1. Legal Framework
This Cookie Policy complies with:
- ePrivacy Directive 2002/58/EC, Article 5(3): prior consent required for storing or accessing information on terminal equipment, except for strictly necessary purposes
- GDPR Article 4(11): valid consent must be freely given, specific, informed, and unambiguous
- CJEU Planet49 ruling (C-673/17, October 2019): pre-checked boxes are invalid; active affirmative consent is required
- Polish Telecommunications Law (Prawo telekomunikacyjne) of 16 July 2004: implementation of the ePrivacy Directive, enforced by UODO
- EDPB Guidelines 05/2020 on consent and EDPB Guidelines 03/2022 on dark patterns
Note: Legislative proposals under consideration at EU level (including the Digital Omnibus package and the long-pending ePrivacy Regulation) may in future introduce standardised cookie banner formats and mandatory recognition of automated privacy signals. Until any such amendments enter into force, current rules under the ePrivacy Directive and GDPR fully apply. We do not treat pending proposals as if they were already in force.
2. What Are Cookies and Tracking Technologies
Under the ePrivacy Directive and EDPB guidelines, "cookies" encompasses any technology that stores or accesses information on a user's terminal equipment, including:
- HTTP cookies and Flash cookies
- LocalStorage and sessionStorage
- Device fingerprinting and pixel tags
- Mobile identifiers (IDFA, AAID)
- Any other tracking or storage technology operating on the same legal basis
3. Consent Requirements
3.1 Valid Consent Criteria
Per Article 4(11) GDPR and EDPB enforcement guidance, consent must be:
- Freely given: No cookie walls conditioning access to the Service on acceptance of non-essential cookies. Consent must not be a precondition for using the Service.
- Specific: Granular consent by purpose. Analytics and advertising must be consented to separately and independently.
- Informed: Clear information on purposes, duration, and third parties must be provided before consent is collected.
- Unambiguous: A clear affirmative action is required. Implied consent via scrolling, continued browsing, or inactivity is not valid.
3.2 Equal Prominence
Consistent with CNIL enforcement practice and EDPB Guidelines 03/2022 on dark patterns, our consent interface provides:
- "Accept All" and "Reject All" buttons with identical size, colour weight, and visual hierarchy — no asymmetry that makes rejection harder
- The same number of clicks to accept or to reject all non-essential cookies
- No pre-ticked boxes for any cookie category
- No manipulative design, misleading wording, or emotional nudging
4. Cookie Categories
🔒 Essential Cookies (Strictly Necessary): No Consent Required
Placed on the basis of the Article 5(3) ePrivacy Directive exception for cookies strictly necessary for the provision of a service explicitly requested by the user. These cannot be disabled without impairing the functionality of the Service.
- Session management and authentication
- Security, fraud prevention, and bot detection
- Load balancing and network routing
- User interface customization essential to service delivery (e.g., accessibility preferences)
Legal basis: Article 5(3) ePrivacy Directive — strictly necessary exception. No consent banner is shown for these cookies.
📊 Analytics Cookies
Used to measure and understand how visitors interact with our website. No data collected under this category is used for advertising profiling.
- Google Analytics 4 — IP anonymization enabled; data retention set to 14 months
- First-party analytics in privacy-focused configuration
- Performance monitoring and error tracking
National requirements vary: Germany requires consent for all analytics cookies without exception. Our default approach requires consent in all jurisdictions. Legal basis where consent given: Article 6(1)(a) GDPR.
📢 Marketing & Advertising Cookies
Used to deliver relevant advertising, track ad performance, and build behavioural profiles across sessions and sites.
- Behavioural advertising and retargeting
- Social media pixels (Facebook, LinkedIn)
- Cross-site ad performance measurement
Targeting based on special categories of data (racial or ethnic origin, health, political opinions, etc.) is prohibited under Article 26 DSA and Article 9 GDPR. Legal basis where consent given: Article 6(1)(a) GDPR.
