Privacy Policy
Last updated: 14 June 2026.
1. Controller
The controller within the meaning of the GDPR is:
Malik Albert (sole trader), c/o GAM, Pappelallee 64, 10437 Berlin, Germany Email: [email protected] · Phone: +4915510451026
A data protection officer has not been appointed, as the legal requirements (§ 38 BDSG) are not currently met.
2. Principles & legal bases
We process personal data only where necessary. The main legal bases are:
- Art. 6(1)(b) GDPR (contract/use): account, profile, reviews, threads, reactions.
- Art. 6(1)(a) GDPR (consent): e.g. uploading a profile photo, optional details.
- Art. 6(1)(f) GDPR (legitimate interests): security/stability, abuse and spam prevention, delivery via a CDN, moderation.
- Art. 6(1)(c) GDPR (legal obligation): e.g. removal/reporting of illegal content under the DSA/criminal law.
3. Hosting
The app runs on a server at Hetzner Online GmbH, Germany (EU location). A data processing agreement (DPA) under Art. 28 GDPR is in place.
Server log files: when the service is accessed, technically necessary data is processed (incl. IP address, date/time, requested resource, referrer, user agent) for delivery, security and error analysis (Art. 6(1)(f)). Stored only briefly and deleted automatically as part of regular log rotation.
4. Account, sign-in & authentication (Supabase)
For registration/login we use Supabase (Supabase, Inc., USA; data stored in the EU, Ireland region). We process your email address, a hashed password and session data. Optionally you can sign in with Google ("Sign in with Google") — Google then receives sign-in data; Google's privacy policy applies. Legal basis: Art. 6(1)(b). A DPA incl. Standard Contractual Clauses (SCC) is in place for any third-country aspects (see Section 10).
5. Profile & community content
With an account we process: username, optional bio, optional profile photo (avatar), reading/ rating lists, reviews, discussion threads, comments and emoji reactions. Public posts and your public profile are visible to other users (a private toggle reduces visibility to username + avatar).
Profile photo upload: uploaded images are resized and re-encoded on the server; metadata (e.g. EXIF/location data) is removed. Storage is on Cloudflare R2 (EU region "EEUR"). To combat child sexual abuse material (CSAM) we use the Cloudflare CSAM Scanning Tool, which compares delivered images against known hash lists and notifies the competent bodies on a match. Legal basis: compliance with a legal obligation (Art. 6(1)(c)) and our legitimate interest in protecting minors (Art. 6(1)(f)).
6. Images & delivery (Cloudflare)
We use Cloudflare (Cloudflare, Inc., USA) as a CDN/security layer and for storage (R2) and DNS. Cloudflare processes IP addresses for secure, performant delivery (Art. 6(1)(f)). DPA incl. SCC are in place.
7. Email delivery (Resend)
Transactional emails (e.g. confirmation, password reset) are sent via Resend (Resend, Inc., USA). The email address and delivery metadata are processed. DPA incl. SCC.
8. Cookies, reach measurement & similar technologies (§ 25 TDDDG)
We use only technically necessary cookies/storage (in particular for login/session). These are exempt from consent under § 25(2) TDDDG. We use no third-party tracking or advertising cookies on the website.
For reach measurement we run Umami, a privacy-friendly analytics tool that we self-host on our own server (Hetzner, Germany; see Section 3, no separate processor). Umami works without cookies and without storing or reading any information on your device, uses no cross-site identifiers, and does not store your IP address (it is processed only transiently to derive a non-identifying session hash and an approximate region, then discarded). We process only aggregated usage data (e.g. page views, referrer, rough region, browser/device type) to understand and improve how the service is used. Legal basis: our legitimate interest in needs-based, secure operation (Art. 6(1)(f) GDPR); you may object at any time (Art. 21 GDPR, [email protected]). As nothing is stored on or read from your end device, the consent requirement under § 25(1) TDDDG does not apply, so no consent banner is required.
9. Recipients / processors
| Service | Provider | Purpose | Location |
|---|---|---|---|
| Hosting | Hetzner Online GmbH | Server operation | EU (DE) |
| Database & auth | Supabase, Inc. | Account, data | EU storage (IE) / USA |
| CDN, storage (R2), DNS | Cloudflare, Inc. | Delivery, avatars, security, CSAM scan | EU ("EEUR") / USA |
| Resend, Inc. | Transactional mail | USA | |
| Login (optional) | Google Ireland Ltd. | "Sign in with Google" | EU/USA |
Contracts under Art. 28 GDPR are in place with all processors.
Third-country transfer basis (status checked against the EU-US Data Privacy Framework list on 14 June 2026; we re-verify periodically):
- Supabase, Inc. — not DPF-certified — transfers based on EU Standard Contractual Clauses (Art. 46 GDPR) plus a transfer impact assessment and additional safeguards.
- Cloudflare, Inc. — DPF-certified — transfers based on the adequacy decision (Art. 45 GDPR); SCC apply as a fallback.
- Resend, Inc. — DPF-certified — transfers based on the adequacy decision (Art. 45 GDPR).
- Google LLC — DPF-certified — transfers based on the adequacy decision (Art. 45 GDPR).
10. Transfers to third countries
Some processors are located in the USA or process data there. For recipients certified under the EU-US Data Privacy Framework (DPF), transfers rely on the European Commission's adequacy decision (Art. 45 GDPR). For recipients that are not (or not yet) DPF-certified, transfers are based on the EU Standard Contractual Clauses (SCC, Art. 46 GDPR), supplemented by a transfer impact assessment and appropriate additional safeguards. The basis applicable to each US recipient is indicated in the processor list in Section 9.
11. Retention
We keep personal data only as long as necessary for the stated purposes or as required by law. When you delete your account, your profile, content and profile photo (including the file on Cloudflare R2) are deleted; individual posts may remain as anonymised tombstones (with no personal reference) where needed to keep moderation decisions auditable.
Enforcement of suspensions (ban-evasion prevention): if an account is suspended for serious or repeated violations, we store a one-way hash (HMAC-SHA256) of the email address — never the email in plaintext — solely to keep the suspension effective and to detect circumvention by re-registration with the same address. This hash is retained beyond account deletion for as long as the sanction is to remain in force. Legal basis: our legitimate interest in protecting the community and enforcing our rules (Art. 6(1)(f) GDPR). The measure is data-minimising: the hash cannot be reversed to your address and matches only the exact same email.
12. Your rights
You have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21), and the right to withdraw consent at any time (Art. 7(3)).
Directly in the app you can: export your data (machine-readable JSON) and delete your account in the settings. For other requests: [email protected].
13. Right to complain
You have the right to lodge a complaint with a data protection supervisory authority, in particular in the member state of your residence or our place of business. Competent authority for our place of business: Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI).
14. Changes
We update this privacy policy when the processing or the legal situation changes. The current version published here applies.