Privacy Policy

Last Update: 2025-04-01 // v1.2.0

Introduction and Summary

This is the privacy policy for bytewurst.de. It describes how and why we collect, store, use, share, and disclose (let’s summarize it as “process”) information about you when you use the website, its functions, or even just consume its content (our “services”). bytewurst.de is a website under construction.

So who is “we”? We are Codepals OÜ and we are responsible for the mentioned services. We are the owner and data controller of the personal data that is collected when you use the website. If you want to get in touch with us, you will find below some ways to do so.

Responsible

Codepals OÜ

Address:
Sepapaja tn 6
15551 Tallinn
Estonia

Email: privacy@codepals.com

General Structure of This Privacy Policy

Each service we provide is described in a separate section. We explain

  • what data we (and our infrastructure provider) process
  • what role our infrastructure provider plays
  • how long we keep the data
  • whether data is transferred to third countries

Service: General Website & Content Delivery

Data We (and Our Infrastructure Provider) Process

To make this website work (e.g., to display blog posts or this privacy policy), you do not have to enter any data manually. Before you see anything from our website, your browser sends requests to the server to get such content. In doing so, it also transfers metadata to the server, such as:

  • IP address
  • Browser type and version
  • Operating system type and version
  • The language used
  • The referral source

The IP address is considered personal data and can be used to identify you. For example, if you visit this website again within the next few hours, it may be possible to see that it’s the same IP address and therefore very likely the same person returning. We use this data to ensure our services work safely (e.g., blocking IPs associated with suspicious activity). We therefore have a legitimate interest in processing this data.

Use of Cloudflare

Our service runs on infrastructure provided by Cloudflare, Inc., based in the USA. Cloudflare helps deliver our content efficiently and securely by using your IP address to determine the nearest server. For more about their privacy policy, visit Cloudflare Privacy Policy.

From the IP address, it is possible to derive the approximate location of the user (e.g., country, city, region). This data is used to improve our services, such as offering localized content, but mainly we use it to ensure that our services are working properly and to protect our website from attacks. To do this on our own, we would need to invest a lot of time and money. We therefore have a legitimate interest in using Cloudflare. If this website generates revenue at some point in the future, we might consider switching to a different provider that is located in the EU.

Data Deletion / Retention

  • Most IP addresses are deleted the same day from server logs.
  • In cases of errors or suspected attacks, they may be stored longer for troubleshooting.
  • Cloudflare states that they retain logs for 1 week under certain circumstances.

Data Transfers to Third Countries

Cloudflare operates globally, including in the USA. As they are subject to U.S. laws, it is possible for U.S. authorities to access metadata. We have no control over this but use Cloudflare to ensure efficient service delivery.


Service: User Authentication & Account Management

Some of our services require you to create an account. Instead of building our own password-based login, we use OAuth authentication via Google and GitHub (Microsoft). This is a deliberate security-by-design decision: we never store your password. Google and GitHub are industry leaders in authentication security and invest heavily in protecting your credentials — far beyond what a small startup could responsibly implement on its own. By delegating password storage to them, we minimize the risk of password breaches on our side.

When you click “Sign in with Google” or “Sign in with GitHub”, you are redirected to the respective provider where you authenticate directly. We never see or handle your password at any point.

Data We Process

After you authenticate with your chosen provider, we receive and store the following data:

  • Email address — used as your primary identifier across our services
  • Display name — your name as provided by the OAuth provider
  • Profile picture URL — to personalize your experience (actually we do not make use of it right now)
  • Username — derived from your provider profile or email
  • Provider-specific profile data — such as company, location, and bio (if publicly available on your provider profile)
  • Provider user ID — a unique identifier from Google or GitHub that links your provider account to your account on our platform

We store this data in our database hosted on Cloudflare D1. We do not store your password, access tokens, or refresh tokens.

Session Management

After a successful login, we create a session token (JWT — JSON Web Token) that is stored in your browser as an httpOnly cookie. This cookie:

  • Is not accessible by JavaScript running on the page (httpOnly)
  • Is protected against cross-site request forgery (sameSite: lax)
  • Uses secure transmission in production (HTTPS only)
  • Expires after 7 days, after which you need to log in again

The session token contains your user ID, display name, profile picture URL, and your permissions for the current domain. It does not contain your email address or any sensitive provider data.

Roles and Permissions

Each domain on our platform can assign you a role (e.g., admin, author, viewer). Your role determines which features you can access. Permissions are embedded in your session token and are the sole authority for access control decisions. Your role assignment is stored in our database and linked to both your user account and the specific domain.

Data Deletion / Retention

Your account data is stored for as long as your account exists. You can request account deletion at any time by contacting us at privacy@codepals.com. Upon deletion, we remove:

  • Your user record and all associated metadata
  • Your OAuth provider data (Google/GitHub profile stored on our side)
  • All role and permission assignments
  • All organization memberships

Domain ownership is handled separately — if you own domains, ownership will be transferred or cleared before deletion.

Data Transfers to Third Countries

During the login process, your browser communicates directly with Google (USA) or GitHub/Microsoft (USA) to authenticate. After authentication, your provider profile data is sent to our server and stored on Cloudflare D1 infrastructure. Cloudflare operates globally, including in the USA. For details on Cloudflare’s data handling, see the “Use of Cloudflare” section above.

We do not share your account data with any other third parties.


As an alternative to OAuth login via Google or GitHub, we offer email-based passwordless login using magic links. When you enter your email address on the login or registration page and click “Send login link”, we send you a one-time link to your email address. Clicking this link authenticates you — no password is ever created, stored, or required.

How It Works

  1. You enter your email address on the login or registration page.
  2. We generate a cryptographically signed, single-use token containing your email address, the domain, and a unique nonce (random identifier).
  3. This token is stored temporarily in our database (Cloudflare D1) and sent to your email address via our email delivery provider Brevo (formerly Sendinblue).
  4. When you click the magic link in your email, our server verifies the token, checks that it has not been used before, and creates or retrieves your user account.
  5. A session is created using the same JWT-based mechanism described in the “User Authentication & Account Management” section above.

Data We Process

  • Email address — entered by you on the login/registration form. Used as your primary identifier and as the recipient for the magic link email.
  • Domain name — the website you are logging into, embedded in the token for verification.
  • Unique nonce — a random identifier to ensure each magic link can only be used once.
  • Timestamps — creation time and expiration time of each token, used for rate limiting and expiry enforcement.

We do not store your password at any point — this login method is entirely passwordless by design.

Rate Limiting

To prevent abuse, we limit the number of magic link requests to 3 per email address within a 15-minute window. If you exceed this limit, you will need to wait before requesting a new link.

Data Sent to Third Parties: Brevo (Email Delivery)

To deliver the magic link email, we use Brevo (Sendinblue GmbH, based in Germany). When we send you a magic link, the following data is transmitted to Brevo’s API:

  • Your email address (as the recipient)
  • The email subject and content (which includes the magic link URL)

Brevo processes this data solely for the purpose of delivering the email on our behalf. Brevo acts as a data processor under GDPR. For details on Brevo’s data handling, see their privacy policy at https://www.brevo.com/legal/privacypolicy/.

Token Retention and Deletion

Magic link tokens are short-lived and automatically cleaned up:

  • Tokens expire after 10 minutes and cannot be used after expiration.
  • Each token can only be used once — after you click the link, the token is marked as consumed and cannot be reused.
  • Expired and consumed tokens are periodically deleted from the database during routine cleanup operations.
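
The flow from "How It Works", with the limits stated under "Rate Limiting" and "Token Retention and Deletion", as an added example (this is not bytewurst.de's or Codepals' own code). It assumes HMAC-SHA256 as the signature scheme and an in-memory dict in place of the Cloudflare D1 table; the names `issue` and `verify` and the failure-reason strings are hypothetical.

```python
import base64, hashlib, hmac, json, secrets

SECRET = secrets.token_bytes(32)      # signing key (assumption: HMAC-SHA256)
TOKEN_TTL = 10 * 60                   # tokens expire after 10 minutes
RATE_MAX, RATE_WINDOW = 3, 15 * 60    # 3 requests per email per 15 minutes
tokens = {}                           # nonce -> row; stands in for the D1 table

def _sign(body: bytes) -> bytes:
    mac = hmac.new(SECRET, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac)

def issue(email, domain, now):
    """Return a signed magic-link token, or None when the rate limit is hit."""
    recent = [r for r in tokens.values()
              if r["email"] == email and now - r["created"] < RATE_WINDOW]
    if len(recent) >= RATE_MAX:
        return None                   # logged as "rate limit triggered"
    nonce = secrets.token_urlsafe(16)
    claims = {"email": email, "domain": domain, "nonce": nonce,
              "exp": now + TOKEN_TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    tokens[nonce] = {"email": email, "created": now, "consumed": False}
    return (body + b"." + _sign(body)).decode()

def verify(token, domain, now):
    """Return (True, email) or (False, reason); reason feeds the event log."""
    body, _, sig = token.partition(".")
    # Check the signature first, in constant time, before trusting any claim.
    if not hmac.compare_digest(_sign(body.encode()), sig.encode()):
        return (False, "bad_signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["domain"] != domain:
        return (False, "domain_mismatch")
    if now >= claims["exp"]:
        return (False, "expired")
    row = tokens.get(claims["nonce"])
    if row is None or row["consumed"]:
        return (False, "already_used")
    row["consumed"] = True            # single use: consume before session creation
    return (True, claims["email"])
```

The clock is passed in as `now` (seconds) so the expiry and rate-limit windows can be exercised deterministically; a periodic cleanup job would delete rows that are consumed or older than the rate-limit window.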

Legal Basis

The processing of your email address for magic link authentication is based on Art. 6(1)(a) GDPR (Consent) — you actively initiate the process by entering your email address and clicking “Send login link”. If you do not wish to use this feature, you can log in via Google or GitHub instead.


Service: Authentication Event Logging

To protect your account and detect abuse, we log security-relevant events during the authentication process — regardless of whether you log in via magic link, Google, or GitHub. These logs help us identify suspicious activity such as brute-force attempts, token replay attacks, or unauthorized access across our domains.

Events We Log

We record the following authentication events:

  • Magic link requested — when you submit your email address to receive a login link
  • Magic link verified — when you successfully log in by clicking the link
  • Magic link failed — when a verification attempt fails (e.g., expired token, already-used link, or domain mismatch)
  • Rate limit triggered — when too many magic link requests are made for the same email address within a short time window
  • OAuth login successful — when you successfully log in via Google or GitHub
  • OAuth login failed — when the token exchange with Google or GitHub fails during the login process

Data We Process

For each event, the following data is recorded:

  • IP address — as provided by Cloudflare (cf-connecting-ip header)
  • Approximate location — city and country, derived from your IP address by Cloudflare
  • User agent — your browser identification string
  • Domain name — the website where the authentication event occurred
  • Email address — the email address involved in the authentication attempt (magic link events only)
  • User ID — your internal account identifier (only for successful logins)
  • Authentication provider — which login method was used (magic link, Google, or GitHub)
  • Event metadata — contextual details such as the failure reason for failed attempts

This data is sent to our own analytics service CP Insights, which runs as a Cloudflare Worker and stores data in a Cloudflare D1 database. No third-party analytics providers are involved.

Data Retention and Deletion

Authentication event logs are periodically reviewed and either deleted or anonymized (IP addresses and email addresses are obfuscated). You can request deletion of your authentication logs at any time by contacting us at privacy@codepals.com.

Legal Basis

The processing of authentication event data is based on Art. 6(1)(f) GDPR (Legitimate Interest). We have a legitimate interest in detecting and preventing unauthorized access, abuse, and security incidents on our platform. The data collected is limited to what is necessary for security monitoring, and we do not use it for marketing or profiling purposes.


Service: Get in Touch with Us

We provide ways to contact us, such as email or postal mail. Relevant third-party providers include:

Data We (and Our Third-Party Providers) Process

If you contact us, the data you share is processed, stored, and deleted when no longer necessary.

Data Deletion / Retention

Data retention depends on the purpose for which it was shared. For example, we may keep email addresses to follow up on inquiries or provide updates.


Your Rights

Deletion of Data on Request

We explained the data we process and how we use it. If you want us to delete your data, contact us.

Exporting / Transferring Your Data

As we don’t store data long-term, exporting data may not be applicable.

Find Out What Data Is Stored About You

You have the right to request details about the data we store. However, we typically do not retain personally identifiable data like IP addresses for long periods.

You have the right to withdraw consent at any time. Currently, we do not process data requiring consent.

Correcting Data

You have the right to correct your data. However, we process minimal personal data (e.g., IP addresses).

Lodge a Complaint

You have the right to lodge complaints with a data protection authority. Find your local authority via the EDPB Members List.


Cookies

When you select a language other than the default one (which is the one your browser is set to), we save this information in your browser by setting a cookie. Besides that, we do not use other cookies. We have a legitimate interest in making sure our customers (you) understand the content we provide on our website.


Web Beacons

We use a script from Cloudflare to collect anonymized analytics, such as visitor interactions and general location (country). This data is used to improve the website.


Data Security

We prioritize data protection through privacy-focused design and partnerships with trusted providers. The website uses HTTPS and TLS/SSL encryption for secure communication.

