Vadorna · Legal

Privacy Policy

What data we collect, why, and the control you have over it.

Draft for legal review. This template reflects how Vadorna is built (minimal data, no advertising/tracking at launch). Fields in {{…}} must be completed, and the whole document should be reviewed by an Austrian lawyer before launch. It is not legal advice.

Last updated: {{DATE}} · Version 0.1 (draft)

1Who is responsible

The controller responsible for your personal data under the GDPR is:

{{LEGAL NAME / Vadorna GmbH}}
{{STREET, POSTCODE, CITY, AUSTRIA}}
Email: privacy@vadorna.com
{{Data Protection Officer, if appointed: dpo@vadorna.com}}

2What we collect

  • Browsing (no account): the archive is fully readable without signing up. We process only basic server logs (IP address, browser/device, time of request) needed to deliver and secure the site.
  • Account data (only if you register): email address, a chosen handle, and a hashed password. A display name is optional. We do not require your real name.
  • Content you submit: entries, edits, comments, forum posts, and photos you upload. Photos are stripped of GPS/location metadata on upload.
  • Lists: your “I have / I want / wishlist” selections.
  • Cookies: none in the current read-only phase; when accounts launch, only strictly necessary cookies (login/session). See section 6.

We do not run advertising networks or cross-site tracking, and we do not sell or rent personal data. We also do not train generative or other AI on your content (photos, posts, comments) without your separate, opt-in consent, license your personal data to advertisers, or repurpose your personal data outside the archive context.

3Why we process it & legal basis

  • Run your account and the community — Art. 6(1)(b) GDPR (performance of a contract / terms of use).
  • Keep the site secure & prevent abuse/spam (logs, rate limits, moderation) — Art. 6(1)(f) (legitimate interests).
  • Newsletter or other optional features — Art. 6(1)(a) (your consent, withdrawable any time).
  • Legal obligations (e.g. responding to lawful requests) — Art. 6(1)(c).

4Who processes data for us

We use a small number of processors under data-processing agreements (Art. 28 GDPR):

ProcessorPurposeLocation
Cloudflare, Inc.Hosting, CDN, securityEU / USA
SupabaseDatabase, authentication, file storage (once the backend is live){{EU region}} / USA
{{Transactional email provider}}Account & verification emails{{…}}

We do not share your data with anyone else except where legally required.

5International transfers

Some processors are based in or transfer data to the United States. Where that happens, transfers are safeguarded by the EU Standard Contractual Clauses and/or the provider’s certification under the EU–US Data Privacy Framework. {{Confirm the safeguard your providers actually use.}}

6Cookies

In the current read-only phase we set no cookies at all — there is no sign-in, so not even a session cookie is used, and there are no analytics or tracking scripts. When accounts launch we will use only strictly necessary cookies (to keep you logged in and maintain your session) — these do not require consent. If we later add analytics or any non-essential cookies, we will ask for your consent first via a cookie banner and list them here.

7Aggregate analytics & insights

To understand how the archive is used and to improve it — and to build an anonymous picture of collecting trends (e.g. which colours, materials, models and brands are most owned, wanted or searched) — we analyse activity such as your “I have / I want / wishlist” entries, page views, searches and outbound resale clicks. This member-activity analysis applies only once accounts and activity tracking launch; it is not active in the current read-only phase.

Legal basis. This internal analysis rests on our legitimate interest (Art. 6(1)(f) GDPR) in operating, securing and improving the service. You can object at any time (Art. 21 GDPR) via privacy@vadorna.com or your Settings. Any analytics that relies on non-essential cookies or cross-site/device tracking is switched on only with your prior consent (Art. 6(1)(a) GDPR) via the cookie banner.

Always aggregated & anonymised. These insights are produced as aggregate statistics that never identify an individual member and never expose anyone's personal collection. Where a public figure is shown on an item (e.g. “X members want this”), it is a count only. Access to the internal analytics dashboards is restricted to the operator (owner/admin).

We do not sell your personal data. We do not sell or rent data that identifies you, we do not license it to advertisers, and we do not repurpose it outside the archive context. We also do not train generative or other AI on your content (photos, posts, comments) without your separate, opt-in consent. We may, now or in the future, use, publish or share aggregate, anonymised trend reports (for example most-owned colours, materials, models and brands) — because these contain no personal data and cannot be linked back to any individual, they fall outside the scope of the GDPR, and we may use and share them freely, including commercially. Should we ever wish to process your personal data for a genuinely new purpose, we will inform you beforehand and, where the law requires it, ask for your consent first.

8How long we keep it

  • Account data: for as long as your account exists. When you delete your account, your profile, comments, messages and photos are removed from the public archive immediately and from backups within 30 days.
  • Public contributions to the archive (factual entries/edits) may be retained in anonymised form to preserve the historical record, with your handle removed.
  • Server logs: 30 days (consistent with our Terms), then deleted or anonymised.

9Your rights

Under the GDPR you have the right to access, rectification, erasure, restriction, data portability, and objection, and to withdraw consent at any time (without affecting prior processing). You can export your data yourself in Settings → Export, or contact privacy@vadorna.com. We respond within one month.

You also have the right to lodge a complaint with the supervisory authority:
Österreichische Datenschutzbehörde, Barichgasse 40–42, 1030 Wien — dsb.gv.at.

10Children

Vadorna is not directed at children. In Austria the minimum age for valid consent to information-society services is 14; you must be at least 14 to create an account. If we learn we hold data of a younger child without proper consent, we delete it.

11Security

We use reasonable technical and organisational measures — HTTPS in transit, hashed passwords, access controls, and stripping of photo location metadata. No system is perfectly secure; in the event of a data breach affecting your rights we will notify the authority within 72 hours and you where legally required.

12Changes

We may update this policy. Material changes will be posted here and, for registered users, announced by email with reasonable notice before they take effect.

13Contact

Questions or requests about your data: privacy@vadorna.com. Full provider details are in our Impressum.