Privacy
Last updated 2026-05-04. Effective immediately for all visitors to byjed.com and its project pages.
What we collect
byjed.com uses three privacy-respecting analytics tools to understand how visitors discover and navigate the site. None of them collect personal information (name, email, phone, billing) and none track you across other sites.
- PostHog (EU-hosted at
eu.i.posthog.com): records page views, click events, and a pseudonymous device ID stored in your browser. Session recording is disabled. - Umami (self-hosted at
analytics.pokokar.de, EU-residency Contabo Germany): records page views and clicks. Cookieless. - Vercel Analytics: records page performance metrics (Core Web Vitals).
Storage on your device
To measure how often the same visitor returns to byjed.com (retention), the analytics setup stores pseudonymous identifiers in your browser, all scoped only to byjed.com:
- PostHog persistence (managed by the PostHog SDK; configured cookie name
byjed_did): the SDK stores a randomly-generated UUID under alocalStoragekey derived from that name and a matching first-party cookie (SameSite=Lax,Secureon HTTPS, max age 1 year). The cookie is only included on requests to byjed.com itself; the UUID value is sent in event payloads to PostHog EU servers as the device'sdistinct_id. - Referral token:
localStoragekeybyjed_ref, an 8-character random hex token generated on your first visit and persisted across visits. The token is included as a?ref=<token>URL parameter when you share a link, AND it is also sent to PostHog as the super-propertydevice_ref_tokenon every analytics event so we can correlate the share-source with the recipient's session.
Neither identifier is correlated with personal information (name, email, phone). They exist only so that retention and referral metrics can show aggregate behaviour like "X% of visitors came back within a week".
Third parties (data processors)
byjed.com sends events to three independent analytics endpoints. Each receives a different slice; only PostHog receives the pseudonymous UUID described above.
- PostHog (
eu.i.posthog.com, EU-hosted): receives page views, click events, the pseudonymous device UUID (distinct_id), thedevice_ref_tokensuper-property, and any UTM parameters from the URL. PostHog acts as data processor under their privacy policy. - Umami (
analytics.pokokar.de, self-hosted on Contabo Germany / EU): receives anonymous page views and clicks via its own session-only signal. It does NOT receive the PostHog UUID or the byjed_ref token. Cookieless. Operator-controlled infrastructure. - Vercel Analytics (
cdn.vercel-insights.com): receives Core Web Vitals (page-load performance metrics) and aggregate pageview pings. It does NOT receive the PostHog UUID or the byjed_ref token. Vercel acts as data processor under their analytics privacy policy.
None of these processors receive personal information.
Lawful basis
Legitimate Interest (GDPR Art. 6(1)(f)). The lawful basis is improving the site based on aggregate, anonymous usage patterns; the stored identifiers are pseudonymous (cannot identify you personally) and the processors named above are EU-hosted or operator-controlled.
How to opt out
Three options:
- Clear site data for
byjed.comvia your browser's settings. This removes both the localStorage key and the cookie, and stops analytics from receiving further events from your device until you visit again. - Block all storage at the browser level (most browsers have a global toggle). The site still works fully; analytics simply won't see you.
- Email vons@vons.pl if you want a banner-based explicit opt-in instead.
Your rights (GDPR)
If you are an EEA resident, you have the following rights regarding any personal data processed by byjed.com:
- Art. 15 (access): request a copy of any data tied to your device's pseudonymous ID.
- Art. 16 (rectification): correct any inaccurate data we hold.
- Art. 17 (erasure): request deletion of any data tied to your pseudonymous ID. Clearing site data in your browser severs the linkage immediately.
- Art. 20 (portability): receive your data in a machine-readable format.
- Art. 21 (object): object to processing under Legitimate Interest.
- Art. 77 (lodge a complaint): with your local supervisory authority. For Polish residents that is UODO.
To exercise any of these, email vons@vons.pl with your device's pseudonymous ID (open browser dev tools → Application → Local Storage → byjed.com → copy the value of the PostHog persistence key).
Data retention
Analytics data is retained for 24 months by PostHog and 36 months by Vercel, after which it is automatically deleted.
Email subscriptions (DCMEX26 handout)
When you submit your email address via the form at byjed.com/dcmex-handout, your data is processed as follows.
- Email service provider: UseInbox (INBOXLAB), hosted on Google Cloud Platform EU data centres (ISO 27001). UseInbox acts as data processor under their DPA. Subscriber data is stored in the EU only.
- What is stored: your email address, the timestamp of your subscription, your IP address at the moment of subscription, the exact consent text you ticked, the page URL and User-Agent of the consent action, and the list you subscribed to (handout-only or handout + newsletter). Required for GDPR Art. 7 demonstrability.
- Lawful basis: GDPR Art. 6(1)(a) explicit consent. You must tick a required checkbox to confirm you want the handout email. A second optional checkbox controls whether you also subscribe to the ongoing byJed newsletter.
- Two-list architecture: handout fulfillment uses single opt-in (the email arrives immediately because you just requested it). Newsletter subscription uses double opt-in (you receive a separate confirmation email titled "Confirm your subscription to byJed notes" and must click the link to activate).
- Retention: handout list contacts retained until you unsubscribe plus 30 days. Newsletter list contacts retained for the lifetime of the subscription plus 30 days after unsubscribe.
- Withdrawal: every email includes a one-click unsubscribe link (added automatically by UseInbox). Alternatively, email jed@byjed.com for deletion under Art. 17.
- Backend: form submissions go to a Vercel serverless function (region Frankfurt, EU) that adds you to UseInbox via their REST API. The function never logs your email beyond what UseInbox itself stores.
Contact
Questions or data subject requests: vons@vons.pl.