Privacy & Cookies Policy
Last updated: 13 August 2025
At Templatero, your trust is our highest priority. We collect only the data we genuinely need, never sell personal information, and design every feature with privacy by default. This straightforward policy tells you—in plain language—what we collect, why we collect it, how we protect it, and which rights you can exercise at any moment. If anything remains unclear, simply write to us; we will be happy to help.
The controller of your personal data is Łukasz Sikorski, conducting business under the name Łukasz Sikorski, with its registered office at Strycharska 15/4, 25-659 Kielce, Poland. NIP (Tax ID): 9591708763, REGON (Statistical ID): 361970523. You can contact the data controller via email at hello@templatero.com or via the contact form.
Data Protection Officer (DPO): Not appointed. Based on our current operations, we do not conduct large‑scale, regular and systematic monitoring, nor process special categories of data on a large scale. We periodically review this assessment. If we appoint a DPO, we will update this Policy with their contact details and notify the competent authority.
Contact Form
Type of data: name and surname, email address, message content, date/time.
Purpose: to reply to your enquiry and maintain correspondence; in some cases to take steps at your request before entering into a contract (e.g., product availability, quote).
Legal basis: our legitimate interest to respond to enquiries (Art. 6(1)(f) GDPR) and—where your enquiry relates to an order or pre-contractual steps—contractual necessity (Art. 6(1)(b) GDPR).
Live chat (Smartsupp)
Type of data: chat transcript, optionally your name or email (if provided), session metadata (browser, operating system, country/city, timestamp) and chat status.
Purpose: real‑time support and customer service.
Legal basis: legitimate interest (Art. 6(1)(f) GDPR) to provide support. Cookies used by the chat widget are treated as functional and require your consent under the cookie banner before they load.
Consent management (Cookiebot by Usercentrics)
Type of data: truncated IP address, consent ID, browser type, country, timestamp, consent status.
Purpose: to record and reproduce your cookie preferences and comply with legal obligations.
Legal basis: legal obligation (Art. 6(1)(c) GDPR) and legitimate interest (Art. 6(1)(f) GDPR).
Statistics (Google Analytics 4 – GA4)
Type of data: device and browser information, operating system, pages viewed and time on page, referrer URL, general location (country/city). GA4 does not log or store IP addresses; data from EU-based devices is collected via EU domains/servers.
Purpose: audience measurement and site improvement.
Legal basis: your consent given via the Cookiebot banner (Art. 6(1)(a) GDPR).
Retention in GA4 property: 14 months (unless a shorter period is set).
Opt-out: you can withdraw your consent at any time via the cookie settings.
Behaviour analytics (Hotjar)
Type of data: interaction data (clicks, taps, scrolls, mouse movements), pages visited and timestamps, referrer, device and browser information (device type, OS, screen size), country/city (no precise GPS), console errors; a pseudonymous Hotjar User ID; first‑party cookies and local/session storage items. Keystrokes in input fields are suppressed by default and not sent to Hotjar. Hotjar respects the Do Not Track browser signal.
Purpose: to understand aggregate behaviour (heatmaps, session recordings) and to collect optional feedback/surveys so we can improve UX and troubleshoot issues.
Legal basis: your consent given via the Cookiebot banner (Art. 6(1)(a) GDPR).
Retention: recordings & heatmaps kept up to 365 days from capture, then deleted; survey responses remain until we remove them.
Server logs (hosting – Framer)
Hosting provider: Framer B.V. (see also Processors below).
Type of data: truncated or anonymised IP address, URL, headers, date/time, error codes.
Purpose: to secure the website (fraud/abuse prevention, debugging) and for operational continuity.
Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
Retention: typically up to 30 days unless needed to investigate incidents.
Payments & billing (Lemon Squeezy — Merchant of Record)
Type of data: name, email, billing address and country, order details (product, price, currency), invoice data, refund/support history, and anti‑fraud/session identifiers. Card details are handled by Lemon Squeezy; we do not store full card numbers.
Purpose: process orders and subscriptions, issue invoices, handle taxes and compliance, fraud prevention, chargebacks and refunds, customer support.
Legal basis: contract performance (Art. 6(1)(b)), legal obligation for invoicing/tax (Art. 6(1)(c)), and legitimate interest in fraud prevention (Art. 6(1)(f)).
Role: Lemon Squeezy acts as Merchant of Record and independent data controller for checkout, payments and tax; we receive only the information necessary to deliver your purchase and provide support.
Email marketing (Lemon Squeezy)
Type of data: email address, name (optional), subscription status, campaign events (e.g., opens, clicks, bounces, unsubscribes), timestamp and technical headers required for delivery.
Purpose: send newsletters, product updates and offers; measure aggregate performance to improve messaging.
Legal basis: your consent (Art. 6(1)(a)); you can withdraw it at any time via the unsubscribe link or Cookie settings (where applicable).
Anti-spam: we permit only permission‑based emails; abuse may be reported via any campaign footer.
We use first‑party cookies and similar technologies (local/session storage). On your first visit you will see our consent banner (Cookiebot) where you can Accept all, Reject non‑essential or Customise your choices. You can change settings at any time via the Cookie settings button or your browser options.
Categories:
Necessary – enable the basic operation and security of the site; set without your consent. This includes third‑party cookies strictly necessary for checkout when you initiate payment via Lemon Squeezy (e.g., session and fraud‑prevention cookies on lemonsqueezy.com).
