Data Protection
We try to follow the EU General Data Protection Regulation (GDPR) as strictly as possible. The site is built from the ground up to generate as little personal data as we can get away with.
What we do NOT do
- No user tracking — we do not follow individual page views across sessions and we do not build profiles.
- No analytics tools — no Google Analytics, Matomo, Plausible, etc. No heatmaps or session recordings either.
- No advertising pixels, no conversion trackers, no affiliate IDs.
- No third-party scripts for marketing or tracking. The site loads its own CSS bundle and webfonts (Inter, Material Symbols) via Bunny Fonts (fonts.bunny.net, GDPR-friendly, no tracking, EU-hosted) — nothing else.
Controller
The controller under the GDPR is Holger Hellinger. Full contact details are in the imprint.
Data we process
- Email address: Your email is your login identifier (magic-link sign-in) and is linked to every entry you submit. It is never shown publicly.
- Submitted entries: Title, optional explanation, and tags of the entries you submit are stored. Published entries are publicly visible; pending or rejected entries are visible only to you and the moderators.
- Session cookie: Exactly one technical cookie called "absurd_sid" keeps your session alive. It is HttpOnly, SameSite=Lax, and is removed on sign-out or after at most 12 hours of inactivity. There are no tracking cookies.
- Technical data (IP, user agent): On login, magic-link issuance, and security-relevant events we temporarily store your IP address and browser user agent to prevent abuse (e.g. email bombing). This data is never used for marketing or profiling.
Purposes and legal bases
- Providing the platform and magic-link sign-in — Art. 6(1)(b) GDPR (performance of a contract).
- Abuse prevention (rate limiting, audit log) and moderation — Art. 6(1)(f) GDPR (legitimate interest in secure operation).
- Compliance with legal obligations, e.g. information requests from law enforcement — Art. 6(1)(c) GDPR. This is why we store the email address with every entry: if a published entry turns out to be unlawful and authorities need to identify the author, we can respond.
Retention
Account and entry data are stored while your account exists. When you delete your account (see below), entries, votes, and sessions are removed automatically via database cascade.
Security audit entries (e.g. "login success", "entry approved") are retained for 90 days and then removed by a daily cron job. While they exist, they remain stored after account deletion but without a foreign-key reference to the deleted account — this preserves the fact that an action happened without the person remaining identifiable. Rate-limit counters expire automatically after 24 hours.
Recipients
We do not pass personal data to third parties as a rule. The only exception is the delivery of magic-link emails through an SMTP provider, where the recipient address is technically processed.
On a legally binding request from a competent German authority (police, prosecutor), we may have to disclose stored information about an entry or account. In that case it is a statutory obligation.
Your rights
Under the GDPR you have, in particular, the following rights:
- Access to the data we hold about you (Art. 15 GDPR).
- Rectification of inaccurate data (Art. 16 GDPR).
- Erasure of your data (Art. 17 GDPR) — see note below.
- Data portability (Art. 20 GDPR).
- Objection to processing (Art. 21 GDPR).
- Lodging a complaint with a supervisory authority — in Rhineland-Palatinate: the State Commissioner for Data Protection and Freedom of Information of Rhineland-Palatinate.
One-click account deletion: Once signed in, you can delete your account and every entry attached to it yourself, immediately. The action lives in the profile under "Danger zone".
Data protection contact
For questions, access requests, or deletion requests, please write to us.
Contact: sitte@polente.de