1. Introduction & Scope

Welcome to Brevitive (the "Platform"), a global crowdsourced service for publishing, discovering and sharing news and articles. Brevitive is operated by Stanisław Brzeski IT ("we", "us", or "our"), a sole proprietorship registered in Poland.

This Privacy Policy ("Policy") explains what personal data we collect, why we collect it, how we process and protect it, with whom we share it, and what rights you have in relation to it. It applies to all users of the Platform, whether accessed via our website at brevitive.com, our iOS application, or our Android application (collectively the "Services").

By creating an account or otherwise using the Services, you acknowledge that you have read and understood this Policy. If you do not agree with our practices, please do not use the Services.

This Policy is intended to comply with, among others:

• Regulation (EU) 2016/679 (GDPR) and its UK equivalent (UK GDPR)
• Swiss Federal Act on Data Protection (nFADP / revDSG)
• California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA)
• Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and Québec Law 25
• Australian Privacy Act 1988 and the Australian Privacy Principles (APPs)
• Japan Act on the Protection of Personal Information (APPI, 2022 amendments)
• U.S. Children's Online Privacy Protection Act (COPPA) and relevant state laws
• Polish Act of 10 May 2018 on the Protection of Personal Data and applicable sector-specific legislation

2. Identity of the Controller / Business

As we are established in the European Union, Stanisław Brzeski IT acts as the data controller within the meaning of the GDPR and as the business within the meaning of the CCPA/CPRA for all personal data processed in connection with the Services.

3. Age Restrictions

The Services are intended for users who are at least 13 years of age. Users between the ages of 13 and 17 (or the applicable age of digital consent in their jurisdiction, whichever is higher) must have verifiable parental or guardian consent before creating an account and providing personal data. In the European Economic Area, the minimum age for consent without parental authorisation is 16 years unless Member State law provides otherwise, in which case the applicable minimum age (but no lower than 13) shall apply.

We do not knowingly collect personal data from children under the age of 13. If we become aware that a user under the age of 13 has provided us with personal data, we will promptly delete that information. If you believe that a child under 13 has provided us with personal data, please contact us immediately at brzeski.it@gmail.com.

4. Personal Data We Collect

4.1 Account & Identity Data

• Full name — provided during registration.
• Email address — provided during registration; used for account management and communications.
• Profile picture — an avatar or photograph voluntarily uploaded by you.
• User identifier — an internal unique ID assigned at account creation.
• Authentication tokens — session tokens and device identifiers issued upon sign-in, stored in encrypted cookies.

4.2 Financial & Donation Data

If you choose to enable the voluntary donation feature, we collect your PayPal account identifier (e-mail address or PayPal username). We do not store payment card numbers, bank account details, or full financial account credentials. Payment transactions are processed exclusively by PayPal, Inc., which acts as an independent data controller under its own privacy policy.

4.3 Content & Activity Data

• Articles, news items, drafts, and sources you publish or save on the Platform.
• Categories you select for your content.
• Images and media you upload in connection with content.

4.4 Technical & Usage Data

• IP address (truncated where technically feasible).
• Device type, operating system version, and browser type.
• Session data, access logs, and timestamps.
• Referral URLs and page-navigation patterns within the Services.
• Crash reports and performance diagnostics.

4.5 Third-Party Sign-In Data

When you register or sign in using Sign in with Apple or Sign in with Google, we receive from those providers only the data you authorise: typically your name and email address (or Apple's anonymised relay email). We do not receive your Apple ID or Google Account password. For further details on what those providers share, please review their respective privacy policies.

4.6 Special Categories of Data

We do not intentionally collect special categories of personal data (e.g. racial or ethnic origin, political opinions, health data, biometric data for identification purposes) as defined under the GDPR or equivalent legislation. If you choose to include such information in user-generated content, you do so voluntarily and acknowledge that such content may be publicly visible.

5. How We Collect Data

• Directly from you — during registration, profile editing, content creation, or when you contact us.
• From third-party identity providers — Apple and Google, when you use their single-sign-on services.
• Automatically — through server logs, cookies, and similar technologies when you access or use the Services (see Section 14).
• From cloud infrastructure providers — AWS S3 (image storage), which may log access metadata.

