Information on the processing of personal data
Effective from: April 28, 2026. Replaces the previous version dated June 6, 2025.
Legal basis: Art. 5(1)(a) and Art. 24(1) GDPR (principles of transparency and accountability).
This policy defines the rules for the processing and protection of personal data provided by Users and Customers in connection with the use of the services and the digital ecosystem of Dangerous Goods Safety Advisor drs. D. Kociemba (including the domains kocie.mba, adr-egzamin.pl, learn.noviqa.group).
1. Data Controller
The controller of your personal data is DGSA drs. D. Kociemba, headquartered in Eindhoven, Spalaan 6, 5628 ZG, Netherlands, registered in the Dutch Chamber of Commerce (KvK) under number 95907130, holding VAT ID: NL005178103B20 (hereinafter referred to as the "Controller").
Contact with the Controller is possible via:
E-mail address: damian@kocie.mba (preferred) or info@kocie.mba
Mailing address: Spalaan 6, 5628 ZG Eindhoven, Netherlands
2. Purposes and Legal Bases for Data Processing
The Controller processes your data for the following purposes:
a) Provision of services and software delivery: to conclude and properly perform a contract for the provision of consulting and training services (including the issuance of certificates) and to ensure access to the functionalities of the ADR Application and the EDI System.
Legal basis: Art. 6(1)(b) GDPR (necessity for the performance of a contract or the provision of an electronic service).
b) Payment processing: in the case of purchases in the online store (Training, VIP Tokens), data is processed to handle the payment process.
Legal basis: Art. 6(1)(b) GDPR (necessity for the performance of a contract).
c) Fulfillment of legal obligations: to fulfill obligations arising from legal provisions, in particular tax and accounting regulations (e.g., issuing and storing invoices).
Legal basis: Art. 6(1)(c) GDPR (legal obligation).
d) Contact and handling of inquiries: to conduct correspondence in response to your inquiries (e.g., via the contact form or e-mail).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the Controller).
e) IT infrastructure security and abuse prevention: to protect servers against attacks (DDoS), enforce query limits (Rate Limiting) in the Applications, and log access to the Moodle educational platform.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the Controller consisting in ensuring the integrity and availability of services).
f) Establishment, exercise, or defense of legal claims: to protect the Controller's rights related to the performance of the contract or violation of the Terms of Service (e.g., illegal web scraping).
Legal basis: Art. 6(1)(f) GDPR.
3. Types of Processed Personal Data
The Controller processes the following categories of data depending on the scope of use of the services:
Identification data: first name and surname (verification on the training platform).
Contact data: e-mail address, phone number, shipping address for the certificate.
Transactional and company data: invoice data, including NIP/VAT ID.
Training data: information required to issue a certificate (e.g., citizenship, place and date of birth, learning progress logs on the Moodle platform).
Infrastructure data (Logs): IP addresses (used for server security and limit verification in the ADR/EDI Application, subject to immediate cryptographic encryption/hashing).
Providing data is voluntary but necessary to conclude a contract, purchase Training, or send an inquiry.
4. Data Retention Period
Your data will be stored for the period necessary to achieve the purposes:
Contract performance and billing: for the duration of the contract, and after its termination for the period resulting from tax regulations (maximum 7 years).
Certificates and attestations: data contained in certificates and attestations of training completion (and associated Moodle platform accounts) are stored for 5 years. This enables the issuance of a duplicate document in the future (legitimate interest).
Infrastructure data (IP Logs / Hashes): stored short-term, usually no longer than 48 hours, solely for the purpose of resetting daily limits (unless a security breach resulting in a permanent blockade has occurred).
Data may be stored longer if necessary for the establishment, exercise, or defense of legal claims. After these periods, the data will be permanently deleted or anonymized.
5. Recipients of Personal Data
In order to properly provide services, your data may be entrusted to:
Payment processors: Payments are handled by Stripe, Inc. Data necessary for the transaction goes directly to Stripe, which acts as an independent controller (Stripe Privacy Policy: https://stripe.com/privacy).
Security infrastructure: Network traffic to our applications (including IP addresses) is routed through global filters of Cloudflare, Inc. to protect against attacks.
IT and hosting service providers: companies providing server maintenance services (e.g., OVH). The contact form is based on the infrastructure of Mobirise (Netherlands), which transmits messages without permanently storing them on its servers.
Accounting and logistics: accounting offices, law firms, and courier/postal companies handling the dispatch of certificates.
All entities cooperating with the Controller guarantee the application of appropriate data protection measures.
6. Data Security Measures
The Controller implements rigorous technical measures to ensure the security of the processed data (Privacy by Design). Communication with our services takes place via TLS/SSL encryption.
In systems storing sensitive data (e.g., the Moodle administration panel), we use multi-factor authentication (MFA) or hardware security keys (FIDO2).
For analytical purposes, we use the Matomo platform in Cookieless mode, which completely anonymizes IP addresses.
In applications providing API resources, user IP addresses used for limit management are irreversibly hashed (encrypted) in a fraction of a second, making their subsequent decoding impossible.
The Controller does not use automated decision-making producing legal effects or marketing profiling within the meaning of Art. 22 GDPR.
7. Rights of the Data Subject
You have the following rights:
The right to access data (Art. 15 GDPR) and rectify data (Art. 16 GDPR).
The right to erasure of data ("right to be forgotten" – Art. 17 GDPR), subject to limitations arising from legal obligations (e.g., tax regulations).
The right to restriction of processing (Art. 18 GDPR) and data portability (Art. 20 GDPR).
The right to object to processing (Art. 21 GDPR).
The right to withdraw consent at any time (if applicable).
To exercise your rights, please contact us at: damian@kocie.mba. You have the right to lodge a complaint with the supervisory authority in the Netherlands (Autoriteit Persoonsgegevens, AP – https://autoriteitpersoonsgegevens.nl/).
8. Transfer of Data Outside the European Economic Area (EEA)
Your primary personal data is hosted on servers located within the EEA (OVH servers in France for the training platform and in Poland for the main websites and applications). In connection with the use of global services from providers such as Stripe (payments) and Cloudflare (infrastructure security and anti-DDoS protection), necessary transactional data or network parameters (e.g., IP traffic) may be processed in third countries, including the USA. The Controller ensures that the transfer takes place based on lawful mechanisms (e.g., the Data Privacy Framework for the USA or approved Standard Contractual Clauses of the European Commission).
9. Changes to the Privacy Policy
The Controller reserves the right to introduce amendments to this Privacy Policy to continuously reflect the development of the IT architecture and legal requirements. The current version will always be available on the Services.