Privacy Policy for erikwalther.eu

Effective date: 3 June 2026, 13:37

The short version: This site logs your IP address and browser type for up to 30 days for security purposes, then deletes them permanently. It sets one cookie, a security token that contains no personal data. There are no analytics, no tracking, and no third-party data sharing. The sections below explain the legal detail behind those four sentences.

This privacy policy describes how Erik Walther ("I", "my") handles personal data when you visit erikwalther.eu. My approach is minimal data collection and full transparency about what is collected and why.

Who Operates This Site?

Erik Walther, self-employed. Contact details are at the bottom of this page.

What Data Is Collected and How?

Server Logs

Like any web server, mine automatically logs certain information for security and maintenance. These logs contain:

  • Your device's IP address
  • The date and time of your visit
  • The page you requested
  • Your browser and operating system (User-Agent string)
  • The referring URL (which site you came from, if any)

These logs are retained for 30 days and then permanently deleted. They are used only for debugging, detecting attacks, and diagnosing errors, and for nothing else. I do not analyse them for traffic statistics or visitor behaviour.

Cookies

This site sets exactly one cookie:

Name | Purpose | Contains personal data? | Expires
csrftoken | Prevents cross-site request forgery attacks (set automatically by Django) | No | 1 year

There are no analytics cookies, session tracking cookies, or advertising pixels. You can verify this by opening your browser's developer tools.

No Analytics

I do not use Google Analytics, Matomo, Plausible, or any other analytics tool. I do not know how many people visit this site, where they are from, or what they click on.

Data Processors

Two third parties are involved in running this site:

  • Hetzner Online GmbH (Falkenstein, Germany) is the VPS hosting provider. All data is processed and stored on Hetzner infrastructure within the EU. As the network provider, Hetzner has infrastructure-level visibility into traffic, independent of anything at the application layer. Hetzner's privacy policy applies to their processing.
  • Njalla is the domain registration proxy. Njalla holds legal ownership of the erikwalther.eu domain on my behalf. They process domain registration data under their own privacy policy.

I do not sell, rent, or share your personal data with any third parties for marketing purposes. Data may be disclosed to law enforcement if I am legally required to do so.

Tor Onion Service

This site is also accessible as a Tor v3 Hidden Service at:

hcb724zual6bxrg2jncfask2kwxlq3pnnjd2s2iq2vspwedz5b7sjqid.onion

Users accessing via the onion address benefit from stronger anonymity guarantees: traffic is encrypted end-to-end within the Tor network and neither this site, Njalla nor Hetzner can identify your IP address. No additional data is collected compared to the clearnet version; the same log retention and deletion rules apply.

Legal Basis for Processing

Processing of server logs is based on my legitimate interest (GDPR Article 6(1)(f)) in ensuring the security and proper functioning of the website. In plain terms: I need to be able to see if someone is attacking the site, and IP addresses are unavoidable for that purpose.

The CSRF cookie is strictly necessary for the security of the service (GDPR Article 6(1)(b) and the ePrivacy Directive). It cannot be disabled without breaking the site's security model.

Cross-Border Data Transfers

All data is processed and stored within the European Union. No data is transferred outside the EU.

Your Rights

Under the GDPR, you have the following rights regarding your data:

  • Right to access: You may request a copy of any server log entries containing your IP address. To help me locate them, please include the approximate date and time of your visit and your IP address if known.
  • Right to erasure: You may request immediate deletion of your IP address from the logs. I will comply unless I am subject to a legal obligation requiring retention for a specific period.
  • Right to object: You may object to the processing of your data for security logging. Note that this may affect my ability to protect the site.
  • Right to complain: You have the right to lodge a complaint with the data protection authority in your country of residence. If you are based in Germany, this is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI). A full list of EU supervisory authorities is available at edpb.europa.eu.

To exercise any of these rights, contact me using the details below.

Changes to This Policy

If I make significant changes to this policy, I will update the effective date at the top and note the change on my Mastodon account where possible. Minor clarifications will be published silently.

Contact

For questions about this policy or to exercise your rights:

Reporting Security Vulnerabilities

If you find a security vulnerability on this site, please report it responsibly. I commit to not taking legal action against researchers who follow these guidelines.

How to Report

My Commitments

  • I will acknowledge your report within 48 hours.
  • I will keep all information you share confidential until the issue is resolved.
  • I aim to resolve reported issues within 30 days and will coordinate disclosure timing with you.
  • I will not pursue legal action against anyone who reports in good faith under these guidelines.

Responsible Disclosure Guidelines

  • Give me a reasonable time to fix the issue before publishing, preferably 30 days.
  • Do not access, modify, or delete data belonging to other users.
  • Do not use a vulnerability to pivot to other systems.
  • Do not include personal data of others in proof-of-concept material.