Legal document

Privacy Policy

Effective: 27 February 2026
Last updated: 27 February 2026
This Privacy Policy applies to the Inscryble platform (inscryble.com) and describes the principles of personal data processing in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR). Please read this document carefully before using the service.

1. Data Controller

The controller of your personal data is SkyFotoStudio.pl — the company operating and managing the Inscryble platform, available at inscryble.com.

Controller contact details:
Website: skyfotostudio.pl
E-mail for data protection matters: privacy@inscryble.com

2. What data we process

Inscryble processes only the data necessary for providing the service (principle of data minimisation, Art. 5(1)(c) GDPR):

a) User account data

  • Email address (used as login)
  • First and last name (optional, provided during registration)
  • Assigned role in the account (admin, analyst, read-only)
  • Date and time of registration and last login

b) Account (tenant) data

  • Account name
  • Subscription plan and billing dates
  • Billing details (passed to Stripe — external payment processor)

c) Security event metadata (incidents)

  • Domain of the site where the event occurred (e.g. chatgpt.com)
  • Identifier of the rule that triggered the response
  • Threat level (severity) and action taken (warn/redact/block)
  • SHA-256 hash of the detected content fragment
  • Event timestamp
  • Chrome extension version

⚠️ Important — Zero Raw Data principle:
Inscryble never stores the original content entered by the user. Only an irreversible cryptographic hash (SHA-256) is sent to the server. It is not possible to reconstruct content from the stored hash.

d) Technical data

  • IP address (logged by the web server, removed from logs after 7 days)
  • HTTP headers (browser user-agent, language)
  • API authorisation tokens (Sanctum) — stored as bcrypt hashes

3. Purposes and legal bases for processing

Purpose of processing | Legal basis (GDPR) | Retention period
Service provision (login, policy management) | Art. 6(1)(b) — performance of a contract | For the duration of the account
Security event metadata | Art. 6(1)(b) — performance of a contract | 30–90 days (depends on plan)
Invoicing and billing | Art. 6(1)(c) — legal obligation | 5 years (tax requirements)
System security and technical logs | Art. 6(1)(f) — legitimate interest | 7 days (IP logs)
Direct marketing (newsletter) | Art. 6(1)(a) — consent | Until consent is withdrawn

4. Recipients — sub-processors

We entrust data processing only to trusted entities providing appropriate protection guarantees:

Entity | Role | Data location
IONOS SE | Application and server hosting, managed by skyfotostudio.pl | Germany / EU (data stays within the EEA)
Stripe, Inc. | Payment processing | USA/EU (SCC)
Google LLC (optional) | Font delivery (Google Fonts) | USA (SCC)

The full list of sub-processors is available on request at privacy@inscryble.com.

5. International data transfers

The Inscryble application server is hosted by IONOS SE (a company registered in Germany) — data is stored in data centres located within the European Union and does not leave the European Economic Area.

The exceptions are Stripe, Inc. (payment processor, USA) and Google LLC (Google Fonts, USA). In these cases, data transfer takes place exclusively on the basis of Standard Contractual Clauses (SCC) approved by the European Commission by decision of 4 June 2021 (2021/914/EU), ensuring an equivalent level of protection.

6. Your rights as a data subject

Under Articles 15–22 GDPR, you have the right to:

  • Access — you may request information about which of your data we process (Art. 15)
  • Rectification — you may request correction of inaccurate data (Art. 16)
  • Erasure — you may request deletion of data ("right to be forgotten") (Art. 17)
  • Restriction of processing — you may request suspension of processing (Art. 18)
  • Data portability — you may receive your data in JSON/CSV format (Art. 20)
  • Object — you may object to processing based on our legitimate interest (Art. 21)
  • Withdraw consent — where processing is based on consent, at any time (Art. 7(3))

We fulfil requests within 30 days of receipt. For complex requests, this period may be extended by a further 60 days, of which we will notify you with an explanation. Send requests to: privacy@inscryble.com.

You also have the right to lodge a complaint with a supervisory authority. In Poland: President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.

7. Privacy by Design

Inscryble is built in accordance with the privacy by design principle (Art. 25 GDPR). The most important architectural feature is our Zero Raw Data principle:

  • No raw content on our servers — the Chrome extension never transmits the text you type to our servers. Local analysis runs inside your browser. Only a SHA-256 hash of detected fragments and event metadata (date, action, rule type) are sent to the backend.
  • Tenant data isolation — multi-tenant architecture with database-level isolation makes it architecturally impossible to access another organisation's data.
  • Data minimisation — we collect only the data necessary for the Service to function. We do not build user profiles or analyse message content.
  • Privacy by default — the highest privacy settings are active from the moment of registration, with no additional configuration required by the user.

Questions about our architecture or privacy practices? Contact us: privacy@inscryble.com.

8. Data security

We apply appropriate technical and organisational measures (Art. 32 GDPR):

  • TLS (HTTPS) encryption for all communications
  • User passwords stored exclusively as bcrypt hashes (never in plain text)
  • API tokens stored as SHA-256 hashes — displayed only once upon creation
  • Data separation between accounts (multi-tenancy with database-level isolation)
  • Automatic expiry of inactive sessions
  • Regular encrypted backups

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours (Art. 33 GDPR), and if the breach is likely to result in high risk — we will inform you directly (Art. 34 GDPR).

9. Cookies and tracking technologies

The Inscryble platform (dashboard panel) uses:

  • Session cookie — necessary to maintain a logged-in session (expires on browser close or after 2 hours of inactivity). Basis: Art. 6(1)(b) GDPR (necessary for contract performance).
  • XSRF cookie — protection against Cross-Site Request Forgery (CSRF) attacks. Technical, no privacy impact.

We do not use analytical or marketing cookies or any user behaviour tracking tools (Google Analytics, Facebook Pixel, etc.) without explicit consent.

The landing page loads external fonts from Google Fonts. Loading these may involve transmitting your IP address to Google's servers. You can block this through your browser settings or ad-blocking extensions.

10. Chrome Extension — data scope

The Chrome extension operating on the user's side processes data exclusively locally in the browser, except for:

  • Synchronising security policies from the Inscryble server (download only — no user data sent)
  • Sending incident event metadata (hash + metadata, never raw text)

The extension does not monitor user behaviour beyond detecting patterns in text fields. It does not record browsing history, search history or any other browser activity data.

11. Data retention periods

Data category | Retention period | Basis
User account data | Until account deletion + 30 days (soft-delete) | Contract
Incident metadata (Starter plan) | 30 days from event | Contract
Incident metadata (Business plan) | 90 days from event | Contract
Incident metadata (Enterprise plan) | Configurable (default 365 days) | Contract
Billing data | 5 years | Legal obligation (accounting law)
Server IP logs | 7 days | Legitimate interest (security)

12. Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy. We will notify you of material changes by email (to the address associated with your account) or via a prominent notice in the dashboard, at least 14 days before the changes take effect. Continued use of the service after that date constitutes acceptance of the updated Policy.

Archived versions of the Privacy Policy are available on request at privacy@inscryble.com.

13. Privacy contact

For all matters relating to personal data protection, please contact us:

  • Email: privacy@inscryble.com
  • Subject line: GDPR — [subject of request]
  • We respond within 5 business days
Effective from 27 February 2026. Version 1.0