Straight answers to the questions founders actually ask before they book. If you don't find your question here, the discovery call is free — 30 minutes, no commitment.
Based in Katowice, Poland (CET). I work with founders worldwide — good timezone overlap with the UK, EU, and the US East Coast; I flex for US West Coast when an engagement needs it.
Polish (native) and English (professional). Discovery calls, engagements, and written deliverables in either. The site has Polish, Swedish, and Norwegian long-form content for SEO discoverability, but the working language inside an engagement is almost always English or Polish.
Solo. I don't subcontract — every engagement is delivered by me directly. That keeps quality consistent; the trade-off is scheduling has a real ceiling, so book early when you can.
Usually within a week of the discovery call. For genuinely urgent situations — live production outage, enterprise customer waiting on a security review — I can start immediately. Tell me on the call how urgent it is.
For urgent production issues inside an active engagement, yes. Not as a standing policy — I don't accept weekend discovery calls or weekend routine work — but if something is on fire and we're already working together, I don't wait until Monday.
Whatever channel you prefer: Slack (shared channel), email, WhatsApp, SMS for urgent items. I match your team's existing workflow rather than forcing mine on you. Written decisions live in one place — usually a shared doc or a Slack pin — so nothing important is only in a DM.
Almost always: start with the audit. It's the cheapest way to find out whether a rescue is worth doing — and what it'll cost if it is. Full context on the services page and on the discovery call.
Project-based pricing, agreed on the discovery call before work starts. It depends on codebase size, infrastructure complexity, and urgency. I don't publish a rate card because rates without context are misleading. The discovery call is free, 30 minutes, and you'll have a concrete number before committing to anything.
Milestone-based. A typical rescue splits into 3–5 milestones — e.g., audit complete, security remediation shipped, deployment pipeline live, handoff delivered. Invoice per milestone. No surprise lump-sum at the end; no full-amount upfront.
We re-scope. Small changes I absorb. Material changes — e.g., the codebase turns out to be twice the size described, or a new requirement emerges — I flag immediately, we agree a new number and timeline, then continue. You never receive a surprise invoice at the end.
Yes, after the discovery call. Single-issue engagements work when the issue is well-scoped. "Just the CORS fix" or "just the CI/CD setup" are common — often cheaper and faster than a full rescue. If the audit found several independent issues, you can hire me for individual ones.
PHP (Symfony, Doctrine), Node.js / TypeScript, React, Python. AWS (ECS, Lambda, RDS, SQS, SNS, S3, CloudFront), Docker, Terraform. PostgreSQL, MySQL, Aurora. Competent generalist level on most other mainstream stacks — enough to audit and remediate common AI-generation failure modes.
That's the specialty, but I also take rescue work on code from departed contractors, agencies, and early in-house developers. The common thread is "the team on it now can't read it" — not specifically the tool that wrote it.
Yes. Most no-code tools have an escape hatch — custom code blocks, webhooks, export API. Migration off no-code to a real codebase is a named engagement type (different shape than a standard rescue) and includes the new architecture, data migration, and a cutover plan.
I'll tell you honestly on the discovery call whether I'm the right auditor. For an audit I can often still find the common failure patterns at a higher level; for a rescue with hands-on code work, exotic stacks are usually outside my expert range, and I'll point you at someone better suited.
Yes, on request, before any call. Email me after booking and I'll sign your standard form. For most discovery calls an NDA isn't strictly needed — I treat everything shared as confidential by default — but happy to sign one if you'd prefer.
Yes. If your product processes personal data and you're under GDPR obligations, a DPA is standard — I sign them.
Formal certification programs aren't my specialty — for full SOC 2 Type II, HIPAA, or PCI DSS you'd want an auditor who specializes in that. What I do cover is the technical work that shows up on real security questionnaires: auth hardening, secrets handling, audit logs, access control, encryption at rest and in transit, backups and DR, vendor list.
If you're approaching a questionnaire rather than seeking formal certification, that's something I help with regularly.
Yes — that's one of the most common reasons founders book. An audit before technical diligence typically converts a two-hour forensic call with an investor's tech advisor into a thirty-minute "here's our stack and here's the plan" call. One to two weeks of prep is usually enough.
You do. Full IP transfer. I retain no copyright, no shared-ownership clause, no right to re-use engagement-specific code elsewhere. Code I write for you belongs to you the moment I check it in.
Yes. Two options, both optional: a 3–6 month fractional arrangement while you hire a full-time engineer, or an ongoing maintenance retainer for small predictable work — monitoring triage, monthly security sweep, on-call for specific systems. Priced per engagement; easy to start and easy to stop.
Invoices issued per milestone from Opcode (the Polish business entity behind The AI Mechanic; details in the footer). Payment terms are flexible — tell me your AP cycle on the discovery call and we'll align.
No. I work with clients worldwide. For EU B2B the usual VAT reverse-charge applies; for non-EU clients the invoice is issued without VAT. Either way we settle the operational details on the call and the invoice arrives in whichever currency makes most sense for you.
Book the discovery call and ask it directly. Free. 30 minutes. No commitment.