PeekDesk Privacy Policy
Effective from 25 February 2026
§ 1 Data Controller
The controller of personal data is:
Life Automation Przemysław Wywigacz
ul. Morska 6C/18, 84-240 Reda
NIP: 7422089612, REGON: 363795969
E-mail: hello@peekdesk.com
For any matters related to the processing of personal data, you may contact the Controller at the e-mail address provided above.
§ 2 Purposes and Legal Bases of Processing
Personal data is processed on the following legal bases:
| Purpose of Processing | Legal Basis (GDPR) |
|---|---|
| Provision of services (Account registration, handling co-browsing sessions, managing subscriptions) | Art. 6(1)(b) — performance of a contract or taking steps prior to entering into a contract |
| Ensuring the security of the Service, detecting abuse, maintaining system logs | Art. 6(1)(f) — legitimate interests of the Controller |
| Handling complaints and claims, tax and accounting settlements | Art. 6(1)(c) — compliance with a legal obligation incumbent on the Controller |
§ 3 Categories of Data
The Controller processes the following categories of personal data:
Account Data
- E-mail address (account identifier).
- Password hash (bcrypt) — the Controller does not store passwords in plain text.
Technical Data
- IP address.
- Browser User-Agent header.
Co-browsing Session Data
- DOM (Document Object Model) snapshots of the web page shared during a session — transmitted in real time between session participants.
Data We Do NOT Process
The Service does not record and does not store:
- audio or video recordings;
- third-party cookies of websites visited by Users;
- co-browsing session content after the session ends (DOM snapshots are not saved on the server).
§ 4 Data Recipients
Personal data may be disclosed to the following categories of recipients:
| Recipient | Scope of Data | Purpose |
|---|---|---|
| Hetzner Online GmbH (Germany) | All data processed on the server | Server infrastructure hosting |
| Stripe, Inc. | Data necessary for payment processing | Payment processing for the Pro Plan |
Data may also be disclosed to public authorities where required by applicable law.
§ 5 Data Transfers Outside the EEA
- The Service's servers are located in Germany (Hetzner Online GmbH), i.e. within the European Economic Area (EEA).
- The payment processor Stripe may process data on servers in the USA. Such transfer is carried out on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission and/or an adequacy decision (EU-US Data Privacy Framework).
- The Controller does not transfer data to third countries other than as described above.
§ 6 Retention Period
| Category of Data | Retention Period |
|---|---|
| Account data (e-mail, password hash) | For the duration of the service + 3 months after account deletion |
| Co-browsing session data (DOM snapshots) | Not stored — transmitted in real time only |
| System logs (IP, User-Agent) | 90 days |
| Billing data (invoices) | In accordance with tax legislation (5 years from the end of the tax year) |
§ 7 Rights of Data Subjects
Under the GDPR, you are entitled to the following rights:
- Right of access — to obtain information about the processing of your data and a copy of such data (Art. 15 GDPR).
- Right to rectification — to request correction of inaccurate data or completion of incomplete data (Art. 16 GDPR).
- Right to erasure — to request deletion of data where they are no longer necessary for the purposes for which they were collected (Art. 17 GDPR).
- Right to restriction of processing — to request restriction of processing in the cases specified in Art. 18 GDPR.
- Right to data portability — to receive data in a structured format and to have them transmitted to another controller (Art. 20 GDPR).
- Right to object — to object to processing based on the legitimate interests of the Controller (Art. 21 GDPR).
- Right to withdraw consent — at any time, without affecting the lawfulness of processing carried out prior to the withdrawal (Art. 7(3) GDPR).
- Right to lodge a complaint — with the supervisory authority:
President of the Personal Data Protection Office (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
uodo.gov.pl
To exercise the above rights, please contact us at: hello@peekdesk.com. A response will be provided without undue delay, and no later than one month from receipt of the request.
§ 8 Cookies and localStorage
- The Service does not use tracking cookies or advertising cookies.
- The Service uses the browser's localStorage mechanism solely for the purpose of storing the JWT (JSON Web Token) required to maintain the User's login session.
