Privacy Policy
We're an independent business and we collect only the personal data we actually need to operate the site, fulfil contracts with our customers (schools), keep the service secure, and meet our legal obligations. Below is the full breakdown — what, why, how long, and your rights under DSGVO.
1. Data controller
Controller in the sense of Art. 4(7) GDPR / § 4 DSG:
[VOLLSTÄNDIGER NAME]
[STRASSE HAUSNUMMER]
[PLZ] [ORT], Austria
Email: [YOUR-EMAIL]
Full legal disclosure: Impressum.
2. At-a-glance summary
What we do:
- Aggregate, privacy-preserving traffic analytics to understand how the site is used. We do not use Google Analytics or any other third-party tracker on the public site by default.
- Log sponsored-click events (aggregated, no personal data attached) for billing schools who buy "Anzeige · Sponsored" placements.
- Process school portal accounts: email, name, optional phone, password hash, optional verification document. Required to operate the portal you signed up for.
- Display advertising (when active): if and when we add a display-advertising network, you will see a cookie-consent banner on first visit. No advertising or analytics cookies will be set before you affirmatively consent. Refusing is the default and does not disable any non-advertising feature.
What we do not do:
- No sale of personal data. Ever — under no business circumstance.
- No third-party tracking pixels on the public site (Facebook Pixel, LinkedIn Insight, TikTok Pixel, etc.).
- No newsletter or marketing-email signup forms on the public site at present.
- No advertising cookies without your prior, freely-given, specific, informed, and unambiguous consent in line with Art. 6(1)(a) and Art. 7 GDPR.
3. Categories of data we process
3.1 Public site
| Data | Where stored | Why |
|---|---|---|
| IP address, browser, OS, referrer, request timestamp | nginx access log on our Hetzner virtual server (EU data centre) | Technically required to deliver the page; standard web server log. Used for security monitoring, abuse prevention, and operational debugging. Logs are rotated and deleted after 30 days. |
| Sponsored-click event (course ID, sponsor ID, timestamp; no IP, no user ID) | Application database on our server | Counting clicks for billing schools who buy sponsored placements. Aggregated only; no individual user is identifiable. |
Theme preference (light / dark) |
Browser localStorage, key theme |
Remember whether you set the site to dark mode. Never sent to any server. |
Language preference (e.g. en, de, tr) |
Browser localStorage lang + cookie googtrans |
Remember your chosen UI language across visits. The cookie is read by Google Translate to translate the page server-side. Only set when you actively change the language. |
| Saved courses (a list of course IDs) | Browser localStorage, key saved-courses |
Remember which courses you've starred. Never sent to any server. |
| Filter state (the filters you've chosen) | URL hash fragment, not stored | Lets you share or bookmark a filtered view. The fragment is never transmitted to the server. |
3.2 School portal
When you create an account at the school portal we collect additional data described in section 6.
4. Cookies and local storage in detail
Under the EU Cookie Directive (transposed into Austrian law via § 165 TKG 2021), we are required to disclose cookies in use. The complete list:
| Name | Storage | Lifetime | Purpose |
|---|---|---|---|
theme |
localStorage | Until cleared | Light/dark mode preference. Strictly functional. |
lang |
localStorage | Until cleared | UI language preference. Set only on user action. |
googtrans |
Cookie | 1 year | Read by Google Translate to translate page text to your chosen language. Set only when you change language from English. |
saved-courses |
localStorage | Until cleared | List of courses you've starred for later. |
session |
Cookie (portal only) | 12 hours | Authenticated session for the school portal and admin. Signed, HttpOnly, SameSite=Lax, Secure. Set only after login. |
csrf_token |
Cookie (portal only) | Session | Cross-Site Request Forgery protection. Strictly necessary. |
All cookies and localStorage entries listed above are either (a) strictly necessary for the requested service (§ 165 Abs. 3 TKG 2021), or (b) set only after explicit user action (clicking the theme toggle, switching language, starring a course, or logging into the portal). For these no consent is required.
Advertising and analytics cookies — if and when we activate display advertising or third-party analytics on the public site, you will see a cookie-consent banner on first visit with separate, granular toggles for "functional", "analytics", and "advertising" categories. No category beyond strictly-necessary will load until you actively consent. Your consent decision is stored client-side and you can revoke it at any time via a footer link.
