Privacy Policy (Datenschutzerklärung)
Last updated: 2026 · Pursuant to Art. 13/14 GDPR (DSGVO)
1. Controller
Klaus-E. Klingner / SilverDay Media
[Address — see Imprint]
E-mail: k.e.klingner@gmail.com
2. Data collected and purposes
| Data | Purpose | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Email address | Account creation, password reset, verification | Art. 6(1)(b) — contract | Until account deletion |
| Display name | Personalisation, shown in UI | Art. 6(1)(b) | Until account deletion |
| Argon2id password hash | Authentication | Art. 6(1)(b) | Until account deletion |
| Source preferences | Personalised feed | Art. 6(1)(b) | Until changed or account deleted |
| Last-seen timestamp | "Since last visit" feed view | Art. 6(1)(b) | Until account deletion |
| Hashed IP address (SHA-256 + key) | Login throttling, audit log | Art. 6(1)(f) — legitimate interest (security) | 30 days (login attempts); audit log: [TBD] |
| Session data | Maintaining login state | Art. 6(1)(b) | Until logout or session expiry |
| Source suggestions | Admin review queue | Art. 6(1)(b) | Until reviewed + [TBD] |
IP addresses are never stored in plaintext. They are hashed with a server-side key before storage, making them non-reversible under normal conditions.
3. No tracking, no analytics, no third-party scripts
Daybreak does not use Google Analytics, Facebook Pixel, or any other third-party tracking scripts. No cookies are set by third parties. The only cookie set is a server-side session cookie, strictly necessary for login functionality.
4. Outbound links
Clicking an article link takes you to a third-party website. That site's own privacy policy applies from that point. We do not pass your account data to external sites.
5. ransomlook.io data
Ransomware activity data is fetched from the public ransomlook.io API (CC BY 4.0). The ransomlook.io privacy policy applies to that service. We store only text-only metadata (group name, victim title, timestamp, link) — no screenshots or sensitive content.
6. NVD / NIST data
CVE data is retrieved from the NIST National Vulnerability Database public API. No personal data is transmitted during this fetch.
7. Hosting
Daybreak is hosted on a server located in the European Union. A Data Processing Agreement (DPA) is in place with the hosting provider. No data is transferred outside the EU/EEA.
8. Your rights (Art. 15–22 GDPR)
You have the right to:
- Access your personal data (Art. 15) — use the "Export my data" function in account settings.
- Rectification of inaccurate data (Art. 16) — change your display name in account settings.
- Erasure ("right to be forgotten", Art. 17) — use "Delete account" in account settings or contact us.
- Restriction of processing (Art. 18).
- Data portability (Art. 20) — use the "Export my data" function (JSON format).
- Object to processing based on legitimate interest (Art. 21).
- Lodge a complaint with a supervisory authority. The lead supervisory authority for Germany is your state data protection authority (Landesbeauftragter für Datenschutz).
To exercise any right, contact: k.e.klingner@gmail.com
9. Changes to this policy
We may update this privacy policy as the service evolves. Material changes will be noted here with an updated date.
Note: This is a draft placeholder. Final privacy policy must be reviewed by a qualified legal professional (preferably a GDPR/DSGVO specialist) before public launch. Ensure the hosting provider DPA is in place and referenced correctly.