecting your rights, we will seek your explicit consent where required by law.
14. Contact Information
For Privacy Inquiries: Email: info@webappski.com Subject: "Privacy Inquiry - Website"
For GDPR Requests: Email: info@webappski.com Subject: "GDPR Request - [Type: Access/Deletion/etc.]"
Postal Address: Victoria Isayeuskaya, sole proprietorship (jednoosobowa działalność gospodarcza) ul. Staniszewskiego 19b 81-603 Gdynia, Poland
Data Protection Authority (Poland): Urząd Ochrony Danych Osobowych (UODO) Website: https://uodo.gov.pl/ Email: kancelaria@uodo.gov.pl
15. California Privacy Rights (CCPA)
Applicability: This section applies only if we meet CCPA thresholds (25,000+ California residents/year or 50%+ revenue from data sales). As of the Last Updated date, we are not subject to CCPA requirements but provide this information for transparency.
If you are a California resident (US), you may have additional rights under CCPA:
15.1 Right to Know
You can request disclosure of:
- Categories of personal information collected
- Sources of personal information
- Business purpose for collection
- Third parties with whom we share data
15.2 Right to Delete
You can request deletion of your personal information (same as GDPR Right to Erasure).
15.3 Right to Opt-Out of Sale or Sharing (CPRA)
We do NOT sell or share your personal information for cross-context behavioral advertising or other purposes. No opt-out required.
15.4 Non-Discrimination
We will NOT discriminate against you for exercising CCPA rights (same prices, same service quality).
To Exercise CCPA Rights: Email: info@webappski.com Subject: "CCPA Request - [Type]"
Response Time: 45 days (may extend to 90 days for complex requests)
APPENDIX: Data Processing Record (GDPR Article 30)
Controller: Victoria Isayeuskaya, sole proprietorship (jednoosobowa działalność gospodarcza) Contact: info@webappski.com DPO: Not appointed (Article 37 GDPR does not require DPO for our current scale of operations. We will appoint a DPO if our processing activities meet the criteria under Article 37(1)(b) or (c).)
Categories of Data Subjects:
- Website visitors
- Newsletter subscribers
- Portal account holders
- Subscribers (paid plans)
- Support inquiries
Categories of Personal Data:
- Identification data: Name, email, Firebase UID, display name, profile photo URL
- Commercial data: Company name, billing address, tax ID, subscription tier, billing cycle dates
- Technical data: Browser, device, page views, IP (server logs only)
- Analytics data (with consent): Pages visited, session duration, referral source, device/browser type, approximate location (city-level) — via Google Analytics 4; IP addresses NOT stored by GA4
- Usage data: Form-fill counts, rate limit counters, API key hashes
Categories of Recipients (Sub-processors):
- Google Cloud Platform / Firebase (hosting, authentication, database — EU region)
- Google LLC / Google Ireland Ltd — Google Analytics 4 (website analytics, with consent — EU/US)
- Stripe, Inc. (payment processing — EU/US)
- Formspree (form processing — US)
- Google Fonts (web font delivery — global CDN)
Transfers to Third Countries:
- Stripe: EU/US — EU-US Data Privacy Framework
- Google Analytics 4: EU/US — EU-US Data Privacy Framework; IP addresses NOT stored; data collected only with consent
- Formspree: US — Standard Contractual Clauses (SCCs)
- Google Fonts: Global CDN — EU-US Data Privacy Framework (IP address only)
- Google Cloud / Firebase: EU region (europe-central2) — no transfer outside EU for stored data
Retention Periods:
- See Section 5 (Data Retention)
Security Measures:
- See Section 8 (Security Measures)
BY USING OUR WEBSITE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THIS PRIVACY POLICY.
Last Updated: March 13, 2026 Version: 2.2