ARTICLES

The City Admits Irregularities But Blames Google and the Operator It Finances

Author: Maciej Lesiak Published on: words: 5767 minutes read: 28 minutes read

A breakdown of Vice-President Tomasz Piotrowski's response to the inquiry about surveillance on city portals. I confront the city's official letter with its hidden contracts and hard evidence from a GDPR audit. See how the local government tries to blur responsibility for profiling residents.

On June 30, 2026, the Vice-President of Łódź, Tomasz Piotrowski, responded to an interpellation by councilors Sebastian Bulak, Marcin Buchali, and Piotr Cieplucha from May 22. The interpellation explicitly referenced my audit and the evidence that has been on the table for months. The letter the councilors received is particularly interesting because, for the first time, it contains an official admission of a fact the city had denied for over a year. At the same time, it is a document built on several evasions, which I want to dissect here, paragraph by paragraph.

What matters most, however, is what happens when you place this letter next to the contracts the city itself signed. At the crucial point where the Vice-President assures the councilors that the city has nothing to do with the residents’ data in the application and the Resident’s Card, its own documents say the exact opposite. I will come back to that, because that is the moment when the entire response falls apart.

Let’s start with the context, because without it, it is hard to understand why this is important.

A Year of Denials

In May 2025, after my first publication about the municipal advertising combine, councilor Kosma Nykiel asked the Łódź City Hall about the monetization of residents’ data. The city replied that no such thing existed, and the topic was closed.

In November 2025, I filed a notification with the Personal Data Protection Office (UODO) regarding data processing in municipal services (signature DOK240835862).

In February and March 2026, the “Gazeta Wyborcza” daily described the case. Representatives of the City Hall and municipal companies assured journalists at the time that everything was operating in accordance with the law and there were no irregularities.

It was only the interpellation of the three councilors, based on my audit, that led to a document in which the city writes something else. It is worth remembering this sequence: a notification to the data protection authority did not force any admission, a publication in the national press did not force any admission, but a single question from councilors under the municipal government act did. This says more about the condition of oversight than about Łódź itself.

What exactly is “lodz.pl”

Before I dissect the letter, I must explain one thing, because without it the whole case looks like a collection of separate glitches on random pages. And these are not separate glitches. It is a single organism operating under one brand, deliberately spread across several entities.

“lodz.pl”, also written as “Łódź.pl”, is not a single website. It is a brand under which sit at least four things: the lodz.pl news portal, the Łódź.pl mobile application, the Resident’s Card program, and modules attached to the application, including news, tickets, resident services, and waste management. For a resident, it is all one thing. They enter the “municipal portal”, install the “municipal application”, get the “municipal card”, all branded with the city’s coat of arms and name.

But underneath, each of these things is assigned to a different entity, to which the city refers you when a question is asked. The lodz.pl portal? The Vice-President refers to the Municipal Library. The Łódź.pl application? To the Library, the Łódź Media Group, and the Łódź Tourism Organization (ŁOT). The Resident’s Card? To ŁOT as the concession operator. The sale of ads with a million monthly visits on the web and a database of 174,000 email addresses and 170,000 phone numbers? That’s the Łódź Media Group. Five questions, five different addressees, and never the City Hall.

And here lies the core. The very same Resident’s Card, which started as a simple discount card settled in a concession model, absorbed the news module, ticketing, resident services, and waste management, and became a de facto municipal super-app. A simple loyalty card morphed into a platform that collects data on what a resident reads, where they are, who they are, what they browse, what tickets they buy, and what services they use. And all these surfaces, the portal and the app, feed one machine: Google analytics, Meta pixels, the Library’s ad server, and ultimately the Łódź Media Group, which sells this attention to advertisers. Furthermore, such user segmentation could potentially be used for political microtargeting.

That is why monetization cannot be shown by pointing a finger at a single entity. Because the whole structure is designed to dilute the issue… The portal belongs to one, the app to another, the card to a third, sales to a fourth, and the data flows through all of them. The diffusion of responsibility is not a side effect of this structure. It is its function. And that is exactly why the Vice-President could write a letter in which he does not answer “we” to any of the difficult questions, but each time says “please ask someone else.”

“Common IT support” is not a joint controllership agreement

Piotrowski opens the response from the legal basis of the common container:

“The City provides IT support for the organizational units of the City of Łódź classified as part of the public finance sector based on a City Council Resolution.”

