§1. Data Controller

The controller of your personal data is Shellty IT Tomasz Skorupski, os. Bursztynowe 78/78, 72-005 Warzymice, Poland, Tax ID (NIP): 8513307050, e-mail: shellty@zohomail.eu.

§2. Data We Process

Depending on how you use the platform, we process:

CMS admin user accounts — name, email address and hashed password
CMS content — pages, blog posts, services, products and other assets created by the user
media files — photos and documents uploaded to the platform (stored via Cloudinary)
contact form submissions — message content, name, email address and subject
demo shop orders — order details without processing real payment data
technical data — IP addresses used solely for rate limiting (not stored long-term)

§3. Purpose and Legal Basis

We process your data for the following purposes:

providing and maintaining the CMS platform — Art. 6(1)(b) GDPR (performance of a contract)
handling contact form messages and correspondence — Art. 6(1)(b) GDPR
security and fraud prevention — Art. 6(1)(f) GDPR (legitimate interest)
compliance with legal obligations — Art. 6(1)(c) GDPR

§4. Recipients of Data

Your data may be shared with the following sub-processors:

MongoDB Atlas (MongoDB, Inc.) — database hosting (USA; standard contractual clauses)
Cloudinary Ltd. — media storage and CDN (USA; standard contractual clauses)
Resend Inc. — email delivery for contact form messages (USA; standard contractual clauses)
Vercel Inc. — application hosting (USA; standard contractual clauses)
Upstash Inc. — Redis for rate limiting; data auto-deleted after TTL expiry (USA)

We do not sell personal data to third parties.

§5. Retention Period

CMS admin account data is retained for the duration of the account. Contact form messages are retained for the time needed to respond. IP addresses used for rate limiting are deleted automatically after the time window expires.

§6. Your Rights

Under the GDPR you have the right to:

access your data and obtain a copy
rectify inaccurate data
erasure of data (right to be forgotten)
restriction of processing
data portability
object to processing
lodge a complaint with the supervisory authority (President of the UODO, ul. Stawki 2, 00-193 Warsaw, Poland)

To exercise your rights, contact us at: shellty@zohomail.eu.

§7. Cookies and Local Storage

The platform uses only browser local storage (localStorage) and session cookies for:

admin session — HttpOnly JWT token authenticating access to the CMS panel
cookie consent preference — remembering the user's cookie choice
demo shop cart — temporary storage of selected products

Optionally, only after the user gives consent, Google Tag Manager (GTM) is loaded to enable traffic analysis. We do not use tracking or advertising cookies without prior consent.

§8. Security

We apply technical security measures: connection encryption (HTTPS/TLS), password hashing, short-lived JWT tokens, rate limiting and HTTP security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy).

§9. Policy Changes

We will notify you of significant changes to this policy via an in-app notice or an email to your registered account address.

§10. Contact

Privacy enquiries: shellty@zohomail.eu. Last updated: 31 May 2026.

§2. Data We Process

Depending on how you use the platform, we process:

CMS admin user accounts — name, email address and hashed password

CMS content — pages, blog posts, services, products and other assets created by the user

media files — photos and documents uploaded to the platform (stored via Cloudinary)

contact form submissions — message content, name, email address and subject

demo shop orders — order details without processing real payment data

technical data — IP addresses used solely for rate limiting (not stored long-term)

§3. Purpose and Legal Basis

We process your data for the following purposes:

providing and maintaining the CMS platform — Art. 6(1)(b) GDPR (performance of a contract)

handling contact form messages and correspondence — Art. 6(1)(b) GDPR

security and fraud prevention — Art. 6(1)(f) GDPR (legitimate interest)

compliance with legal obligations — Art. 6(1)(c) GDPR

§4. Recipients of Data

Your data may be shared with the following sub-processors:

MongoDB Atlas (MongoDB, Inc.) — database hosting (USA; standard contractual clauses)

Cloudinary Ltd. — media storage and CDN (USA; standard contractual clauses)

Resend Inc. — email delivery for contact form messages (USA; standard contractual clauses)

Vercel Inc. — application hosting (USA; standard contractual clauses)

Upstash Inc. — Redis for rate limiting; data auto-deleted after TTL expiry (USA)

We do not sell personal data to third parties.

§6. Your Rights

Under the GDPR you have the right to:

access your data and obtain a copy

rectify inaccurate data

erasure of data (right to be forgotten)

restriction of processing

data portability

object to processing

lodge a complaint with the supervisory authority (President of the UODO, ul. Stawki 2, 00-193 Warsaw, Poland)

To exercise your rights, contact us at: shellty@zohomail.eu.

§7. Cookies and Local Storage

The platform uses only browser local storage (localStorage) and session cookies for:

admin session — HttpOnly JWT token authenticating access to the CMS panel

cookie consent preference — remembering the user's cookie choice

demo shop cart — temporary storage of selected products

Optionally, only after the user gives consent, Google Tag Manager (GTM) is loaded to enable traffic analysis. We do not use tracking or advertising cookies without prior consent.