You can delete all client-side state at any time via your browser's "clear site data" or "clear cookies and site data" settings.
5. Third-party processors
We use the following third-party services to operate the site. None of them receives more data than is strictly required for the service:
Hetzner Online GmbH (hosting of the entire site and school portal)
Operator: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany.
Data: IP address, request headers, response status (standard web-server log). Data centre in the European Union (Falkenstein / Nuremberg / Helsinki).
Purpose: Hosting the public site, the admin application, and the school portal on a single virtual private server.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing a functional website).
Privacy policy: hetzner.com/legal/privacy-policy.
Data processing agreement: A DPA is in place between the controller and Hetzner Online GmbH covering all processing under Art. 28 GDPR.
GitHub, Inc. (private code repository)
Operator: GitHub, Inc., 88 Colin P. Kelly Jr. Street, San Francisco, CA 94107, USA.
Data sent by us: Source code and aggregated, non-personal course data committed by automated jobs running on our server. No personal user data is sent to GitHub from the public site.
Purpose: Versioned storage of our source code in a private repository.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in versioned backup of business code.
Privacy policy: GitHub Privacy Statement.
Display advertising network (planned — not currently active)
If we activate display advertising, the provider and full disclosure (operator, data transferred, transfer mechanisms, opt-out URL) will be added to this section before any advertising script loads on the site. Until then, no advertising network receives any data from the site.
Payment processor (for school portal subscriptions and sponsored placements)
When a school purchases a paid product, payment is processed by [PAYMENT PROCESSOR — z.B. Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin, Ireland]. We never see or store full card details — only a tokenised reference and the transaction outcome. The processor's privacy policy governs payment-data processing; we receive only billing email, name, country, last-4 digits, and transaction status. Legal basis: Art. 6(1)(b) GDPR (contract).
Google Translate
Operator: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (for EEA users).
Data: Page content snippets sent to translate.google.com when you change language to anything other than English.
Purpose: Live in-browser translation of page text.
Loaded only when: You actively change the language. The translation script is not loaded by default for English.
Legal basis: Art. 6(1)(a) GDPR (consent — the user's positive language choice).
Privacy policy: policies.google.com/privacy.
CARTO basemap tiles (only on the map page)
Operator: CARTO (CARTO DB, Inc.), 201 Spear St., San Francisco, CA 94105, USA. Tiles served via the global CDN at basemaps.cartocdn.com. Underlying geographic data is from OpenStreetMap contributors; CARTO re-renders it in the "Positron" style.
Data sent: Your IP address, browser user-agent, and the map tile coordinates you view (one HTTP request per visible tile). Only loaded when you visit the /map.html page — other pages don't contact CARTO.
Purpose: Rendering the interactive map of course locations in Vienna.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in showing a map. No personalisation, no profile-building.
Data transfer: Tile requests may be served from CARTO's edge nodes outside the EU. We use CARTO because it produces a substantially cleaner map than EU-only alternatives. If you prefer not to send the tile request, simply don't visit the map page — every other page in the site stays in the EU.
Privacy policy: carto.com/privacy.
Google Places API (rating refresh)
Operator: Google Ireland Limited.
Data sent by us: The public name and address of each indexed school. No user data is transmitted — this call is made from our scheduled job, not from your browser.
Purpose: Refreshing the publicly visible Google rating shown next to each school.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in keeping ratings current.
Source-of-truth storage
The school portal commits your school's listing data (course catalog, school description, public contact info) to our private GitHub repository for versioning and backup. Portal user accounts (email, name, phone, password hash, OAuth subject ID) are kept in a separate, gitignored folder on our Hetzner server and are never committed to git. Verification documents you upload during portal signup are stored only on the Hetzner server disk and are deleted on rejection of your application.
6. School portal data
If you create an account on the school portal (/portal/signup), the following additional data is processed:
| Field | How collected | Why |
|---|---|---|
| You enter it at signup | Login, contact about your school's listing | |
| Full name, phone | You enter them at signup (phone optional) | Verification of identity, contact about your application |
| Password hash | Computed from the password you set (bcrypt, 12 rounds) | Authentication. The plaintext password is never stored. |
| Google OAuth subject ID (optional) | From Google if you sign in with Google | Federated login |
| Verification document | You upload it during onboarding (PDF / JPG / PNG) | Confirming you have authority to represent the school |
| Consent timestamp | Auto-recorded when you tick "I represent this school" at onboarding | Proof of informed consent |
| Audit log entries | Auto-generated for each action you take (course edit, school edit, etc.) | Operational logging, dispute resolution. Stored append-only. |
Retention: Account data is kept for as long as your account is active. If you ask us to delete your account (see Section 9), we delete the account record. The school's public course data you created remains in the repository (it's the property of the school, not of you personally).