- The JWT is stored locally in the User's browser and transmitted to the server in HTTP headers for authentication purposes.
- The Service does not use third-party analytics tools (e.g. Google Analytics) or tracking pixels.
§ 9 Data Security
The Controller implements appropriate technical and organisational measures to ensure the security of processed data, including in particular:
- Encryption in transit — all communication is conducted via the TLS (HTTPS) and WSS (WebSocket Secure) protocols.
- Password hashing — passwords are stored as salted bcrypt hashes, making them unreadable.
- JWT tokens — authentication relies on JWT tokens with a limited validity period.
- Access control — access to data on the server is restricted to the minimum necessary for the provision of the service (principle of least privilege).
- Session isolation — co-browsing session data is transmitted only between participants of the given session and is not stored on the server.
§ 10 Profiling and Automated Decision-Making
The Controller does not engage in profiling or automated decision-making within the meaning of Art. 22 GDPR. Personal data is not used to create behavioural profiles or to make decisions producing legal effects with respect to Users.
§ 11 Changes to the Privacy Policy
- The Controller reserves the right to update this Privacy Policy in the event of changes in applicable law, the scope of services provided, or the technical solutions used.
- Users will be notified of material changes by electronic means (to the e-mail address associated with their Account) at least 14 days before the changes take effect.
- The current version of the Privacy Policy is always available on the Service's website.
- Date of last update: 25 February 2026
§ 12 Microsoft Clarity
The Service uses Microsoft Clarity — a user behaviour analytics tool provided by Microsoft Corporation.
Scope of Data Collected
- Mouse movements, clicks, and page scrolling.
- Pages visited and time spent on each page.
- Heatmaps of interactions with page elements.
- Session recordings (visual playback of interactions without personal data).
Purpose of Processing
Data collected by Microsoft Clarity is used exclusively to improve user experience (UX) and to optimise the Service's interface.
Data Processor
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA.
Legal Basis
Art. 6(1)(f) GDPR — legitimate interests of the Controller consisting in analysing how the Service is used in order to improve it.
Opt-out
Users may block the operation of Microsoft Clarity through appropriate browser settings (e.g. script blocking) or by using the opt-out mechanism. More information: clarity.microsoft.com.
§ 13 Google Tag Manager
The Service uses Google Tag Manager — a tag management system provided by Google LLC.
Nature of the Tool
Google Tag Manager itself does not collect personal data. It is a technical tool used to manage other analytics and marketing tags deployed on the Service. Tag Manager facilitates the deployment and updating of scripts without requiring modifications to the website's source code.
Data Processor
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Legal Basis
Art. 6(1)(f) GDPR — legitimate interests of the Controller consisting in the efficient management of analytics tools on the Service.
§ 14 Google Analytics 4
The Service uses Google Analytics 4 (GA4) — a web analytics service provided by Google LLC.
Scope of Data Collected
- Page views and events (clicks, scrolling, form interactions).
- Session data (duration, traffic source, navigation path).
- Approximate location (country, city) based on IP address.
- Device information (device type, browser, operating system, screen resolution).
Purpose of Processing
Analysis of traffic on the Service, research into User behaviour, and optimisation of the Service's functionality and content.
Data Processor
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data may be transferred to the USA on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission.
Legal Basis
Art. 6(1)(a) GDPR — consent of the User provided via the cookie management mechanism.
Cookies
Google Analytics 4 uses the following cookies:
- _ga — user identifier, validity: 14 months.
- _ga_* — session identifier, validity: 14 months.
Data Retention Period
Data is retained for a period of 14 months from the User's last activity.
IP Anonymisation
The Service has IP address anonymisation enabled, meaning that Google truncates the User's IP address before storing it.
Opt-out
Users may opt out of Google Analytics tracking in the following ways:
- Changing cookie settings on the Service (consent management mechanism).
- Installing a browser add-on that blocks Google Analytics: Google Analytics Opt-out Browser Add-on.
- Blocking cookies in the browser settings.