Werkzeu.ge

Privacy Policy

Last updated: February 23, 2026

We take the protection of your data seriously. This privacy policy explains what data we collect, why we collect it, how we protect it, and what rights you have. The short version: all servers are in Germany, we use no tracking cookies, no Google services, no AI processing, and we never sell your data.

1. Data Controller (Art. 4(7), Art. 13(1)(a) GDPR)

Cryon UG (haftungsbeschränkt)
Landsberger Str. 35
04157 Leipzig
Germany

Managing Director: Jonas Kutavicius
Email: info@werkzeu.ge

We have not appointed a separate Data Protection Officer as we do not meet the requirements of Art. 37 GDPR / § 38 BDSG. For all data protection matters, please contact us at the email address above.

2. Principles of Data Processing

We process personal data exclusively according to the following principles:

  • Data minimization: We only collect data that is actually necessary for the respective purpose.
  • Purpose limitation: Data is only used for the purpose for which it was collected.
  • Transparency: This policy explains exactly what we do and why.
  • Storage limitation: We delete data once the processing purpose no longer applies.
  • No data sales: We never sell, rent, or trade your data.
  • No AI processing: Your data is never sent to AI systems, LLMs, or third parties for automated processing.

3. Hosting & Server Location

Our entire infrastructure runs on dedicated servers operated by Hetzner Online GmbH in Germany (data centers in Nuremberg and Falkenstein). Hetzner is a German company based in Gunzenhausen and is fully subject to German and European data protection law.

We explicitly do not use any of the following services:

  • Amazon Web Services (AWS)
  • Google Cloud Platform
  • Microsoft Azure
  • Cloudflare
  • Vercel

DNS resolution is handled by Hetzner DNS (EU). Email delivery runs through our self-hosted SMTP server (Postal), also on Hetzner servers in Germany.

No personal data is transferred to third countries outside the EEA.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reliable and secure provision of our services).

Data processing agreement: Hetzner processes data as our processor within the meaning of Art. 28 GDPR.

4. Data Collected by Tier

4.1 Guest (no registration)

When you use Werkzeu.ge without signing in, we collect no personal data. Our guest tools run entirely in your browser (client-side). Your inputs, calculations, and results never leave your computer.

When you access any page, the following technical data is briefly processed:

  • IP address (technically necessary for the connection)
  • Browser type and version
  • Operating system
  • Referrer URL
  • Time of access

This data is stored in server log files and automatically deleted after 7 days. It is not combined with any other data sources.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing and securing the website).

4.2 Free Account

Upon registration, we store:

  • Email address
  • Display name (freely chosen)
  • Language preference (German, English, or Ukrainian)
  • Subscription status
  • Registration date

Passwords: If you sign in via magic link, no password is stored. If you optionally set a password, we store only a cryptographic hash (bcrypt/argon2) — the plaintext password is never stored and cannot be reconstructed.

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

4.3 Plus Subscription

In addition to Free account data:

  • Files: Uploaded and created files are stored on Hetzner Object Storage (S3-compatible) in Germany.
  • Amtsprofil (identity vault): Your personal data in the Amtsprofil (name, address, tax ID, etc.) is encrypted client-side before it reaches our servers. We store only the encrypted ciphertext (zero-knowledge architecture). We cannot read or decrypt this data.
  • Payment data: See Section 8 (Payment Processing).

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

4.4 Pro Subscription

In addition to Plus account data:

  • Community content: Posts, comments, and chat messages are stored in our PostgreSQL database on German servers.
  • Team data: For team usage, we store member-to-team assignments and permissions.

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

5. Cookies & Local Storage

5.1 Cookies

We only use technically necessary cookies for session management. These cookies contain no tracking information and serve solely to keep you logged in.

CookiePurposeDurationAttributes
session_tokenAuthentication & session30 days (sliding)HTTPOnly, Secure, SameSite=Lax
localeLanguage preference1 yearSecure, SameSite=Lax

We set no tracking cookies, no advertising cookies, and no third-party cookies. Technically necessary cookies are set without consent (§ 25(2) No. 2 TDDDG). For optional categories (functional storage, analytics), we ask for your consent via our cookie banner. Details are available in our Cookie Policy.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in technical functionality); § 25(2) No. 2 TDDDG (technical necessity).

5.2 Local Storage

We use your browser's local storage to temporarily save draft data (e.g., partially filled forms) so you don't lose your work if you accidentally close a tab. This data:

  • Never leaves your browser
  • Is automatically deleted after 30 minutes of inactivity
  • Is stored with a tool-specific key (werkzeuge:draft:*)
  • Can be deleted at any time via your browser settings

We also store desktop settings (window positions, theme selection, wallpaper) in local storage so your workspace is restored on your next visit.

