Last updated: September 28, 2025
1. Data Controller
The controller of your personal data is:
WEB ELEVATE LIMITED
Company number: 16281693
Address: 8 Hopwood Street, Preston, England, PR1 1UY
Contact:
- Main contact: support@findyou.io
- GDPR/Privacy matters: privacy@findyou.io
- Security incidents: security@findyou.io
- Data Protection Officer: privacy@findyou.io
Creator of the career aptitude test: Piotr Wolniewicz
2. Important statements about our practices
2.1 What we DO NOT do:
- We do not collect sensitive data (health, sexual orientation, political views, racial data)
- We do not use automated decision-making – test results are analyzed by our algorithm with the possibility of verification by experts
- We do not profile users within the meaning of GDPR (Art. 22)
- We do not sell personal data to third parties
- We do not store payment card data – this is handled by Stripe
2.2 What we guarantee:
- Answers to test questions are confidential and used solely to generate results
- Test results are not combined with other data beyond service provision
- Full control over your data – access, corrections, deletion at any time
3. Detailed table of collected data
| Category | Data Examples | Collection Point | Legal Basis | Processing Purpose |
|---|---|---|---|---|
| Identity data | Name, email, date of birth, gender | Account registration | Contract performance (Art. 6.1.b GDPR) | Account creation, test personalization |
| Payment data | Transaction data, billing address | Premium purchase via Stripe | Contract performance (Art. 6.1.b GDPR) | Payment processing for Premium test |
| Test data | Answers to 50-80 questions, completion time | During test | Contract performance (Art. 6.1.b GDPR) | AI report generation |
| Technical data | IP, browser, operating system | Automatically during visit | Legitimate interest (Art. 6.1.f GDPR) | Security, analytics |
| Marketing data | Email, communication preferences | Consent during registration | Consent (Art. 6.1.a GDPR) | Newsletter, ad personalization |
| Communication data | Messages to support | Contact forms | Legitimate interest (Art. 6.1.f GDPR) | Technical support |
Data minimization: We collect only data necessary to provide the career aptitude test service.
4. Details of collected data
4.1 Data collected during registration
Data: name, email address, date of birth, gender (optional)
Purpose: user account creation, test personalization, communication
Legal basis: contract performance (Art. 6 para. 1 lit. b GDPR)
4.2 Data collected during test completion
Data: answers to test questions (approx. 50-80 questions), test completion time, career preferences
Purpose: generate career aptitude analysis report using AI algorithms
Legal basis: contract performance (Art. 6 para. 1 lit. b GDPR)
Important: Questions are general in nature, not invasive or specific to private life
4.3 Payment data (Premium test – 245 PLN)
Data: transaction data via Stripe (we do not store card data)
Purpose: payment processing for Premium test
Legal basis: contract performance (Art. 6 para. 1 lit. b GDPR)
Important: All payment card data is collected and stored by Stripe. Please review Stripe’s privacy policy.
4.4 Technical data
Data: IP address, browser type, operating system, visit time
Purpose: service security, operation optimization, analytics (Google Analytics)
Legal basis: legitimate interest (Art. 6 para. 1 lit. f GDPR)
4.5 Marketing data
Data: email address, communication preferences
Purpose: newsletter, information about new features, remarketing (Facebook Pixel)
Legal basis: consent (Art. 6 para. 1 lit. a GDPR)
5. Automatic deletion of inactive accounts
5.1 Automatic deletion policy:
- Accounts inactive >45 days may be automatically deleted
- Inactivity definition: no login, no interaction with the service
- Notifications: 30 days and 7 days before deletion
- Purpose: data security – unnecessary data is not stored
5.2 Exceptions:
- Premium accounts – data stored for 5 years
- Legal obligations – data required by regulations (VAT invoices – 7 years)
- Active subscriptions – until service completion
5.3 Account restoration:
- Up to 30 days after deletion, restoration is possible
- After 30 days data is irreversibly deleted
6. User age and protection of minors
Minimum 12 years old.
6.1 Protection of minors’ data:
- We do not knowingly collect data from children <13 years old
- Persons 12-17 years: parental/legal guardian consent required
- Additional protection: limited marketing cookies for minors
- Verification: confirmation email from parent or payment with their card
6.2 Procedure if data of a child under 13 is detected:
- Immediate deletion from our database
- No use for any purposes
- No sharing with third parties
7. Location and data transfers
7.1 Hosting and processing:
- Main hosting: Poland (EU infrastructure)
- Processing: WEB ELEVATE LIMITED, United Kingdom
- Payments: Stripe (EU/USA with appropriate safeguards)
- Analytics: Google (USA), Facebook (USA)
7.2 International transfers:
To USA:
- Google Analytics, Facebook Pixel, Stripe
- Legal basis: EU-US Data Privacy Framework, Standard Contractual Clauses
- Additional safeguards: end-to-end encryption, data minimization
To UK (post-Brexit):
- Main processing by WEB ELEVATE LIMITED
- Legal basis: UK Adequacy Decision (for some transfers), Standard Contractual Clauses
- Status: United Kingdom as “adequate country” for some transfers
8. International transfers and framework compliance
Some data may be transferred outside the EU:
- USA – Google Analytics, Facebook Pixel, Stripe
- Legal basis: EU-US Data Privacy Framework, Standard Contractual Clauses (SCC)
- Additional safeguards: end-to-end encryption, data minimization
Data Privacy Framework Compliance: We plan EU-US Data Privacy Framework certification for maximum protection of international transfers. In case of privacy disputes, we offer:
- 30 days of mediation with the data controller
- Independent arbitration by an accredited body
- Right to file a complaint with the competent supervisory authority
9. Data retention period
| Data Type | Retention Period |
|---|---|
| User account | Until account deletion by user |
| Test results | 5 years from last login |
| Payment data | 7 years (accounting requirements) |
| Marketing data | Until consent withdrawal |
| Technical logs | 12 months |
| Anonymous statistics | Unlimited |
10. Data retention criteria
We use the following criteria to determine data retention periods:
10.1 Main criteria:
(a) Active relationship with user
- Open account or active subscription
- Pending transactions or requests
- Regularly used account
(b) Legal obligations
- VAT invoices – 7 years (accounting regulations)
- Transaction data – according to financial law
- Security logs – 12 months
(c) Other obligations
- Contractual requirements with partners
- Legal proceedings (litigation hold)
- Statute of limitations for claims
10.2 Automatic actions:
- Anonymization of data after retention period expires
- Aggregation for trend analysis without user identification
- Pseudonymization of statistical data
11. Data sharing
Your data may be shared with:
11.1 Technology subprocessors:
- Stripe – payment processing
- Hosting provider – data storage in Poland
- Google – site analytics (Analytics)
- Facebook/Meta – remarketing (Pixel)
11.2 Government authorities:
Only when required by Polish or British law.
