Privacy Policy

Every request to our service processes the following data server-side:

• IP address: Before storage, the last octet (IPv4) or last 64 bits (IPv6) are set to zero (IP anonymisation). The full IP address is never stored.
• Timestamp, HTTP method, requested path, HTTP status code, response time
• User-agent string (browser/OS, truncated to 120 characters)

Legal basis: Art. 6(1)(f) GDPR (legitimate interest: IT security, abuse detection, error diagnosis).
Retention: Access logs are automatically deleted after 30 days at most. Suspicious activity logs (attack detection) after 90 days.

When your public profile is visited, we store:

• IP hash: HMAC-SHA256 of the anonymised IP address with a server-side salt. Not reversible, not portable across installations.
• Visitor ID (only with consent — see §3.4)
• Timestamp of the visit

This data is used exclusively to display the profile view count to the profile owner.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the profile owner in view statistics).
Retention: Profile view logs are deleted after 90 days at most.

With your consent, we store a randomly generated UUID (keta_vid) in your browser's local storage. This ID:

• is fully random and contains no information about you personally
• is used solely to deduplicate profile views within a 24-hour window (so one browser is not counted multiple times)
• is not a cookie — it lives in your browser's localStorage
• is not shared with any third-party website
• is immediately deleted from your browser when you withdraw consent

Legal basis: §25(1) TTDSG in conjunction with Art. 6(1)(a) GDPR (consent).
Without consent: An ephemeral, non-stored one-time ID is generated. Deduplication uses IP hash only.
Withdraw consent: At any time via Privacy Settings below.

The following file types may be uploaded: profile pictures, background videos, background images, cursor graphics, OG images, audio files, custom button icons.

All uploaded images are re-encoded server-side by Sharp before storage. During this process:

• EXIF metadata (GPS location, camera model etc.) is completely removed
• hidden payloads (polyglot files) are neutralised by re-encoding
• filenames are replaced with a random UUID

Legal basis: Art. 6(1)(b) GDPR.
Retention: Until account deletion or until the user replaces the file with a new one (old files are deleted immediately).

If you link your Discord account and enable the Discord presence display, our Discord bot receives and stores the following data from Discord:

• Discord username and display name
• Online status (online, idle, dnd, offline)
• Avatar URL and avatar decoration
• Currently played game (name, details, state)
• Spotify activity (song title, artist, album, album art) — if publicly visible in Discord
• Custom status text and emoji
• Clan tag (if present)

This data is updated in real time and displayed on your public profile if you have enabled it in profile settings. You can disable the display at any time in your settings.
Legal basis: Art. 6(1)(a) GDPR (consent by activating the feature).
Retention: Until the feature is disabled or the account is deleted. Discord is an independent controller: discord.com/privacy.

If you enable 2FA, a secret TOTP key (Base32-encoded) is stored in our database. This key never leaves our servers in plaintext.
Legal basis: Art. 6(1)(b) GDPR.
Retention: Until 2FA is disabled or account deleted.

During a password reset, a cryptographically secure token (SHA256 hash, 32 bytes of entropy) is stored in the database. The token expires after 1 hour and is deleted immediately upon use. Expired, unused tokens are automatically purged after 2 days.
Legal basis: Art. 6(1)(b) GDPR.

Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA.

Role: Data processor under Art. 28 GDPR. Cloudflare acts as a reverse proxy between the internet and our server. All visitor IP addresses and request data pass through Cloudflare before reaching our servers.

Data transmitted: Full IP addresses, HTTP request headers, requested URLs, response metadata. Cloudflare may set technically necessary cookies (e.g. __cf_bm, cf_clearance) for bot detection and DDoS mitigation — these are technically necessary under §25(2) TTDSG and do not require consent.

Legal basis for third-country transfer (Art. 44 GDPR):

• EU–US Data Privacy Framework (DPF): Cloudflare is certified under the EU–US DPF (DPF registry entry). The European Commission issued its adequacy decision for the DPF on 10 July 2023 (Art. 45 GDPR).
• Standard Contractual Clauses (SCCs): Cloudflare additionally offers SCCs (Module 2: Controller-to-Processor) as a supplementary safeguard under Art. 46(2)(c) GDPR.

Art. 28 DPA: A Data Processing Agreement has been concluded with Cloudflare via the Cloudflare Customer DPA.

Privacy policy: cloudflare.com/privacypolicy · DPA: cloudflare.com/cloudflare-customer-dpa

Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA.

Role: Data processor under Art. 28 GDPR. Resend processes personal data solely on our behalf and under our instructions.

Data transmitted: Email address of the recipient and the content of transactional emails (password reset links, email verification links, security alert notifications). No marketing emails are sent.

Legal basis for processing: Art. 6(1)(b) GDPR (password reset / email verification — necessary for contract performance); Art. 6(1)(f) GDPR (security notifications — legitimate interest in account security).

Legal basis for third-country transfer (Art. 44 GDPR):

• EU–US Data Privacy Framework (DPF): Resend is certified under the EU–US DPF (DPF registry entry).
• Standard Contractual Clauses (SCCs): SCCs (Module 2: Controller-to-Processor) are incorporated into the Resend DPA as an additional transfer safeguard under Art. 46(2)(c) GDPR.

Art. 28 DPA: A Data Processing Agreement has been concluded with Resend. The DPA is available at resend.com/legal/dpa.

Privacy policy: resend.com/legal/privacy-policy · DPA: resend.com/legal/dpa

Discord Inc., 444 De Haro Street, San Francisco, CA 94107, USA.

Role: Independent data controller under Art. 4(7) GDPR. Discord determines the purposes and means of its own data processing independently. Discord is not our processor — no Art. 28 DPA is required or applicable.

When Discord is involved: Only if you voluntarily link your Discord account and/or enable the presence display widget in your profile settings. If you do not use this feature, no data is exchanged with Discord.

Data involved: Discord username, display name, avatar, online status, activity (game, Spotify), custom status. This data is received from Discord via our bot and displayed on your public profile while the feature is enabled.

Legal basis: Art. 6(1)(a) GDPR (your explicit consent by activating the feature). You can withdraw consent at any time by disabling the presence display in your profile settings.

Third-country transfer: Discord is certified under the EU–US Data Privacy Framework (DPF) for its own processing. See Discord DPF entry.

Discord privacy policy: discord.com/privacy

Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. (EU/EEA entity)

Role: Data processor under Art. 28 GDPR. Hetzner provides the physical and virtual server infrastructure on which our application and database run.

Data processed: All personal data stored in our database and on our servers (account data, profile content, uploaded files, log files) resides on Hetzner infrastructure.

Third-country transfer: None. All servers are located in Germany (Nuremberg data centre). Processing remains entirely within the EU/EEA. No Art. 44–46 transfer mechanism is required.

Art. 28 DPA: A Data Processing Agreement has been concluded with Hetzner Online GmbH. Hetzner's GDPR documentation and DPA are available at hetzner.com/legal/gdpr.

Privacy policy: hetzner.com/legal/privacy-policy · GDPR / DPA: hetzner.com/legal/gdpr