Privacy & Cookie Policy
Effective as of: June 26th, 2026
Dear Customer,
We make every effort to ensure the security and confidentiality of your data. We care about your privacy - when you visit our website www.jsdojo.io (the “Website”), register an account and use our services, join our waitlist or newsletter, contact us, or visit our social media channels. We act in compliance with the law, including provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46/EC (the “GDPR”).
In this document, we would like to provide you with essential information about your personal data processing. For the sake of clarity, we have put them together in the form of questions and answers. All of this is to let you know why, on what basis and for how long we process your data, as well as who can access it and what rights you have.
How do we access your personal data?
Using the Website, you may be asked to provide personal data. Providing it is voluntary, but in certain situations necessary - for example, without your email address we cannot register your account, add you to the waitlist/newsletter, or answer a question you send us.
Some data is collected automatically through cookies during your visit (e.g. IP address, browser type, operating system). We use them to operate the Website, provide hosting services, and - with your consent - to measure usage and create relevant marketing conten. You can block or restrict cookies via your browser settings, and you can accept, reject, or later change your choice at any time using the “Cookie settings” link in our footer.
Who is the controller of your personal data?
The controller of your personal data is “Imagined Things“ Tomasz Wasilonek, with registered office at ul. Wyczółkowskiego 7, 04-682 Warszawa, Poland, NIP (tax id): 9521997532, REGON: 142233168. For any questions or to exercise your rights, contact us at legal@jsdojo.io.
For what purpose, on what legal basis, and for how long do we process your data?
We process your personal data:
- To provide and perform our service - to register and maintain your account, save your code drafts and learning progress, run the exercises, and sign you in (including via Google or GitHub):
legal basis: the processing is necessary for compliance with a legal obligation to which we are subject (Article 6(1)(c) of the GDPR); processed until your account is deleted / the service ends. - To comply with tax and accounting obligations - if and when you purchase a paid plan (we do not currently charge for the service):
legal basis: compliance with a legal obligation (Article 6(1)(c) of the GDPR); processed until the statutory limitation periods for tax obligations expire. - To meet data-protection requirements:
legal basis: legal obligation incumbent upon us (Article 6(1)(c) of the GDPR); processed until the limitation periods for related claims expire. - To establish, pursue, and defend claims:
legal basis: our legitimate interest in protecting our rights (Article 6(1)(f) of the GDPR); processed until the limitation periods for claims expire. - To keep the Website working - ensuring core functionality and security:
legal basis: our legitimate interest in operating the Website reliably (Article 6(1)(f) of the GDPR). - To analyse usage and run marketing via cookies - Google Analytics / Tag Manager, PostHog, and the Meta (Facebook) Pixel:
legal basis: your consent (Article 6(1)(a) GDPR), given through our cookie banner; processed until you withdraw consent or the purpose is achieved. Withdrawing consent does not affect the lawfulness of processing before withdrawal. - To run our social media channels (including a Facebook Page) and promote the platform:
legal basis: our legitimate interest in promoting the Website (Article 6(1)(f) GDPR); processed until the relevant limitation periods expire. - To answer your questions and feedback - sent via our contact details or the in-app feedback feature:
legal basis: our legitimate interest in communicating with users and people interested in our services (Article 6(1)(f) GDPR); processed until the relevant limitation periods expire.
Remember! We process your personal data, as long as it is necessary to achieve the aforementioned purposes unless you make a valid and proper request for your personal data to be deleted. In addition, the period of the processing may be subject to the content of the legal provisions applicable to us, e.g. in the case of the storage of financial documents or the time limits for pursuing the claims.
Who may be a recipient of your personal data?
In certain situations, if this proves necessary for the purposes of data processing, we rely on the support and assistance of external entities. However, each time, prior to the transfer of personal data, we require the recipients to guarantee an adequate level of data protection and confidentiality.
The recipients of your personal data may be:
- Supabase - authentication and database (account, progress, submissions);
- Vercel - website hosting and infrastructure;
- Resend - transactional email delivery;
- Kit (ConvertKit) - waitlist and newsletter management;
- Google (Analytics / Tag Manager), PostHog (product analytics), and Meta (Facebook Pixel / advertising) - only with your consent;
- CodeSandbox / Sandpack - the in-browser code editor that runs your exercises;
- Fontshare - web fonts used on the Website;
- Authorised state authorities, where required under applicable law;
- Other entities whose request for data transfer is justified under the applicable laws.
