Privacy policy
The German versionof this policy is authoritative; this translation is provided as a courtesy.
1. Controller
TODO_AUSFÜLLEN(name)
TODO_AUSFÜLLEN(address)
Email: TODO_AUSFÜLLEN(email address)
2. The important part first
The public pages of this website are static. They set no cookies, useno tracking, no analytics and no ads. Fonts and all other resources are served from our own host — nothing is loaded from Google, Meta or other third-party CDNs. Your theme choice is stored only locally in your browser (localStorage) and is never transmitted to us. The calculator (rolldown widget) runs entirely in your browser — no inputs are sent to us. Data is processed only if you voluntarily create an account or take out a subscription (sections 5 and 6).
3. Hosting (server logs)
This website is hosted by Cloudflare (Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA). When you visit, Cloudflare technically processes your IP address plus date, time, requested file, user agent and referrer in server logs. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in secure, performant operation). Transfers to the USA rely on the EU-US Data Privacy Framework, which Cloudflare participates in.
4. The Dolfo app
The downloadable app runs entirely locally on your PC and transmits no game data to us. Optional data updates fetch files from our update server; this produces the technical access data described in section 3.
5. Account (login for website and app)
Applies once the login system goes live. An account is voluntary; it provides access to the app and the subscription. One account covers website and app at once. We process:
- Email address (sign-in, account recovery).
- Password — never in plaintext, only as a cryptographic hash (PBKDF2-SHA256 with a random salt and a server-side pepper).
- Device identifier to bind an account to one device — as a hash value only; the underlying raw identifier never reaches us.
- Session token (stored only as a hash) for signed-in requests.
- Security / abuse log (audit_log): IP address, country, browser identifier (user agent), timestamp and type of event (registration, login, device change, license retrieval). Purpose: detecting and preventing abuse (multi-accounting, account sharing, automated attacks). Legal basis Art. 6 (1) (f) GDPR (legitimate interest in abuse-resistant access). These log entries are deleted after90 days at the latest.
Legal basis for the account and sign-in is Art. 6 (1) (b) GDPR (performance of the usage contract). To protect the registration form against automated attacks we useCloudflare Turnstile (no cookie, no user profiling; Cloudflare, Inc.). The account runs on Cloudflare server infrastructure (worker + database; see section 3 on data transfer). TODO_AUSFÜLLEN(Before go-live: confirm the data processing agreement with Cloudflare.)
6. Payment processing (subscription)
Applies once sales are activated. The Premium subscription is sold throughPaddle as merchant of record (Paddle.com Market Ltd.). Paddle collects and processes the data needed for payment and invoicing (name, email, payment details, country for VAT) on its own responsibility; from Paddle we receive only your subscription status (paid until / cancelled), linked to your account email. Legal basis Art. 6 (1) (b) GDPR. Paddle's privacy notice: TODO_AUSFÜLLEN(link to paddle.com/legal/privacy). TODO_AUSFÜLLEN(If Bitcoin payment via BTCPay is offered: add it as a further recipient/processor — no personal payment data is collected, only the mapping payment → account.)
7. Your rights
Under the GDPR you have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection (Art. 21), plus the right to lodge a complaint with a supervisory authority (Art. 77).
8. Version
TODO_AUSFÜLLEN(go-live date). This policy will be updated as soon as the website's functionality changes (e.g. introduction of the premium subscription with a payment provider — recipients, purposes and legal bases will then be added).