6. Web Analytics (Plausible Analytics)

We use Plausible Analytics in a self-hosted instance on our own servers in Germany. Plausible is a privacy-friendly analytics tool that:

  • Sets no cookies
  • Collects no personal data
  • Does not store IP addresses or share them with third parties
  • Does not create user-specific profiles
  • Does not enable cross-device tracking

Plausible produces exclusively aggregated statistics (page views, referrers, device categories) with no way to identify individual visitors.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in analyzing website usage to improve the service).

7. Authentication

Login is primarily handled via magic links: you enter your email address and receive a one-time login link by email. No password is stored in this case.

You may optionally set a password. It is stored as a cryptographic hash and cannot be reconstructed.

We do not use third-party login (no “Login with Google/Facebook/Apple”). Your authentication data is processed exclusively on our own servers.

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

8. Payment Processing

For paid subscriptions (Plus, Pro), we use the following payment service providers:

8.1 PayPal

PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg.
Privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

8.2 Klarna

Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden.
Privacy policy: https://www.klarna.com/de/datenschutz/

When you make a payment, the following data is transmitted to the respective payment provider:

  • Email address
  • Subscription type and amount
  • Transaction ID

We do not store credit card data, bank account details, or payment instrument details. The complete payment processing and storage of sensitive payment data is handled exclusively by the respective provider. We only store the transaction ID, payment status, and payment timestamp for booking reconciliation.

We have data processing agreements with both payment providers pursuant to Art. 28 GDPR. PayPal and Klarna are based in the EEA. No data transfer to third countries takes place.

Legal basis: Art. 6(1)(b) GDPR (performance of contract); Art. 6(1)(c) GDPR (legal obligation for tax record-keeping of invoice data).

9. File Storage

Files you create or upload as a Plus or Pro user are stored on Hetzner Object Storage (S3-compatible) in Germany. The storage includes:

  • The file itself
  • Metadata (file name, size, creation date, associated tool)
  • Access permissions (which user owns the file)

Files are completely removed upon account deletion (see Section 14).

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

10. Amtsprofil (Identity Vault)

The Amtsprofil is an encrypted identity vault that stores personal data (name, address, tax ID, marital status, etc.) to auto-fill forms.

Zero-knowledge architecture: All data in the Amtsprofil is encrypted client-side in your browser before it reaches our servers. The encryption key is derived from your password/token and never leaves your browser. On our servers, only encrypted ciphertext is stored, which we cannot decrypt.

This means: even in a hypothetical server breach, your Amtsprofil data would be useless to attackers.

Legal basis: Art. 6(1)(b) GDPR (performance of contract); Art. 6(1)(a) GDPR (consent for special categories of data, if you voluntarily enter them).

11. Community Features

When you use community features (posts, comments, chat, groups), the following data is stored:

  • Content of your posts and comments
  • Chat messages
  • Group memberships
  • Activity timestamps
  • Your publicly visible display name

This data is stored in our PostgreSQL database on Hetzner servers in Germany. Community posts are publicly visible or group-restricted, depending on your settings.

You can edit or delete your posts at any time. Upon account deletion, your community content is anonymized or, upon request, completely deleted.

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

12. Email Communication

We send you emails in the following cases:

  • Magic links for login — technically required, no consent needed
  • Transactional emails — payment confirmations, invoices, subscription changes
  • Deadline reminders — reminders for regulatory deadlines you have set yourself
  • Security notifications — unusual login activity, password changes

We do not send newsletters without your explicit consent. Email delivery runs through our self-hosted SMTP server (Postal) on Hetzner servers in Germany. No external email service provider is used.

Legal basis: Art. 6(1)(b) GDPR (performance of contract) for transactional emails; Art. 6(1)(a) GDPR (consent) for any future newsletter.