6. Legal Bases for Processing (GDPR)

For users in the EEA, UK, and Switzerland, we rely on the following legal bases:

7. How We Use Your Data

We use personal data for the following purposes:

• Providing and operating the Services — creating and managing your account, enabling content publishing, displaying your profile.
• Authentication and security — verifying your identity on login, detecting and preventing fraudulent or abusive activity.
• Personalisation — displaying your name and profile picture on your published content and profile page.
• Donation functionality — displaying your PayPal link to readers who wish to support your work.
• Communications — sending transactional emails (e.g. account-related notifications). We do not send unsolicited marketing email without separate consent.
• Platform analytics and improvement — understanding how users interact with the Platform to improve features, fix bugs, and optimise performance. Where possible, we use aggregated or anonymised data.
• Legal compliance — complying with applicable law, responding to valid legal requests, and enforcing our Terms of Service.
• Content moderation — reviewing flagged content and user reports to maintain a safe and lawful platform environment.

We will not use your personal data to serve behavioural advertising, sell it to data brokers, or share it with third-party advertisers without your explicit prior consent.

8. Sharing & Disclosure of Personal Data

We may share personal data with the following categories of recipients:

8.1 Service Providers (Data Processors)

We engage trusted third-party processors who act solely on our instructions and are bound by data processing agreements meeting GDPR Article 28 requirements:

• Amazon Web Services (AWS) — cloud hosting and S3 object storage for media files. Data may be stored in the EU (eu-central-1 or eu-west-1 regions).
• PayPal, Inc. — donation payment processing, acting as an independent controller for its own platform.
• Apple Inc. — Sign in with Apple authentication service.
• Google LLC — Sign in with Google authentication service.

8.2 Public Display

Your display name, profile picture, and published articles or news items are publicly visible to all visitors of the Platform by default. You may adjust certain settings in your profile, but published content may be indexed by search engines and cached by third parties.

8.3 Legal Disclosure

We may disclose personal data to public authorities, courts, regulators, or law enforcement agencies when we are legally obliged to do so or when such disclosure is necessary to protect the vital interests of a person, prevent serious harm, or enforce our legal rights.

8.4 Business Transfers

In the event of a merger, acquisition, restructuring, asset sale, or insolvency proceeding, personal data may be transferred to the acquiring entity, provided that the acquirer is bound by equivalent data protection obligations. We will notify you of any such transfer in advance where required by law.

8.5 No Sale of Personal Data

We do not sell, rent, or trade your personal data to any third party for monetary or other valuable consideration, as those terms are defined under the CCPA/CPRA and analogous legislation.

9. International Data Transfers

Because Brevitive is a global platform, your personal data may be transferred to and processed in countries outside your country of residence, including the United States, where some of our service providers are headquartered. The United States and other third countries may not provide the same level of data protection as your home jurisdiction.

For transfers from the EEA, UK, or Switzerland, we ensure an adequate level of protection through one or more of the following mechanisms:

• Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914/EU);
• The EU-U.S. Data Privacy Framework (DPF) where the recipient is DPF-certified;
• The UK International Data Transfer Agreement (IDTA) for transfers subject to UK GDPR;
• An adequacy decision issued by the European Commission.

10. Data Retention

We retain personal data only as long as necessary for the purposes described in this Policy:

After the applicable retention period, data is securely deleted or anonymised so it can no longer be attributed to any individual.

11. Security

We implement a combination of technical and organisational measures designed to protect your personal data against unauthorised access, accidental loss, destruction, or alteration. These measures include:

• Transport-layer encryption (TLS 1.2 or higher) for all data in transit;
• Encrypted storage of authentication credentials and session tokens;
• Secure, HttpOnly, and appropriately scoped cookies for session management;
• Access controls limiting data access to authorised personnel on a need-to-know basis;
• Regular security reviews of our codebase and infrastructure;
• Incident response procedures to detect, investigate, and notify in the event of a personal data breach.

Despite our efforts, no system connected to the internet is completely immune to attack. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (as required by GDPR Art. 33) and affected individuals without undue delay where required (GDPR Art. 34).

12. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data. To exercise any of these rights, please contact us at brzeski.it@gmail.com. We will respond within the timeframe required by applicable law (generally 30 days under GDPR, 45 days under CCPA).

We may need to verify your identity before fulfilling a request. We will not charge a fee for reasonable requests unless they are manifestly unfounded or excessive.

13. Third-Party Services & SDKs

Our Services integrate with the following third-party platforms, each with their own privacy policies:

We are not responsible for the privacy practices of these third parties. We encourage you to review their policies. On our iOS and Android apps, Apple and Google may also collect certain device-level data in accordance with their respective platform privacy frameworks and App Tracking Transparency / Privacy Sandbox requirements.

14. Cookies & Tracking Technologies

The Brevitive website uses cookies and similar technologies to provide and improve the Services. The following categories of cookies are used:

Strictly Necessary cookies do not require consent under the ePrivacy Directive (2002/58/EC) as they are essential for the provision of the Services. We do not currently use analytical, advertising, or social-media tracking cookies. Should we introduce non-essential cookies in the future, we will implement a consent management mechanism and update this Policy accordingly.

You may control or delete cookies through your browser settings. Please note that disabling essential cookies will prevent you from signing in and using authenticated features of the Platform.

15. Donations & Financial Data

Brevitive offers a voluntary donation feature that allows readers to financially support content creators. Participation is entirely optional. If you choose to enable this feature:

• You must connect a PayPal account by providing your PayPal-registered email address or PayPal.me username.
• This information will be displayed on your public profile solely to facilitate donations from other users.
• Payment processing, fraud prevention, and financial compliance for donation transactions are handled exclusively by PayPal, acting as an independent controller.
• We do not store, process, or have access to full payment card numbers, bank account numbers, or any other sensitive financial account information.
• If you are resident in a jurisdiction that classifies PayPal account data as financial information (e.g. under the California Financial Information Privacy Act, Gramm-Leach-Bliley Act, or PSD2), we rely on your explicit consent as the basis for collecting and publishing this data, which you may withdraw at any time through your profile settings.

16. User-Generated Content

Brevitive is a crowdsourced platform and a significant portion of content is created and published by users. Please be aware of the following:

• Public visibility: Articles and news items you publish, along with your display name and profile picture, are publicly accessible, including to unauthenticated visitors, and may be indexed by search engines.
• Responsibility for content: You are solely responsible for ensuring that any personal data about third parties that you include in your content is published lawfully (e.g. with appropriate consent or in the public interest) and does not infringe the privacy rights of others.
• Retention of published content: Content you publish may remain accessible even after you delete it or your account, where it has been cached by third parties or shared by other users. We will take reasonable steps to remove or anonymise publicly accessible content upon a valid erasure request.
• Content moderation: We may review flagged content and process associated personal data to enforce our Terms of Service and comply with applicable law, including online safety and press regulatory obligations.

17. Children's Privacy

We take the protection of children's privacy seriously and operate in compliance with COPPA (United States), the UK Children's Code (Age Appropriate Design Code), and equivalent provisions in the GDPR and national legislation.

The Services are directed at individuals aged 13 and over. We do not knowingly collect personal data from children under 13 without verifiable parental consent. If you are a parent or guardian and believe your child under 13 has registered on the Platform, please contact us at brzeski.it@gmail.com and we will delete the account and all associated data promptly.

For users aged 13–17, we apply additional protections:

• No behavioural advertising based on minor users' data;
• Enhanced privacy defaults (e.g. content is set to limited visibility where technically feasible);
• The donation feature is not available to users under the age of 18.

18. Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (CCPA/CPRA) affords you specific rights:

• Right to Know — You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
• Right to Delete — You may request deletion of your personal information, subject to certain exceptions.
• Right to Correct — You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing — We do not sell or share personal information as defined by CCPA/CPRA. Should this change, we will provide a "Do Not Sell or Share My Personal Information" link.
• Right to Limit Use of Sensitive Personal Information — We process sensitive personal information (e.g. financial account data) only as necessary to provide the Services.
• Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA/CPRA rights.

To submit a verifiable consumer request, contact us at brzeski.it@gmail.com. You may designate an authorised agent to make a request on your behalf; we may require verification of the agent's authorisation.

