Fox's Nest Privacy Policy
Last updated: 14 February 2026
§ 1. General Information
This Privacy Policy describes how CALMFOX Sp. z o.o. processes personal data in connection with the use of the Fox's Nest service available at foxsnest.com.
The data controller is CALMFOX Sp. z o.o., ul. Dluga 47, 85-034 Bydgoszcz, Poland, KRS: 0001163844, NIP: 9532810342. Contact: contact@foxsnest.com.
§ 2. Controller vs Processor Role
CALMFOX Sp. z o.o. has a dual role with respect to personal data processing:
- Data Controller – For personal data of service users — account data, billing data, and data related to service operation. Legal bases: Art. 6(1)(b), (c), and (f) GDPR.
- Data Processor – For visitor data collected through Fox's Nest widgets (cookie banner, accessibility widget) on users' websites. The user is the data controller for this data.
Processing of visitor data is governed by a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR, which forms an integral part of the Terms of Service.
§ 3. Types of Data Processed
We process the following categories of personal data:
- Account Data – Email address, name (optional), company name, tax ID (NIP) for invoices, password (hashed with bcrypt).
- Payment Data – Payments are processed by Stripe Inc. We do not store credit card numbers — we only retain transaction references and Stripe subscription identifiers.
- Authentication Data – 2FA codes (if enabled), social login tokens (Google, GitHub).
- Technical Data – IP address, user agent, browser language, screen resolution, timezone.
- Consent Records (Cookies) – Pseudonymized visitor identifier (visitor_id, 64 characters), consent choices, timestamp, page URL path.
- WCAG Audit Data – Scanned page URLs, accessibility scores, violation details.
§ 4. Purposes of Data Processing
We process personal data for the following purposes:
- Provision of the Fox's Nest service — legal basis: Art. 6(1)(b) GDPR (performance of a contract).
- User account management — legal basis: Art. 6(1)(b) GDPR (performance of a contract).
- Payment and subscription processing — legal basis: Art. 6(1)(b) GDPR (performance of a contract).
- Compliance with legal obligations, including invoicing and tax reporting — legal basis: Art. 6(1)(c) GDPR (legal obligation).
- Service improvement and usage analysis — legal basis: Art. 6(1)(f) GDPR (legitimate interest).
- Security and fraud prevention — legal basis: Art. 6(1)(f) GDPR (legitimate interest).
- Marketing communications — legal basis: Art. 6(1)(a) GDPR (consent). Consent may be withdrawn at any time.
§ 5. Data Retention Period
We retain personal data for the following periods:
- Account data: duration of service + 30 days after account deletion.
- Consent records (cookies): 24 months — required as proof of consent under GDPR.
- WCAG audit results: 12 months.
- Page tracking data: 12 months.
- Invoices and billing data: 5 years (Polish tax law requirement).
- Server logs: 90 days.
- Marketing consents: until withdrawal.
- Cookies: session (authentication) to 365 days (consent preferences).
§ 6. User Rights
Under the GDPR, you have the following rights:
- Right of access – The right to obtain information about your personal data being processed (Art. 15 GDPR).
- Right to rectification – The right to correct inaccurate or incomplete data (Art. 16 GDPR).
- Right to erasure – The right to request deletion of your data (Art. 17 GDPR). Account deletion is available in your account settings.
- Right to restriction – The right to restrict processing of your data in certain circumstances (Art. 18 GDPR).
- Right to portability – The right to receive your data in a structured, commonly used, machine-readable format (Art. 20 GDPR).
- Right to object – The right to object to processing based on legitimate interest (Art. 21 GDPR).
- Right to withdraw consent – The right to withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal (Art. 7(3) GDPR).
- Right to lodge a complaint – The right to file a complaint with UODO (Polish Data Protection Authority) or another competent supervisory authority.
To exercise any of these rights, please contact us at: contact@foxsnest.com.
§ 7. Data Recipients
Personal data may be shared with the following categories of recipients:
- Stripe Inc. – Payment processing (USA). Transfer based on Standard Contractual Clauses (SCC).
- Vercom S.A. (EmailLabs) – Email delivery (Poland).
- Anthropic – AI analysis for WCAG audits (USA). Transfer based on Standard Contractual Clauses (SCC).
- OpenAI – AI analysis for WCAG audits (USA). Transfer based on Standard Contractual Clauses (SCC).
- Google LLC – Website analytics via Google Analytics (USA). Transfer based on Standard Contractual Clauses (SCC).
- State authorities, when required by applicable law.
§ 8. Cookies
The Fox's Nest service uses the following cookies:
- Session (JWT) – Authentication token. Duration: session. Category: essential.
- Refresh token – Authentication token refresh. Duration: 30 days. Category: essential.
- Cookie consent – Cookie consent preferences. Duration: 365 days. Category: essential.
- Google Analytics – Service usage analytics. Duration: 2 years. Category: analytics — with user consent only.
You can manage cookies in your browser settings. Disabling essential cookies may limit the functionality of the service.
§ 9. Data Security
We implement the following security measures:
- TLS/SSL encryption for data in transit.
- Encryption of data at rest on our servers.
- Access control and role-based permissions.
- Regular security audits and software updates.
- Pseudonymization of visitor identifiers (visitor_id).
§ 10. Data Transfers Outside the EEA
Some of our data processors are located in the USA. For every transfer of personal data outside the European Economic Area, we ensure appropriate safeguards are in place:
- Stripe Inc. — Standard Contractual Clauses (SCC).
- Anthropic — Standard Contractual Clauses (SCC).
- OpenAI — Standard Contractual Clauses (SCC).
- Google LLC — Standard Contractual Clauses (SCC).
Consent records are stored on servers located within the European Union.
§ 11. AI-Assisted Processing
As part of the WCAG audit service, we use artificial intelligence to analyze website accessibility.
Details regarding AI-assisted processing:
- AI analyzes website structure for accessibility violations (WCAG 2.1/2.2).
- No automated decisions are made that affect users' legal rights or freedoms.
- AI providers: Anthropic (Claude) and OpenAI — data transfers based on Standard Contractual Clauses (SCC).
- Users may request a human review of AI-generated results.
§ 12. Visitor Data on User Websites
Fox's Nest widgets (cookie banner, accessibility widget) collect visitor data on users' websites. In this context, the user is the data controller, and CALMFOX acts as the data processor.
Detailed rules for data processing are set out in our Data Processing Agreement (DPA).
§ 13. Profiling
We do not profile users for the purpose of automated decision-making.
Anonymous aggregate statistics are used solely for the purpose of service improvement.
§ 14. Changes to Privacy Policy
We reserve the right to amend this Privacy Policy. We will notify you of material changes via email at least 14 days in advance.
§ 15. Contact
For inquiries related to personal data protection, please contact us:
- Email: kontakt@foxsnest.com
- Address: CALMFOX Sp. z o.o., ul. Długa 47, 85-034 Bydgoszcz