12. Your rights
You have the right to:
12.1 Access to data
You can request a copy of all data we process about you.
12.2 Data rectification
You can correct incorrect or incomplete data.
12.3 Data deletion (“right to be forgotten”)
You can request deletion of data unless we have a legal obligation to retain it.
12.4 Restriction of processing
You can request restriction of processing in certain situations.
12.5 Data portability
You can receive your data in a format that allows transfer to another service.
12.6 Objection
You can object to data processing for marketing purposes.
12.7 Withdrawal of consent
You can withdraw consent for newsletter or remarketing at any time.
To exercise your rights, write to the appropriate address:
- General matters: support@findyou.io
- GDPR/Privacy matters: privacy@findyou.io
- Security incidents: security@findyou.io
13. Enhanced data security
13.1 Technical and organizational measures:
We implement appropriate and reasonable technical and organizational security measures designed to protect all personal data we process.
13.2 Applied safeguards:
- SSL/TLS encryption of all connections
- Regular backups stored in Poland
- Access to data restricted to authorized persons only
- Security monitoring and audits
- Password hashing in the database
- Attack protection (firewall, DDoS protection)
13.3 Important disclaimers:
No transmission over the Internet is 100% secure. We cannot guarantee absolute security. Use the service only in a secure environment.
Despite our safeguards, we cannot promise that hackers or other unauthorized persons will not be able to defeat our security measures and improperly collect, access, steal, or modify your information.
14. Complaint to supervisory authority
You have the right to file a complaint with the competent supervisory authority:
14.1 Main authority:
- Information Commissioner’s Office (ICO) – United Kingdom
- Website: ico.org.uk
- Reason: WEB ELEVATE LIMITED is a British company
14.2 Local authorities (for EU users):
- Germany: BfDI (bfdi.bund.de)
- France: CNIL (cnil.fr)
- Poland: President of UODO (uodo.gov.pl)
- List of all: edpb.europa.eu
14.3 Other countries:
Check the local data protection authority in your country.
15. Security breach reporting procedure
15.1 For users:
Discovered a security problem?
- Email: security@findyou.io
- Subject: [SECURITY] Brief problem description
- Content: Detailed description with steps to reproduce
15.2 Our commitments:
- 24 hours – first response to report
- 72 hours – notification to supervisory authorities (if required)
- 48 hours – user notification of serious incidents
15.3 Reward program:
Responsible disclosure of security vulnerabilities may be rewarded with Premium access or a voucher.
16. Changes to privacy policy
We will inform you of significant changes by email to the address provided during registration, at least 14 days before implementing changes.
17. Additional information for users from different countries
Users from UK (main jurisdiction)
UK GDPR: As a British company (WEB ELEVATE LIMITED), we are primarily subject to UK GDPR. You have all rights under UK GDPR, including the right to file a complaint with ICO (ico.org.uk).
Data transfers: Data may be processed in the EU (hosting in Poland) and transferred to the USA (Stripe, Google, Facebook) with appropriate safeguards.
Users from EU/EEA
EU GDPR: For EU users, we also apply EU GDPR. Your data may be transferred to the UK (company headquarters) and USA with full safeguards:
- Standard Contractual Clauses (SCC)
- Data Privacy Framework for transfers to USA
- UK Adequacy provisions for some transfers
Legal bases for processing:
- Consent (Art. 6.1.a GDPR) – newsletter, marketing
- Contract performance (Art. 6.1.b GDPR) – test service provision
- Legitimate interest (Art. 6.1.f GDPR) – security, analytics
Users from USA
Data location: Your data is stored primarily in the EU (hosting in Poland) and processed by a British company. Some services (Stripe, Google, Facebook) may store data in the USA.
State-specific rights:
- California: CCPA/CPRA, Shine the Light law
- Virginia, Colorado, Connecticut, Utah: each state's own privacy rights
- Details: contact privacy@findyou.io
Users from other countries
Applicable law: Primarily British law, taking into account local consumer laws where applicable.
Data protection: We apply the highest data protection standards regardless of your place of residence.