
Fox's Nest Privacy Policy

Last updated: 28 February 2026

§ 1. General information

This Privacy Policy sets out the rules for processing personal data by CALMFOX Sp. z o.o. in connection with the use of the Fox's Nest service available at foxsnest.com.

The data controller is CALMFOX Sp. z o.o. with its registered office in Bydgoszcz, ul. Długa 47, 85-034 Bydgoszcz, Poland, KRS: 0001163844, NIP: 9532810342. Contact: kontakt@calmfox.pl.

§ 2. Role of the Controller vs. the Processor

CALMFOX Sp. z o.o. acts in a dual capacity with regard to personal data processing:

  • Data Controller – With regard to personal data of Service Users — account data, billing data, and data related to the operation of the service. Legal bases: Art. 6(1)(b), (c) and (f) GDPR.
  • Data Processor – With regard to data of visitors to Users' websites, collected through Fox's Nest widgets (cookie banner, accessibility widget). The User is the controller of such data.

Processing of visitor data is carried out on the basis of a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR, which forms an integral part of the Terms of Service.

§ 3. Types of processed data

We process the following categories of personal data:

  • Account data – Email address, first and last name (optional), company name, tax identification number (for invoices), password (hashed with bcrypt).
  • Payment data – Payments are handled by Stripe Inc. We do not store credit card numbers — we only store transaction references and Stripe subscription identifiers.
  • Authentication data – 2FA codes (if enabled), social login tokens (Google, GitHub).
  • Technical data – IP address, browser identifier (user agent), browser language, screen resolution, time zone.
  • Consent records (cookies) – Pseudonymized visitor identifier (visitor_id, 64 characters), consent choices, timestamp, page URL path.
  • WCAG audit data – URLs of scanned pages, accessibility assessment results, details of detected violations, audit reports.
  • GDPR scan data – URLs of scanned pages, detected cookies and tracking technologies, GDPR compliance assessment, privacy policy analysis results, scan reports.
  • Cookie Monitor data – Cookie scan history, categorization of detected cookies (necessary, analytics, marketing, preferences, uncategorized), risk level assessment, changes in cookies used.
  • Team data – Email addresses of invited team members, assigned roles (owner, admin, editor, viewer), join dates, invitation tokens, access permissions for individual domains.
  • Organization data – Company name, tax identification number, registered office address, contact phone number, country — collected during the onboarding process, including through the GUS registry API (Central Statistical Office of Poland) for auto-completing company data based on the tax identification number.
  • AI Act declaration data – Descriptions of artificial intelligence systems, AI risk level classifications, declaration compliance statuses, published statement data.
  • Developer task list data – Task identifiers (fingerprint), completion statuses, developer notes, share tokens.

§ 4. Purposes of data processing

We process personal data for the following purposes:

  • Provision of the Fox's Nest service — legal basis: Art. 6(1)(b) GDPR (performance of a contract).
  • User account management — legal basis: Art. 6(1)(b) GDPR (performance of a contract).
  • Payment and subscription management — legal basis: Art. 6(1)(b) GDPR (performance of a contract).
  • Fulfillment of legal obligations, including invoicing and tax settlements — legal basis: Art. 6(1)(c) GDPR (legal obligation).
  • Service improvement and analysis of service usage — legal basis: Art. 6(1)(f) GDPR (legitimate interest).
  • Ensuring security and preventing abuse — legal basis: Art. 6(1)(f) GDPR (legitimate interest).
  • Marketing communications — legal basis: Art. 6(1)(a) GDPR (consent). Consent may be withdrawn at any time.
  • Team management and access control — legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest of the account owner).

§ 5. Data retention period

We retain personal data for the following periods:

  • Account data: for the duration of the service + 30 days after account deletion.
  • Consent records (cookies): 24 months — requirement to demonstrate consent under the GDPR.
  • WCAG audit results: 12 months.
  • Page tracking data: 12 months.
  • Invoices and billing data: 5 years (requirement of Polish tax law).
  • Server logs: 90 days.
  • Marketing consents: until withdrawn.
  • Cookies: from session (authentication) up to 365 days (consent preferences).
  • GDPR scan results: 12 months.
  • Cookie Monitor data: 12 months from the scan date.
  • Team data (invitations, roles): for the duration of team membership + 30 days after its termination.
  • AI Act declarations: for the duration of the service + 30 days after account deletion.
  • Developer task list data: 12 months from the creation date or until deleted by the user.

§ 6. User rights

Under the GDPR, you have the following rights:

  • Right of access – The right to obtain information about your processed personal data (Art. 15 GDPR).
  • Right to rectification – The right to correct inaccurate or incomplete data (Art. 16 GDPR).
  • Right to erasure – The right to request deletion of data (Art. 17 GDPR). Account deletion is available in the service settings.
  • Right to restriction – The right to restrict data processing in certain situations (Art. 18 GDPR).
  • Right to data portability – The right to receive data in a structured, commonly used, machine-readable format (Art. 20 GDPR).
  • Right to object – The right to object to processing based on legitimate interest (Art. 21 GDPR).
  • Right to withdraw consent – The right to withdraw consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal (Art. 7(3) GDPR).
  • Right to lodge a complaint – The right to lodge a complaint with the President of the Personal Data Protection Office (UODO) or another competent supervisory authority.

