Privacy Policy

Version: 29 July 2025

Data Controller
Raphael Nußbaumer BSc (Sole Proprietor)
Sohlstraße 3, 6845 Hohenems, Austria
Email: raphaeln@outlook.com

1. Collection and Use of Personal Data

We collect and process the following personal data:

Note: No tracking, user-agent logging, error reporting, or performance monitoring takes place.

2. Data Retention Period

• Email Address & Timestamps: Stored until deletion by the user.
• Notes, Files, Images, Videos: Stored until deletion by the user; backups are retained for a maximum of 7 days.
• IP Address: Deleted immediately after processing (e.g., rate limiting).
• hCaptcha Data: Deleted after processing by hCaptcha, in accordance with their privacy policy (max. 30 days).
• Inactive Accounts: May be deleted after 1 year of inactivity.

3. Data Sharing & Data Processors

We use the following data processors, with whom contracts pursuant to Art. 28 GDPR have been concluded:

1. Hosting & Infrastructure
   • Render.com (AWS, Frankfurt) for storing notes (max. 1 MB).
   • Wasabi Hot Cloud (Frankfurt) for storing files, images, and videos (max. 100 MB).
2. Email Delivery
   • Mailjet
3. Bot Protection
   • hCaptcha Inc. (collection of IP address, interaction data such as mouse movements and click patterns, and browser header information for bot prevention)
4. No additional data processors are used in the free basic service.

4. Cookies & Local Storage

• Cookies: Only a temporary session cookie during login, deleted after the session ends.
• IndexedDB: Notes stored in plain text, locally in the browser.
• LocalStorage: AES-GCM encryption key stored in plain text, locally in the browser.

5. Security & Encryption

• Transport: All data is transmitted via HTTPS (TLS, current standard, HSTS).
• End-to-End Encryption:
  • Notes, files, images, and videos are client-side encrypted with AES-GCM before transmission.
  • The encryption key remains exclusively in the user’s browser LocalStorage.
  • The operator has no access to unencrypted content.

6. Data Subject Rights

You may exercise the following rights at any time by emailing raphaeln@outlook.com:

• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of Processing (Art. 18 GDPR)
• Data Portability (Art. 20 GDPR)
• Objection (Art. 21 GDPR)

We will process requests within the statutory period (generally 1 month).

7. Export & Deletion

• Export Function: Users can export their notes, files, images, and videos via the PWA.
• Account Deletion: Possible at any time via the PWA, resulting in the deletion of all personal data.

8. Notification of Data Breaches

In the event of a data breach (e.g., unauthorized access to personal data), we will promptly inform affected users via email about the incident, its impact, and the measures taken, in accordance with Art. 34 GDPR.

9. Austrian Data Protection Authority

You have the right to lodge a complaint with a supervisory authority. The competent authority is:
Austrian Data Protection Authority
Wickenburggasse 8, 1080 Vienna, Austria
Email: dsb@dsb.gv.at

10. Accessibility

If you have any questions or issues regarding the accessibility of this Privacy Policy or the PWA “ciphernotes,” please contact us at raphaeln@outlook.com.

11. Amendments to this Privacy Policy

We reserve the right to update this Privacy Policy as needed (e.g., due to new features or legal changes). Users will be informed of significant changes via email or a notice in the PWA. The current version is available at any time in the PWA under “Privacy.”