Privacy Policy

1. Data Controller

moinsen UG (haftungsbeschränkt), Musterstraße 1, 12345 Berlin, Germany. Email: privacy@moinsen.dev

2. What Data We Process

Post Text

When you click "Analyze", your post text is sent to our server and forwarded to the Anthropic Claude API for analysis. For authenticated users, the post text and analysis results are stored in our database to provide analysis history. Free-tier users' posts are processed in transit. You can request deletion of your analysis history at any time.

IP Address (Hashed)

To enforce the daily free usage limit (3 analyses per day), we create a SHA-256 hash of your IP address combined with a server-side salt. This one-way hash is stored in Cloudflare KV with a 24-hour expiry. We never store your raw IP address. The hash cannot be reversed to recover your IP.

Local Storage (Browser Only)

We use your browser's localStorage to remember two preferences: your selected theme (light/dark) and your preferred language (EN/DE). This data never leaves your browser and is not sent to our servers.

Session Cookie

When you sign in, Conrad sets a single HttpOnly session cookie (conrad_session) containing an encrypted JWT token. This cookie is strictly necessary for authentication — it is not used for tracking. It expires after 7 days or when you log out. No third-party cookies are used.

Email Address

When you create an account, we store your email address for authentication (magic link login) and account identification. We do not share your email with third parties or use it for marketing. You can request deletion at any time.

Billing Data (Stripe)

If you purchase credits or a Pro subscription, payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription status but never your credit card number or payment details. Stripe's privacy policy applies to payment data.

Wishlist Data

Feature suggestions and votes you submit to the community wishlist are stored with your user ID. Wish titles, descriptions, and vote counts are publicly visible. You can request deletion of your submissions at any time.

No Analytics or Tracking

We do not use Google Analytics, Meta Pixel, or any other analytics or tracking service. We do not collect behavioral data, browsing patterns, or usage statistics.

3. Legal Basis

We process data under Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest is providing the post analysis service. The processing is minimal (text analyzed in transit, IP hashed and auto-deleted after 24h) and proportionate to the service provided.

4. Third-Party Processors

Anthropic (Claude API)

Your post text is sent to Anthropic's Claude API for analysis. Anthropic processes the text to generate risk scores and recommendations. Anthropic's data processing terms apply. Anthropic does not use API inputs for model training.

Stripe

Payment processing is handled by Stripe, Inc. When you make a purchase, Stripe processes your payment information directly. We never receive or store your full credit card details. Stripe's privacy policy and PCI DSS compliance apply.

Resend

We use Resend to send magic link authentication emails. Resend processes your email address solely for delivery purposes and does not use it for marketing.

Cloudflare

Our application runs on Cloudflare Pages. Cloudflare provides hosting, CDN, and the KV storage used for rate limiting. Cloudflare processes requests in accordance with their privacy policy and DPA.

Cloudflare Turnstile

We use Cloudflare Turnstile to verify that form submissions come from humans, not bots. Turnstile runs invisibly in the background without presenting puzzles or CAPTCHAs. It may analyze browser signals (mouse movements, interaction patterns) to distinguish humans from bots. No personal data is collected or stored by Turnstile beyond what is needed for the verification. Cloudflare's privacy policy applies.

5. Data Retention

Rate limit records (IP hashes) are automatically deleted after 24 hours via Cloudflare KV TTL expiry. Analysis history is retained for the lifetime of your account and can be deleted on request. Account data (email, preferences) is retained until you delete your account. Billing records are retained as required by German tax law (10 years for invoices).

6. Your Rights (GDPR Art. 15–21)

You have the right to:

• Access — Request information about data we process about you (Art. 15)
• Rectification — Correct inaccurate data (Art. 16)
• Erasure — Request deletion of your data (Art. 17)
• Restriction — Restrict processing of your data (Art. 18)
• Data portability — Receive your data in a portable format (Art. 20)
• Objection — Object to processing based on legitimate interest (Art. 21)

To exercise any of these rights, contact us at privacy@moinsen.dev. Since we store minimal data (only expiring IP hashes), most requests can be fulfilled immediately by confirming that no persistent personal data exists.

You also have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

7. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated date. Continued use of Conrad after changes constitutes acceptance.