Privacy Notice (Datenschutzerklärung)
This notice fulfils the information obligations under DSGVO Art. 13 for all processing activities carried out in connection with runlog.org. Last updated: 2026-05-05.
1. Controller (Verantwortlicher)
The controller within the meaning of DSGVO Art. 4(7) is the natural person operating runlog.org. Full name, postal address, and contact details are published in the Impressum. For data-protection enquiries, write to hello@volkerotto.net.
2. Purposes of processing
Personal data is collected at exactly one point: the registration form at /register/. The purposes are:
- Issuing an API key and binding it to the registrant's account (the sole purpose for which the email address is collected).
- Verifying that the registrant controls the submitted email address (one-time verification token, valid for 1 hour).
- Anti-abuse and security logging to protect service integrity (IP address and request metadata, retained for limited periods).
- Bot-detection challenge (Cloudflare Turnstile) on the registration form to prevent scripted email abuse. Processes IP address and browser characteristics. Lawful basis: Art. 6(1)(f) DSGVO — legitimate interest in fraud prevention and service integrity. Cloudflare acts as a processor; see Cloudflare's privacy notice.
No data is used for marketing, analytics, profiling, or any purpose beyond those listed here.
3. Lawful bases (Rechtsgrundlagen)
- Art. 6(1)(b) DSGVO — processing of the email address and issuance of the API key is necessary to carry out the arrangement requested by the user (API key registration). Without the email address, the key cannot be issued.
- Art. 6(1)(f) DSGVO — logging of IP addresses and verification tokens for anti-abuse and security purposes is based on the legitimate interest of the controller in maintaining the availability and integrity of the service. This interest is not overridden by the data subject's interests given the short retention periods and the absence of any downstream use of the logs.
4. Categories of personal data
- Email address — collected in plaintext on submission and used to send the verification email. In the database it is then stored only as a bcrypt-derived hash (one-way); the plaintext is also retained in the operator-side application log for up to ~70 days.
- Derived hash of the API key — stored persistently for the lifetime of the API key to authenticate subsequent API requests.
- Request metadata — IP address, User-Agent string, and timestamps, recorded automatically in server access and application logs.
- Verification token — a single-use, time-limited token (valid 1 hour) bound to the submitted email address; stored in the database until used or expired (database entry retained up to 24 hours).
5. Source of data
All personal data is provided directly by the data subject via the registration form. No data is obtained from third parties or inferred from other sources.
6. Recipients and processors (Empfänger)
The following categories of service providers process personal data as processors under Art. 28 DSGVO. All processors operate under a data-processing agreement (DPA). No personal data is sold or shared with third parties for their own purposes.
- Hosting provider (in Germany) — hosts the API server. Processes server access logs, application logs, and the database (including email hashes and API keys). All infrastructure located in Germany; no third-country transfer.
- Backup service (same hosting provider, separate data centre within Germany) — receives encrypted off-host database backups. Backup snapshots may contain the transient data (IP addresses, tokens) that has already been purged from the live database; rolling 24-hour retention means any such data is discarded within 24 hours of the live-database purge. No third-country transfer.
- Email-delivery service (EU-based) — receives the registrant's email address and a templated message body to deliver the verification email. Does not receive the registrant's IP address. Operates under a DPA accepted at account sign-up. For the current list of sub-processors used by this service, see resend.com/legal/subprocessors. No third-country transfer (EU-resident operation).
- Content-delivery / edge provider (US-headquartered, EU edge) — serves the static website (runlog.org) from edge nodes. Does not proxy the API server (api.runlog.org). Processes visitor IP addresses and request metadata inherent to CDN operation. No cookies are set under the current configuration; see Section 13 below. Third-country transfer: see Section 7.
- Bot-detection service — Cloudflare Turnstile (US-headquartered) — renders a challenge widget on the registration form at /register/ to distinguish human visitors from automated scripts. Processes the visitor's IP address and browser characteristics as part of the challenge flow. Operates as a data processor under a DPA. Lawful basis: Art. 6(1)(f) DSGVO — legitimate interest in fraud prevention. For Cloudflare's privacy practices, see cloudflare.com/privacypolicy/. Third-country transfer: Standard Contractual Clauses (SCCs) incorporated in the standard DPA.
- Uptime-monitoring service (EU-based) — receives periodic availability pings from the API server. Processes only the server's public IP address; no visitor data or personal data is transmitted to this service.
