Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Privacy Policy

Last updated: January 2026

This privacy policy explains how fabi-sc-id collects, uses, and protects your personal data in accordance with the General Data Protection Regulation (GDPR) and German data protection law.

1. Data Controller

The person responsible for data processing on this website is:

Fabian Schlüter
Schloß-Ricklinger Straße 22
31515 Wunstorf
Germany

Email: support@id.fabi-sc.com
Phone: +49 176 41612960 (not a support hotline)

This is a private, non-commercial project with no revenue generation.

2. Supervisory Authority

The competent supervisory authority for data protection matters is:

Der Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5
30159 Hannover
Germany

Website: https://www.lfd.niedersachsen.de

3. Data We Collect

3.1 Account Data (Required)

When you create an account, we collect:

DataPurposeLegal Basis
UsernameAccount identificationArt. 6(1)(b) GDPR — Contract performance
Email addressAccount verification, password recovery, security notificationsArt. 6(1)(b) GDPR — Contract performance
PasswordAuthentication (stored as secure hash)Art. 6(1)(b) GDPR — Contract performance

3.2 Profile Data (Optional)

You may voluntarily provide additional information:

  • Display name
  • First and last name
  • Biography
  • Date of birth (used solely for age-related features)
  • Avatar image
  • Timezone and language preferences
  • Backup email address (for account recovery if you lose access to your primary email)

Legal basis: Art. 6(1)(a) GDPR — Your consent. You can modify or delete this data at any time.

3.3 Automatically Collected Data

To provide our services and protect your account, we automatically collect:

DataPurposeRetentionLegal Basis
IP addressSecurity, abuse prevention, geolocationStored in login history for 90 daysArt. 6(1)(f) GDPR — Legitimate interest
Login timestampsSecurity monitoring90 daysArt. 6(1)(f) GDPR — Legitimate interest
Approximate location (country/city)Security monitoring, detecting suspicious logins90 daysArt. 6(1)(f) GDPR — Legitimate interest
Basic device information (User-Agent)Security monitoring, session management90 daysArt. 6(1)(f) GDPR — Legitimate interest

Note: Geolocation is determined using a local database on our servers. Your IP address is never transmitted to external services.

3.4 Two-Factor Authentication Data

If you enable two-factor authentication, we store:

  • TOTP secrets (encrypted)
  • Passkey/security key credentials (encrypted)
  • Backup codes (stored as secure hashes)

Legal basis: Art. 6(1)(b) GDPR — Contract performance (security features you requested).

4. Third-Party Applications

When you connect third-party applications to your account:

DataPurposeLegal Basis
Granted permissions (scopes)Control what data applications can accessArt. 6(1)(a) GDPR — Your consent
Application-specific user IDPrivacy protection (prevents cross-app tracking)Art. 6(1)(f) GDPR — Legitimate interest

You can review and revoke application access at any time in your account settings.

5. Data Processing and Security

5.1 Encryption

  • Passwords are hashed using a memory-hard algorithm resistant to brute-force attacks
  • Sensitive profile data is encrypted at rest
  • Two-factor authentication secrets are encrypted
  • Backup codes are stored as one-way hashes
  • All connections are TLS-encrypted (HTTPS)

5.2 No External Data Transfers

Your personal data is processed exclusively on our servers. We do not use:

  • Third-party analytics services
  • Tracking tools or cookies for advertising
  • External authentication providers
  • Cloud services that process your personal data

Email delivery and content moderation are handled entirely on our own infrastructure.

5.3 Geolocation Processing

We use IP-based geolocation to determine approximate location for security purposes. This processing occurs on our servers using a local database. Your IP address is never sent to external geolocation services.

5.4 Automated Content Moderation

We use limited automated checks when saving profile content to detect obvious policy violations. These checks may reject content but do not result in automatic account suspension. All account suspensions are performed manually by authorized administrators after review. Content that violates these guidelines may be removed. This processing occurs entirely on our infrastructure without sending data to external services. If you believe a decision was made in error, you may contact us.

5.5 Hosting

Our servers are operated by Hetzner Online GmbH, a German data center provider. A data processing agreement (DPA) is in place in accordance with Art. 28 GDPR.

5.6 Administrative Access

For moderation and abuse prevention purposes, authorized administrators may review user profile information. Administrators cannot modify user-provided content, but may remove individual profile fields or content that violates our policies. All administrative actions are logged for accountability.

5.7 Backups

For security and integrity purposes, encrypted backups of our databases may be created. Backups are protected with appropriate technical measures and are retained only as long as necessary.

6. Data Retention

Data TypeRetention Period
Account dataUntil you delete your account
Login history90 days
Session data7 days after expiration or logout
Password reset tokens1 hour
Email verification tokens24 hours
Unverified accounts7 days
Inactive accountsDeleted after 1 year of inactivity (email warning sent 30 days before deletion)

Suspended Accounts

If your account is suspended for policy violations, your email address and username may be retained to prevent re-registration and for legal compliance purposes. This data is restricted and not used for any other purpose.

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

7.1 Right of Access (Art. 15 GDPR)

You can export all your personal data at any time from your account settings. The export includes your profile information, login history, connected applications, and more.

7.2 Right to Rectification (Art. 16 GDPR)

You can update or correct your personal data at any time in your account settings.

7.3 Right to Erasure (Art. 17 GDPR)

You can delete your account at any time. When you do:

  1. Connected applications are notified that you have disconnected
  2. All your personal data is permanently removed from our systems

7.4 Right to Restriction of Processing (Art. 18 GDPR)

You may request restriction of processing in certain circumstances. Contact us at the email address above.

7.5 Right to Data Portability (Art. 20 GDPR)

You can export your data in a machine-readable format (JSON) from your account settings.

7.6 Right to Object (Art. 21 GDPR)

You may object to processing based on legitimate interests. Contact us at the email address above.

7.7 Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with the supervisory authority listed in Section 2.

8. Security Notifications

We automatically notify you via email when security-relevant events occur:

  • Password changes
  • Email address changes
  • Two-factor authentication changes
  • New passkey registrations
  • Account deletion
  • Inactivity warning (30 days before automatic deletion)

These notifications help you detect unauthorized access.

9. For Developers

If you register an application, we store:

  • Application name and description
  • Authorized domains and callback URLs
  • Requested permission scopes
  • Webhook configuration (if applicable)
  • API keys (stored as secure hashes)

Legal basis: Art. 6(1)(b) GDPR — Contract performance.

10. Data Transfers to Third Countries

We do not transfer your personal data to countries outside the European Economic Area (EEA). However, when you grant access to a third-party application, that application becomes responsible for further processing. Please review their privacy policy before authorizing access.

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you.

Limited automated content moderation is used to detect obvious policy violations. This does not affect your legal rights and you may contact us if you believe a decision was made in error.

12. Cookies and Local Storage

We use only essential cookies and local storage for:

  • Session management (authentication)
  • Security tokens

We do not use cookies for tracking, analytics, or advertising purposes.

13. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. Significant changes will be communicated through appropriate channels.

14. Contact

For any questions about this privacy policy or your personal data, please contact:

Email: support@id.fabi-sc.com