Preference/functional – remember your settings (e.g., language, chat state); require consent.
Analytics – help us understand how you use the site (GA4 and Hotjar); set only with your consent.
On your first visit you will see a Cookiebot banner where you can:
Accept all categories,
Reject non‑essential cookies,
Customise your choices in detail.
You can later change your settings by clicking the “Cookie settings” button or via your browser options.
Global privacy signals: If your browser sends a Global Privacy Control (GPC) or similar recognized opt‑out signal, we treat it as an opt‑out of non‑essential cookies and (for US residents where applicable) as a request to opt out of sale/sharing/targeted advertising.
We do not sell or trade your personal data. We only share data with trusted service providers:
Framer B.V.: website and form hosting + CDN (servers in the EU and USA; transfers safeguarded by EU Standard Contractual Clauses).
CyberFolks S.A. (Poland): email hosting (Poland; data‑processing agreement).
Google LLC (Google Analytics 4): statistics (collection for EU users via EU domains/servers; processing in other locations may occur; SCCs + no IP logging).
Usercentrics A/S (Cookiebot): consent management (EU; SCCs, where applicable).
Smartsupp.com s.r.o.: live chat (EU; data‑processing agreement).
Hotjar Ltd. (Malta/EU): behaviour analytics (data stored in Ireland/EU on AWS eu‑west‑1; SCCs for any extra‑EEA access).
Lemon Squeezy LLC (USA): Merchant of Record for checkout, payments, taxes and fraud prevention (independent controller for buyer/payment data); and email marketing provider (processor) when we send campaigns.
We may disclose data where required by law or to protect our rights, users or the public.
Contact form messages: up to 12 months after the last correspondence.
Smartsupp chat transcripts: up to 12 months.
Cookiebot consent logs: 12 months.
Google Analytics data: 14 months.
Hotjar recordings & heatmaps: up to 365 days; Hotjar surveys/feedback: retained until deleted.
Server logs: up to 30 days (unless required longer for security investigations).
Orders, invoices and payment records (via Lemon Squeezy): retained for the period required by applicable tax and accounting laws (typically several years). We keep only the minimum necessary order information for customer service and warranty/entitlement purposes.
You have the right to access your data; to rectify or erase it; to restrict or object to processing; to data portability; and to withdraw consent at any time (without affecting the lawfulness of processing before withdrawal). You also have the right to lodge a complaint with your supervisory authority (in Poland: the President of the Personal Data Protection Office – UODO).
How to exercise: email us at hello@templatero.com or use the contact form.
Automated decision‑making: We do not use decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.
Some providers (e.g., Google, Framer) may transfer data outside the European Economic Area. Such transfers occur only with appropriate safeguards, such as the European Commission’s Standard Contractual Clauses (SCCs) or other GDPR‑compliant mechanisms.
Lemon Squeezy LLC (USA): where we use Lemon Squeezy, data may be transferred to the United States and other locations necessary to provide payments and email services. Such transfers are based on SCCs and other appropriate safeguards.
We apply technical and organisational measures appropriate to the risk, including HTTPS/TLS, access controls, least‑privilege permissions, logging and monitoring, and data minimisation. No method of transmission or storage is 100% secure.
This section supplements the information above and applies to residents of certain US states with privacy laws (e.g., California CCPA/CPRA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Virginia VCDPA, and similar laws that may take effect). Terms such as “sell,” “share,” and “targeted advertising” have the meanings given in applicable laws.
Categories of personal information we collect
Identifiers: name, email address (you provide directly), billing address (for orders via Lemon Squeezy).
Commercial information: products purchased, order value, currency, subscription status (via Lemon Squeezy).
Internet / electronic activity: pages visited, interactions, session diagnostics (via GA4/Hotjar with your consent).
Geolocation (general): country/city derived from IP at collection time (we do not retain IP addresses).
Inferences: we do not create inferences about you for marketing.
Sources
Directly from you; automatically via cookies/SDKs (with consent); from our service providers acting on our behalf.
Purposes
Providing and securing the service; communicating with you; analytics and service improvement; managing consent.
Disclosures for a business purpose
We disclose the above categories to our service providers listed in Processors solely to operate our services.
Selling or sharing personal information / targeted advertising
We do not sell personal information and we do not share it for cross‑context behavioral advertising. We do not engage in targeted advertising.
Sensitive personal information
We do not collect or use “sensitive” personal information as defined by applicable state laws.
Retention
As specified in Data retention periods above (e.g., GA4 14 months; Hotjar up to 365 days; contact/chat up to 12 months).
Your US state privacy rights
Depending on your state, you may have the right to know/access, correct, delete and port your data, to opt out of sale/sharing/targeted advertising, and to appeal a decision (where we decline to act). We will not discriminate against you for exercising these rights.
How to exercise: email hello@templatero.com or use the contact form. For California, you may also use an authorized agent to submit requests. If we deny your request, you may submit an appeal by replying to our decision; instructions will be provided in our response.
Global Privacy Control (GPC): we honor browser‑based opt‑out signals. When detected, we treat them as a request to opt out of sale/sharing/targeted advertising and as a request to disable non‑essential cookies.
We may amend this Policy to reflect changes in law, our technology or how we operate. The “Last updated” date shows the version currently in force. Significant changes will be announced on the site.
Questions about this Policy or your data? Contact us at hello@templatero.com or via the contact form.