13. Legal Bases for Processing (Art. 6 GDPR)

Processing ActivityLegal Basis
Server log files (IP, browser data)Art. 6(1)(f) (legitimate interest)
Session cookieArt. 6(1)(f) (legitimate interest); § 25(2) No. 2 TDDDG
Registration & account dataArt. 6(1)(b) (performance of contract)
Payment processingArt. 6(1)(b) (performance of contract)
Invoices & bookkeepingArt. 6(1)(c) (legal obligation, § 147 AO, § 257 HGB)
File storageArt. 6(1)(b) (performance of contract)
Amtsprofil (encrypted)Art. 6(1)(b) (performance of contract); Art. 6(1)(a) (consent) for special categories
Community contentArt. 6(1)(b) (performance of contract)
Transactional emailsArt. 6(1)(b) (performance of contract)
Plausible AnalyticsArt. 6(1)(f) (legitimate interest)
Security measures (WAF, rate limiting)Art. 6(1)(f) (legitimate interest)

14. Data Retention Periods

DataRetentionBasis
Server log files7 daysLegitimate interest
Session data30 days (or until logout)Technical necessity
Account dataUntil account deletionPerformance of contract
Files (Plus/Pro)Until deleted by user or account deletionPerformance of contract
Community contentUntil deleted by user or account deletionPerformance of contract
Invoice data10 years after end of calendar year§ 147 AO, § 257 HGB (German tax/commercial law)
Payment receipts10 years after end of calendar year§ 147 AO, § 257 HGB (German tax/commercial law)
Local storage drafts30 minutes (client-side, automatic)Legitimate interest

After statutory retention periods expire, data is automatically deleted. Upon account deletion, all data not subject to statutory retention requirements is deleted within 30 days.

15. Your Rights

Under the GDPR, you have the following rights:

15.1 Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether personal data concerning you is being processed, and if so, to access that data and receive a copy.

15.2 Right to Rectification (Art. 16 GDPR)

You have the right to request the correction of inaccurate data and the completion of incomplete data. You can change most data directly in your profile settings.

15.3 Right to Erasure (Art. 17 GDPR)

You have the right to request the deletion of your personal data, provided no statutory retention obligations apply. You can delete your account at any time in the settings. Deletion is also possible by emailing info@werkzeu.ge.

15.4 Right to Restriction (Art. 18 GDPR)

You have the right to request restriction of processing if you contest the accuracy of the data, the processing is unlawful, we no longer need the data, or you have lodged an objection.

15.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your data in a structured, commonly used, and machine-readable format. We offer a data export feature in the profile settings.

15.6 Right to Object (Art. 21 GDPR)

You have the right to object to the processing of your data based on Art. 6(1)(f) GDPR (legitimate interest). We will then cease processing unless we can demonstrate compelling legitimate grounds.

15.7 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on your consent, you may withdraw it at any time with effect for the future.

Exercising your rights: Simply email us at info@werkzeu.ge. We will respond within 30 days (Art. 12(3) GDPR). In most cases, it will be faster.

16. Right to Lodge a Complaint with a Supervisory Authority

Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:

Sächsischer Datenschutz- und Transparenzbeauftragter
(Saxon Data Protection and Transparency Commissioner)
Devrientstraße 5
01067 Dresden, Germany
Website: https://www.datenschutz.sachsen.de

17. Security Measures

We employ extensive technical and organizational measures to protect your data:

  • Transport encryption: All connections are TLS-encrypted (HTTPS). Internal server-to-server communication uses a private certificate authority (Private CA).
  • Web Application Firewall: CrowdSec and Coraza WAF protect against common attack vectors (SQL injection, XSS, CSRF, etc.) — self-hosted, no third-party services.
  • Rate limiting: Protection against brute-force attacks and abuse.
  • Zero-knowledge encryption: Particularly sensitive data (Amtsprofil) is encrypted client-side. We cannot access the plaintext.
  • Password hashing: Optional passwords are hashed with bcrypt/argon2.
  • HTTPOnly cookies: Session cookies cannot be read by JavaScript.
  • Regular backups: Encrypted backups on separate servers.
  • Encrypted secrets: All credentials and keys are stored encrypted (SOPS).
  • Access restriction: Production server access only via encrypted VPN (WireGuard).

18. No Data Transfer to Third Countries

All personal data is processed and stored exclusively on servers in Germany or within the European Economic Area (EEA). No transfer to countries outside the EEA takes place. Our payment providers PayPal (Luxembourg) and Klarna (Sweden) are also based in the EEA.

19. Automated Decision-Making

No automated decision-making including profiling within the meaning of Art. 22 GDPR takes place. We do not use AI systems or machine learning to process your data.

20. Changes to This Privacy Policy

We reserve the right to update this privacy policy to reflect changes in the legal framework or changes to our service. The current version is always available on this page. For significant changes affecting your rights, we will notify registered users by email.

21. Contact

For questions about data protection, exercising your rights, or this privacy policy, you can reach us at:

Cryon UG (haftungsbeschränkt)
Landsberger Str. 35
04157 Leipzig, Germany
Email: info@werkzeu.ge