This sounds like an explanation, but it is changing the subject. The councilors asked about something specific in question four: whether there are formal agreements on joint controllership within the meaning of Article 26 of the GDPR between the City, the Municipal Library, the Łódź Tourism Organization, and the Łódź Media Group. A resolution on joint IT support regulates who technically maintains servers and systems. It does not regulate who is the data controller and on what basis data travels between entities. These are two different legal regimes. Common IT support does not legalize a situation where an analytics container belonging to one entity fires up on the domains of a dozen others and sends the user identifier to Google, DoubleClick, and an external ad server.

Piotrowski does not answer whether agreements under Article 26 exist. That sentence is simply missing from the letter. In practice, the lack of an answer to a question about a document that was explicitly requested reads unambiguously: there are no such agreements. And this was one of my main allegations in the notification to the UODO in November 2025. Today, I have material evidence and knowledge of what those arrangements actually were.

“Service development” explains the genesis, not the legality

The next paragraph is a historical tale:

“The operation of a shared Universal Analytics container on multiple pages was related to the development of the office’s website.”

I would like to believe it was like that, that once there was a single site, then it broke into subpages, and the shared measurement identifier was left behind due to “messiness”. That is a realistic, typical technical genesis for a hair salon website, but not for a major municipal portal. The problem is that genesis is not an excuse for the current state. Just because something has a historical cause does not mean it is legal today, especially since the city has an obligation to comply with the GDPR and someone periodically approves that everything is in order. Right?

There is also a troublesome fact here that the letter does not touch upon. Universal Analytics was shut down by Google in July 2023. If in March 2026, the date of my scans, the UA container was still sending a full pageview to Google, it is not a “retained old identifier”. It is active data transmission for a year and a half after the tool itself was officially killed by its manufacturer. Furthermore, as I demonstrated, this container contains others. Maintaining dead code that nonetheless continues to send personal data is a separate problem of IT management quality.

“Each site has a separate GA4” vs. evidence and quiet alterations

Let’s read carefully:

“In the case of some services, the old UA identifier has been retained. Currently, each of the sites has its own separate GA4 identifier or does not have one at all.”

Piotrowski provides two identifiers, G-NWG6TNN5CK for uml.lodz.pl and G-97Z8CGYCYX for bip.uml.lodz.pl, and stops there. In their second question, the councilors asked for identifiers for a whole list of domains, including lodz.pl, mpu.lodz.pl, bip.zlm.lodz.pl, mosir.lodz.pl, orientarium.lodz.pl, and aquapark.lodz.pl. There is no answer for this list in the letter.

One word is key: “currently”. My audit documents the state from March 2026, in which the uml_portal family of domains shared a single GA4 property and one UA container. I analyzed over 40 domains and sites, detailing the containers and providing a detailed description of network traffic. The letter describes the state from late June. The city does not deny what I showed. I get the impression that the city is describing the state after a quiet fix and presenting it as the natural order of things. This is not a correction of my findings. It is an admission that the state had to be changed, wrapped in the present tense. If today each site has a separate GA4, it means it didn’t have one before. That is exactly what the audit showed.

“Heads of units are responsible”?

“The other pages mentioned in the letter are pages of separate units, for the content of which, and for ensuring the compliance of their operation in formal and legal terms, the heads of these units are responsible.”

This internally contradicts the opening of the letter. In the first paragraph, the city explains that it provides joint IT support for organizational units. In this paragraph, the city deflects responsibility for the same units to their heads. You cannot maintain both theses at once. If the city technically maintains the units’ services, then the city implements tracking containers on them. And the fact that a container belonging to the Municipal Library fires up on the domains of social assistance, an animal shelter, or a benefits center is precisely the proof that these units are not technically independent. You cannot simultaneously manage someone’s infrastructure and wash your hands of what that infrastructure sends.

“No complaints noted”? What has UODO actually been doing since November 2025?

“No complaints or notifications regarding privacy and security have been noted, however, the information contained in the interpellation (the cited publication) initiated an internal analysis.”

This sentence opens up a much more serious thread. I filed a notification with the UODO in November 2025. If the authority had been conducting proceedings against the City of Łódź based on it, the city would have to know about it, because the inspected party is notified of an inspection. If, in a letter from late June 2026, the Vice-President writes that no notifications have been noted and that only the councilors’ interpellation triggered an internal analysis, then the conclusion is uncomfortable for everyone: for over half a year since my notification, nothing has happened on the part of the data protection authority regarding municipal services of a million-scale nature that the city would be able to note. In my notification to the UODO, I issued specific demands regarding urgent securing, but above all, stopping the defective processing. (Given this passivity and silence, I am also preparing an official press inquiry to the UODO about the status of this case).

