Privacy policy
Information per Art. 13 GDPR and § 4 DSG (Austrian Data Protection Act).
1. Controller
The data controller in the sense of Art. 4(7) GDPR is:
- Company: Reamber GmbH (FN 563424s, Handelsgericht Wien)
- Address: Barbara-Prammer-Allee 15/2/40, 1220 Vienna, Austria
- Email: [email protected]
- Phone: +43 664 7557 7557
We have not appointed a statutory Data Protection Officer (no obligation under Art. 37 GDPR); contact for all data protection matters is the address above.
2. Data we process
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Email, name, profile picture (from Google sign-in) | Account creation, authentication, attributing your pages to you | Art. 6(1)(b) GDPR — performance of contract | Until you delete your account |
| Page content (HTML, assets) and metadata (slug, expiry, view count, referrers) | Hosting your page and giving you basic page-level analytics | Art. 6(1)(b) GDPR — performance of contract | Until page expiry or manual deletion |
| Form submissions captured on your hosted pages | Storing visitor messages so you can read them in your dashboard | Art. 6(1)(f) GDPR — legitimate interest of the page owner; you act as controller for those submissions, see § 5 below | Most recent 200 per page; deleted with the page |
| Server logs (IP address, user agent, request path, response code) | Operating the service, abuse and fraud prevention, rate limiting | Art. 6(1)(f) GDPR — security of network and information systems | Rotated within 30 days; not used for analytics or profiling |
| Session cookie (Better Auth) | Keeping you signed in | Art. 6(1)(b) GDPR + § 165(3) TKG 2021 — essential, no consent required | Session-bound; refresh up to 30 days |
| yapp_anon_id cookie | Letting your browser claim anonymous publishes after sign-in | Art. 6(1)(f) GDPR + § 165(3) TKG 2021 — essential | 30 minutes |
| OAuth tokens for MCP clients (Claude, Cursor, ChatGPT) | Authenticating MCP requests on your behalf | Art. 6(1)(b) GDPR | Until revoked or 30 days idle |
| Billing data for paid plans (name, billing address, country, payment-method metadata, transaction history) | Processing payments, invoicing, tax compliance and refunds — handled by our Merchant of Record, Paddle (see § 4) | Art. 6(1)(b) GDPR — performance of contract; Art. 6(1)(c) — legal and tax obligations | Retained by Paddle per its policy; tax records kept up to 7 years (§ 132 BAO) |
| Usage analytics (page views, referrer, browser, operating system, device type, approximate country) | Aggregate, privacy-friendly statistics to understand and improve the service — via our self-hosted Umami instance (see § 3) | Art. 6(1)(f) GDPR — legitimate interest; cookieless, no cross-site tracking, no personal profiles | Aggregated event data; no IP addresses or personal identifiers stored |
3. Cookies & analytics
We use only strictly necessary cookies (session, anonymous-publish, CSRF) and no advertising, profiling or cross-site tracking cookies. Because neither these essential cookies nor our analytics store or read non-essential information on your device, no consent banner is required under § 165(3) TKG 2021 and Art. 5(3) ePrivacy Directive.
For usage analytics we use Umami, self-hosted by Reamber GmbH at insights.reamber.com on our EU infrastructure — your data is not shared with any third-party analytics provider. Umami records aggregate metrics only (page views, referrer, browser, operating system, device type, and an approximate country derived transiently from your IP address). It does not set cookies, does not store your IP address, does not track you across sites, and does not build personal profiles. Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in measuring and improving the service. You may object at any time at [email protected]. Analytics runs only on yapp.page's own pages, not on the pages you publish.
4. Processors and recipients
| Processor | Purpose | Location & safeguards |
|---|---|---|
| Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany | Server hosting, file storage, PostgreSQL database | EU (Falkenstein / Nuremberg). Data Processing Agreement per Art. 28 GDPR in place. |
| Cloudflare, Inc., 101 Townsend St, San Francisco, CA, USA | CDN, DDoS protection, TLS termination, custom-domain hostnames | Global Anycast, EU traffic preferentially routed via EU PoPs. Transfers to the USA are safeguarded by Standard Contractual Clauses (Art. 46(2)(c) GDPR) and Cloudflare's certification under the EU–U.S. Data Privacy Framework (Art. 45 GDPR). |
| Google Ireland Ltd., Gordon House, Barrow St, Dublin 4, Ireland (Google OAuth sign-in) | Federated sign-in via your Google account | Primary controller: Google Ireland (EU). Onward transfers to Google LLC (USA) are covered by Standard Contractual Clauses and the EU–U.S. Data Privacy Framework. |
| Paddle.com Market Ltd, Judd House, 18–29 Mora Street, London EC1V 8BT, United Kingdom | Merchant of Record for paid plans — payment processing, fraud screening, invoicing, sales-tax / VAT compliance and refunds | United Kingdom (covered by the European Commission's UK adequacy decision, Art. 45 GDPR), with global payment sub-processors safeguarded by Standard Contractual Clauses (Art. 46 GDPR) where required. As Merchant of Record, Paddle acts as an independent controller for the payment transaction. |
Web fonts are self-hosted from our own servers; no font CDN data is sent to Google or other third parties.
We do not sell or rent personal data. We only share data with public authorities where strictly required by law.
5. Pages with forms — you are the controller
If you publish a page containing an HTML <form> element, submissions are captured and shown to you. For that data you are the data controller under Art. 4(7) GDPR and you must inform your visitors per Art. 13 GDPR and obtain any required legal basis. Reamber GmbH acts as your processor (Art. 28 GDPR) for storage and delivery of those submissions and provides reasonable technical and organisational measures; we will sign a Data Processing Agreement on request to [email protected].
To help you operate as a compliant controller, the dashboard Messages view gives you direct access to the rights toolkit visitors can exercise against you: per-submission and bulk deletion (Art. 17), CSV and JSON export for access and portability requests (Art. 15, Art. 20), and a per-page automatic-retention setting (Art. 5(1)(e)). A hard cap of 200 most recent submissions per page acts as a backstop. No IP addresses, user-agent strings or referrer headers of your visitors are stored — only the form payload they submit.
6. Your rights
You have the right to:
- Access (Art. 15 GDPR) — request a copy of your data
- Rectification (Art. 16) — correct inaccurate data
- Erasure (Art. 17) — delete your account and pages
- Restriction (Art. 18) — pause processing in certain cases
- Portability (Art. 20) — receive your data in a machine-readable format
- Object (Art. 21) — to processing based on legitimate interest
- Withdraw consent at any time, where processing is based on consent
Send requests to [email protected]. We respond without undue delay and at the latest within one month (Art. 12(3) GDPR).
7. Right to lodge a complaint
You may complain to the competent supervisory authority. For Austria:
Österreichische Datenschutzbehörde
Barichgasse 40-42, 1030 Vienna, Austria
dsb.gv.at · [email protected]
8. Automated decision-making
We do not use automated decision-making within the meaning of Art. 22 GDPR.
9. Data security
All traffic is served over TLS 1.2+. Passwords (where used) are stored as salted hashes. Each user's data is scoped to their account. Rate limits mitigate abuse. In the event of a personal data breach we notify the Datenschutzbehörde within 72 hours (Art. 33 GDPR) and affected data subjects without undue delay where the risk is high (Art. 34 GDPR). Despite reasonable measures, no system is perfectly secure, so we recommend not publishing sensitive content.
10. Changes
We may update this policy. Material changes will be announced on this page and, where appropriate, by email.
Last updated: