Legal documents

Cookies Policy

Version 2.1

This Policy sets out the rules for the use of cookies and similar technologies (including Web Push subscriptions) in the biurko.io service ("Biurko", "the Service"). The document complements the Privacy Policy.

The legal basis for the use of cookies is Art. 173 and 174 of the Polish Act of 16 July 2004 — Telecommunications Law, and, with respect to the processing of personal data, the GDPR. The Policy also takes into account the guidelines of PUODO of December 2024 on cookie banners (equally weighted Accept/Reject buttons, granular choice, ban on "dark patterns") and CJEU case law (e.g. judgment C-673/17 Planet49).

Table of Contents

1. What cookies are

Cookies are small text files saved by the web browser on the end device of the user (computer, tablet, smartphone). They allow, inter alia, recognition of the device, maintaining the session of the logged-in user, and ensuring the security of the application.

The Policy also covers similar technologies:

  • localStorage / sessionStorage (Web Storage API),
  • Web Push subscriptions (Push API + Service Worker),
  • web beacons (single-pixel images used to measure e-mail opens).

2. Categories of cookies used in the Service

As at the effective date of this Policy, the Service uses only essential cookies for the operation of the Service (so-called technical/session cookies). We do not use analytical, marketing, or advertising cookies.

Name Purpose Type Lifetime
biurko_session (or equivalent, depending on configuration) maintaining the session of the logged-in user session, essential 120 minutes of inactivity
XSRF-TOKEN protection against CSRF attacks session, essential duration of the session
locale remembering the chosen interface language persistent, essential 1 year
theme remembering the chosen theme (light/dark) persistent, essential 1 year

Technical cookies are essential for the proper operation of the Service and do not require user consent (Art. 173(3)(1) of the Telecommunications Law).

Categories of optional cookies that may be introduced in the future and will require active consent:

Category Purpose Requires consent Status
Functional remembering UI preferences (e.g. sidebar state) yes not used
Analytical anonymous usage statistics yes not used
Marketing personalisation of communication, measurement of campaign effectiveness yes not used

3. Web Push notifications

The Service provides a Web Push notifications feature (Push API + Service Worker) for events related to the Account and Invoices (e.g. delivery of UPO from KSeF, receipt of an e-invoice, payment status).

Web Push notifications:

  • are entirely optional — they require separate consent given in the browser's dialog box ("This site is asking to show notifications");
  • process the following technical data: the browser endpoint (URL of the browser provider's push server — e.g. fcm.googleapis.com for Chrome, updates.push.services.mozilla.com for Firefox), the public keys p256dh and auth generated by the browser;
  • do not contain advertising identifiers or marketing data;
  • may be disabled at any time in the browser settings ("Notifications") or in the Service panel (Account → Notifications).

Withdrawal of consent to Web Push is as easy as giving it (Art. 7(3) GDPR).

  • Essential (technical) cookies: Art. 173(3)(1) of the Telecommunications Law — cookies are necessary for the provision of the service requested by the user.
  • Analytical, functional and marketing cookies: user consent is required (Art. 173(1) of the Telecommunications Law and Art. 6(1)(a) GDPR). Not currently used — if deployed in the future, a consent banner described in section 6 will be displayed before activation, and this Policy will be updated with at least 14 days' notice.
  • Web Push subscriptions: user consent given in two stages — first in the browser (Push API mechanism), then accepted in the Service by the Service Worker.

5. Web Storage (localStorage / sessionStorage)

The Service may use Web Storage technologies (localStorage, sessionStorage) to store user preferences (e.g. chosen colour theme, UI panel state, progress in multi-step forms). This data is stored locally on the user's device and is not sent to the Controller's server.

Upon the deployment of optional cookies (analytical, functional, marketing), the Controller will launch a consent banner compliant with the guidelines of PUODO of December 2024 and of the European Data Protection Board (EDPB):

  1. Equally weighted buttons "Accept all" and "Reject all / Essential only" — the same visual level, colour and contrast (ban on "dark patterns").
  2. Granular choice — the possibility to consent to particular categories (functional / analytical / marketing), without having to opt out of all optional cookies.
  3. Active consent — by default all optional categories are disabled; no pre-selected checkboxes (confirmed by the CJEU judgment C-673/17 Planet49).
  4. No validation of consent "by scrolling" or by clicking on the page — interaction unrelated to the banner does not constitute consent.
  5. Easy withdrawal of consent — a "Cookie settings" link always available in the footer of the Service; withdrawal of consent is as easy as giving it (Art. 7(3) GDPR).
  6. Consent log — the Controller records the moment of giving / withdrawing consent, the selected categories, the version of the Cookies Policy in force at that time, and the user's IP address. This is required by Art. 7(1) GDPR (the ability to demonstrate that consent was obtained) and by EDPB Guidelines 05/2020 on consent.
  7. No obstacles to using the Service in the event of refusal of consent to optional cookies (excluding essential cookies, the disabling of which results in loss of functionality).

7. Managing cookies

The user may at any time:

  • disable or restrict cookies in the browser settings,
  • delete cookies already stored on the device,
  • configure the browser to inform of any attempt to save cookies,
  • withdraw consent to Web Push in the browser settings ("Notifications") or in the Service panel,
  • (after the deployment of optional cookies) use the "Cookie settings" banner in the footer of the Service.

Instructions for managing cookies in popular browsers:

Note: disabling essential cookies may result in inability to use the Service or its particular features (e.g. login).

8. Contact

For matters relating to the use of cookies please contact contact@itcompass.io.

9. Changes to the Policy

In the event of changes to the scope of cookies used (e.g. deployment of an analytics tool), this Policy will be updated, and users will be informed in the Service with at least 14 days' notice. The archive of versions is available at biurko.io/legal/polityka-cookies/archiwum.

Previous versions

ITCompass - ARTEM SHEVCHENKO · Katowice · contact@itcompass.io

Cookies

We use cookies to keep the service running and — with your consent — to improve it. You can accept all, reject the optional ones, or customize your choices. Cookie Policy