Shine the Light: California Civil Code § 1798.83 permits California residents to request information about disclosures of personal information to third parties for direct marketing purposes. We do not make such disclosures.

19. Additional Information for EEA, UK & Swiss Residents (GDPR / UK GDPR / nFADP)

As Stanisław Brzeski IT is established in Poland (EU), the GDPR applies directly. For UK residents, the UK GDPR applies, and for Swiss residents, the revised Federal Act on Data Protection (nFADP/revDSG, in force since September 2023) applies.

19.1 Supervisory Authority

The lead supervisory authority for Stanisław Brzeski IT is the Urząd Ochrony Danych Osobowych (UODO) — Polish Data Protection Authority (ul. Stawki 2, 00-193 Warsaw, Poland; uodo.gov.pl).

If you are habitually resident in another EEA Member State, you may also lodge a complaint with the supervisory authority in your country of residence. UK residents may contact the Information Commissioner's Office (ICO) (ico.org.uk). Swiss residents may contact the Federal Data Protection and Information Commissioner (FDPIC) (edoeb.admin.ch).

19.2 Right to Lodge a Complaint

You have the right to lodge a complaint with your local supervisory authority at any time without prejudice to any other administrative or judicial remedy. We nevertheless encourage you to contact us directly first so we may address your concern promptly.

19.3 Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities as required under GDPR Article 35.

20. Additional Information for Canadian Residents (PIPEDA / Québec Law 25)

Canadian residents are protected under PIPEDA and, if resident in Québec, under the Act respecting the protection of personal information in the private sector, as amended by Law 25 (Loi 25).

• We collect, use, and disclose personal information with your knowledge and consent, except where otherwise permitted or required by law.
• You have the right to access your personal information and to challenge its accuracy.
• Québec residents have additional rights under Law 25, including the right to data portability (as of September 2023) and the right to object to automated profiling.
• We may transfer personal information outside of Canada; such transfers are subject to contractual protections comparable to Canadian standards.
• Our privacy contact for Canadian matters is brzeski.it@gmail.com.

21. Additional Information for Australian Residents

Australian residents are protected under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We are committed to handling personal information in accordance with those principles.

• You have the right to access personal information we hold about you and to request correction of inaccurate information (APPs 12 and 13).
• We will not use government-related identifiers as your primary identifier on our Platform.
• If you are dissatisfied with our response to a privacy complaint, you may refer the matter to the Office of the Australian Information Commissioner (OAIC) (oaic.gov.au).
• Cross-border disclosures are made in accordance with APP 8; we take reasonable steps to ensure overseas recipients handle information consistently with the APPs.

22. Additional Information for Japanese Residents (APPI)

Japanese residents are protected under the Act on the Protection of Personal Information (APPI), as substantially amended in 2022.

• We will use personal information within the stated purpose and will not use it for any other purpose without prior notice or consent.
• When providing personal information to third parties outside Japan, we take appropriate measures to ensure that the recipient maintains a level of protection equivalent to the APPI standards.
• You have the right to request disclosure, correction, addition, deletion, suspension of use, and erasure of retained personal information that we hold about you.
• Requests may be submitted to brzeski.it@gmail.com.
• Complaints may be referred to the Personal Information Protection Commission (PPC) (ppc.go.jp).

23. Changes to This Privacy Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page;
• Display a prominent notice on the Platform;
• Where required by law or where we consider it appropriate, notify you by email or in-app notification.

We encourage you to review this Policy periodically. Your continued use of the Services after the effective date of any changes constitutes your acknowledgement of the updated Policy. If you do not agree with any changes, you must discontinue your use of the Services and may request deletion of your account.

24. Contact Us & Complaints

If you have any questions, concerns, or requests relating to this Policy or our data processing practices, please contact us:

We aim to respond to all enquiries within 30 calendar days. Complex requests may require up to 90 days; we will inform you within the initial 30-day period if an extension is required and the reasons for it.

You also have the right to lodge a complaint with the competent data protection supervisory authority in your country of residence (see Section 19 for EEA/UK/Swiss authorities, Section 20 for Canada, Section 21 for Australia, and Section 22 for Japan).