Last updated: March 13, 2026
The data controller is Itlight Maciej Wawryszuk, ul. Wspólna 13, 21-540 Małaszewicze, Lubelskie, Poland, NIP (Tax ID): 5372684078, REGON: 529613090, operating the DiabloLead platform (diablolead.pl). Data protection contact: contact@diablolead.pl.
Email address, hashed password (bcrypt), subscription info (plan, status), search history, CRM data you enter, email templates, email send logs, account settings, GDPR consents with full change history.
We process data to: provide the service (business search, CRM, email), process payments, send account notifications, improve the platform (analytics), and send marketing communications (with consent only).
Art. 6(1)(b) — contract performance: providing the service, account management, payments. Art. 6(1)(a) — consent: analytics cookies (GA4, Clarity), marketing communications, email open tracking (1×1 pixel). Art. 6(1)(f) — legitimate interest: platform security, fraud prevention, aggregating publicly available B2B data from public directories and search engines.
We aggregate publicly available business data (name, address, phone, website, contact email) from public sources: business directories (PKT.pl), search engines (DuckDuckGo), Google CSE API. Processing involves B2B data only (businesses, not individuals). Interest: enabling users to find business contacts. Safeguards: we respect robots.txt, do not collect sensitive data, data comes exclusively from publicly available sources.
Data stored in Firebase/Firestore (Google Cloud, EU servers). Encryption at-rest (AES-256) and in-transit (TLS 1.3). Retention periods: account profile — until account deletion; scan history — 365 days; email logs — 180 days; CRM leads — until deleted by user; GDPR consent log — 3 years; analytics data — per Google (26 months) / Microsoft (30 days) policy. After account deletion: profile, history, CRM data, subscription — deleted immediately; support messages — anonymised (content preserved as proof of GDPR erasure request execution, without personal data, with a pseudonymised HMAC identifier).
Payments processed by Stripe, Inc. (USA, EU). We never store credit card data — handled directly by Stripe (PCI DSS Level 1 compliant). Stripe retains transaction data per their retention policy.
We use: (1) essential session cookies — always active; (2) Google Analytics 4 — with user consent; (3) Microsoft Clarity — with user consent. Analytics tools load ONLY after consent in the cookie banner. Consents are stored locally and in the database with a full change log.
Sent emails may contain a tracking pixel (1×1 image) to detect opens. When opened, we record the event, timestamp, and recipient's IP address. Tracking requires prior consent (disabled by default). You can enable/disable this in Settings → Privacy. When disabled, no pixel is embedded.
You have the right to: (a) access your data — Settings → Privacy → Download my data; (b) rectification — edit your profile; (c) erasure — Profile → Delete account; (d) restrict processing; (e) data portability (JSON export); (f) object to processing. Fulfilled within 30 days. Contact: contact@diablolead.pl. Complaint to UODO: ul. Stawki 2, 00-193 Warsaw, Poland (uodo.gov.pl).
Google LLC (Firebase/Firestore, Analytics) — DPA: https://firebase.google.com/terms/data-processing-terms; Stripe, Inc. (payments) — DPA: https://stripe.com/en-pl/privacy; Microsoft (Clarity) — DPA: https://privacy.microsoft.com/en-us/privacystatement. Data is not transferred outside the EEA without appropriate safeguards (SCCs, Privacy Shield).
In case of a data breach, we will notify the supervisory authority (UODO) within 72 hours and affected users if the breach poses high risk.
We will notify you of material privacy policy changes via email. Continued use after a change constitutes acceptance.
Privacy and data protection: kontakt@diablolead.pl / contact@diablolead.pl