Privacy Policy

1. Data Controller

The data controller responsible for processing your personal data is:

Simon Köck
Sole proprietorship (Einzelunternehmen)
Wolf-Huber-Straße 31
6800 Feldkirch
Austria

Email: simon@koeck.dev

2. Scope

This Privacy Policy applies to the websites shipsecu.re and app.shipsecu.re and all services provided by ShipSecure. By using our services, you acknowledge that you have read and understood this policy.

3. Data We Collect and Legal Basis

We process personal data only when we have a lawful basis under the GDPR. Below is an overview of the data we collect and the legal basis for each processing activity.

3.1 GitHub Authentication

Data | Purpose | Legal Basis | Retention
GitHub username, email, profile picture | Account creation and authentication | Contract performance (Art. 6(1)(b) GDPR) | Until account deletion

3.2 Security Audits

Data | Purpose | Legal Basis | Retention
Repository access, source code | Performing security audits | Contract performance (Art. 6(1)(b) GDPR) | Deleted immediately after audit completion
Audit reports | Delivery of service results | Contract performance (Art. 6(1)(b) GDPR) | 7 years (Austrian tax law)

3.3 Analytics (Website Only)

Data | Purpose | Legal Basis | Retention
Page views, anonymized IP, button clicks | Website improvement | Legitimate interest (Art. 6(1)(f) GDPR) | 90 days

We use PostHog, hosted in the EU, in cookieless mode. This means:

  • No cookies are stored on your device
  • No data is persisted in localStorage
  • No cross-session tracking occurs
  • IP addresses are anonymized

Our legitimate interest is improving website usability. Given the minimal, anonymized data collected without cookies, we believe this does not override your rights and freedoms.

3.4 Beta Waitlist

Data | Purpose | Legal Basis | Retention
Email address | Notify you when beta access is available | Consent (Art. 6(1)(a) GDPR) | Until consent withdrawn or beta ends

4. Third-Party Services

We use the following third-party services:

4.1 PostHog (Analytics)

  • Provider: PostHog Inc.
  • Location: EU (Frankfurt)
  • Purpose: Anonymous website analytics
  • Data transferred: Anonymized page view data, no personal identifiers

4.2 Fontshare (Font Delivery)

  • Provider: Indian Type Foundry
  • Location: India (non-EU)
  • Purpose: Delivering web fonts for typography
  • Data transferred: IP address (via browser request)
  • Transfer basis: Standard Contractual Clauses / your consent by using the website

4.3 Cloudflare (Hosting & Security)

  • Provider: Cloudflare Inc.
  • Location: Global (EU data centers used where possible)
  • Purpose: Content delivery, DDoS protection
  • Data transferred: IP address, request metadata
  • Transfer basis: Standard Contractual Clauses, Data Processing Addendum

4.4 GitHub (Authentication & Repository Access)

  • Provider: GitHub Inc. (Microsoft)
  • Location: USA
  • Purpose: User authentication, repository access for audits
  • Data transferred: OAuth tokens, repository data you authorize
  • Transfer basis: Standard Contractual Clauses, EU-US Data Privacy Framework

5. Data Transfers Outside the EU

Some of our service providers are located outside the European Economic Area (EEA). We ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): Approved by the European Commission for transfers to third countries
  • EU-US Data Privacy Framework: For US providers certified under the framework

You can request a copy of the relevant safeguards by contacting us.

6. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit (TLS) and at rest
  • Access controls and authentication
  • Regular security reviews
  • Immediate deletion of source code after audit completion

7. Your Rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15): Request a copy of your personal data
  • Right to rectification (Art. 16): Correct inaccurate data
  • Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten")
  • Right to restriction (Art. 18): Restrict processing in certain circumstances
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7): Withdraw consent at any time (e.g., beta waitlist)

To exercise any of these rights, contact us at simon@koeck.dev. We will respond within 30 days.

8. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Austrian Data Protection Authority:

Österreichische Datenschutzbehörde
Barichgasse 40-42
1030 Wien
Austria

Email: dsb@dsb.gv.at
Website: www.dsb.gv.at

9. Data Sharing

We do not sell, rent, or share your personal data with third parties for their own purposes. Data is only shared with the service providers listed in Section 4, solely for the purposes described.

10. Cookies

We do not use cookies. Our analytics solution operates in cookieless mode, and we do not store any data in your browser's localStorage or sessionStorage for tracking purposes.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. For significant changes, we will notify registered users via email.

12. Contact

For any questions about this Privacy Policy or your personal data, contact:

Email: simon@koeck.dev

Last Updated: 19 February 2026
Version: 2.0