To exercise the above rights, please contact us at: kontakt@calmfox.pl.

§ 7. Data recipients

Personal data may be disclosed to the following categories of recipients:

  • Stripe Inc. – Payment processing (USA). Transfer based on Standard Contractual Clauses (SCC) and certification under the EU-US Data Privacy Framework (DPF).
  • Vercom S.A. (EmailLabs) – Email delivery (Poland).
  • Anthropic – AI analysis for WCAG audits and GDPR scans (USA). Transfer based on Standard Contractual Clauses (SCC).
  • OpenAI – AI analysis for WCAG audits and GDPR scans (USA). Transfer based on Standard Contractual Clauses (SCC).
  • Google LLC – Web analytics via Google Analytics (USA). Transfer based on Standard Contractual Clauses (SCC) and certification under the EU-US Data Privacy Framework (DPF).
  • PostHog Inc. – Dashboard analytics and service usage research (USA). Transfer based on Standard Contractual Clauses (SCC).
  • State authorities, where required by law.

§ 8. Cookies

The Fox's Nest service uses the following cookies:

  • Session (JWT) – Authentication token. Duration: session. Category: necessary.
  • Refresh token – Authentication token refresh. Duration: 30 days. Category: necessary.
  • Cookie consent – Cookie consent preferences. Duration: 365 days. Category: necessary.
  • Google Analytics – Service usage analytics. Duration: 2 years. Category: analytics — only with user consent.
  • PostHog – Dashboard analytics and user behavior research. Duration: 365 days. Category: analytics — only with user consent.

You can manage cookies in your browser settings. Disabling necessary cookies may limit the functionality of the service.

§ 9. Data security

We apply the following security measures:

  • Encryption of data in transit using TLS/SSL.
  • Encryption of data stored on servers.
  • Access control and role-based permissions.
  • Regular security audits and software updates.
  • Pseudonymization of visitor identifiers (visitor_id).

§ 10. Data transfers outside the EEA

Some of our data processors are based in the USA. For each transfer of data outside the European Economic Area, we apply appropriate safeguards:

  • Stripe Inc. — Standard Contractual Clauses (SCC) and certification under the EU-US Data Privacy Framework (DPF).
  • Anthropic — Standard Contractual Clauses (SCC).
  • OpenAI — Standard Contractual Clauses (SCC).
  • Google LLC — Standard Contractual Clauses (SCC) and certification under the EU-US Data Privacy Framework (DPF).
  • PostHog Inc. — Standard Contractual Clauses (SCC).

Consent records are stored on servers located within the European Union.

The European Commission Implementing Decision of 10 July 2023 on the adequate level of protection of personal data under the EU-US Data Privacy Framework serves as an additional legal basis for data transfers to entities certified under the DPF.

§ 11. AI-based processing

As part of WCAG audit and GDPR scan services, we use artificial intelligence to analyze the accessibility of websites and their compliance with the GDPR.

Details regarding AI-based processing:

  • AI analyzes the structure of web pages for accessibility violations (WCAG 2.1/2.2) and GDPR compliance (cookies, tracking technologies, privacy policies).
  • We do not make automated decisions that affect the rights or freedoms of users.
  • AI providers: Anthropic (Claude) and OpenAI — data transfer based on Standard Contractual Clauses (SCC).
  • The user may request human review of AI-generated results.
  • The use of AI in the Service takes into account the requirements of Regulation (EU) 2024/1689 of the European Parliament and of the Council on artificial intelligence (AI Act). The AI systems used in the Service do not constitute high-risk AI systems.

§ 12. User website visitor data

Fox's Nest widgets (cookie banner, accessibility widget) collect data from visitors to the User's websites. In this regard, the User is the data controller and CALMFOX acts as the processor.

The detailed terms of data processing entrustment are set out in the Data Processing Agreement (DPA).

§ 13. Profiling

We do not profile users for the purpose of automated decision-making.

Anonymous aggregate statistics are used solely for the purpose of improving the service.

§ 14. Public data sharing

Certain features of the Service allow the User to share data publicly. Public data includes: the WCAG audit score displayed on the Badge, the public accessibility report, the developer task list shared via a token, and published AI Act declarations. The User independently decides to activate these features and can disable them at any time in the management panel.

§ 15. Changes to the Privacy Policy

We reserve the right to amend this Privacy Policy. We will notify you of significant changes by email with 14 days' advance notice.

Continued use of the service after changes take effect constitutes acceptance thereof.

§ 16. Contact

For matters related to personal data protection, please contact us:

  • Email: kontakt@calmfox.pl
  • Address: CALMFOX Sp. z o.o., ul. Długa 47, 85-034 Bydgoszcz