Privacy policy
This statement informs you, per Art. 13 GDPR, about the processing of your personal data when using Struqo.
Controller
The controller within the meaning of the GDPR is:
Stephan Riess
Georg-Kerschensteiner-Str. 12
81829 München
Email: contact@struqo.app
Scope
This statement applies to the websites at struqo.app, struqo.de and struqo.eu and the related web application ("Editor").
Server logs
When you visit the site, technically required data is collected (IP address, date and time, requested page, browser, operating system). This data is necessary to deliver the site and ensure its security. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest). Retention: at most 14 days.
Account
If you create an account, we process your email address and a password hash for authentication. Legal basis: Art. 6 (1) (b) GDPR (performance of a contract). Data is stored as long as your account exists. You can delete it at any time in settings.
Project data
Plans, components, materials and dimensions you create in the editor are stored under your account. They are accessible only to you (row-level security in the database). Legal basis: Art. 6 (1) (b) GDPR. In guest mode no project data is stored.
Cookies
We use only strictly necessary cookies required for login and session handling (Supabase auth cookies). We do not use cookies for advertising or personal tracking.
Traffic measurement
On public pages (not the editor), we use Plausible Analytics for anonymous traffic measurement. Plausible sets no cookies and stores no personal data. IP addresses are hashed with a daily-rotating salt and discarded immediately, so no inference about individuals is possible. We collect page views, referrer, country (derived from the IP and then discarded), device type, and browser, plus a few anonymous interaction events (for example which help-page FAQ item gets opened). Legal basis is Art. 6 (1) (f) GDPR (legitimate interest in statistical usage analysis). Provider: Plausible Insights OÜ, Tallinn (Estonia); server hosting in Germany.
Editor telemetry
Inside the editor we count only aggregate events (for example "project opened", "component placed", "view created", "plan exported", "material assigned", "help opened"). We store only the event name and an incrementing counter, never your user ID, session ID, IP address or a per-event timestamp. No inference about individual people or sessions is possible from this data. Storage is in our Supabase database on AWS in Ireland (eu-west-1); no data is transmitted to third parties. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in aggregate usage measurement for product improvement).
Error monitoring
To keep the editor stable we capture JavaScript errors via the Sentry service. When an error occurs we transmit the stack trace, the error message, the route that was visited and a technical browser context (browser name, version, operating system). We have disabled Sentry's default PII collection: no IP address, no request headers, no cookies and no user identifier are transmitted. No session replay takes place. Data flows through a server-side proxy on our servers to Sentry, so no third-party scripts are loaded in the browser. The provider is Sentry, Inc., with exclusive EU-region hosting in Frankfurt (de.sentry.io, AWS eu-central-1). Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in technical stability and error remediation). Retention: 30 days maximum.
Contact form
When you use the contact form on the about page or inside the editor, we transmit your email address, optionally your name, the chosen request category and your message to our email delivery provider Resend, which delivers the message into our mailbox. We reply directly from that mailbox; there is no automated ticketing system. Your data is kept in the mailbox for at most 12 months, then deleted, unless an open conversation requires longer retention. No further transfer to third parties takes place. To prevent spam, we hold your request's IP address transiently in server memory (for at most one hour) for rate limiting; it is not persisted. Legal basis: Art. 6 (1) (b) GDPR (initiation or performance of a contract) or (f) GDPR (legitimate interest in contact and spam prevention).
Processors
We use the following service providers, each under a data processing agreement per Art. 28 GDPR:
- Supabase Inc., hosted on AWS in Ireland (eu-west-1). Purpose: authentication and database.
- Vercel Inc., EU edge hosting. Purpose: delivery of the website and the web application.
- Sentry, Inc., USA, with EU-region hosting in Frankfurt (de.sentry.io, AWS eu-central-1). Purpose: capturing error stack traces in the editor for stability monitoring. Data transmitted: stack trace, error message, technical browser context; no IP address, no user identifier.
- Resend, Inc., USA, with AWS sub-hosting in Ireland (eu-west-1). Purpose: sending transactional auth emails (confirmation, password reset) and delivering messages submitted through the contact form. Data transmitted: recipient address and email content; no editor data.
- Plausible Insights OÜ, Estonia; server hosting in Germany. Purpose: anonymous traffic measurement on public pages.
Retention
Account and project data are retained as long as your account exists. Server logs are deleted after at most 14 days. When the account is deleted, all associated data is removed promptly.
Your rights
Under the GDPR you have the following rights:
- Right of access to data stored about you (Art. 15 GDPR).
- Right to rectification of inaccurate data (Art. 16 GDPR).
- Right to erasure of your data (Art. 17 GDPR).
- Right to restriction of processing (Art. 18 GDPR).
- Right to data portability, available in settings under "Export data" (Art. 20 GDPR).
- Right to object to processing (Art. 21 GDPR).
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent authority is the Bavarian State Office for Data Protection Supervision (BayLDA), based in Ansbach, Germany.
Security
Your data is transmitted encrypted via TLS. In the database, row-level security policies ensure that only you can access your data.
Changes to this statement
We adjust this statement when the processing of your data changes. The current version is always available on this page.