Cookie Policy
EPKO sp. z o.o.
Effective Date: 2026-05-13
Version 2.3
• Default: "Denied" - All Google Consent Mode v2 signals start disabled.
• Categories: 4 groups - Necessary, functional, analytical, marketing.
• Consent refresh: 30 days - The banner reappears every month (EDPB Guidelines 03/2022).
• Audit trail: 5 years - How long we keep the server-side consent log (with hashed IP).
Data controller
The data controller for personal data processed through cookies is:
EPKO Spółka z ograniczoną odpowiedzialnością (EPKO sp. z o.o.) - a Polish limited liability company
ul. Podleśna 2, 05-270 Marki, Poland
KRS: 0000908693 - District Court for the Capital City of Warsaw, 14th Commercial Division of the National Court Register
Tax ID (NIP): 1251720637
Statistical number (REGON): 389307530
Share capital: PLN 6,300.00 (fully paid up)
Data protection contact: biuro@epko.tech
A Data Protection Officer (DPO) has not been appointed - appointment is not mandatory in our case (Art. 37 GDPR). For data protection matters, please contact the controller directly at biuro@epko.tech.
Legal basis
The use of cookies on our website is based on the following legal provisions:
• Art. 398 of the Polish Electronic Communications Act of July 12, 2024 (Journal of Laws 2024, item 1221) - requirement to obtain consent for storing information on the user's end device or accessing such information. The Act entered into force on 10 November 2024 and replaced Art. 173 of the former Telecommunications Law.
• Art. 6(1)(a) GDPR - consent as the legal basis for processing personal data (analytical and marketing cookies)
• Art. 6(1)(f) GDPR - legitimate interest of the controller (cookies essential for website operation and cookieless server-side analytics)
• Directive 2002/58/EC (ePrivacy Directive) - European regulations on electronic communications; the Polish Electronic Communications Act is its national transposition
Cookies (and other forms of terminal-equipment storage) strictly necessary to provide the service you have requested do not require your consent (Art. 398(5)(2) of the Electronic Communications Act, previously Art. 173(3)(2) of the Telecommunications Law). All other categories require your prior, voluntary consent.
Consent management system
Our website uses a custom-built consent management system (Cookie Consent Banner v2) that:
• Appears automatically on your first visit
• Lets you choose exactly which cookie categories you consent to
• Provides "Accept all" and "Only necessary" buttons - both equally visible and accessible
• Allows detailed configuration through a settings panel
• Stores your preferences for 30 days, then asks again
• Works in both Polish and English
• Can be accessed at any time via the "Manage cookies" button in the footer
We do NOT use dark patterns on our website. We do not pre-check consent boxes, do not make it harder to refuse, and do not hide the option to reject cookies.
Google Consent Mode v2
Our website implements Google Consent Mode v2, ensuring compliance with EU regulations while using Google services. By default (before consent is given), all consent signals are set to "denied":
• ✗ analytics_storage - No analytical data stored
• ✗ ad_storage - No advertising data stored
• ✗ ad_user_data - No user data sent to Google Ads
• ✗ ad_personalization - No ad personalization
• ✓ functionality_storage - Essential functionality storage
• ✓ security_storage - Security-related storage
After you consent to analytical or marketing cookies, the corresponding signals are updated to "granted." Withdrawing consent immediately restores the "denied" status.
Prior blocking
Before you consent to analytical and marketing cookies, no third-party tracking scripts are loaded on the website. This applies to:
• Google Analytics (gtag.js) - the script only loads after you consent to analytical cookies
• Facebook Pixel (fbq) - the script only loads after you consent to marketing cookies
• TikTok Pixel (ttq) - the script only loads after you consent to marketing cookies
• Meta Conversions API (server-to-server) - data is sent only when the form was submitted with active marketing consent (event_id passed from the browser)
• Google Ads - the script only loads after you consent to marketing cookies
This means that on your first visit, your browser does not download or execute any third-party tracking scripts until you consciously consent. Google Consent Mode v2 runs in the background, so even after Google scripts load, the default consent signals remain set to "denied" until you decide.
Our cookieless server-side analytics (Umami, described below) operates independently of cookie consent. Umami does not write cookies or any other identifiers to your browser; it only reads the "umami.disabled" key in localStorage that you set yourself (opt-out mechanism). Its legal basis is Art. 6(1)(f) GDPR (legitimate interest), not consent.
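The default-denied signals and prior blocking described above, sketched as an added example (this is not EPKO's code). The stored record's field names (timestamp, preferences), the function names and the "google-ads" label are assumptions made for illustration; the signal names, tracker names and the 30-day lifetime come from this policy.

```javascript
// Added example: fail-closed consent evaluation. Record shape is an assumption.
const CONSENT_TTL_MS = 30 * 24 * 60 * 60 * 1000; // 30-day refresh stated in the policy

// Trackers from the prior-blocking list, keyed by the category that gates them.
const GATED_SCRIPTS = {
  analytical: ["gtag.js"],
  marketing: ["fbq", "ttq", "google-ads"],
};

// Parse the stored record; missing, malformed, expired or future-dated means "no consent".
function readConsent(raw, now) {
  let rec;
  try { rec = JSON.parse(raw); } catch { return null; }
  if (!rec || typeof rec !== "object" || typeof rec.timestamp !== "number") return null;
  if (now < rec.timestamp || now - rec.timestamp >= CONSENT_TTL_MS) return null;
  const p = rec.preferences;
  if (!p || typeof p !== "object") return null;
  // Only a literal boolean true counts; strings such as "true" are rejected.
  return { analytical: p.analytical === true, marketing: p.marketing === true };
}

// Map categories to Consent Mode v2 signals; every optional signal defaults to "denied".
function consentSignals(consent) {
  const g = (ok) => (ok ? "granted" : "denied");
  const c = consent || { analytical: false, marketing: false };
  return {
    analytics_storage: g(c.analytical),
    ad_storage: g(c.marketing),
    ad_user_data: g(c.marketing),
    ad_personalization: g(c.marketing),
    functionality_storage: "granted",
    security_storage: "granted",
  };
}

// Prior blocking: only scripts whose category was explicitly granted may be injected.
function scriptsToLoad(consent) {
  if (!consent) return [];
  return Object.keys(GATED_SCRIPTS)
    .filter((category) => consent[category])
    .flatMap((category) => GATED_SCRIPTS[category]);
}
```

In a browser, the raw value would come from localStorage.getItem("epko-cookie-consent") and the result of consentSignals would be passed to the Consent Mode default or update call before any gated script is injected.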
International data transfers
If you consent to analytical or marketing cookies, your data may be transferred to servers operated by Google LLC, Meta Platforms Inc. (USA), and TikTok (global infrastructure). Independent of cookies, selected technical server-side flows are handled by our processors (Supabase, Resend) - the full list is in the Privacy Policy.
Legal basis for data transfers:
• Google LLC - participates in the EU-U.S. Data Privacy Framework (DPF), ensuring an adequate level of data protection per the European Commission's adequacy decision
• Meta Platforms Ireland Limited - data processed in the EU by Meta Ireland; transfers to Meta Inc. (USA) based on Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework
• TikTok Technology Ltd (Ireland) - controller in the EU, global infrastructure. Transfer outside the EEA safeguarded by SCC.
Without your consent to the relevant cookie categories, no data is transferred to these advertising providers. For the full list of other processors (Supabase, Sanity, Resend, self-hosted n8n) please see Section 5 of the Privacy Policy.
Consent storage
Your cookie preferences are stored in two places - locally in your browser and on our server (audit trail). Both records are required by GDPR Art. 7(1) and Art. 5(2) (accountability principle).
9.1. Locally in your browser (localStorage)
• Key "epko-cookie-consent" - whether consent was given, timestamp, detailed preferences for each of the four categories, and consent system version. Expires after 30 days.
• Key "epko-cookie-consent-id" - a persistent, anonymous identifier (UUID) that links successive changes to your consent into a single audit trail. Stored until you clear your browser data.
• Key "umami.disabled" - optional opt-out flag for our cookieless Umami analytics. You set it yourself ("true" disables Umami); the script only reads it, never writes it. It is not created by us by default.
9.2. Server-side (consent_logs table)
Every decision you make (accept all, accept necessary, custom save, reset) is also written to our database. We log:
• Anonymous consent_id (links to localStorage, no identity attached)
• Consent payload (which categories were accepted)
• Policy version at the time of consent
• Action (accept_all / accept_necessary / custom_save / reset)
• Interface language, browser user-agent, referer
• Hashed IP address (SHA-256 with salt - we never store IP addresses in plain text)
• Date and time of the entry
The consent log is stored on Supabase infrastructure (Supabase Inc., Delaware, USA), acting as a processor under a Data Processing Agreement (DPA). The database is hosted physically in the EU region (Frankfurt). Any access from outside the EEA is safeguarded by the European Commission Standard Contractual Clauses (SCC) and the EU-U.S. Data Privacy Framework.
We retain the consent log for 5 years - the statute of limitations for civil claims under Polish law (Art. 118 of the Civil Code). Entries are deleted after this period.
9.3. After consent expires
After 30 days the consent banner reappears so you can update your preferences. This is in line with European Data Protection Board guidance (EDPB Guidelines 03/2022).
Your rights
Under the GDPR, you have the right to:
• Give or refuse consent for optional cookies (Art. 7 GDPR)
• Withdraw consent at any time - without affecting the lawfulness of prior processing (Art. 7(3) GDPR)
• Access information about processed data (Art. 15 GDPR)
• Rectify your data (Art. 16 GDPR)
• Erase your data, including cookies (Art. 17 GDPR)
• Restrict processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Object to processing (Art. 21 GDPR)
• Lodge a complaint with the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland, www.uodo.gov.pl
To exercise any of these rights, contact us at: biuro@epko.tech
For the server-side consent log (Section 9.2), the identifier linking your entries is the "epko-cookie-consent-id" key stored in your browser's localStorage. Without that identifier we cannot locate specific entries (the log does not contain your identity).
Changes to the Cookie Policy
We may update this Cookie Policy in response to changes in legislation, the technologies we use, or the development of our website.
We inform you about changes through:
• Updating the effective date and version number at the top of this document
• Refreshing consent every 30 days - the banner reappears with the then-current policy version (consistent with EDPB Guidelines 03/2022)
• Stamping the policy version in the server-side consent log - every entry shows which policy version was in force when consent was given
Change history:
• Version 1.0 (November 6, 2025) - initial Cookie Policy
• Version 2.0 (April 7, 2026) - expanded with legal bases, Google Consent Mode v2, prior blocking, and international data transfers
• Version 2.1 (April 26, 2026) - disclosed A/B tests under functional cookies (epko-ab-*), gated on functional consent
• Version 2.2 (May 13, 2026) - full GDPR/ePrivacy compliance audit: corrected cookie inventory (NEXT_LOCALE replaces epko-language, theme and epko-cookie-consent-id stored in localStorage), disclosed server-side consent log (consent_logs, 5y retention, hashed IP), disclosed Supabase as processor, clarified policy scope to include localStorage (ePrivacy Art. 5(3)), stated no DPO appointment (Art. 37 GDPR), identified consent_id as the handle for exercising Art. 15-17 GDPR rights against the server log, updated GA4 note (default IP anonymization), synced COOKIE_CONSENT_VERSION with the policy number
• Version 2.3 (May 13, 2026) - updated legal basis from Art. 173 of the Telecommunications Law (repealed on 10.11.2024) to Art. 398 of the Electronic Communications Act (Journal of Laws 2024, item 1221); removed LinkedIn cookies (li_sugr, bcookie, lidc, UserMatchHistory) from the inventory because the LinkedIn Insight Tag is not active on the site; added TikTok Pixel to the prior blocking list; described Meta Conversions API as a separate server-side conversion channel; added umami.disabled as a read-only opt-out key in the necessary category; clarified Supabase hosting (Frankfurt, EU) with SCC and DPF; expanded Section 8 to include TikTok and a reference to the Privacy Policy for the full processor list; removed em-dashes and en-dashes
Questions about cookies?
Write to us. Resetting consent, withdrawing your choice, accessing the server consent log by consent_id — we handle all of it.