Privacy policy

Controller

Sven Schöffel, Badener Str. 5, 91126 Schwabach, Germany. Email: sven@socialwarrior.de

No data protection officer is appointed, as the legal requirements under Art. 37 GDPR are not met.

Scope

This policy applies to your use of VLOGLog as a web app and Progressive Web App (PWA), including registration, login, time logging, team features, and export. It does not apply to external websites we link to.

Website access and server log files

When you access VLOGLog, the hosting provider automatically processes technical access data (e.g. IP address, date and time of access, requested URL, referrer URL, browser and operating system information). The purpose is technical provision, stability, and security of the website. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operation). Data is typically deleted by the hosting provider after a short period.

Categories of data processed

• Solo mode account data: email address, display name, authentication data (password stored hashed only via Supabase Auth)
• Team mode account data: username, display name, credentials
• Timestamp logs: person, action, format, location, custom fields, timestamp, author
• Project and team information: project name, project settings, group membership, invite links
• Technical session data: login session, session token, device/browser information as part of authentication
• Locally stored data: language preference, login preferences, appearance, background media, PWA status (see "Local storage")
• Optional website statistics (only with consent): visited page path, coarse country (ISO country code derived at the edge, no IP address stored), timestamp, and selected site language

Purposes and legal bases

We process personal data for the following purposes and on the following legal bases:

• Provision and performance of the service (registration, login, time logging, export, team collaboration): Art. 6(1)(b) GDPR (contract performance or pre-contractual measures)
• Technical provision and security of the website: Art. 6(1)(f) GDPR (legitimate interest in operation and security)
• Storage of login sessions and technically required settings: Art. 6(1)(b) and/or (f) GDPR
• Storage of user preferences (language, appearance, login preferences): Art. 6(1)(f) GDPR (legitimate interest in user-friendly operation)
• Compliance with legal retention obligations, where applicable: Art. 6(1)(c) GDPR
• Anonymous website statistics (page views and country) on public pages, only if you consent via cookie settings: Art. 6(1)(a) GDPR

Recipients and processors

We use the following service providers as processors pursuant to Art. 28 GDPR. Data processing agreements (DPAs) are in place:

• Supabase Inc. (646 Harrison St, San Francisco, CA 94107, USA) — database, authentication, and storage of application data. Privacy policy: supabase.com/privacy
• Cloudflare Inc. (101 Townsend St, San Francisco, CA 94107, USA) — hosting and delivery of the web app. Privacy policy: cloudflare.com/privacypolicy

Transfers to third countries

When using the services listed above, personal data may be transferred to the USA. Transfers are based on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) and the data processing agreements with the providers. Supabase operates data centres in the EU; depending on configuration, data may still be processed in third countries.

Retention period

• Account data: until deletion of your user account
• Timestamp logs and project data: until deleted by you, a team administrator, or when the associated project is deleted
• Server log files: short-term by the hosting provider, typically a few days up to 30 days
• Locally stored data: until deleted in the browser, on logout, or when uninstalling the PWA
• Website statistics: up to 24 months, then deleted automatically

Local storage (browser/PWA)

VLOGLog stores data locally in your browser as a Progressive Web App (PWA): localStorage and sessionStorage for login session, language, appearance, and form preferences; IndexedDB for background media and settings. This data remains on your device and is not automatically transmitted to us unless you actively send it through app features (e.g. log synchronisation). You can delete local data at any time via browser settings.

Cookies and local storage

VLOGLog uses technically necessary storage (session storage, localStorage) for login, session management, language, and your cookie preferences. Optional analytics are stored only if you enable them in cookie settings; they do not use third-party advertising or tracking cookies. No marketing cookies are used.

Website statistics (optional)

If you consent in cookie settings, we record anonymous visits to public marketing pages: the page path, a coarse country code derived from your connection at our hosting provider (Cloudflare; IP addresses are not stored by us), the time of the visit, and the site language shown. This helps us understand reach and regional interest. You can withdraw consent at any time via cookie settings; no statistics are collected after withdrawal. We do not merge this data with your account or create marketing profiles.

Data security

We implement appropriate technical and organisational measures to protect your data, including encrypted transmission (TLS/HTTPS), access controls via Supabase Row Level Security (RLS), and role-based permissions for team features. Absolute security cannot be guaranteed for internet transmission.

No automated decision-making

No automated decision-making, including profiling within the meaning of Art. 22 GDPR, takes place.

No advertising tracking

VLOGLog does not use advertising trackers, social media plugins, or third-party analytics services such as Google Analytics. Optional first-party statistics are described above and require your consent.

Your rights

You have the following rights vis-à-vis the controller:

• Access to your stored data (Art. 15 GDPR)
• Rectification of inaccurate data (Art. 16 GDPR)
• Erasure of your data (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR) — you can download your logs at any time via the export feature in VLOGLog
• Objection to processing (Art. 21 GDPR) where based on Art. 6(1)(f) GDPR
• Withdrawal of consent given (Art. 7(3) GDPR) with effect for the future
• Complaint to a supervisory authority (Art. 77 GDPR)

To exercise your rights, contact the address above. We will respond without undue delay, at the latest within one month.

Right to object

Where we process data on the basis of Art. 6(1)(f) GDPR (legitimate interest), you have the right to object at any time on grounds relating to your particular situation. We will then no longer process the data unless we can demonstrate compelling legitimate grounds.

Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work, or place of the alleged infringement. For us: Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Germany, www.lda.bayern.de

Changes to this privacy policy

We may update this privacy policy when the legal situation, service, or data processing changes. The current version is available on this page. Material changes will be communicated in an appropriate manner.