Privacy Policy

Last updated: December 7, 2025

1. Controller / Verantwortlicher

Name: Maximilian Daub
Address: Quermatenweg 98, 14163 Berlin, Germany
Email: datenschutz@tpwrtr.app
Website: https://tpwrtr.app

2. Data We Collect

2.1 Account Information (via Google OAuth)

When you sign up using Google Sign-In, we collect:

  • Email address: Used for account identification and communication
  • Name: Displayed in your profile (you can edit this)
  • Profile picture: Optional, displayed in the user interface

Legal basis: Art. 6(1)(b) GDPR (contract performance) - necessary for account creation and service provision.

2.2 Usage Data

We automatically collect:

  • Typing test results: Words per minute (WPM), accuracy, errors, timestamps
  • Progress data: Personal bests, test history
  • Preferences: Theme selection, test mode preferences

Legal basis: Art. 6(1)(b) GDPR (contract performance) - necessary to provide the typing trainer service.

2.3 Analytics Data (with your consent)

If you accept cookies, we collect anonymized usage data via PostHog (EU instance):

  • Page views and navigation patterns
  • Test started/completed/abandoned events
  • Feature usage statistics
  • Browser type and device information

Legal basis: Art. 6(1)(a) GDPR (consent) - you can withdraw consent anytime via cookie settings.

Data processor: PostHog Inc., EU instance (eu.i.posthog.com)
Location: European Union
Privacy policy: https://posthog.com/privacy

3. How We Use Your Data

  • Account management: Create and maintain your account
  • Service provision: Store and display your typing test results and progress
  • Product improvement: Analyze usage patterns (anonymized) to improve features
  • Communication: Send important service updates (rarely, only when necessary)

We do NOT:

  • Sell or share your data with third parties
  • Use your data for advertising or marketing
  • Access your Gmail, Google Drive, or other Google services

4. Data Storage & Security

4.1 Where We Store Your Data

All user data is stored in the European Union:

  • Supabase (EU region): Account data, test results, preferences
  • PostHog (EU instance): Anonymized analytics data

No data transfer outside the EU. We comply with GDPR data localization requirements.

4.2 Security Measures

  • HTTPS encryption for all connections
  • Password-less authentication (OAuth + magic links only)
  • Regular security updates and monitoring
  • Access controls and encrypted database storage

5. Data Retention

We retain your data as follows:

  • Active accounts: Data stored as long as your account is active
  • Deleted accounts: Data deleted within 30 days of account deletion
  • Analytics data: Anonymized data retained for up to 12 months

6. Your Rights (GDPR)

Under GDPR, you have the following rights:

6.1 Right to Access (Art. 15 GDPR)

You can view and download all your personal data anytime in Account Settings → “Download My Data”.

6.2 Right to Rectification (Art. 16 GDPR)

You can edit your name and preferences in Account Settings.

6.3 Right to Erasure (Art. 17 GDPR)

You can delete your account anytime in Account Settings → “Delete Account”. All your data will be permanently deleted within 30 days.

6.4 Right to Data Portability (Art. 20 GDPR)

You can export your data as JSON via Account Settings → “Download My Data”.

6.5 Right to Object (Art. 21 GDPR)

You can object to data processing by deleting your account or disabling analytics cookies.

6.6 Right to Lodge a Complaint

If you believe we are not complying with GDPR, you can file a complaint with your local data protection authority or the German Federal Commissioner for Data Protection and Freedom of Information (BfDI):

Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Graurheindorfer Str. 153
53117 Bonn, Germany
Website: https://www.bfdi.bund.de/

7. Cookies & Consent Management

We use cookies to provide essential functionality and optionally improve your experience through analytics. Your consent is required before any non-essential cookies are set.

7.1 Essential Cookies (No Consent Required)

These cookies are necessary for the website to function and cannot be disabled:

  • Authentication cookies (Supabase): Keep you logged in securely
  • Security cookies (CSRF tokens): Protect against cross-site attacks
  • Preference cookies (localStorage): Remember your theme choice (dark/light mode)
  • Consent cookies (c15t): Remember your cookie preferences

Legal basis: Art. 6(1)(f) GDPR (legitimate interest) - necessary for website functionality

7.2 Analytics Cookies (Consent Required)

These cookies are only set if you explicitly accept them via the cookie banner:

  • PostHog cookies (ph_*): Track anonymized usage patterns to help us improve tpwrtr
    • ph_<project_id>_posthog: Session data, distinct ID, feature flags
    • ph_<project_id>_posthog_ses: Session ID (expires after 30 min inactivity)

Legal basis: Art. 6(1)(a) GDPR (consent) - you can withdraw consent anytime

7.3 Managing Your Cookie Preferences

You have full control over your cookie preferences:

  • On first visit: Cookie banner appears, allowing you to accept or reject analytics cookies
  • Change anytime: Click “Manage Cookies” in the footer to update your preferences
  • Withdraw consent: Disable analytics cookies at any time - tracking will stop immediately

7.4 Cookie Consent Storage

Your cookie preferences are stored securely in our database (Supabase, EU region) and locally in your browser. This ensures your choices are remembered across sessions and devices (if logged in).

7.5 No Cookies = Privacy-Preserving Tracking

If you reject analytics cookies, PostHog uses privacy-preserving methods:

  • No cookies are set in your browser
  • We only count anonymous page views using privacy hashes (no personal data)
  • Your IP address is not stored or logged

8. Third-Party Services

8.1 Google OAuth

Purpose: User authentication
Data shared: Email, name, profile picture
Privacy policy: https://policies.google.com/privacy

8.2 Supabase

Purpose: Database and authentication infrastructure
Location: European Union
Privacy policy: https://supabase.com/privacy

8.3 PostHog (Optional, with Consent)

Purpose: Product analytics
Location: EU instance (eu.i.posthog.com)
Privacy policy: https://posthog.com/privacy

8.4 Vercel

Purpose: Website hosting
Privacy policy: https://vercel.com/legal/privacy-policy

9. Children's Privacy

tpwrtr is designed for users aged 16 and older. We do not knowingly collect data from children under 16 without parental consent (GDPR requirement for Germany).

If you believe we have inadvertently collected data from a child under 16, please contact us at datenschutz@tpwrtr.app, and we will delete it immediately.

10. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page
  • Notify you via email or a prominent notice on the website

We encourage you to review this policy periodically.

11. Contact Us

If you have questions about this privacy policy or how we handle your data, please contact us:

Email: datenschutz@tpwrtr.app
Name: Maximilian Daub
Address: Quermatenweg 98, 14163 Berlin, Germany

We will respond to your inquiry within 30 days (GDPR requirement).

Note: This privacy policy is provided in English for your convenience. The German version (Datenschutzerklärung) is the legally binding version. If you need the German version, please contact us.
