Privacy policy
Controller: Stephan Lucka, Musterstraße 1, 12345 Berlin, Germany, hello@example.com. This policy explains what ActuallyUses processes and why (GDPR Art. 13).
Accounts
When you sign in, we store your email, optional name/avatar from your OAuth provider, role, language and notification preferences. Legal basis: contract performance (Art. 6(1)(b)). Sessions use signed cookies strictly necessary for login.
Follows, stacks & notifications
Your follows, saved stacks and notifications are stored to provide those features (Art. 6(1)(b)). Public stacks are visible to anyone — you control the toggle.
Outbound link clicks
When you click an outbound tool link, we log: timestamp, the page you came from, country-level geo (from your IP, which we do not store raw, only as a salted hash), a device class (mobile/desktop), and a random click ID used for affiliate attribution. Legal basis: legitimate interest in fraud-resistant commission attribution (Art. 6(1)(f)). The affiliate network sets its own cookies on the destination site; see their policies.
Analytics (consent only)
Product analytics (PostHog, EU hosting) run ONLY after you consent in the banner (Art. 6(1)(a)). No analytics before consent; you can decline with one click and we never ask again on the same device.
Creator pages
Creator pages contain exclusively public information: public content metadata, short quotes (≤120 characters) with source links, and follower counts. Creators can claim their page, correct or hide data (audited), or contact us for removal requests.
Weekly digest
If you opt in, we email you a weekly digest via our email provider. Unsubscribe anytime in settings; legal basis is consent (Art. 6(1)(a)).
Storage & processors
Data lives in our EU-hosted Postgres database and S3-compatible storage. Processors: hosting provider, email delivery (Resend), analytics (PostHog EU) — each under a data processing agreement.
Your rights
Access, rectification, erasure, restriction, portability, objection (Art. 15–21): use the one-click export and delete-account functions in /account/settings, or email us. You can lodge a complaint with your supervisory authority.
Retention
Account data: until deletion. Click logs: 24 months (commission audit windows). Reports & correction audit trails: kept as integrity records with personal references minimized.