Privacy Policy
This policy explains which personal data FritKot.Online processes, why, for how long and how you can exercise your rights.
Controller and contact
- Publisher: FritKot.Online, Belgium. Full administrative details of the operating entity (legal form, postal address, company/VAT number if applicable) will be added before commercial operation or paid processing.
- Privacy contact: privacy@fritkot.online. Legal contact: legal@fritkot.online. Security reports: security@fritkot.online.
Data we process
- Account data: nickname, email, phone number, language, GDPR consent and creation date.
- Verification data: hashed OTP code, expiry, attempt counter and sent date. The code itself is not stored in readable form.
- Contributions: ratings, criteria, optional comment, date and associated nickname.
- Technical security data: session ID, rate-limit counters, hashed IP and user-agent in security logs.
Purposes and legal bases
- Access management and email verification by OTP: performance of the requested service.
- Securing votes and comments, limiting abuse and preventing fraud: legitimate interest.
- Displaying public comments and scores: performance of the service and user contribution.
- Handling GDPR requests and legal obligations: legal obligation.
- No marketing without separate consent.
Retention
- OTP code: valid for 10 minutes; OTP hash and metadata are cleared after expiry and at the latest within 24 hours. Any OTP test log is kept for a maximum of 24 hours.
- Rate-limit files: kept until the end of the security window plus a maximum of 1 hour.
- Sessions and necessary session files: maximum 30 days.
- Technical logs: Nginx access logs 30 days; Nginx error logs, uptime and operational logs 90 days; security events and incident alerts 180 days. Incident extracts may be kept under restricted access for up to 12 months when needed for security or legal evidence.
- Unverified accounts are deleted after 30 days. Verified accounts unused for 24 months are deleted/anonymised: email, phone and account identifiers are removed; public contributions are detached or anonymised; aggregate scores may remain anonymously.
- Valid deletion or export requests are normally handled within 1 month unless the GDPR allows a reasoned extension.
Recipients and processors
- Hosting: Hetzner server infrastructure.
- Email: local mail server or Brevo SMTP if configured.
- Map: OpenStreetMap tiles are loaded by your browser to display the map.
- We do not sell personal data.
Cookies and local storage
- Necessary cookies: session and language preference.
- Local storage: PWA/splash/install status, without marketing tracking.
- There are currently no advertising or marketing tracking cookies.
Your rights
- You may request access, correction, erasure, restriction, portability and objection via privacy@fritkot.online.
- You may complain to the Belgian Data Protection Authority: https://www.dataprotectionauthority.be.