Privacy Policy

Effective Date: May 14, 2026
Last Updated: May 14, 2026

1. Who We Are

This Privacy Policy describes how Tomas Yano ("we," "us," or "our") collects, uses, and protects your personal information when you visit tomasyano.com (the "Site") or subscribe to our newsletter (collectively, the "Services").

Data Controller: Tomas Yano
Contact: tomas@tomasyano.com
Jurisdiction: Poland / European Union

For inquiries regarding your personal information or this policy, please contact us at the email address above.

2. Information We Collect

We collect the following categories of personal information:

Information you provide directly:

  • Email address (when you subscribe to the newsletter)
  • Name (optional, if you provide it)
  • Any information you share when contacting us or booking a call

Information collected automatically:

  • Log and usage data: IP address, browser type, browser settings, request paths, referrer URLs, timestamps, email open/click events
  • Device data: Browser type, operating system, device class (mobile/desktop), user-agent string
  • Location data: Approximate location derived from your IP address (typically country and city level)
  • Cookies: Session cookies for logged-in members, authentication tokens for magic-link login

3. How We Use Your Information

We use your personal information for the following purposes:

  • To deliver our Services: Sending newsletter emails to subscribers, providing access to subscriber-only content, managing your subscription
  • To process payments: Facilitating payments for paid services (e.g., consultation calls, courses, memberships) through our payment processor
  • To respond to inquiries: Replying to messages, scheduling consultation calls, providing customer support
  • To send administrative information: Welcome emails, account confirmations, magic-link authentication, payment receipts, unsubscribe receipts, important policy updates
  • To improve our Services: Analyzing aggregated usage patterns, debugging, security monitoring
  • To comply with legal obligations: Record-keeping required by tax and consumer-protection law

We rely on the following legal bases under the EU General Data Protection Regulation (GDPR) to process your personal information:

  • Consent (Art. 6(1)(a)): When you actively subscribe to our newsletter
  • Performance of a contract (Art. 6(1)(b)): To deliver the newsletter you subscribed to
  • Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement
  • Legal obligation (Art. 6(1)(c)): Tax records, consumer protection records

5. Third Parties We Share Information With

We share your personal information only with the following service providers ("processors"), each bound by data processing agreements:

| Provider | Purpose | Data Shared | Location | Privacy Policy |
|---|---|---|---|---|
| Amazon Web Services (AWS SES) | Newsletter email delivery | Email address, name | Frankfurt, EU (with US parent company) | aws.amazon.com/privacy |
| Cloudflare | DNS resolution, security, content delivery | IP address, request data | Global CDN (EU + US) | cloudflare.com/privacypolicy |
| Hetzner Online GmbH | Web hosting infrastructure | Server-level access to all data | Nuremberg, Germany | hetzner.com/legal/privacy-policy |
| Stripe Payments Europe Ltd. | Payment processing for paid services | Name, email, billing address, payment card details (handled directly by Stripe; we do not store card data) | Dublin, Ireland (EU) with US parent | stripe.com/en-pl/privacy |
| Cal.com | Booking and scheduling for consultation calls | Name, email, booking details | EU | cal.com/privacy |

We do not sell or share your personal information for cross-context behavioral advertising, marketing partnerships, or any commercial purposes outside the operation of our Services.

Payment data: When you make a payment, your card information is collected and processed directly by Stripe. We never see, store, or transmit your full card details. Stripe is PCI-DSS Level 1 certified. For details on how Stripe handles your data, see Stripe's privacy policy: https://stripe.com/en-pl/privacy.

International data transfers: Some providers (AWS, Cloudflare, Stripe) operate globally. Where personal data is transferred outside the European Economic Area, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and adequacy decisions where applicable.

6. Data Retention

We retain your personal information for as long as necessary:

  • Newsletter subscribers: Email address retained until you unsubscribe. After unsubscribe, retained for an additional 12 months for legal compliance (proving you consented at one point), then deleted.
  • Server logs: IP addresses and request data retained for 30 days for security and debugging purposes.
  • Communications: Email exchanges retained for 24 months for support continuity.
  • Payment records: Transaction records retained for 5 years as required by Polish tax law. Payment card details are not stored by us — they are held by Stripe under their own retention policies.
  • Tax records: Retained for the period required by Polish tax law (typically 5 years).

7. Your Rights

If you are located in the EU/EEA, UK, or Switzerland, you have the following rights under GDPR:

  • Right of access (Art. 15): Request a copy of personal information we hold about you
  • Right to rectification (Art. 16): Correct inaccurate personal information
  • Right to erasure (Art. 17): Request deletion of your personal information ("right to be forgotten")
  • Right to restriction (Art. 18): Restrict our processing of your personal information
  • Right to data portability (Art. 20): Receive your personal information in a structured, machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interests
  • Right to withdraw consent (Art. 7): Withdraw consent at any time (e.g., by unsubscribing)
  • Right to lodge a complaint: Lodge a complaint with the Polish supervisory authority (Urząd Ochrony Danych Osobowych, uodo.gov.pl) or your local EU data protection authority

If you are located in California (CCPA/CPRA), you have additional rights including the right to know, right to delete, right to correct, and right to opt-out of sale/sharing.

To exercise any right: Email tomas@tomasyano.com. We will respond within 30 days.

8. Cookies

We use the following types of cookies:

  • Strictly necessary cookies: Session management, authentication (magic-link login for members)
  • Functional cookies: Remember your preferences (e.g., logged-in state)

We do not use advertising or third-party tracking cookies.

You can control cookies through your browser settings. Disabling strictly necessary cookies may impair Site functionality (e.g., you may be unable to log in as a member).

9. Children's Privacy

The Services are not directed to individuals under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact us at tomas@tomasyano.com and we will delete it.

10. Security

We implement reasonable technical and organizational measures to protect your personal information:

  • Encrypted connections (HTTPS/TLS) for all Site traffic
  • Encrypted database storage on our infrastructure
  • Restricted access to personal information (only authorized personnel)
  • Regular security updates and monitoring
  • Firewall and intrusion-prevention systems

No system is 100% secure. In the event of a data breach affecting your personal information, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to active subscribers and posted on this page with an updated "Last Updated" date. Continued use of the Services after changes constitutes acceptance.

12. Contact Us

For any questions about this Privacy Policy or to exercise your privacy rights:

Email: tomas@tomasyano.com
Website: tomasyano.com

For complaints, you may also contact the Polish Data Protection Authority:
Urząd Ochrony Danych Osobowych (UODO)
Stawki 2, 00-193 Warsaw, Poland
uodo.gov.pl