Privacy Policy

1. Data Controller

The controller of your personal data is:

We do not have a dedicated Data Protection Officer (DPO). For any data-related questions, write directly to hello@dimantika.com with the subject line "Data Protection."

2. What Data We Collect

Account Information

When you create an account on ViralFaceless.io or CompliCode, we collect your email address, display name, and a hashed password (we never store passwords in plain text). If you sign up via Google OAuth, we receive your name, email, and profile picture from Google — we don't see your Google password.

Usage and Activity Data

We log which features you use, when you use them, and how often. For ViralFaceless.io, this includes video generation requests, selected templates, and output formats. For CompliCode, this includes repository scans and license check results. We use this data to improve the product, diagnose bugs, and understand what matters to users.

Payment Data

Payments are handled by Stripe. We never see your full card number, CVV, or bank account details — Stripe handles all of that. We do store your subscription plan, billing email, payment status, and Stripe customer ID so we can manage your subscription and handle invoices.

Technical and Device Data

When you visit our websites, our servers receive your IP address, browser type and version, operating system, referring URL, and the pages you view. This is standard HTTP log data. We also use cookies and similar technologies (see Section 7 below).

Communications

If you email us or submit a contact form, we store the content of that message and your email address so we can respond and keep a record of the conversation.

3. Legal Basis for Processing

Under GDPR (Article 6), we rely on the following legal bases:

• Contract performance
• Processing your account data and payment data is necessary to provide you with the services you signed up for. Without this data, we cannot operate your account or deliver the product.
• Legitimate interest
• We process usage data and technical logs under our legitimate interest in improving our products, securing our systems, and detecting fraud. Where we rely on legitimate interest, we've balanced it against your privacy rights and concluded that our interest doesn't override yours.
• Consent
• For non-essential analytics cookies (e.g., Google Analytics), we process data on the basis of your consent, which you can withdraw at any time through your browser settings or our cookie controls.
• Legal obligation
• We retain invoices and financial records because Polish law (Ustawa o rachunkowości) requires it.

4. How We Use Your Data

• •Service delivery. Running your account, processing video generation requests, executing license scans, and providing support.
• •Billing. Charging your subscription, issuing invoices, and handling refunds or disputes.
• •Product improvement. Analyzing usage patterns to decide what to build next, fix, or remove.
• •Transactional email. Sending you receipts, password reset links, and service notifications. You cannot opt out of these because they're part of the service contract.
• •Marketing email. Occasional product updates or announcements. You can unsubscribe at any time using the link in any marketing email.
• •Security. Detecting and blocking abuse, unauthorized access, and fraudulent activity.

We do not sell your personal data. We do not share it with third parties for their own marketing purposes.

5. Data Retention

When the retention period expires, we delete or anonymize the data. Financial records are retained for the legally mandated 5-year period even if you close your account, because we're obligated to under Polish law.

6. Third-Party Services

We use the following sub-processors and third-party services that may access your data as part of delivering our services:

• Stripe

  Payment processing. Stripe collects and stores your payment card data directly. We share your email and billing name with Stripe for invoicing purposes. Stripe is GDPR compliant and certified under PCI DSS Level 1. Stripe Privacy Policy

• Google Analytics (GA4)

  Web analytics. We use GA4 to understand how visitors navigate our website. IP anonymization is enabled. Analytics data is only processed with your consent. Google Privacy Policy

• Cloud Hosting (Hetzner / Vercel)

  Our infrastructure runs on servers provided by Hetzner (Germany, EU) and Vercel (US — covered by Standard Contractual Clauses). Your data at rest is stored in the EU where possible.

• Email Delivery

  Transactional emails (receipts, password resets) are delivered via an email service provider. They process your email address on our behalf under a data processing agreement.

We sign data processing agreements (DPAs) with all sub-processors where required by GDPR Article 28. Data transfers outside the EEA are protected by Standard Contractual Clauses (SCCs) or an adequacy decision.

7. Cookies

Cookies are small text files stored on your device. We use them for the following purposes:

Strictly Necessary Cookies

These are required for the site and our apps to function. They include session cookies that keep you logged in and CSRF protection tokens. You cannot opt out of these — without them, the service doesn't work. No consent is required for strictly necessary cookies under GDPR.

Analytics Cookies

Google Analytics cookies (e.g., _ga, _ga_*) help us measure traffic and understand how people use our sites. These are only set if you consent. You can withdraw consent at any time by clearing cookies or adjusting your browser settings.

Preference Cookies

We may store your UI preferences (e.g., selected theme, language) in browser local storage. This data never leaves your device and is not shared with anyone.

To manage or delete cookies, use your browser's built-in cookie controls. Clearing all cookies will log you out of any active sessions.

8. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights. To exercise any of them, email us at hello@dimantika.com. We'll respond within 30 days.

• Right of access (Art. 15)

  You can ask us for a copy of the personal data we hold about you, including what it is, where it came from, and who we've shared it with.

• Right to rectification (Art. 16)

  If any of your data is inaccurate or incomplete, you can ask us to fix it. For account details, you can also update most things directly from your account settings.

• Right to erasure (Art. 17)

  You can request deletion of your personal data. We'll delete it within 30 days, subject to legal retention obligations (e.g., we must keep financial records for 5 years). Deleting your account also triggers this process.

• Right to data portability (Art. 20)

  Where processing is based on your consent or a contract, you can ask for your data in a structured, machine-readable format (JSON or CSV). We'll export what's technically feasible.

• Right to object (Art. 21)

  You can object to processing based on legitimate interest. We'll stop unless we have compelling legitimate grounds that override your interests. You can always unsubscribe from marketing emails.

• Right to restrict processing (Art. 18)

  In some circumstances (e.g., while a complaint is pending), you can ask us to pause processing your data without deleting it.

• Right to withdraw consent

  If we're processing data based on your consent (e.g., analytics cookies), you can withdraw consent at any time. Withdrawal doesn't affect the lawfulness of prior processing.

9. Right to Lodge a Complaint

If you believe we've mishandled your personal data, you have the right to lodge a complaint with the Polish data protection authority:

We'd prefer you contact us first — most issues can be resolved quickly — but you have the unconditional right to go to the supervisory authority at any time.

10. Security

We use industry-standard measures: HTTPS everywhere, bcrypt password hashing, database encryption at rest, access controls limited to people who need the data to do their job, and regular dependency updates to patch known vulnerabilities. We're a small team, which means fewer people have access to production data — not more.

In the event of a data breach that poses a risk to your rights and freedoms, we'll notify UODO within 72 hours and notify affected users without undue delay, as required by GDPR Article 33.

11. Children

Our services are not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you become aware that a child has provided us with personal data, contact us and we'll delete it.

12. Changes to This Policy

We'll update this policy as our data practices change. When we make material changes, we'll notify registered users by email and update the "Last updated" date at the top of this page. Continuing to use our services after a policy update means you've had the opportunity to review the new version.