Let’s compare this to another case. My audit of Orientarium, after being sent to the UODO, prompted hasty alterations of the website and messages. I know that municipal officials read this material a few business days after it was sent to the UODO before the long May weekend of 2026, because the changes followed exactly the points I urgently described. And yet to this day there is no public communication from the authority, no further actions, and most importantly, the core of the problem in the Orientarium case, namely the defective proxy servers, remains unchanged. They powdered the frontend and the messages. The pattern repeats: what is visible on the surface is fixed, and the architecture that generates the violation is left behind. Are there no responsible parties? I hope there are at least GDPR registers properly entered into the document circulation system with a time stamp and a checksum. Right?

The city admits a parameter it previously denied

And here we come to the sentence worth waiting a year for:

“We cannot rule out that the described [situation] took place, and the gcd parameter took the value 13l3l3l2l1l1.”

Well, it cannot be ruled out, because the facts speak for themselves. This specific parameter, in this specific form, is one of the pillars of my audit. After a year in which the city first dismissed councilor Nykiel, and then assured the press that everything was fine, an official letter states that the state I described might have occurred and that the parameter indeed took the value I documented. I proved that data is being sent, and users of municipal services are being profiled for marketing without given consent. I spent hours analyzing traffic on dozens of domains to prove this empirical fact on dowody.dadalo.pl. Today we know that the GCD parameter with incorrect cookie banners (faulty CMP implementation) caused marketing profiling on municipal websites without consent. The councilors got black-and-white confirmation of what had previously been denied to journalists and councilors (Kosma Nykiel) asking the UMŁ about these things in 2025 following my first publication.

The DMA argument, or shifting responsibility to Google

Right after admitting the parameter, the city goes on the defensive:

“The lowercase letter l means ’not set’ (lack of configuration) […] the lack of an explicit signal about granted consent will cause Google to block the possibility of using this data.”

I will start by saying that the interpretation “l means not set” is correct and consistent with the correction I published myself in the audit. There is no dispute here about reading the parameter. Data was sent before consent was granted or refused. The dispute is about the conclusion the city draws from this. And the conclusion is: since the consent was “not set”, Google will block the data anyway, so fundamentally there is no violation. This line of reasoning does not hold up for at least five reasons.

First, it shifts responsibility to an entity the city is not. The obligation to collect consent before launching cookies other than strictly necessary rests with the controller, meaning the city or the service operator, not Google. This is stated in Google’s terms of service, but also the Electronic Communications Law requires consent before saving such a cookie on the user’s device. A _ga cookie saved in a citizen’s browser even before clicking the banner is a violation already committed, regardless of what Google does with the data later.

Second, the city itself admits it does not know what Google did. The same letter states that “the internal analysis, however, does not provide an unambiguous answer as to how Google acted after receiving such a signal.” You cannot write in one paragraph that you do not know what Google did with the data, and in another assure that Google blocked it. These are two contradictory theses in one document. Data should not be transmitted, and users profiled without consent. The Google press office unfortunately did not answer my question about audits and the compliance of CMP implementation with the new GDPR requirements in portals and services of such scale. That is why I want to interest Panoptykon in this thread.

Third, the DMA regulates the behavior of so-called gatekeepers in the digital market. It is not a provision that exempts a controller from the obligation to collect consent under the GDPR and the Electronic Communications Law. Invoking the DMA in response to an allegation of lack of consent is confusing the competition protection regime with the personal data protection regime.

Fourth, the data physically reached Google’s servers, which the city also admits. This means a transfer of data to Google’s servers. Such a transfer without an appropriate basis is a separate issue from Chapter 5 of the GDPR and exists regardless of whether Google subsequently used the data for advertising as remarketing inventory, building segmentation for marketing, etc.

Fifth, the thesis that the “not set” state is safe does not withstand a collision with the rest of the material. On one of the municipal domains I analyzed, the same mechanism sent the npa=0 parameter, meaning ad personalization explicitly allowed, while consent was still not set. The configurations were not uniform and were not “safe” by default. It was a lottery depending on what was accidentally typed into the tag configuration. The details can be traced per domain in the conclusions tab.

“The removal of old codes was ordered” and an audit that is “being considered”

“During the ongoing analysis, the removal of all old and inadequate codes was ordered […] Commissioning an external audit at this stage is being considered.”

