Privacy Policy
Effective Date: February 12, 2026
1. Introduction
This Privacy Policy explains how we collect, use, process, and protect your personal data in accordance with the EU General Data Protection Regulation (GDPR) and Austrian data protection law (DSG).
Data Controller:
Julian Hieblinger
Kaiserin Elisabeth-Straße 7, 2344 Maria Enzersdorf, Austria
Email: sceptical.investor@hieblinger.at
2. Data We Collect
2.1 Automatically Collected Data
When you visit our website, we automatically collect:
- IP Address: Hashed with daily salt for privacy (not stored in raw form)
- Browser Type: User-Agent string
- Access Time: Timestamp of page requests
- Pages Visited: URLs accessed during your session
2.2 Click Tracking Data
When you click outbound links (e.g., to wikifolio.com), we log:
- Hashed IP Address: SHA256 hash with daily salt
- Hashed URL: SHA256 hash of destination URL (first 16 characters)
- Campaign Tag: Source of the click (e.g., "portfolio")
- Timestamp: When the click occurred
2.3 API Access Logs
Our API endpoint logs:
- Hashed IP Address: For security monitoring
- Authorization Status: Success/failure of authentication
- Payload Size: Volume of data submitted
- Timestamp: When access occurred
2.4 Analytics (If Enabled)
If Google Analytics is enabled, we collect anonymized usage statistics. See Google's Privacy Policy: https://policies.google.com/privacy
3. Legal Basis for Processing
We process your data based on:
- Legitimate Interest (Art. 6(1)(f) GDPR): Analytics, security monitoring, and fraud prevention
- Consent (Art. 6(1)(a) GDPR): Analytics cookies (if used)
- Contractual Necessity (Art. 6(1)(b) GDPR): Providing the stock checker service
4. How We Use Your Data
We use collected data for:
- Service Delivery: Operating the stock checker tool
- Security: Detecting abuse, preventing unauthorized access
- Analytics: Understanding usage patterns to improve the service
- Performance Monitoring: Detecting and resolving technical issues
We do NOT:
- Sell your data to third parties
- Use your data for targeted advertising
- Share your data with marketing companies
- Store raw IP addresses (only hashed versions)
5. Data Retention
We retain data for the following periods:
- Click Logs: 90 days
- API Access Logs: 90 days
- Stock Data: Current version + 3 backups (rotated)
- Server Logs: 30 days
After retention periods expire, data is automatically deleted. IP hashes change daily due to daily salt rotation, making historical linkage impossible.
6. Data Security
We implement industry-standard security measures:
- HTTPS/TLS Encryption: All connections encrypted with Let's Encrypt certificates
- IP Hashing: Raw IP addresses never stored
- Access Control: API protected with IP whitelist and Bearer token authentication
- Rate Limiting: Prevents abuse and DDoS attacks
- Server Hardening: Firewall, fail2ban, automatic security updates
- Backup Encryption: Automated backups stored securely
7. Third-Party Processors
We use the following third-party services:
7.1 Hosting Provider
Hetzner Online GmbH (Austrian data center)
Purpose: Website hosting and server infrastructure
Data Processing Agreement: Yes (GDPR-compliant)
Privacy Policy: https://www.hetzner.com/legal/privacy-policy
7.2 CSS Framework
Pico.css (served locally)
Purpose: CSS framework for styling
Note: Served from our own server — no third-party CDN requests are made.
7.3 Analytics (If Enabled)
Google Analytics (if ANALYTICS_ID configured)
Purpose: Anonymized usage statistics
Privacy Policy: https://policies.google.com/privacy
8. Your Rights Under GDPR
You have the following rights:
8.1 Right of Access (Art. 15 GDPR)
Request a copy of personal data we hold about you.
8.2 Right to Rectification (Art. 16 GDPR)
Request correction of inaccurate data.
8.3 Right to Erasure (Art. 17 GDPR)
Request deletion of your data ("right to be forgotten").
8.4 Right to Restriction (Art. 18 GDPR)
Request limitation of data processing.
8.5 Right to Data Portability (Art. 20 GDPR)
Receive your data in machine-readable format.
8.6 Right to Object (Art. 21 GDPR)
Object to data processing based on legitimate interest.
8.7 Right to Withdraw Consent (Art. 7(3) GDPR)
Withdraw consent for analytics cookies (if applicable).
How to Exercise Your Rights
Send requests to: sceptical.investor@hieblinger.at
We will respond within 30 days as required by GDPR.
9. Cookies
This website does not use cookies.
No session cookies, no tracking cookies, no advertising cookies, no third-party cookies. We don't store anything on your device. Rate limiting is IP-based and does not require cookies.
Because we set no cookies, no cookie consent banner is required under the EU ePrivacy Directive (2002/58/EC) or its Austrian implementation (TKG 2021 §165).
Note: If we enable analytics in the future, we will implement a proper cookie consent mechanism before any cookies are set, as required by EU law.
10. International Data Transfers
Our servers are located in Austria (EU). All assets (CSS, images) are served locally from our own server. We do not currently transfer data outside the EU.
If Google Analytics is enabled in the future, data may be transferred to the US (Google's GDPR safeguards would apply). A cookie consent mechanism will be implemented before any such transfer occurs.
11. Children's Privacy
This website is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided data, contact us for deletion.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Updates will be posted on this page with a new effective date.
13. Supervisory Authority
You have the right to lodge a complaint with the Austrian Data Protection Authority:
Österreichische Datenschutzbehörde
Barichgasse 40-42
1030 Vienna, Austria
Website: https://www.dsb.gv.at/
14. Contact
For privacy-related questions or to exercise your rights:
Email: sceptical.investor@hieblinger.at
Subject: "Privacy Request - Silver Bullion Stock Checker"
Last updated: February 12, 2026