Privacy Policy (Datenschutzerklärung)
Last updated: January 2026
Data Controller
Overview
We take the protection of your personal data very seriously. This privacy policy explains what data we collect, how we use it, and your rights regarding your data under the General Data Protection Regulation (GDPR).
Data We Collect
1. Account Data
When you create an account, we collect:
- Username - Your chosen login name
- Password - Stored securely using bcrypt hashing (we never store plaintext passwords)
- Callsign - Your amateur radio callsign (if assigned)
2. QSL Card Data
When you generate QSL cards, we process:
- Card templates and background images you upload
- Text positions and configuration settings
- Generated card data (processed in your browser, not stored on our servers)
Note: QSL cards are generated entirely in your browser using HTML5 Canvas. The actual card content (recipient callsign, date, frequency, etc.) is not transmitted to or stored on our servers.
3. Automatically Collected Data
When you visit our website, the following data may be collected automatically:
- IP address (may be anonymized by Cloudflare)
- Date and time of access
- Browser type and version
- Operating system
- Referrer URL (the page you came from)
Cloudflare CDN and Security
Important: This website uses Cloudflare as a Content Delivery Network (CDN) and security service.
Cloudflare, Inc. is a US-based company that provides CDN, DDoS protection, and security services. When you access our website, your connection passes through Cloudflare's network.
Data processed by Cloudflare:
- IP addresses (for routing and security)
- HTTP request data (headers, URLs)
- Security-related information (to detect and prevent attacks)
Cloudflare's role:
| Purpose | Description |
|---|---|
| CDN | Caches and delivers static content from servers closer to you |
| DDoS Protection | Protects our service from distributed denial-of-service attacks |
| SSL/TLS | Encrypts data in transit between you and our servers |
| Security | Blocks malicious traffic and bot attacks |
Cloudflare processes data according to their privacy policy: https://www.cloudflare.com/privacypolicy/
Cloudflare is certified under the EU-U.S. Data Privacy Framework.
Legal Basis for Processing
We process your data based on:
- Contract performance (Art. 6(1)(b) GDPR) - To provide our QSL card generation service
- Legitimate interests (Art. 6(1)(f) GDPR) - For security, fraud prevention, and service improvement
- Consent (Art. 6(1)(a) GDPR) - Where you have explicitly agreed
Cookies and Tracking
This website uses only essential cookies required for the service to function:
- Authentication token - Stored in localStorage to keep you logged in
- Language preference - Stored in localStorage to remember your language choice
We do not use:
- Tracking cookies
- Advertising cookies
- Third-party analytics (Google Analytics, etc.)
Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until you request deletion |
| Session data | 7 days (automatic expiration) |
| Uploaded images | Until you delete them or your account is removed |
| Audit logs | 90 days for security purposes |
Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15) - Request a copy of your data
- Right to rectification (Art. 16) - Correct inaccurate data
- Right to erasure (Art. 17) - Request deletion of your data ("right to be forgotten")
- Right to restriction (Art. 18) - Limit how we process your data
- Right to data portability (Art. 20) - Receive your data in a portable format
- Right to object (Art. 21) - Object to processing based on legitimate interests
To exercise these rights, please contact us at [email protected].
Data Security
We implement appropriate technical and organizational measures to protect your data:
- Passwords are hashed using bcrypt with 12 salt rounds
- All data is transmitted over HTTPS with TLS encryption
- Session tokens are cryptographically random
- Rate limiting prevents brute-force attacks
- Card images are only accessible to authenticated users
International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA) through our use of Cloudflare. Cloudflare participates in the EU-U.S. Data Privacy Framework, which provides adequate protection for personal data transferred from the EU to the US.
Complaints
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In Austria, the competent authority is:
Barichgasse 40-42
1030 Vienna, Austria
[email protected]
https://www.dsb.gv.at
Changes to This Policy
We may update this privacy policy from time to time. The latest version will always be available on this page with the "Last updated" date at the top. Significant changes will be communicated to registered users.