Privacy Policy
In short: We develop every feature according to the principle of Privacy by Design & Default to ensure that as little personal data as possible is generated, or that it is only processed ephemerally. Where processing is unavoidable, you will learn transparently what data we actually collect, why it is necessary, and when it will be deleted.
Principles & Legal Basis
Data Minimization (Art. 5(1)(c) GDPR): We only process data that is technically absolutely necessary.
Purpose Limitation (Art. 5(1)(b) GDPR): All processing is carried out exclusively for the purpose for which the data was collected.
Legal bases according to Art. 6 GDPR:
- Art. 6(1)(b) – Performance of a contract (e.g., providing the user account)
- Art. 6(1)(c) – Legal obligations (tax & commercial law)
- Art. 6(1)(f) – Legitimate interest (abuse and attack detection – see Server Logs). Our legitimate interest prevails, as the secure provision of the service would not be possible without these logs, and the data is heavily truncated and stored only for a short time.
- Art. 6(1)(a) – Consent: Only if neither b, c, nor f applies and the processing is not required for core functions.
100% Local Processing
These tools run entirely in your browser and transmit no data to our servers: Base64 conversion, Word/Character Counter, Password Generator (WebCrypto API), Unix Timestamp Converter. Feel free to check this yourself in the Network tab of your developer tools—you will not see any requests.
Data Processing
For computationally intensive jobs (e.g., PDF ↔ DOCX conversion, image optimization), the files are transmitted TLS 1.3 encrypted to our servers at netcup GmbH, Nuremberg (Germany).
Specifics:
- Temporary processing on encrypted servers; no permanent storage on hard drives.
- Automatic deletion no later than 10 minutes after processing is complete.
- You can delete your data immediately at any time using the "Delete" button.
- We have data processing agreements (DPAs) in place with all processors according to Art. 28 GDPR.
Server Logs
For technical reasons, we collect the following metadata on each page visit:
- Truncated IP address (IPv4 /24, IPv6 /64)
- User-Agent
- Timestamp & requested resource
Balancing of interests: The short retention period (7 days) and immediate IP anonymization minimize the risk to data subjects; without logs, we could not guarantee the integrity of our service—our interest prevails.
Log files are not merged with account data or other personal data.
Data Storage in the Browser (LocalStorage and SessionStorage)
We use your browser's LocalStorage and SessionStorage to store and retrieve certain information locally on your device. These technologies help us improve the functionality and user-friendliness of our website.
LocalStorage:
Data in LocalStorage remains stored in the user's browser without a specific time limit until it is actively deleted by the user, the application, or through browser settings. Unlike cookies, this data is not automatically sent to the server with every request.
- darkMode – Used to store your preferred display option (e.g., dark mode) to improve the usability of our website. The legal basis for processing any personal data that may be associated with this setting is our legitimate interest in an appealing and user-friendly presentation of our services (Art. 6(1)(f) GDPR). The setting remains in LocalStorage until you actively delete it (e.g., by clearing the browser data for our website) or we offer a function to change/reset it and you use it.
- preferredLocale – Used to store your preferred language setting (e.g., 'en' for English) to display the website directly in this language on future visits and improve usability. The legal basis for this is Art. 6(1)(f) GDPR. The setting remains in LocalStorage until you actively delete it.
SessionStorage:
Data in SessionStorage is only stored for the duration of your current browser session (until the browser tab or window is closed) and is then automatically deleted.
- sveltekitscroll – Stores information about your scroll position on various pages within our website to restore the correct position when navigating back (Art. 6(1)(f) GDPR).
- sveltekitsnapshot – Stores temporary state information (e.g., from forms or page sections during navigation) to ensure a smooth user experience (Art. 6(1)(f) GDPR).
Registration & Account
Mandatory information: Email address, password. Without this data, no user account can be created (contractual obligation).
Passwords are hashed using bcrypt + pepper (Art. 6(1)(b) GDPR).
To complete the registration, we send an activation link via Brevo SAS, Paris (France) – a data processor according to Art. 28 GDPR. Processing takes place exclusively within the EU. Unactivated accounts are automatically deleted after 30 days.
Further use of the email address is exclusively for password resets and security-related notifications. We do not send advertising or newsletters.
You can delete your account yourself at any time; all associated data will be removed from the live system immediately and from encrypted backups within 24 hours.
Premium & Payment Processing
Payments are processed via Mollie B.V., Amsterdam (Netherlands) (Art. 6(1)(b) GDPR). Mollie processes payment data exclusively within the EU/EEA. We only receive a tokenized alias (transaction/customer ID) and have no access to full payment details.
We store invoicing and tax information for 10 years in encrypted form due to legal obligations (Art. 6(1)(c) GDPR). Premium does not change our general data protection principles; there are no additional tracking or marketing cookies.
Security
All connections are made via TLS 1.3 (incl. HSTS, Forward Secrecy).
Databases are encrypted with AES-256-GCM; key management via HashiCorp Vault.
Admin access is handled via a Zero-Trust VPN + MFA.
Backups:
- Encrypted (AES-256-GCM), geo-redundant within the EU
- Retention period of 30 days
- No unencrypted export
Data Retention & Deletion
Personal data is deleted as soon as the purpose for its collection no longer applies and no statutory retention periods exist:
- Account data: immediately after self-deletion, backup clearance within 24 h
- Support tickets: 6 months after final closure
- Server logs: 7 days
- Invoices & tax data: 10 years (according to German Commercial and Tax Codes, e.g., § 257 HGB, § 147 AO)
Your Rights under GDPR
You have the right to access, rectification, erasure, restriction of processing, data portability, and to object (Art. 15–21 GDPR).
You also have the right to lodge a complaint with a supervisory authority, for example, the State Commissioner for Data Protection of Schleswig-Holstein, Holstenstraße 98, 24103 Kiel, Germany.
Changes to this Policy
This Privacy Policy will be updated when new or modified features are introduced (last updated: August 12, 2025). We will post a prominent notice in the app at least 14 days before any changes take effect and archive older versions here.
Contact & Data Controller
Data Controller within the meaning of Art. 4 No. 7 GDPR:
Finn Christian Hecker, Boholzau 19, 24894 Twedt, Germany
Email: support@privacykit.net
A Data Protection Officer is not required according to § 38 BDSG (German Federal Data Protection Act), as fewer than 20 people are permanently entrusted with the processing of personal data.
Support Inquiries
If you contact us at support@privacykit.net, we will process:
- Email address
- Date & time
- Content of your inquiry
Mailbox hosting: MC-HOST24 (Germany), a data processor according to Art. 28 GDPR. The data will be deleted no later than 6 months after the final closure of the ticket, provided there are no legal retention obligations.