Privacy Statement (GDPR / DSGVO Compliant)

Last updated: April 14, 2026
Controller: Maik Zimpel
Email: privacy@attendance-sheets.dev
Address: Lübsche Strasse 95, 23968 Wismar


1. Personal Data We Collect

When you use our authentication features (Sign in with Google or GitHub), we collect the following personal data:

  • Name – as provided by your Google or GitHub profile
  • Email address – verified email from your OAuth provider
  • Profile picture (avatar) – retrieved via Google or GitHub OAuth, used to personalize your account

We do not collect sensitive personal data (e.g., health, political opinions, biometric data).


2. Legal Basis for Processing (GDPR Art. 6)

We process your personal data only when a valid legal basis exists under the GDPR:

  • Art. 6(1)(b) GDPR – Contract fulfillment:
    Name, email, and profile picture are necessary to provide you with a user account, authenticate you, and deliver core website functionality.

  • Art. 6(1)(a) GDPR – Consent:
    For optional features (e.g., storing profile picture preferences), we will ask for your explicit consent. You may withdraw consent at any time.

  • Art. 6(1)(f) GDPR – Legitimate interest:
    For security and fraud prevention (e.g., session token validation), we rely on our legitimate interest to maintain a safe service.


3. Third-Party Processors

We use the following third-party processors, all of which have GDPR-compliant data processing agreements (DPA) in place:

  • Google OAuth
    Purpose: Authentication ("Sign in with Google")
    Data transferred: Name, email, profile picture URL
    Location: EU / USA (SCC)

  • GitHub OAuth
    Purpose: Authentication ("Sign in with GitHub")
    Data transferred: GitHub username, email, avatar
    Location: EU / USA (SCC)

  • Resend
    Purpose: Transactional emails (welcome, magic links, notifications)
    Data transferred: Email address, name
    Location: EU / USA (SCC)

  • Google Cloud Platform (GCP)
    Purpose: Hosting, database, cloud functions, file storage
    Data transferred: All user data (name, email, avatar reference) + encrypted session tokens
    Location: Frankfurt (eu-central-1) / Belgium

Data transfers to third countries are based on Standard Contractual Clauses (SCC).


4. Data Retention Periods

We retain your personal data only as long as necessary for the purposes outlined:

  • Account data (name, email, profile picture): For the duration of your active account. Upon account deletion, data will be erased within 30 days (unless legal retention obligations apply).
  • Session token (httpOnly, 7 days): Automatically expires after 7 days of inactivity.
  • OAuth state parameter (httpOnly, 10 minutes): Used only during the authentication handshake; deleted immediately after completion or after 10 minutes.
  • Email logs (Resend): Retained for 30 days for delivery diagnostics, then pseudonymized.
  • Backups (GCP): Encrypted backups are kept for up to 90 days, then permanently deleted.

5. Your Data Protection Rights (GDPR)

Under the GDPR, you have the following rights:

  • Right of access (Art. 15) – You can request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16) – You can correct inaccurate or incomplete data.
  • Right to erasure / "right to be forgotten" (Art. 17) – You can request deletion of your data when it is no longer needed.
  • Right to data portability (Art. 20) – You can receive your data in a structured, machine-readable format (JSON/CSV).
  • Right to restriction of processing (Art. 18) – You can request that we limit how we use your data.
  • Right to object (Art. 21) – You may object to processing based on legitimate interests.

6. How to Exercise Your Rights

You have two convenient ways to exercise your rights:

  1. Via your account settings page:
    Log in and go to "Account → Privacy & Data". There you can:

    • Download all your personal data (portability / access)
    • Update your name or profile picture (rectification)
    • Delete your account permanently (erasure)
  2. By emailing our Data Protection Officer:
    Send a message to privacy@yourdomain.com with the subject line "GDPR Data Request". We will respond within 30 days (as required by Art. 12 GDPR).

Exercising your rights is free of charge.


7. Cookies Used

Our website uses strictly necessary cookies for authentication and security. We do not use tracking or analytics cookies without explicit consent.

  • session_token
    Purpose: Maintains your authenticated session after login (encrypted, signed)
    Type: Essential
    Expiry: 7 days (rolling)
    HttpOnly: Yes

  • oauth_state
    Purpose: CSRF protection during the Google/GitHub OAuth flow; randomly generated per attempt
    Type: Security (essential)
    Expiry: 10 minutes
    HttpOnly: Yes

Because these cookies are strictly necessary for core functionality (login and security), they cannot be disabled via our interface. You may refuse them by not using the authentication features – however, you will not be able to create an account or log in.


8. Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or the place of the alleged infringement.

For Germany (where our controller is based), the competent authority is:

The Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Graurheindorfer Str. 153, 53117 Bonn, Germany
Phone: +49 228 997799-0
Email: poststelle@bfdi.bund.de
Web: www.bfdi.bund.de

We kindly ask that you contact us first at privacy@yourdomain.com before lodging a complaint with a supervisory authority, so we can address your concerns directly.


9. Contact Information of the Controller

Data Controller:
Maik Zimpel
Lübsche Strasse 95, 23968 Wismar
Email: privacy@attendance-sheets.dev

For any questions regarding this privacy statement or to exercise your rights, please contact us using the email above.


10. Changes to This Privacy Statement

We may update this privacy statement from time to time to reflect changes in our practices or for legal reasons. For material changes, we will notify you via email or through a prominent notice on our website. The "Last updated" date at the top of this document indicates when the latest changes were made.


© 2026 Maik Zimpel – GDPR / DSGVO compliant. Your privacy matters to us.