Legal document

Privacy Policy

Effective from: {{EFFECTIVE_DATE}}

⚠️ Draft: this document contains placeholders marked {{...}}. Final text from the fire-gem legal team is required before publication. This is not a binding contract.

This Privacy Policy describes how Cerium ({{COMPANY_NAME}}, {{COMPANY_ADDRESS}}, NIP: {{COMPANY_NIP}}) processes your personal data.

1. Data controller

The controller of your personal data is {{COMPANY_NAME}} based in {{COMPANY_ADDRESS}}, NIP: {{COMPANY_NIP}}, KRS: {{COMPANY_KRS}}.

GDPR contact: {{DPO_EMAIL}} (Data Protection Officer) or {{EMAIL_KONTAKT}}.

If you use Cerium as a school's software, the school is a separate controller of its students', parents' and teachers' data, and Cerium acts as a processor (DPA available in the panel).

2. What data we collect

Account data: first/last name, email, password (bcrypt-hashed), role in the organization.

School data: name, VAT ID, address, billing details.

Operational data: lessons, grades, attendance, notes, invoices, messages, materials — entered by Users.

Technical data: IP address, session ID, browser type, login timestamp (stored in login_audit_logs for {{IP_RETENTION_DAYS}} days — for account security).

Payment data: handled exclusively by Stripe Payments Europe Ltd. — Cerium does not store card numbers.

Cookies: see section 8.

4. Retention

Account data: contract duration + 90 days after termination (archive), then permanent deletion.

Invoices and accounting data: 5 years (Polish Accounting Act).

Login logs (IP, user-agent): {{IP_RETENTION_DAYS}} days, then auto-deleted.

Complaint data: up to 3 years (statutory limitation).

Database backups: rotation up to 30 days.

5. Recipients (processors)

Stripe Payments Europe Ltd. (Ireland) — card payments; transfer outside EEA to Stripe Inc. (USA) under SCC.

Hetzner Online GmbH (Germany) — database, file (S3), and Jitsi server hosting. No transfer outside EEA.

Zoho Corporation (ZeptoMail, EU) — transactional email. No transfer outside EEA.

Cloudflare, Inc. (USA) — CDN and Cloudflare Tunnel (HTTPS proxy). Transfer outside EEA under SCC and DPF.

fire-gem.com (Poland) — Cerium technical operator, under processing agreement.

6. Your rights

Right of access (art. 15 GDPR).

Right to rectification (art. 16 GDPR).

Right to erasure (art. 17 GDPR) — except data we must retain by law (e.g., invoices).

Right to restriction (art. 18 GDPR).

Right to data portability (art. 20 GDPR).

Right to object (art. 21 GDPR) — for processing based on legitimate interest.

Right to withdraw consent at any time (art. 7(3) GDPR).

Right to lodge a complaint with the Polish DPA (https://uodo.gov.pl).

7. How to exercise rights

Email {{DPO_EMAIL}} with your request.

We respond within 30 days — extended to 90 days in exceptional cases (with notice).

Free of charge — except for unfounded or excessive requests (we may charge a reasonable administrative fee).

8. Cookies

Cerium uses cookies in two categories:

Essential cookies (always active): logged-in user session (next-auth), tenant switching (activeTenantId), cookie consent (cerium-cookie-consent).

Analytics cookies (optional, require consent): not currently active — future GA4/Meta Pixel with Consent Mode v2.

You can change your decision at any time by clearing cookie settings in your browser — the banner will reappear.

9. Security

Passwords hashed with bcrypt (10 rounds).

HTTPS (TLS 1.3) on all endpoints.

Rate limiting on critical endpoints (login, contact, support, chat).

Tenant isolation at the SQL query level (tenantId filtering).

Daily database backups with 30-day rotation.

Breach monitoring (login_audit_logs, limit_events).

10. Contact

Privacy matters: write to {{DPO_EMAIL}}.

Mailing address: {{COMPANY_NAME}}, {{COMPANY_ADDRESS}}.

Full Policy effective from {{EFFECTIVE_DATE}}.