Privacy Policy for Cybach Oy powered websites ========================================== Effective Date: 29.7.2025 Website: [cybach.space, cybach.com, pigeonreporter.com] Privacy in a Nutshell --------------------- - We do NOT collect any personal data unless you register. - No cookies or tracking technologies are used; we use JWT tokens stored in local storage solely for authentication. - All requests to our servers, including those from unregistered visitors, pass through managed hosting and CDN providers who may log IP addresses and request metadata as part of normal operational processes. - Our managed hosting provider is legally bound to **anonymize logged IP addresses** in accordance with data protection laws. - We use the third-party service **ipapi.co** and the open-source library **Leaflet** **only when you use map features** (e.g., to show your region or local content). - IP addresses are **not stored in plain form**. Instead, we store a **secure hash of the IP address** for operational measures such as **rate limiting** and abuse prevention. - When you register, we collect only your **email** and **username**. Passwords are hashed immediately and never stored in plain text. - The registration server is hosted in Germany and logs standard web server data including IP addresses for security and operational purposes. - Payment processing is handled entirely by PayPal; we store only payment confirmation data, not sensitive payment details. - Payment-related data is **retained indefinitely** for accounting and legal compliance and **cannot be deleted**. - Other than payment data and optional content users request, **we do not collect any other personal data that would require deletion**. - If you submit content (e.g. ordered results), we will **delete it upon request within one month**, or **automatically after payment access expires**. This is a **manual process handled by humans**, so please allow for delays or minor issues. - You can withdraw your consent at any time by contacting us via contact@cybach.com. - You have full rights to access, correct, or delete your personal data (where applicable). - We do not sell or share your data for marketing. Full Privacy Policy ------------------- 1. Who We Are ------------- We are based in Finland and provide services globally. Our infrastructure is hosted within the EU and globally by providers including Azure, PayPal, and CDN services. 2. Data We Collect and When --------------------------- Visitors (Unregistered Users): - We do not collect personal data or use cookies or trackers. - All requests from visitors, including unregistered users, pass through managed servers and CDN providers who may log IP addresses and technical metadata as part of normal service delivery. - **Our managed hosting provider is bound by law and contract to anonymize IP addresses logged at the infrastructure level.** These logs are maintained for operational integrity and are not directly accessed or used by us except as permitted for security or troubleshooting. - We use **ipapi.co** as a third-party service to translate IP addresses into approximate geographic data **only when users interact with maps** (e.g., to determine region-specific content or show nearby points). - We use **Leaflet**, an open-source JavaScript mapping library, **only when maps are loaded by the user**, to display interactive geographic data directly in the browser. - We store only a **hashed version of the IP address** (not the raw IP) in our database for **rate limiting** and abuse prevention. This enhances privacy while still allowing us to enforce request limits. Registered Users: - Upon registration, with your explicit consent (via checkbox), we collect: - **Email address** - **Username** - **Password (hashed immediately using secure cryptographic methods)** - Email verification and account creation timestamps - We do not collect your name, address, or other personal identifiers. - The registration server in Germany logs web server data including IP addresses for security and fraud prevention. Payments: - Payments are processed solely by PayPal. - We store: - User ID - Product ID - PayPal order ID - Payment amount and currency - Payer email (from PayPal) - Payment metadata and status - **We do not store credit card or banking information.** - **Payment data is retained permanently** to comply with legal and accounting obligations and cannot be deleted. User-Requested or Purchased Content: - If you order or generate content through our services (e.g. reports, downloads, custom outputs), we retain it: - Until you request deletion (we aim to process within one month). - Or until payment access or entitlement expires. - **Deletion is manual and performed by real humans**, so please understand delays may occasionally happen. We always aim to fulfill requests responsibly and promptly. 3. Legal Basis for Processing ----------------------------- - Registration and data collection occur based on your explicit consent. - Payment data is processed to fulfill our contractual obligations. - Server log processing and hashed IP address storage for rate limiting is based on our legitimate interest in security and abuse prevention. - We comply with legal obligations related to payment and accounting data retention. 4. How We Use Your Data ------------------------ - To create and manage your account. - To verify your email and communicate important information. - To process payments and refunds. - To monitor security, prevent fraud, and implement rate limiting using hashed IP addresses. - To comply with legal and regulatory obligations. - To provide localized content and services **only when map features are used**, by using geolocation services (ipapi.co) in connection with your IP address. - We use **Leaflet** to display maps and pins in your browser **only if you view or interact with map-based content**. 5. Data Retention ----------------- - **Registration data** is deleted upon account closure or upon your request. - **Payment data is retained indefinitely** as required by accounting laws and cannot be deleted. - We do not collect other personal data that would need deletion. - **User content**, if created or requested by you, is deleted: - On request (within 1 month, manually). - Or after your payment/license/access expires. - Server logs and hashed IPs used for rate limiting are retained only as long as needed for operational security. 6. Data Security ---------------- - Passwords are stored as secure hashes using industry-standard algorithms. - IP addresses used for rate limiting are hashed using industry-standard cryptographic algorithms (e.g., SHA-256), ensuring they are not stored in readable form. - Our hosting provider anonymizes infrastructure-level IP logs as required by law. - We rely on managed hosting providers for infrastructure security, including physical, network, and operational safeguards. - In case of a data breach, information potentially exposed includes email addresses, usernames, password hashes, payment data, and hashed IP addresses associated with payments and rate limiting. - We minimize risk by not collecting unnecessary sensitive data. 7. Your Rights Under GDPR -------------------------- You have the right to: - Access your personal data. - Request correction or updates. - Request deletion of your personal data (where applicable). - Withdraw consent at any time by contacting contact@cybach.com. - Object to or restrict data processing. - Request data portability. - Lodge a complaint with your local data protection authority. To exercise your rights, please send a request from your registered email address to contact@cybach.com. We may require verification to protect your privacy. 8. Third-Party Sharing ----------------------- - We do not sell or share your data for marketing purposes. - Data may be shared with: - Cloud and CDN providers for service delivery. - PayPal for payment processing. - Legal authorities when required by law. - All third parties comply with GDPR and have appropriate data processing agreements. 9. International Transfers --------------------------- - Data processing and storage primarily occur within the EU. - Third-party services such as PayPal, Azure, CDN providers, and ipapi.co may transfer data outside the EU under GDPR-approved safeguards like Standard Contractual Clauses. 10. Cookies and Tracking ------------------------ - We do not use cookies or tracking technologies. - Authentication uses JWT tokens stored in local storage only. 11. Age Restrictions --------------------- - Our services are intended for users aged 18 or older. - We do not knowingly collect data from minors. - If data from minors is discovered, we will delete it promptly. 12. Changes to This Privacy Policy ----------------------------------- - We may update this policy occasionally to reflect operational or legal changes. - The latest version is always posted here with the effective date. - Significant changes will be communicated via email or website notifications. Thank you for trusting us with your data. We are committed to protecting your privacy and complying fully with GDPR.