Verification document: Deleted from disk immediately if your application is rejected. On approval the document is retained for as long as you remain the school's verified representative; you can request earlier deletion.
7. Legal basis for processing
- Art. 6(1)(b) GDPR — contract — for the school portal: registering an account, managing your school's listing, providing the platform you signed up to use.
- Art. 6(1)(a) GDPR — consent — for Google Translate (loaded only on positive language choice) and the school portal consent checkbox.
- Art. 6(1)(f) GDPR — legitimate interest — for serving the public site, logging requests for security and operational reasons, and operating the daily scraper.
- Art. 6(1)(c) GDPR — legal obligation — for retaining audit logs and any data we may be required to keep under Austrian law (e.g. Mediengesetz disclosure).
8. How long we keep things
- Public site: nginx access logs (IP, request) on our Hetzner server are rotated and deleted after 30 days. Sponsored-click events are aggregated; no per-user identifier is stored.
- Portal account data: until the account is deleted by you or by an admin.
- Verification documents: deleted on rejection; retained on approval while the user is an active representative.
- Audit log: append-only, retained indefinitely as a security record.
- Cookies and localStorage: retained client-side as specified in section 4; you can clear them at any time via your browser.
9. Your rights under DSGVO
As a data subject under the General Data Protection Regulation, you have the following rights with respect to your personal data:
- Art. 15 — Right of access. You can request a copy of all personal data we hold about you.
- Art. 16 — Right to rectification. You can correct inaccurate data we hold.
- Art. 17 — Right to erasure ("right to be forgotten"). You can request deletion of your data subject to lawful retention obligations.
- Art. 18 — Right to restriction of processing. You can ask us to suspend processing in certain circumstances.
- Art. 20 — Right to data portability. You can request your data in a structured, machine-readable format.
- Art. 21 — Right to object. You can object to processing based on legitimate interest.
- Art. 7(3) — Right to withdraw consent. Where processing is based on consent, you can withdraw it at any time. Withdrawal doesn't affect the lawfulness of processing before withdrawal.
To exercise any of these rights, email [YOUR-EMAIL]. We respond within 30 days (extendable by two months for complex requests, in which case we'll tell you why).
Right to complain
You have the right under Art. 77 GDPR to lodge a complaint with a supervisory authority. The Austrian supervisory authority is:
Österreichische Datenschutzbehörde (DSB)
Barichgasse 40–42, 1030 Wien
Email: dsb@dsb.gv.at
Web: dsb.gv.at
10. Security measures
We implement the technical and organisational measures (TOMs) required by Art. 32 GDPR appropriate to the risk:
- HTTPS everywhere: all connections to the public site and the portal use TLS.
- Passwords: hashed with bcrypt (12 rounds). Plaintext passwords are never stored or logged.
- Sessions: signed with a server-side secret, HttpOnly, Secure, SameSite=Lax. Expire after 12 hours.
- CSRF tokens on all state-changing form submissions.
- Rate limiting on login and signup endpoints.
- Input validation on every form field before storage.
- Audit logs for every mutation in the portal and admin.
- PII isolation: portal user records and verification documents are stored in gitignored folders on the server, never committed to git.
- EU-hosted infrastructure: all personal data is processed on servers within the European Union (Hetzner data centre, Falkenstein, Germany).
- Backups: encrypted, retained 30 days, rotated automatically.
11. Contact
For any data-protection question or to exercise a right under DSGVO:
Email: [YOUR-EMAIL]
Postal address: see Impressum
Changes to this policy
We may update this privacy policy when our processing activities change or when legal requirements evolve. Material changes will be announced on the homepage. The current version always lives at this URL.
Stand / Last updated: [DATUM — z.B. November 2026]
Impressum · Privacy · Terms of Use · Advertising policy · Cookie settings