bartis.dev
/ legal · privacy

Privacy policy

bartis.dev is operated by one person in Germany. This page describes what personal data is processed when you use the site, why it's processed, and the rights you have under the EU General Data Protection Regulation (GDPR).

1. Controller

Statutory controller within the meaning of the GDPR is the operator named on the imprint page. For privacy requests: darius@bartis.dev.

2. Data we process

Server logs

Every request leaves a short-lived access log entry — IP address, user-agent, URL, response status, timestamp. The infrastructure is hosted on Hetzner Online GmbH (Germany). Logs are kept up to 14 days for security and abuse defense, then rotated out. Legal basis: Art. 6 (1)(f) GDPR (legitimate interest in operating the service).

Account data

When you create an account, we store your email address and a salted hash of your password. Authentication is handled by a self-hosted Supabase Auth (GoTrue) instance — your data never leaves servers we operate. Legal basis: Art. 6 (1)(b) GDPR (contract performance).

License + session data

For paid products, we store the license key, the product it's tied to, and the machine fingerprint of devices that activated it (so we can enforce per-license session limits). The fingerprint is a one-way hash — not a recoverable hardware ID. Legal basis: Art. 6 (1)(b) GDPR.

Payment data

Payments are processed by Stripe Payments Europe Ltd.. We never see your card number — Stripe handles that under PCI DSS. We store a Stripe customer ID and the metadata Stripe sends back (last 4 digits, brand, country) for receipts and refunds. Legal basis: Art. 6 (1)(b) GDPR.

Transactional email

Verification mails, password resets, license deliveries, and receipts are sent via Resend (Drie B.V.) as a processor under Art. 28 GDPR. Resend receives your email address and the message content. Legal basis: Art. 6 (1)(b) and (f) GDPR.

3. Cookies and local storage

No tracking cookies, no analytics, no third-party ads. The site stores your authentication session in your browser's localStorage under the key bartisdev.supabase.auth so you stay signed in. You can clear it any time from your browser settings.

4. Recipients of personal data

  • Hetzner Online GmbH (hosting)
  • Stripe Payments Europe Ltd. (payments)
  • Resend / Drie B.V. (transactional email)
  • Cloudflare, Inc. (DNS + DDoS protection at the network edge)

Each is bound by a Data Processing Agreement and processes data only on instruction. International transfers (to Stripe US entities, Cloudflare US entities, etc.) are covered by Standard Contractual Clauses per Art. 46 GDPR.

5. Retention

Account data is kept while your account exists and for up to 6 months after deletion (for fraud prevention and tax records). Invoices and Stripe transaction logs are kept for 10 years per German tax law (§ 147 AO).

6. Your rights

Under GDPR you have the right to:

  • Information about your data (Art. 15)
  • Rectification (Art. 16)
  • Erasure (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Objection (Art. 21)
  • Lodge a complaint with a supervisory authority (Art. 77)

Reach out to darius@bartis.devfor any of these. We'll respond within one month per Art. 12 (3) GDPR.

7. Updates

We update this policy when our processing changes. The current version is always linked from the footer.

Last updated: 2026-06-16