⚙️ Functional & Preference Cookies
Enable enhanced functionality and personalization that is useful but not strictly necessary for the Service to operate.
- Language and regional format preferences
- Theme settings (dark / light mode)
- Non-essential user interface customizations
Legal basis where consent given: Article 6(1)(a) GDPR.
5. Consent Management
5.1 Consent Records
Under the Article 7(1) GDPR accountability requirement, we maintain consent logs including:
- Timestamp and date of consent action
- Categories accepted or rejected
- Version of the consent banner displayed at time of consent
- Anonymized or pseudonymized user identifier
Consent records are retained for 3 years from the date of consent, to demonstrate compliance with Article 7(1) GDPR.
5.2 Withdrawal of Consent
Withdrawal must be as easy as giving consent (Article 7(3) GDPR):
- Preference centre accessible via the "Cookie Settings" link in our website footer — available on every page
- Withdrawal takes effect immediately; no cookies continue to operate after a valid withdrawal
- No detriment to the user — the Service remains functional for all essential features after withdrawal
6. Third-Party Processors
| Processor | Purpose | Data Location | Safeguards |
|---|---|---|---|
| Google Analytics 4 | Website analytics | EU / US (DPF + SCCs) | IP anonymization, 14-month retention limit, DPA |
| Cloudflare | CDN, security, DDoS protection | Global (EU SCCs) | DPA, EU Standard Contractual Clauses |
| Stripe | Payment processing | EU / US (DPF + SCCs) | PCI-DSS Level 1, DPA |
Note: The EU–US Data Privacy Framework (DPF) adequacy decision was upheld by the EU General Court on 3 September 2025 (Case T-553/23). An appeal has been pending before the CJEU since 31 October 2025. The adequacy decision remains fully operative during the appeal. Standard Contractual Clauses (Commission Decision 2021/914) are maintained as a parallel safeguard for all US transfers.
7. Automated Privacy Signals
We respect the Global Privacy Control (GPC) browser signal as an expression of the user's opt-out preference for non-essential cookies, where technically feasible. We also respect Do Not Track (DNT) signals on a best-efforts basis.
Note: Mandatory recognition of automated privacy signals is not currently required under EU law. Our respect for GPC and DNT signals reflects a voluntary compliance position adopted in advance of any future legislative requirement. We do not represent this as a legal obligation until it becomes one.
8. Cookie Duration
- Session cookies: Deleted automatically when the browser is closed; no persistent identifier is stored
- Persistent cookies: Maximum duration of 12 months, in line with EDPB recommendations; strictly necessary security cookies may persist longer where technically required
- Consent renewal: Users are re-prompted after 6 months, or earlier where the purposes or processors have changed materially
9. Your Rights
Under GDPR and Polish law, in relation to personal data processed through cookies you have the right to:
- Access your data (Article 15 GDPR)
- Withdraw consent at any time (Article 7(3) GDPR) — via the Cookie Settings link in the footer
- Object to processing based on legitimate interests (Article 21 GDPR)
- Request erasure of your data (Article 17 GDPR)
- Lodge a complaint with UODO (uodo.gov.pl) or your national supervisory authority
For all data subject requests, contact us at legal@cardiac-purr.com. We will respond within 30 days.
10. Updates and Contact
We update this Cookie Policy to reflect changes in our use of cookies, applicable law, and regulatory enforcement guidance. The "Last Updated" date at the top of this page indicates the date of the most recent revision. We do not treat pending EU legislative proposals as if they are already in force.
| Contact | Details |
|---|---|
| Data Protection Officer | 2info sp. z o.o. trading as Cardiac Purr |
| Email | legal@cardiac-purr.com |
| Address | Grunwaldzka 10/1, 31-526 Kraków, Poland |
| Website | cardiac-purr.com |
| Polish Supervisory Authority | UODO — Urząd Ochrony Danych Osobowych |
| Address | ul. Stawki 2, 00-193 Warszawa, Poland |
| Website | uodo.gov.pl |