Do we transfer personal data to third countries?
We try to keep processing within the European Economic Area (EEA). However, some of the providers above (e.g. Vercel, Google, Meta, PostHog, Resend, Kit/ConvertKit) are based in the United States and may process data on servers outside the EEA - i.e. in a “third country”. Where that happens, we rely on appropriate safeguards under the GDPR, such as the EU-U.S. Data Privacy Framework or the European Commission’s standard contractual clauses (Article 46(2)(c) of the GDPR). For details, see each provider’s own privacy information.
Do we profile your personal data?
With your consent, the analytics and advertising tools we use may profile your activity (e.g. approximate location, device, behaviour on the Website) to personalise content and ads. This information is used in an aggregated/anonymous way and does not influence the terms of any contract. We do not make automated decisions that produce legal effects for you or similarly significantly affect you.
Do we use cookies?
Yes. Cookies are small text files stored on your device that can be read by our system and by services we use (e.g. Google, Meta). On your first visit we show a consent banner; strictly-necessary and functional storage is required to run the service and loads without consent, while analytics and marketing cookies load only after you accept them. You can change or withdraw consent any time via “Cookie settings” in the footer. Disabling some cookies may limit Website functionality.
| Category | Examples | Purpose | Consent |
|---|---|---|---|
| Strictly necessary | sb-*-auth-token (Supabase auth), cc_cookie (your cookie choices) | Sign-in, session, and remembering your consent choice | Always on |
| Functional (local storage) | js-dojo-* (code drafts, progress, editor settings, navigation state) | Save your work, preferences, and place in the curriculum | Always on |
| Analytics | Google Analytics / Tag Manager (_ga, _gid), PostHog (ph_*) | Understand feature usage so we can improve the product | Opt-in (consent) |
| Marketing | Meta (Facebook) Pixel (_fbp, _fbc, fr) | Measure and improve our advertising | Opt-in (consent) |
Other third parties: our in-browser code editor (Sandpack by CodeSandbox) and our heading font (Fontshare) are loaded from their CDNs and may set their own cookies when used. Vercel Web Analytics measures performance anonymously without cookies and does not require consent.
How do we protect your data?
To keep a high level of protection, we apply technical and organisational measures, including:
- Encryption in transit (TLS);
- Authentication and per-user access controls on your data (Supabase);
- Regular backups;
- Granting access to personal data only to authorised persons;
- Monitoring and promptly responding to potential security incidents.
What rights do you have?
As a data subject, you have the right to:
- Access your personal data;
- Rectify (correct) your personal data;
- Erase your personal data;
- Restrict the processing of your personal data;
- Object to the processing of your personal data;
- Data portability;
- Withdraw consent, where processing is based on your consent.
These rights are not absolute and, in certain cases, we may lawfully decline a request. Withdrawing consent does not affect processing carried out before withdrawal. We respond to requests without undue delay and within one month of receipt; for complex or numerous requests we may extend this by a further two months and will inform you beforehand. To exercise any right, contact us at legal@jsdojo.io.
If you are outside the EU
California (CCPA/CPRA): California residents may request to know, access, or delete the personal information we hold, and to opt out of its “sale” or “sharing”. We do not sell your personal information. You can limit advertising cookies via “Cookie settings”.
Other regions: wherever you are, you can contact us to ask about the data we hold and to exercise the choices available to you under your local law.
How can you complain about irregularities?
If you believe we process your personal data unlawfully, you can lodge a complaint with the President of the Polish Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).
Does using the Website involve sending logs to the server?
Using the Website sends requests to the server that hosts it (Vercel). Each request is recorded in server logs, which may include the IP address, the date and time, and information about your browser and operating system. These logs are auxiliary material used to administer the Website; they are not linked to specific users and are not used to identify you.
Is the service intended for children?
The Website is intended for adults and is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
Can we amend this Privacy Policy?
Yes. Data protection is a process we adapt to current needs and changing technology. We may supplement or amend this Privacy Policy; we will post changes on the Website and, for material changes, notify registered users by email.