Privacy Policy

Datenschutzerklärung in accordance with GDPR

Last updated: April 2026

1. Data controller

Peter Hartwieg
Tölzer Str. 5a
81379 Munich
Germany
Email: privacy@openclienting.org

2. What data we collect and why

2.1 Account data

When you create an account (via Google OAuth or email magic link) we store your email address, display name (from your Google profile or derived from your email), a unique user ID, and the date of registration.

Legal basis:Performance of a contract (Art. 6(1)(b) GDPR) — necessary to provide you with an account and the ability to contribute content.

2.2 User-generated content

Content you submit (problem templates, requirements, pilot frameworks, solution approaches, success reports, comments, votes, and suggested edits) is stored along with your author ID and timestamps.

If you choose the anonymous option when submitting, your identity is hidden from other users on the published page. However, your author ID is always stored server-side for moderation purposes.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

2.3 Server logs & IP addresses

When you visit our website your browser transmits certain data automatically (IP address, browser type, operating system, referring URL, date and time of access). This data is processed by our hosting provider (Vercel) and our authentication provider (Supabase) for security and operational purposes.

Legal basis:Legitimate interest (Art. 6(1)(f) GDPR) — ensuring security and availability of the service.

2.4 Cookies

We use strictly necessary cookies for authentication. Supabase Auth sets a session cookie (JWT) that keeps you logged in. These cookies are essential for the service to function and do not require your consent.

Analytics cookies (Google Analytics) are only set if you give explicit consent via our cookie banner. See Section 5 for details.

2.5 Google OAuth

If you sign in with Google, we receive your name and email address from Google. We do not access your contacts, calendar, or any other Google data. Google's own privacy policy applies to data Google collects during the OAuth flow.

Legal basis:Consent (Art. 6(1)(a) GDPR) — you initiate the Google sign-in flow.

3. Recipients & third-party processors

We share personal data with the following processors:

Supabase Inc.— database hosting & authentication (Data Processing Agreement in place).
Vercel Inc.— website hosting (Data Processing Agreement in place).
Cloudflare Inc.— DNS and CDN services.
Google LLC— OAuth authentication and, if you consent, Google Analytics (GA4).
Resend / SendGrid(planned) — transactional email notifications (e.g. submission status changes, comment replies).

4. Data transfers outside the EU

Some of our processors (Vercel, Google, Cloudflare) are based in the United States. These transfers are safeguarded by the EU–US Data Privacy Framework (where the processor is certified) and/or Standard Contractual Clauses (SCCs) approved by the European Commission. We ensure that all processors provide adequate data protection guarantees.

5. Google Analytics

We use Google Analytics 4 (GA4) to understand how visitors use our website (pages visited, time on site, device type, country). GA4 anonymises IP addresses by default for traffic from the EU.

Google Analytics cookies (_ga, _gid) are only set after you give explicit consent via our cookie banner. If you decline, no analytics data is collected and no analytics cookies are placed on your device.

You can withdraw your consent at any time by clicking “Cookie Settings” in the website footer.

Legal basis: Consent (Art. 6(1)(a) GDPR).

6. Fonts

We use the Geist font family. These fonts are self-hosted on our servers via Next.js and are not loaded from external Google servers. No data is transmitted to Google for font delivery.

7. Data retention

Account data: retained for as long as your account exists. Deleted upon account deletion request.
Published content: retained indefinitely as part of the public knowledge base. Upon account deletion, your content is anonymised (author reference removed) rather than deleted.
Server logs:retained per our hosting providers' policies (typically 30 days).
Analytics data: Google Analytics user-level data is retained for 2 months (GA4 default).

8. Your rights under GDPR

You have the right to:

Access(Art. 15) — request a copy of all personal data we hold about you.
Rectification(Art. 16) — correct inaccurate personal data.
Erasure(Art. 17) — request deletion of your personal data (“right to be forgotten”).
Restriction of processing(Art. 18) — request that we limit how we use your data.
Data portability(Art. 20) — receive your data in a machine-readable format.
Object(Art. 21) — object to processing based on legitimate interests.
Withdraw consent— where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@openclienting.org. We will respond within 30 days.

9. Right to lodge a complaint

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement (Art. 77 GDPR).

The competent supervisory authority for us is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
https://www.lda.bayern.de

10. Automated decision-making

We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.

11. Changes to this privacy policy

We may update this privacy policy from time to time. The “last updated” date at the top of this page indicates when the policy was last revised. We encourage you to review this page periodically.