Privacy Policy
Last updated: 2025-04-21
This policy explains how Gaians.net (the "Service") handles your personal data. We aim to keep it short, plain, and honest.
1. Who we are
The data controller is:
- Name: Gaians.net Association
- Address: Planet Earth, Northern hemisphere
- General contact: elves@gaians.net
- Privacy / data protection contact: dpo@gaians.net
- Hosting: Hetzner Online GmbH, EU data center (Germany/Finland)
2. What data we collect and why
We only process what we need to run the Service. Each activity below lists the data involved and the legal basis under Article 6 GDPR.
| Purpose | Data | Legal basis |
|---|---|---|
| Creating and maintaining your account | Email, first name, hashed password, account metadata | Contract — Art. 6(1)(b) |
| Keeping you logged in (long-lived session tokens) | Session token, IP and user agent at issuance | Contract — Art. 6(1)(b) |
| Storing and displaying your profile, posts, and uploaded images | Profile text, post text, images, coordinates, timestamps | Contract — Art. 6(1)(b) |
| Showing you the base map | IP, viewport, zoom — sent by your browser to HERE (see §4) | Legitimate interest — Art. 6(1)(f). Interest: core map functionality. |
| Search / geocoding | Your search text and IP — sent by your browser to public Photon (see §4) | Legitimate interest — Art. 6(1)(f). Interest: core search functionality. |
| Transactional email (account, security, service-critical) | Email, first name, message content | Contract — Art. 6(1)(b) |
| Opt-in announcements | Email, first name, opt-in state, consent timestamp | Consent — Art. 6(1)(a) |
| Web server logs (debugging, security, abuse investigation) | IP, user agent, request path, timestamp, response code | Legitimate interest — Art. 6(1)(f). Interest: security and reliability. |
| Backups (disaster recovery) | Mirror of production data | Legitimate interest — Art. 6(1)(f). Interest: service continuity. |
3. What we do not do
This is a not-for-profit service, developed and run by volunteers. We strongly object to any form of tracking and to the misuse of data for marketing purposes. Therefore:
- We do not use analytics or tracking cookies.
- We do not sell or share your data with advertisers or marketers.
- We do not use your data for automated decision-making or profiling.
- We do not require age verification; the Service is open to anyone. If you are a minor under applicable local law, please use the Service with the involvement of a parent or guardian.
4. Third parties
Two third parties receive data directly from your browser when you use the Service. We have no control over what they retain; please consult their own notices.
HERE (map tiles)
When you view the map, your browser requests tiles from HERE Global B.V. (Netherlands, EU). HERE receives your IP, the map area you are viewing, and your zoom level. HERE is established in the EU.
Their privacy notice: https://legal.here.com/privacy
Photon (geocoding / search)
When you type in the search box, your browser sends your query and IP to the public Photon geocoder operated by komoot (EU). Be aware that the contents of your search are visible to this third party.
Their privacy notice: https://www.komoot.com/privacy
Hetzner (hosting)
Our servers and backups are hosted by Hetzner Online GmbH in the EU. They act as our processor under a standard data processing agreement.
5. International transfers
Your personal data is stored in the European Union. We do not transfer your data outside the EEA. Requests that your browser makes directly to HERE and Photon stay within the EU based on the current operation of those services.
6. How long we keep your data
- Account and content: until you delete them or close your account. Deletion propagates through backups within 30 days.
- Session tokens: until the session expires, you log out, or you delete your account.
- Web server logs: 30 days rolling.
- Opt-in consent records: we keep the record of your opt-in for up to 3 years after you opt out, to demonstrate compliance.
- Backups: [e.g. daily 7 days / weekly 4 weeks / monthly 6 months].
7. Your rights
Under GDPR, you have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data (Art. 17)
- Restrict processing (Art. 18)
- Portability — receive your data in a machine-readable format (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Withdraw consent at any time, where processing is based on consent. Withdrawal does not affect processing that already happened.
- Lodge a complaint with a supervisory authority.
To exercise any of these rights, email dpo@gaians.net. We will respond within one month.
In Hungary, the supervisory authority is the Hungarian National Authority for Data Protection and Freedom of Information (NAIH):
- Address: 1055 Budapest, Falk Miksa utca 9–11, Hungary
- Email: ugyfelszolgalat@naih.hu
- Website: https://naih.hu
You can also complain to the supervisory authority in your own EU country of residence.
8. Security
We protect your data with encryption in transit (HTTPS/TLS) and at rest, hashed passwords, access controls on the server side, and encrypted backups. No system is perfectly secure; if a breach affects your rights, we will notify you and the relevant authority as required by Articles 33 and 34 GDPR.
9. Cookies and similar technologies
We do not use tracking or analytics cookies. The Service uses only technical storage strictly necessary to keep you logged in (your session/access token). This does not require consent under the ePrivacy rules.
10. Changes to this policy
If we make material changes, we will update the "Last updated" date above and, where appropriate, notify you by email or on the Service. Continued use after changes means you have seen the updated version.