GDPR / German privacy notice
Data privacy
This private, invite-only website processes personal data only where needed for secure access, administration, legal obligations, and abuse prevention.
1. Controller
The controller responsible for this website under the GDPR is:
ByteTAL
Germany
Email: [email protected]
2. Scope and private access
This website is not a public registration platform. Accounts are created or invited only by the owner or an authorized administrator. This notice also applies before login, because IP addresses, timestamps, browser metadata, and failed access attempts may be processed to deliver and protect the website.
3. Personal data processed
- Account data: name, email address, role, status, creation and update timestamps.
- Authentication data: password hashes, MFA setup data, recovery-code status, session identifiers, reset tokens, and invitation tokens.
- Security data: login attempts, IP address, browser/user-agent data, audit events, timestamps, and administrative security actions.
- Communication data: messages sent to the contact address and related metadata.
- Technical data: server logs, essential cookies, CSRF/session data, and delivery metadata.
4. Purposes and legal bases
Processing is limited to operating the website, managing authorized accounts, enforcing access restrictions, providing requested private access, detecting misuse, troubleshooting incidents, maintaining auditability, responding to contact requests, and meeting legal duties.
The legal bases are Article 6(1)(b) GDPR where processing is necessary to provide requested private access, Article 6(1)(f) GDPR for the legitimate interests in secure operation, access control, abuse prevention, and evidence preservation, and Article 6(1)(c) GDPR where processing is required by law. If consent is requested for a future feature, Article 6(1)(a) GDPR will apply and consent may be withdrawn at any time with future effect.
5. Cookies and local storage
This website uses only technically necessary cookies or browser storage. No advertising, analytics, profiling, or marketing tracking is intended. Under Section 25(2) TDDDG, storage or access that is strictly necessary to provide a requested secure service does not require separate consent.
| Name/category | Purpose | Duration | Type |
|---|---|---|---|
| Session cookie | Login session, MFA state, CSRF protection, secure account access. | Until logout or session expiry. | Necessary |
| CSRF/session data | Prevents forged requests and protects authenticated actions. | Session based. | Necessary |
| Cookie notice acknowledgement | Stores whether the notice was acknowledged. | Until browser storage is cleared. | LocalStorage, non-tracking |
6. Hosting and processors
The website is hosted with IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. Hosting providers may process connection data, server logs, and technical metadata where required to deliver, maintain, and protect the website. A data processing agreement is used where required by Article 28 GDPR.
7. Recipients and transfers
Personal data is not sold. Access is limited to the owner, authorized administrators, hosting/service providers required for operation, and public authorities where disclosure is legally required. No intentional transfer to countries outside the European Economic Area is planned. If a future provider requires such transfer, an adequacy decision or appropriate GDPR safeguards must be used.
8. Retention
Personal data is kept only as long as necessary for authorized access, security, abuse prevention, troubleshooting, or legal obligations. Current operational defaults:
- Expired invitations: 30 days after expiry, unless needed for abuse prevention.
- Password reset tokens: Until expiry, normally 60 minutes.
- Sessions: Until logout, expiry, or administrative revocation.
- Login attempts: Up to 180 days for security monitoring.
- Audit logs: Up to 365 days for security and accountability.
- Inactive accounts: Reviewed periodically and deleted or disabled when no longer required.
9. Security
The website uses technical and organizational measures intended to protect personal data, including password hashing, MFA, recovery controls, CSRF protection, access controls, session management, audit logging, and HTTPS transport where configured by the hosting environment.
10. Your rights and request handling
Under the GDPR, data subjects may have rights of access, rectification, erasure, restriction of processing, data portability, objection to processing based on legitimate interests, and withdrawal of consent where processing is based on consent. Requests can be sent to the contact email above. To protect accounts, the owner may verify the requester's identity before fulfilling a request.
Providing account, authentication, and security data is necessary for authorized access. Without that data, access to the private website cannot be provided. No automated decision-making or profiling within the meaning of Article 22 GDPR is used.
11. Supervisory authority
You may lodge a complaint with a competent data protection supervisory authority. Current reference: REPLACE_WITH_COMPETENT_DATA_PROTECTION_AUTHORITY.
12. Official references
13. Security disclosure
Please report suspected vulnerabilities to [email protected]. Do not perform destructive testing, access other users' data, or disrupt availability.
14. Changes
This notice may be updated when the website, hosting, security functions, or legal requirements change.
Last updated: 18 May 2026. Version: 2026-05-18.1