Ordering the removal of old codes is an admission that there was something to remove. It is good that they are disappearing. Currently, new cookie banners can already be seen on municipal websites, replacing the previous solutions. It should be noted, however, that I have not yet subjected them to verification and technical audit for legal compliance. What is worse is that after a public audit, after a notification lying in the UODO since November, and after a publication in “Wyborcza”, an external audit is only “being considered”, and its execution is to depend on the outcome of internal work. This is not the attitude of an institution that wants to get to the bottom of things. This is the reactionary minimum, spread out so as to keep the matter inside the office for as long as possible.

The strongest sentence in the entire letter concerns the consent mechanism:

“A proprietary cookie consent tool created for the needs of the UMŁ is implemented on the pages uml.lodz.pl and bip.uml.lodz.pl.”

This sentence diverges from what can be seen in the source code, and diverges in a way that must be named. The consent mechanism in the family of municipal services is cookie-box.js, a library publicly available at github.com/r4fx/cookie-box. Its own headers say it all: version 2.0, publication date March 16, 2014, last update January 31, 2016. This is abandoned code from GitHub, withdrawn from development over ten years ago, long before the GDPR even came into force. Calling this a “proprietary tool created for the needs of the UMŁ” does not match what can be read directly from the files served by municipal servers. The councilors received a description that does not match the evidence. The proprietary code is simply dead code from Github, which should never have been deployed in production. The risk of deploying this has just materialized in violations.

Screenshot of cookie-box.js file This is the “proprietary code” created for the needs of the UMŁ. Its analysis clearly shows, among other things, a lack of an easy way to withdraw consent and a complete absence of a consent registry (who, when, for what).

And now the core of why this point is a separate scandal, not another technical glitch. bip.uml.lodz.pl, but also other BIP pages processing sensitive data, is not an ordinary information page. It is a Public Information Bulletin, a tool for exercising the constitutional right of access to public information under Article 61 of the Polish Constitution, operated under the regime of the Act of September 6, 2001 on access to public information and the Ministry of Interior and Administration regulation of January 18, 2007 on the BIP. A citizen who visits the BIP is exercising a constitutional guarantee of access to information about the activities of public authorities. They must not be subjected to commercial tracking as an unwritten condition of access on this occasion. Implementing a ten-year-old, abandoned script on the BIP that pretends to be a consent mechanism, while simultaneously letting Google analytics through before any click, is a qualified violation. It goes beyond the GDPR and touches the guarantee on which citizen control over the government relies. Someone accepted this code on municipal servers, someone maintained it, and someone probably confirmed in protocols for years the fiction that the consent mechanism works and is legal.

Additionally, the very wording from the letter that “before clicking, consents for strictly necessary cookies are sent” describes only half the picture. Necessary cookies indeed do not require consent, that is true. But my audit shows that before the click, not only necessary cookies were sent, but also _ga, _gid, and a beacon to Google Analytics. The letter describes the part that no one questions and ignores the part that is the core of the allegation.

The referral to ŁOT and the Library, or fleeing from the contracts the city itself signed

In the end, the city throws up its hands:

“Please direct questions regarding the Resident’s Card to the card operator. Please direct questions regarding the lodz.pl portal to the Municipal Library. Please direct questions regarding the Łódź.pl application to the Municipal Library and the Łódź Media Group / ŁOT.”

This is the answer to questions seven and twelve, i.e., about profiling users of the Resident’s Card and about the contract with the Łódź Media Group. And here the law ceases to be enough. Here, signatures are enough.

I have reached the Public-Private Partnership Agreement concluded on October 28, 2020. The City of Łódź is the “Public Entity” in it, a party to the agreement, not a bystander. Below the document are the signatures of First Vice-President Adam Pustelnik and Director Łukas Goss. Section 9.1.3.5 of this agreement states that the Private Partner is obliged to use the User Database, I quote, “for marketing purposes at the request of the Public Entity”. Let’s read that again. At the request of the City. The city, on the one hand, assures councilors today that it has nothing to do with the user database and that they should ask the operator, and on the other hand, in the concession agreement, it reserved the right to steer this very database for its own marketing campaigns. This is not an entity that handed over data and lost control over it. This is an entity that wrote a lever into its contract and keeps its hand on it.

In this light, the referral “please ask the operator” is a smokescreen. Even if one were to ignore the agreement, Article 26(3) of the GDPR is unambiguous: the data subject may exercise his or her rights in respect of and against each of the controllers. But the agreement goes further than the GDPR. It shows in black and white that the city is not only a joint controller; it is a party that reserved the initiative in the commercial use of residents’ data.

An application the city bought, and now pretends it doesn’t know

There is also a layer that a web scraper will not see, and which stands exactly behind the councilors’ seventh question. The Resident’s Card mobile app is a separate data channel. Firebase Analytics sends events to the GA4 property with a device identifier, which is more durable than any cookie in a browser because it lives as long as the app is installed. If the operator links the identifier of a logged-in user with data from the verification of entitlements, meaning with Social Insurance Institution (ZUS) documents, tax documents, or disability certificates, or visits to sensitive services like nursing homes (DPS) or BIP subpages concerning disability, a bridge is built between behavioral identity and sensitive data. I will include a separate analysis of potential marketing groups in a separate article. The seventh question was exactly about this. The Vice-President did not answer it, but redirected it to the Library and the Łódź Media Group.

And again, the documents say something different than the letter. On January 8, 2024, Addendum No. 1 to the PPP Agreement was signed. Under the addendum, just like under the agreement, are the signatures of First Vice-President Adam Pustelnik and Director Łukasz Goss. By virtue of this addendum and the Protocol of Necessity No. 1/2023, the City of Łódź commissioned and paid single-source the gross amount of PLN 250,132.80 for adding six new modules to the app, among them a news module, ticketing, events, resident services, and municipal waste. The city bought the expansion of this application from its own budget and shaped its functions. Not several years earlier, but a dozen or so months before it refers inquiries about the same application to an external operator in an official letter. The claim that the app is the domain of the Library or ŁOT is a denial of their own invoices and their own signatures. You cannot simultaneously be the architect and sponsor of a tool and maintain that you are a third party in this matter.

Who is responsible for the data that the city handed over to the operator?

Editorial note. In an earlier version of this text, this chapter went further, towards the structure of the public-private partnership itself and its potential legal flaws, from the concession model to public procurement. After consultations, I removed these threads from this publication. Not because they are unimportant, but because a serious allegation in the field of concession and public procurement law requires solid documentary backing and a legal opinion, which I leave for a separate piece. I do not want legal speculation to weaken the part of the case that is empirical, documented, and mine, namely data protection. Therefore, here I remain strictly on the grounds of the GDPR.

Because after subtracting that layer, the question that is most important anyway remains, and it is a question about data, not about a tender. The city handed over residents’ data to an external operator. As I showed above, it simultaneously reserved in the contract the right for this database to be used for marketing at its request, and it independently financed and shaped the application in which this data is collected. In the language of the GDPR, this makes the city at least a joint controller, and a joint controller cannot absolve itself of responsibility with the sentence “please ask the operator.”

So the question is simple. Who is really responsible for what happens to the data of hundreds of thousands of residents, and for what the app sends to Google and Meta? The Vice-President’s letter suggests an answer that should be disturbing: no one is taking this responsibility. The city assures that it is not its business, but the operator to whom it refers was appointed to this role by the city itself, is financed by the city, and is linked to it by a contract giving the city the initiative in the marketing use of the data. This is not a problem of concession law. This is a problem of responsibility for data processing, and the risk is borne by the resident, who knows nothing about it. This is not the hypocrisy of a single letter. It is a situation where no one is responsible for the residents’ data, and responsibility circles between the city and the operator, whom the city itself appointed to this role.

These structural threads, concerning how this partnership is built and financed, I am pursuing further, but on a separate track and not alone. In this matter, I have established cooperation with Łódź Cała Naprzód, which cares, in the interest of the residents and the public interest, to dig deep into the topic I have discovered. When these threads are documented as solidly as the data layer, I will return to them separately.

Since the city is “removing old codes”, I say to the authorities: I call your bluff

Let’s return for a moment to one sentence from the letter, because in light of all the above it sounds different than on the first reading. The Vice-President informs that “the removal of all old and inadequate codes was ordered”.

I want to be precise about the status of what I am about to say, because this is an investigative hypothesis, not a verdict. I have consulted on this matter, also as a person working in marketing and web infrastructure for over a dozen years, with specialists who know the ad-tech kitchen inside out, including black hat SEO techniques and various security circumvention techniques known as CONSENT BYPASS. Their reading aligns with mine. Maintaining legacy codes on such an operational scale, codes that should have been replaced long ago, is a known technique in this industry for bypassing the security measures that Google has introduced in recent years. The migration from Universal Analytics to GA4, phasing out old identifiers, successive versions of Consent Mode, all these were steps intended to close down data collection without consent. Leaving a parallelly operating, “forgotten” legacy channel with a faultily implemented consent mechanism allows these safeguards to be bypassed. The effect is measurable: larger advertising inventory and the ability to track a user outside the consent management system. Let’s repeat it once more: consent bypass.