7. Third-country transfers (Drittlandtransfers)
The content-delivery / edge provider and the bot-detection service (Cloudflare Turnstile) are both headquartered in the United States. The controller-to-processor relationships with these providers constitute transfers of personal data to a third country within the meaning of DSGVO Art. 44. The legal basis for these transfers is the Standard Contractual Clauses (SCCs) incorporated in each provider's standard data-processing agreement, accepted at account sign-up.
All other processors operate within the European Union or, in the case of the hosting and backup provider, within Germany. No additional third-country transfers apply.
8. Retention periods (Speicherdauer)
- Reverse-proxy access log (server-side, includes IP, UA, request path, status): up to approximately 90 days, governed by the server software's built-in log-rotation policy.
- Application / system log (server-side, includes plaintext recipient email address mapped to the email-delivery message ID, plus IP addresses): approximately 70 days, governed by the operating-system journal's storage limit.
- Email-delivery service log (delivery metadata — recipient address, delivery status, timestamps — at the processor): 30 days, then automatically purged by the processor.
- Database — transient tables:
  - Rate-limit records (IP address): auto-purged after 1 hour.
  - Verification token (token + email binding): auto-purged 24 hours after expiry.
- Database — persistent tables (API key hash + email hash + issuance timestamp): retained for the lifetime of the API key. There is currently no automated key-expiry mechanism; data subjects may request deletion under Art. 17 at any time.
- Off-host database backup: rolling 24-hour window; restore points older than 24 hours are discarded automatically.
9. Data-subject rights (Betroffenenrechte)
Under DSGVO, data subjects have the following rights, exercisable by writing to hello@volkerotto.net:
- Art. 15 — Access (Auskunft): right to obtain confirmation of whether personal data is processed and, if so, a copy.
- Art. 16 — Rectification (Berichtigung): right to have inaccurate data corrected.
- Art. 17 — Erasure (Löschung): right to have personal data deleted where the conditions of Art. 17 are met.
- Art. 18 — Restriction (Einschränkung): right to restrict processing under the conditions of Art. 18.
- Art. 20 — Portability (Datenübertragbarkeit): right to receive personal data in a structured, machine-readable format where processing is based on consent or contract and carried out by automated means.
- Art. 21 — Objection (Widerspruch): right to object to processing based on legitimate interests (Art. 6(1)(f)); the controller will cease processing unless compelling legitimate grounds override the data subject's interests.
- Art. 77 — Complaint (Beschwerderecht): right to lodge a complaint with the competent supervisory authority at the controller's place of establishment. The controller is established in Norderstedt, Schleswig-Holstein, Germany; the competent supervisory authority is das Unabhängige Landeszentrum für Datenschutz Schleswig-Holstein (ULD), Holstenstraße 98, 24103 Kiel, www.datenschutzzentrum.de.
10. Obligation to provide data
Registration is entirely opt-in. There is no statutory or contractual obligation to provide personal data. The only consequence of declining to submit data is that an API key cannot be issued.
11. Automated decision-making and profiling
No automated decision-making within the meaning of Art. 22 DSGVO takes place. No profiling is carried out.
12. Data protection officer (Datenschutzbeauftragter)
No data protection officer has been appointed. The statutory triggers under Art. 37 DSGVO (obligation to designate a DPO) are not met at the current scale of operations.
13. Cookies and device storage
The operator sets no first-party cookies and accesses no device storage (Web Storage, IndexedDB, or similar) for any purpose.
The Cloudflare Turnstile widget embedded on /register/ may set strictly necessary technical cookies or use local storage as part of its bot-detection challenge. These are set by Cloudflare (challenges.cloudflare.com), not by the operator, and are limited to what is required for the challenge to function. No tracking or advertising cookies are set by Turnstile.
The content-delivery / edge provider may, under certain traffic conditions, set strictly necessary technical cookies for bot-scoring purposes as part of its platform defaults. Under the current site configuration, no such cookies have been observed; the site serves without Set-Cookie headers under normal conditions. Should this change, this notice will be updated.
The content-delivery / edge provider also auto-injects browser-side Network Error Logging (NEL) headers. These cause the visitor's browser to send connection-failure reports to the provider's reporting endpoint. Reports include the request URL, error type, response code, server IP, and protocol-level metadata — they do not include page content or personal data beyond what is inherent in a connection record. No successful-connection reports are sent (success_fraction = 0.0). This behaviour is a platform default outside the operator's control on the current service tier.
14. Updates to this notice
This notice may be updated to reflect changes in processing activities or legal requirements. The "Last updated" date at the top of this page and the og:updated_time meta tag will be revised whenever material changes are made.