← Capypad

Privacy Policy

Effective: May 1, 2026

1. Controller

The controller within the meaning of GDPR is Markus Wiesecke. Full contact details are in the Impressum.

2. What we process

Capypad is a code-reading practice tool. We only process data needed to operate it:

  • Sign-in: When you sign in with Google or GitHub OAuth, we receive your email, name, and provider account ID. We never store passwords.
  • Learning progress: Quiz answers, streak data, completed exercises, and language preference. For anonymous use, we tie this to a random, non-identifying ID stored in a cookie.
  • Server logs: IP, timestamp, user-agent, and requested URL for the duration of the connection. Not retained or linked to user accounts.
  • Technical cookies: Auth.js session cookie (encrypted, HTTP-only), locale and theme preferences, and the anonymous run cookie. No tracking or marketing cookies.

3. Legal basis

Processing is based on Art. 6(1)(b) GDPR (contract performance) for signed-in users, and Art. 6(1)(f) GDPR (legitimate interest in operating the service) for anonymous users and server logs.

4. Processors / recipients

  • Hosting: Self-managed server in Germany (Hetzner / dedicated), operated with Coolify. Postgres runs on the same host, isolated on the Docker overlay network.
  • Cloudflare, Inc.: CDN, DDoS protection, TLS termination. Data transfer to a third country (USA) under the EU Standard Contractual Clauses. Cloudflare processes IPs and browser metadata for connection security.
  • Google LLC / GitHub Inc.: Only when you choose to sign in with the respective provider. Data transfer to the USA under the EU Standard Contractual Clauses. Only the data required for sign-in is exchanged.

5. Retention

Account data and learning progress are retained until you delete the account. You can request deletion at any time via [email protected]. Anonymous run data is deleted automatically after 90 days of inactivity.

6. Your rights

You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and objection (Art. 21 GDPR). Requests to [email protected].

You may also lodge a complaint with the supervisory authority — in Germany, the data-protection authority of the relevant federal state.

7. Tracking / Analytics

Capypad uses Umami Analytics on our own infrastructure at analytics.codevena.dev. Analytics run without marketing cookies and without ad networks; we collect aggregated page views, referrers, device types, and similar technical usage data to improve stability and content.

8. Changes

This policy is updated when our data processing changes. Material changes are published on this page with an updated date.