GDPR — Your Rights

You have the right to know what data we process about you (art. 15 GDPR).

You have the right to rectification of inaccurate data (art. 16 GDPR).

You have the right to erasure — "right to be forgotten" (art. 17 GDPR).

You have the right to restrict processing (art. 18 GDPR).

You have the right to receive your data in machine-readable format and transfer it to another controller (art. 20 GDPR).

You have the right to object to processing (art. 21 GDPR).

{{DPO_NAME}} acts as DPO at {{COMPANY_NAME}}.

Contact: {{DPO_EMAIL}}.

The DPO answers all GDPR questions and handles user requests.

Most data is stored in the EU (Hetzner Online GmbH — Germany).

Stripe Inc. (USA) — payments: transferred under Standard Contractual Clauses (SCC) and Data Privacy Framework.

Cloudflare, Inc. (USA) — HTTPS proxy: SCC + DPF.

ZeptoMail (Zoho EU) — email: no transfer outside EEA.

Full processor list in Privacy Policy (section 5).

Email {{DPO_EMAIL}} with your request (e.g., "I'd like a copy of my data", "please delete my account").

Attach identity confirmation (an email from the address linked to your account is sufficient).

We respond within 30 days. In complex cases we may extend to 90 days — we'll notify you.

First request per year is free. Repeated or excessive requests may be subject to an administrative fee.

If you believe processing of your data violates GDPR, you may lodge a complaint with the President of the Polish Personal Data Protection Office:

Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa, https://uodo.gov.pl

We encourage you to contact our DPO first ({{DPO_EMAIL}}) — we can often resolve issues faster.

If you use Cerium as a school (SaaS client), your school is the controller of student/parent/teacher data, and Cerium acts as a processor.

We sign a Data Processing Agreement (DPA) with you — available in the panel under Settings → Documents.

You as controller are responsible for informing your users about processing and handling their GDPR requests.