The city will defend itself with messiness and lack of oversight, and it already anticipates such a line in the letter. So let’s ask the question fairly. We are talking about lodz.pl, the city’s flagship digital project, and about BIP services, in the era of the GDPR, the obligation to report breaches, and fines counted in the millions. Will anyone really believe that for years, on the city’s most important domains, where monthly traffic is counted in millions, this was solely an accident and an oversight? I don’t have that faith. But, and this is crucial, I do not posit this as a proven fact. I posit this as a hypothesis that can be resolved. It is resolved on logs and on network traffic records. And exactly for this reason, to confirm or refute this hypothesis, I filed a request to secure this evidence many months ago, to the Prosecutor’s Office and the UODO.

And here is a problem that must not be passed over in silence. The very same evidence that I asked to be secured is now under threat. The city itself, officially, in a letter to councilors, informs that it is “removing old codes” under the banner of cleanup work. I am not predetermining anyone’s intentions. I am stating a fact: the material that is the only thing that can confirm or refute this hypothesis might be overwritten right this minute, and the authorities that were supposed to secure it have not given a sign for months that they have done so. That’s why I say directly, by the name of the institution: I call your bluff. Secure the logs and traffic records before “cleanup work” overwrites them. The editorial office of dadalo.pl has two massive evidence repositories, but it shouldn’t be citizens securing evidence…

And hence the question I am asking no longer to the city, but to state organs. The case concerns million-scale services, has been dragging on since November 2025, and real movement only appeared after the councilors’ interpellation. I don’t know why this is, and I won’t guess. I will only note what is on the table: we are talking about data processing in million-scale services, in a case that the authority has known about for months. The higher the stakes, the greater the public’s right to know whether the inaction stems from the objective complexity of the case or from something else. I demand an answer to this question, rather than giving one. And I will repeat it until one is given.

Open Letter to the Commissioner for Human Rights

Therefore, in parallel with this publication, I am addressing an open letter to the Commissioner for Human Rights with a request to take the case under oversight. The reason is twofold. First, the public interest: we are talking about services used by about 700,000 residents and over 350,000 participants of the Resident’s Card program. Second, everything indicates that the competent authority, i.e., the President of the UODO, remains passive in this matter, despite knowing about the problem for months. The BIP case additionally falls directly within the Commissioner’s mandate, because it touches the constitutional right of access to public information, and not just data protection regulations.

Vice-President Piotrowski’s letter is fundamentally an admission packaged in evasions. It admits the parameter, admits the existence of old codes that had to be removed, admits that an internal analysis was launched following the interpellation. At the same time, it avoids answering the question about joint controllership, shifts responsibility to Google and the heads of units, presents an over ten-year-old abandoned script that someone accepted as part of a tender for IT systems—somehow it passed unnoticed and was maintained for years, although it didn’t require technical competencies—and the Vice-President shouldn’t refer the toughest questions to operators that the city itself finances and steers by virtue of a contract. If councilors are dismissed in this way, then all the more a resident who wants to assert their own rights.

Because this is the core of the whole matter. The city speaks with one voice and signs with another. In the letter from June 2026, the Vice-President assures that he has nothing to do with data in the app and the Resident’s Card. Under the 2020 contract and under the 2024 addendum, with which the city reserved the marketing use of the user database and paid a quarter of a million extra for the app’s expansion, there are the signatures of its own vice-president. These are not two different cities. This is one office that hopes no one will place its letter next to its contract. I will return to the contract itself, its clauses, and how it was protected from disclosure separately, when I can document it in its entirety.

This is material that forms a sequence. May 2025, dismissing a councilor asking about data monetization. March 2026, assurances to the press that everything is legal. June 2026, the first admission under the pressure of an interpellation. Every time it’s the same: exactly as much is admitted as can no longer be hidden, and not a word more. The difference is that this time, signed documents lie next to the letter, and the residents of Łódź are not the idiots the office wants them to be. I will continue to pursue this case.

To be continued… very soon.


This material is a continuation of the audit published on dowody.dadalo.pl and notifications addressed to the UODO. The full technical documentation, including network logs, cookie dumps, and website archives, remains open and available for verification.

Attachments

Maciej Lesiak

Amplify the Signal

Best support is sharing articles and tagging dadalo.pl on social media.