Privacy Policy

Last updated: February 17, 2026

1. Data Controller

The controller of your personal data is MAKE IT REMOTE Adam Naworski, a sole proprietorship registered in the Central Register and Information on Economic Activity (CEIDG) of the Republic of Poland.

  • Address: ul. Jodlowa 40/22, 55-200 Olawa, Poland
  • NIP (Tax ID): 9121950969
  • REGON: 542153497

For any data protection inquiries, you may contact us by using the contact details published on the platform or via the official CEIDG registry entry.

2. Alpha Release Notice

LockIner is currently in alpha release. Registration is available exclusively to invited users who possess a valid voucher code. The platform is under active development, and features, data structures, and policies may change. We will notify registered users of any material changes to this privacy policy.

3. Personal Data We Collect

During registration we collect the following information:

  • Display name — a name or nickname you choose to identify yourself on the platform. We strongly recommend using a nickname or first name only, rather than your full legal name. The display name is visible to other members of your household.
  • Email address — used solely for account verification purposes. Your email address is stored exclusively in an irreversibly hashed (SHA-256) format. This means the platform cannot read, display, send emails to, or otherwise use your email address in any way. The hash is used only to verify that you are the owner of a given account when you manually type your email address during login. No one — including the platform administrators — can recover or access your original email address from the stored hash.
  • Password — stored in a securely hashed format using the bcrypt algorithm. Your plaintext password is never stored.
  • Voucher code — the invitation code used during registration, stored to track invitation usage.

4. Data Generated Through Usage

As you use the platform, the following data may be created and stored:

  • Financial records (transactions, receipts, budgets, categories)
  • Fitness data (workouts, exercises, weight measurements)
  • Food and recipe information
  • Journal entries
  • Skills and learning progress
  • Household membership and shared data

All usage data is associated with your account and is stored on servers located within the European Union.

5. Legal Basis for Processing (GDPR Art. 6)

  • Performance of a contract (Art. 6(1)(b)) — processing is necessary to provide the services you registered for, including account authentication, data storage, and household features.
  • Legitimate interest (Art. 6(1)(f)) — we process minimal technical data (cookies for authentication and UI preferences) to ensure the platform functions correctly and securely.

6. Cookies and Local Storage

LockIner uses only strictly necessary cookies. We do not use any third-party tracking, analytics, or advertising cookies.

Cookie Name | Purpose | Duration | Type
--- | --- | --- | ---
scrooge_access_token | Authentication token (JWT) to keep you logged in | 30 minutes | Strictly necessary
scrooge_refresh_token | Token used to renew your session without re-entering credentials | 7 days | Strictly necessary
sidebar-collapsed | Remembers whether the navigation sidebar is collapsed or expanded | Session | Functional
scrooge_household_context | Stores your currently selected household | Session | Functional

Since all cookies used are either strictly necessary for the platform’s operation or purely functional (UI preferences), they are exempt from the consent requirement under Article 5(3) of the ePrivacy Directive (2002/58/EC).

7. Data Sharing and Third Parties

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes. Your data may be shared only in the following circumstances:

  • Household members — if you join a household, certain data (display name, shared financial records) is visible to other household members.
  • Legal obligations — if required by applicable law, regulation, or valid legal process.
  • Infrastructure providers — our hosting and database providers process data on our behalf under appropriate data processing agreements in compliance with GDPR.

8. Data Retention

Your personal data is retained for as long as your account is active. If you request account deletion, all personal data and associated usage data will be permanently deleted within 30 days of your request, unless retention is required by law.

9. Your Rights Under GDPR

As a data subject under the General Data Protection Regulation (EU) 2016/679, you have the following rights:

  • Right of access (Art. 15) — you may request confirmation of whether your personal data is being processed and obtain a copy of it.
  • Right to rectification (Art. 16) — you may request correction of inaccurate personal data. Note: since your email is stored in hashed form, it cannot be “corrected”; instead, you would need to re-register with the correct email.
  • Right to erasure (Art. 17) — you may request deletion of your personal data (“right to be forgotten”).
  • Right to restriction of processing (Art. 18) — you may request that we limit the processing of your data under certain conditions.
  • Right to data portability (Art. 20) — you may request your data in a structured, commonly used, and machine-readable format.
  • Right to object (Art. 21) — you may object to processing based on legitimate interest.
  • Right to lodge a complaint — you have the right to file a complaint with a supervisory authority. In Poland, the competent authority is the President of the Personal Data Protection Office (Prezes Urzedu Ochrony Danych Osobowych, UODO), ul. Stawki 2, 00-193 Warsaw, Poland.

To exercise any of these rights, please contact the Data Controller using the details provided in Section 1.

10. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Irreversible hashing of email addresses (SHA-256) — your email cannot be recovered or misused even in the event of a data breach.
  • Secure password hashing using the bcrypt algorithm with salt.
  • JWT-based authentication with short-lived access tokens (30 minutes).
  • Optional two-factor authentication (TOTP) for additional account security.
  • Encrypted data transmission via HTTPS/TLS.

11. Changes to This Policy

We reserve the right to update this privacy policy at any time. As the platform is in alpha release, changes may occur more frequently as features evolve. Material changes will be communicated to registered users through the platform’s notification system. The “last updated” date at the top of this page reflects the most recent revision.

12. Applicable Law

This privacy policy is governed by the laws of the Republic of Poland and the European Union, including the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Polish Act on the Protection of Personal Data of 10 May 2018.