GDPR Compliant · Last updated March 27, 2026

Privacy Guide

Everything you need to know about how Keta.lol handles your data — and how to exercise your rights as a user.

What data does Keta.lol store?

We only store what you actively provide or what is technically necessary to operate the service. No hidden trackers, no selling your data to third parties.

| Data | How it's stored | Legal basis | Retention |
|---|---|---|---|
| Email address | Hashed, never stored in plaintext | Art. 6(1)(b) | Until account deletion |
| Password | bcrypt-12 hash, not reversible | Art. 6(1)(b) | Until account deletion |
| Username | Publicly visible, chosen by you | Art. 6(1)(b) | Until account deletion |
| Profile picture / files | EXIF metadata automatically stripped on upload | Art. 6(1)(b) | Until deletion or replacement |
| IP address (profile views) | Anonymized (last octet zeroed) + HMAC-SHA256 hash only | Art. 6(1)(f) | 90 days (auto-deleted) |
| Visitor ID (keta_vid) | Random UUID in browser, only with consent | §25 TTDSG + Art. 6(1)(a) | Until consent withdrawn |
| Discord data | Only if you voluntarily link your Discord account | Art. 6(1)(a) | Until connection is removed |
| 2FA TOTP key | Encrypted at rest, never exported | Art. 6(1)(b) | Until 2FA disabled or account deleted |

No ads, no data brokering. Your data is never sold or shared with advertisers — not now, not ever.

How is your data protected?

Password hashing

bcrypt with cost factor 12 — not reversible even in a database breach

Login token

HttpOnly cookie, SameSite=Strict, Secure — JavaScript cannot read the token

IP anonymization

Raw IPs are never stored. Only a non-reversible HMAC-SHA256 hash is kept

EXIF removal

All uploaded images are re-encoded — GPS coordinates, camera info etc. are stripped

Breach detection

7 automatic detection patterns: brute-force, token abuse, admin probes and more

DPAs with processors

Cloudflare, Resend and Hetzner have all signed Data Processing Agreements

In the event of a security incident (GDPR Art. 33), affected users will be notified within 72 hours if there is a high risk to their rights and freedoms.
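
The IP anonymization step described above (last octet zeroed, then HMAC-SHA256) can be sketched as follows. This is an added example, not Keta.lol's own code; the function names, the demo key and the /48 handling for IPv6 are assumptions.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo key. A real service would load a long random secret from its
# secret store; this value and all names below are assumptions for the example.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def truncate_ip(raw: str) -> str:
    """Zero the host part of an address before anything is hashed or stored."""
    addr = ipaddress.ip_address(raw.strip())  # raises ValueError on bad input
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:a.b.c.d arrives as IPv4 behind some proxies
    # IPv4: last octet zeroed, as the page states. IPv6: /48 is an assumption.
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def view_token(raw: str, key: bytes = DEMO_KEY) -> str:
    """Keyed hash of the truncated address; the raw IP never leaves this function.

    A truncated IPv4 address has only 2**24 possible values, so a plain SHA-256
    could be reversed by enumeration. The secret HMAC key is what prevents that.
    """
    truncated = truncate_ip(raw).encode("ascii")
    return hmac.new(key, truncated, hashlib.sha256).hexdigest()


def same_network(token_a: str, token_b: str) -> bool:
    """Constant-time comparison of two stored tokens."""
    return hmac.compare_digest(token_a, token_b)


if __name__ == "__main__":
    # Constructed sample addresses from documentation ranges.
    for ip in ("203.0.113.77", "203.0.113.200", "::ffff:203.0.113.9", "2001:db8:abcd:12::1"):
        print(ip, "->", truncate_ip(ip), view_token(ip)[:16] + "...")
```

Two visitors in the same /24 produce the same token, so the stored value identifies a network rather than a single address.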

Cookies & tracking — what actually happens?

Keta.lol uses no advertising cookies and no cross-site tracking. There are only two technical categories:

token (Cookie) · Technically necessary

Your login session. HttpOnly — not readable by JavaScript. No consent required (§ 25 para. 2 TTDSG).

keta_vid (localStorage) · Consent required

Random UUID — prevents your profile visit from being counted multiple times within a 24-hour window. Only stored with your consent. No cross-site tracking, never uploaded to the server.

Manage or withdraw consent:

2. Scroll to "Cookie Settings"
3. Click "Withdraw Consent" — the visitor ID is immediately deleted from your browser

Export your data (GDPR Art. 15 & 20)

You have the right to download all data we have stored about you as a machine-readable JSON file. The export includes: account data, profile content, social links, buttons, badges, Discord connection and view analytics.

You can request an export a maximum of once every 24 hours.

Step by step:

1. Log in and open your Dashboard
2. Click the "Settings" tab at the top
3. Scroll down to "Export Your Data"
4. Click "Download My Data"
5. A JSON file containing all your data will download automatically (filename: keta-export-[username]-[date].json)

Alternatively via API: GET /api/auth/export with your login cookie.

Delete your account (GDPR Art. 17)

Deletion is immediate and irreversible. All your data — profile, files, social links, badges — is permanently removed. All uploaded images and videos are deleted from the server.

Warning: After deletion you cannot reclaim your username. Export your data first if you want to keep it.

Step by step:

1. Log in and open your Dashboard
2. Click the "Settings" tab at the top
3. Scroll all the way down to "Delete Account" (red section)
4. Enter your current password
5. Type exactly DELETE MY ACCOUNT into the confirmation field
6. Click "Permanently Delete Account"
7. You will be logged out immediately and all sessions will be invalidated

What happens after deletion:

  • Your account is removed from the database (including all linked data via cascade)
  • All uploaded files (avatar, background, videos, icons) are deleted from the server
  • Your JWT token is immediately invalidated — all active sessions end
  • Anonymized view logs (no personal reference) expire automatically after 90 days

Your full GDPR rights

Art. 15

Right of access

You can find out what data we hold about you at any time → Export your data right here

Art. 16

Right to rectification

Incorrect data can be edited directly in your Dashboard (username, bio, email, password)

Art. 17

Right to erasure ("right to be forgotten")

Full account deletion is available at any time → Delete account right here

Art. 18

Right to restriction

You can request restriction of processing of your data. Contact us via Discord.

Art. 20

Right to data portability

Export your data as structured JSON → Export your data right here

Art. 21

Right to object

You can object to processing based on legitimate interests (e.g. view tracking). Contact us.

Art. 77

Right to lodge a complaint

You have the right to file a complaint with a supervisory authority.

Supervisory authority:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
datenschutz-berlin.de

Contact & privacy requests

For all privacy requests (access, deletion, objection) that cannot be handled directly in the Dashboard:

Controller

Keta.lol (Nils Becker)

Musterstraße 7, 10115 Berlin, Germany

Response time

We respond to privacy requests within 30 days (GDPR Art. 12 para. 3).

Last updated: March 27, 2026 · Keta.lol GDPR audit score: 92% (March 2026)
