Privacy Policy — version: 2026-04-30
We take the protection of your personal data seriously and process it exclusively in accordance with the EU General Data Protection Regulation (GDPR / DSGVO) and the Austrian Data Protection Act (DSG).
1. Controller
Gerald Beißmann e.U.
Larnhauserweg 4, 4060 Leonding, Austria
Email: g.beissmann@gmx.at
2. Categories of data we process
- Server log data (IP address, user-agent, requested URL, timestamp) — automatically transmitted by your browser. Used for stability, security and abuse defence. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating a stable service).
- Aggregate visit counter for each shipped app — when you load a tool page (URL beginning with /app/) we record a pseudonymous, salted hash of your IP address (not the IP itself), a truncated user-agent string and the referring page (without query parameters), together with a timestamp. This data is used solely to count real human visits per app and to filter out bots and operator self-visits. Operator visits and known crawlers are not stored. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in measuring product reach).
- Usage data of the applications — input you enter into a tool is processed in your browser and, where required to deliver the feature, transmitted to our server. We do not link such input to your identity.
- Subscription / payment data — when you start a paid trial or subscription, name, email, billing country and payment-method tokens are processed by Stripe Payments Europe, Ltd. (see Section 4). Legal basis: Art. 6(1)(b) GDPR (performance of contract).
- End-user account data — for tools that require sign-in (e.g. apps that save your data across devices), we process your email address, an opaque user identifier, sign-in timestamps and, when you choose Sign in with Google or Sign in with Apple, the basic profile fields (name, profile picture URL, locale) the provider returns to us. Authentication is handled on our behalf by Clerk Inc. (see Section 4). Legal basis: Art. 6(1)(b) GDPR (performance of contract — providing you with the account-bound features) and, for the choice of OAuth provider, Art. 6(1)(a) GDPR (consent given by clicking the respective sign-in button).
- Email correspondence — when you contact us, we process the data you provide (sender address, message content) to handle your request. Legal basis: Art. 6(1)(b) and (f) GDPR.
3. Cookies and similar technologies
We use only strictly necessary cookies (e.g. session for the operator dashboard, anti-CSRF, language). We do not use third-party advertising or cross-site tracking cookies. Where third-party scripts (e.g. Stripe Checkout) set their own cookies on their own domains, this happens only after you actively initiate a checkout.
4. Recipients and processors
- Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin, Ireland — payment processing for trials, subscriptions and one-time purchases. Receives: name, email, billing country, payment-method tokens, transaction amounts. Privacy policy: stripe.com/privacy.
- Clerk Inc., 660 King Street, Unit 345, San Francisco, CA 94107, USA — authentication, session management and identity provider integration for tools that require sign-in. Receives: email address, sign-in timestamps, IP address, user-agent, and (when you choose a third-party sign-in option) the OAuth profile fields described above. Privacy policy: clerk.com/privacy.
- Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland — sign-in only when you click "Sign in with Google" on a tool that requires an account. Google receives the request from your browser to authenticate you and returns a verified email and basic profile to Clerk on our behalf. Privacy policy: policies.google.com/privacy.
- Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland — sign-in only when you click "Sign in with Apple" on a tool that requires an account. Apple authenticates you and returns a verified email (or a private relay address, if you so choose) and basic profile to Clerk on our behalf. Privacy policy: apple.com/legal/privacy.
- Hosting infrastructure — the service is hosted on Replit, Inc. infrastructure. Server logs are processed there. Privacy policy: replit.com/site/privacy.
Where processors are located outside the EU/EEA, transfers are safeguarded through Standard Contractual Clauses pursuant to Art. 46 GDPR.
5. Storage period
- Server logs: up to 30 days, then automatically deleted, unless required for security investigations.
- Subscription / billing data: stored for the legally mandated retention period of seven years (§ 132 BAO).
- Email correspondence: as long as needed to handle and document the request.
6. Your rights
You have the right to:
- access your data (Art. 15 GDPR);
- rectification (Art. 16 GDPR);
- erasure (Art. 17 GDPR);
- restriction of processing (Art. 18 GDPR);
- data portability (Art. 20 GDPR);
- object to processing based on legitimate interest (Art. 21 GDPR);
- withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal.
To exercise any of these rights, please email g.beissmann@gmx.at.
Self-service: if you have signed in to one of our paid apps, you can also exercise your access (Art. 15) and erasure (Art. 17) rights directly via authenticated API endpoints:
- GET /api/me/export-data — returns a machine-readable JSON copy of every personal datum we hold about you (Clerk identity, app entitlements, payment receipts).
- DELETE /api/me/account — deletes your account, entitlements and Clerk identity. Payment receipts are retained pseudonymised for 7 years per Austrian accounting law (BAO §132, §190 UGB).
7. Right to lodge a complaint
You have the right to lodge a complaint with the Austrian Data Protection Authority (Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Wien, www.dsb.gv.at) or the supervisory authority of your habitual residence.
8. No automated decision-making with legal effect
The applications do not perform automated decisions producing legal effects concerning you within the meaning of Art. 22 GDPR.
9. Security
We use TLS-encrypted transmission and limit internal access to data on a need-to-know basis. Despite reasonable safeguards, transmission of data over the internet can never be guaranteed to be 100% secure.
10. Changes to this Privacy Policy
We may update this Policy to reflect changes in the law or our services. The current version is always available at https://gabrielsmachine.replit.app/datenschutz.