Privacy Policy

Last updated: April 2026

This policy explains what data WG-Lotse collects, why, and what your rights are. We have tried to keep it short and concrete.

1. Data controller

Michiel Van de Vyver
c/o IP-Management #8874
Ludwig-Erhard-Str. 18
20459 Hamburg, Germany
Email: wglotse@gmail.com

2. What we collect and why

2.1 Free tier — no data collected

All scoring, red flag analysis, and district mapping runs entirely in your browser using Chrome's local storage (chrome.storage.local). Your preferences (budget, move-in date, about-me text, etc.) never leave your device. We receive no data at all for free-tier usage.

2.2 Account creation (required for AI features only)

When you request access to AI features, we collect:

• Email address — to identify your account and send transactional emails (magic login links, purchase confirmations)

We use magic link authentication: instead of a password, we send a temporary single-use link to your email. Clicking it creates your account (if new) and logs you in. The link expires after 15 minutes. We do not store passwords.

Legal basis: contract performance (Art. 6(1)(b) GDPR) — authentication is necessary to manage your paid access.

2.3 AI feature usage (on-demand only)

When you trigger an AI feature (smart base draft, about-me translation), the following text is sent to our backend and forwarded to our AI provider:

• Smart base draft: your profile preferences (name, about-me text, languages, city, move-in timing, and lifestyle preferences such as smoker/pet status) - no listing content is sent
• About-me translation: your about-me text

This text is used solely to generate the response and is not stored on our servers beyond the duration of the request. Legal basis: contract performance (Art. 6(1)(b) GDPR).

2.4 Payment data

Payments are processed by Lemon Squeezy (lemonsqueezy.com). We do not store credit card numbers or full payment details on our servers. We receive a webhook notification confirming the transaction, your email address, and the tier/duration purchased. Legal basis: contract performance (Art. 6(1)(b) GDPR).

2.5 Technical data

Our servers log standard technical data (IP address, timestamp, HTTP method, response code) for security and error monitoring. Logs are retained for a maximum of 30 days and are not used for profiling. Legal basis: legitimate interests (Art. 6(1)(f) GDPR) — securing and operating the service.

2.6 Website analytics (Google Analytics)

With your consent, the WG-Lotse marketing website uses Google Analytics 4 to collect anonymised usage statistics — for example, which pages are visited, how long visitors stay, and which countries they visit from. This helps us understand whether the site is useful and where to improve it.

What this means in practice:

• Analytics are only loaded after you click Accept in the cookie banner. If you click Decline (or ignore the banner), no analytics data is collected.
• IP addresses are anonymised before being sent to Google (anonymize_ip: true).
• We do not use this data for advertising or retargeting, and we do not share it with any third party beyond Google.
• Your choice is saved in your browser's localStorage so you are not asked again on return visits. You can withdraw consent at any time by clearing your browser's site data for this domain.

Google Analytics data is processed by Google LLC (USA). Google is certified under the EU–US Data Privacy Framework, providing an adequate level of data protection. See Google's Privacy Policy for details.

Legal basis: consent (Art. 6(1)(a) GDPR).

3. What we never collect

• Your browsing history on WG-Gesucht or Kleinanzeigen
• Which listings you viewed or applied to
• Any data from the free tier (everything stays local)
• Tracking pixels, cookies for advertising, or cross-site identifiers
• Data from users under 16 years of age (the service is not directed at children)

4. Third-party processors

We use the following sub-processors. All are bound by GDPR-compliant data processing agreements or equivalent safeguards.

• Google LLC (google.com) — Google Analytics 4 for anonymised website analytics, loaded only with your consent. Certified under the EU–US Data Privacy Framework. Google Privacy Policy.
• OpenAI Inc. (openai.com) — AI API for smart base draft and about-me translation. Only the text you explicitly trigger is sent, and only when you request it. Under OpenAI's API Data Privacy Policy, your data is not used to train or improve their models. OpenAI API Data Usage Policies.
• Brevo SAS (brevo.com) — Transactional email delivery (magic login links, purchase confirmations). Only your email address is shared. Brevo is headquartered in France and processes data within the EU. Brevo Privacy Policy.
• Lemon Squeezy LLC (lemonsqueezy.com) — Payment processing for paid passes. We receive transaction confirmations and your email; we do not see or store your card details. Lemon Squeezy Privacy Policy.
• Railway Corporation (railway.app) — Cloud infrastructure hosting the backend API and data storage. Account data and server logs are stored on Railway's managed infrastructure. Railway Privacy Policy.
• Sentry Inc. (sentry.io) — Backend error tracking and crash reporting. PII collection is disabled; only anonymised stack traces and error logs are retained. Sentry Privacy Policy.

5. Data retention

• Account data: retained while your account is active. Upon account deletion (by emailing us), all personal data is permanently deleted within 30 days, except a one-way hash of your email address retained indefinitely to prevent abuse.
• Magic link tokens: expire after 15 minutes if unused; discarded immediately after a successful login.
• AI request text: sent to OpenAI in real time and not stored on our servers beyond the duration of the request. OpenAI's retention is governed by their API Data Usage Policy.
• Server logs: standard HTTP access logs (IP address, timestamp, response code) are deleted after 30 days.
• Local extension data: all preferences, scores, and cached drafts are stored in your browser via chrome.storage.local and never synced to our servers. Deleted when you uninstall the extension or clear its data.

6. Your rights under GDPR

You have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — correct inaccurate data
• Erasure — request deletion of your account and all associated data
• Portability — receive your data in a machine-readable format
• Objection — object to processing based on legitimate interests
• Restriction — request that we limit how we process your data
• Lodge a complaint — with your national supervisory authority (in Germany: your state's Datenschutzbehörde; EU list at edpb.europa.eu)

To exercise any of these rights, email wglotse@gmail.com. We will respond within 30 days.

7. Cookies and local storage

Marketing website: This site does not set cookies. If you consent to analytics, Google Analytics uses its own cookies (_ga, _ga_*) to distinguish visitors and sessions. Your consent choice is stored in localStorage (not a cookie) under the key wglotse-ga-consent. You can delete this at any time by clearing site data for this domain in your browser settings.

Chrome extension: The extension uses Chrome's chrome.storage.local API — this is browser-local storage, not a cookie, and is not accessible to websites. If you create an account for AI features, a session token is stored in the extension's local storage to keep you logged in. It is not shared with any third party.

8. Changes to this policy

We will update the "last updated" date at the top of this page when changes are made. Material changes will be communicated via email if you have an account.

9. Contact

For privacy-related enquiries:
wglotse@gmail.com