Privacy Policy
This privacy policy explains the type, scope, and purpose of processing personal data on thc.nurrobin.de ("website").
1. Controller
Robin Gramb
Im Soppen 3, 88639 Wald
Germany
Email: privacy@nurrobin.de
2. Data protection officer
No data protection officer is required pursuant to § 38 BDSG.
3. Server logs (nginx)
Each visit to the website triggers server-side logging of the following data: date/time, IP address, requested URL, HTTP method, status code, user agent.
Purpose: Operating the website, IT security, error analysis
Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
Retention: 14 days (logrotate: daily rotation, 14 compressed archives).
4. Contact requests
If you contact us via email or form, we process your name, email address, and the content of your request.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual/contractual communication)
Retention: until your request is completed and thereafter only if legal retention obligations apply.
5. Cookies
The website uses only technically necessary cookies.
| Cookie | Purpose | Scope | Lifetime | Category |
|---|---|---|---|---|
pb_auth | Authenticated login session | thc.nurrobin.de / .nurrobin.de | until logout or expiry (typically up to 3 days) | Necessary |
Note (TTDSG): No analytics/marketing cookies are set; therefore a cookie banner is not required (§ 25 para. 2 no. 2 TTDSG).
6. Data subject rights
Pursuant to Art. 15 et seq. GDPR you have the right to access, rectify, erase, restrict processing, request data portability, and object under Art. 21 GDPR.
Contact: privacy@nurrobin.de
7. Withdrawal of consent
You may withdraw consent at any time with effect for the future, either by email to privacy@nurrobin.de or by deleting your account in the settings.
8. Right to lodge a complaint
Supervisory authority: The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI BW).
9. Obligation to provide data
Providing personal data is not legally required. However, registration is impossible without mandatory fields.
10. Automated decision-making / profiling
Does not take place.
Additional services on thc.nurrobin.de
PocketBase (database & authentication) (thcdata.nurrobin.de)
Purpose: User accounts, data management (CRUD), file uploads
Data processed: Username, optional email address, hashed passwords, profile fields, uploaded files, timestamps
Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(f) GDPR (IT security)
Recipient/processing: Self-hosted PocketBase server (Docker) on the hosting infrastructure listed below
Third-country transfer: not intended
Retention: until the user account is deleted
Access control: Authentication and role-based permissions (PocketBase ACL)
PocketBase system logs
PocketBase records technical logs (including client IP address) for operation and troubleshooting.
Legal basis: Art. 6(1)(f) GDPR
Retention: max. 5 days, then automatic deletion (according to configuration).
Cannabis sessions & dashboard (Art. 9 GDPR)
Purpose: Storage/analysis of voluntarily provided consumption data (e.g. quantity, THC content, consumption method, date/time, optional notes) to display personal statistics.
Legal basis: Art. 6(1)(a) in conjunction with Art. 9(2)(a) GDPR (explicit consent).
Consent/withdrawal: Processing only with active consent; withdrawal at any time via email or by deleting the account.
Retention: until withdrawal or account deletion.
Data portability: Export (JSON/CSV) in the account settings.
Third-country transfer: not intended.
Health data (voluntary, Art. 9 GDPR)
Purpose: Storage/analysis of voluntary health data to improve calculations and visualisations.
Legal basis: Art. 6(1)(a) in conjunction with Art. 9(2)(a) GDPR (explicit consent).
Consent/withdrawal: at any time via email or through account deletion.
Retention: until withdrawal or account deletion.
Data portability: Export (JSON/CSV).
Third-country transfer: not intended.
Social features (friends, joint sessions)
Purpose: Managing friend lists, invitations, shared sessions, comments, and reactions.
Data processed: Friend relationships, usernames, comments, reactions, timestamps.
Legal basis: Art. 6(1)(b) GDPR (fulfilment of the social features)
Retention: until deletion of the content or account.
Email communication (transactional email)
Transactional emails (e.g. verification, password reset) are sent directly via the PocketBase SMTP integration using posteo.de.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
Recipient: Posteo e.K., Berlin, Germany.
Third-country transfer: not intended.
Content moderation & reports
If you report content, the report, metadata, and any follow-up actions are stored for documentation.
Legal basis: Art. 6(1)(c) GDPR (legal obligation) and Art. 6(1)(f) GDPR (legitimate interest in maintaining community standards).
Retention: until the case is resolved; stored longer only where statutory requirements apply.
Technical infrastructure
Hosting (Oracle Cloud Infrastructure)
The hosting infrastructure runs on Oracle Cloud Infrastructure (OCI) (compute/network; "Always Free").
Data processing agreement: Oracle DPA in accordance with Art. 28 GDPR (June 2025). Public version: https://www.oracle.com/contracts/docs/data-processing-agreement-oracle-services-060225.pdf (an archive copy is retained for evidence).
Third-country transfer: not intended; operation takes place in an EU region. Should a third-country transfer be required, it will only occur in accordance with Art. 44 et seq. GDPR (e.g. EU standard contractual clauses).
Cloudflare CDN & security
We use Cloudflare (Content Delivery Network, Web Application Firewall, DDoS protection) for secure and performant delivery, bot defence, request rate-limiting, TLS termination, and security/operation metrics.
Data processed: IP address, requested URL/path, HTTP headers (including user agent, referrer), timestamps, protocol/TLS metadata, and derived security/operation logs.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure, efficient operation).
Processing agreement/data transfer: Cloudflare Customer Data Processing Addendum (DPA) including EU Standard Contractual Clauses (SCC).
– DPA: https://www.cloudflare.com/cloudflare-customer-dpa/
– SCC: https://www.cloudflare.com/cloudflare-customer-scc/
Data localisation/third-country transfer: Cloudflare operates a global network (including EU/EEA and USA). Transfers rely on DPA/SCC. A dedicated data localisation setting is not in place. (Backups via R2 are described separately under “Backups (Cloudflare R2 – EU)”.)
Cloudflare cookies (security only, technically required):
| Cookie | Purpose | Lifetime | Category |
|---|---|---|---|
__cf_bm | Bot detection/mitigation | usually ≤ 30 min | Necessary |
cf_clearance | Proof of completed challenge (WAF) | variable | Necessary |
__cfruid / _cfuvid | Rate limiting/bot protection | session/short | Necessary |
No Cloudflare analytics via client-side JavaScript (Web Analytics Beacon) are used.
TLS/HTTPS
All connections to the website are encrypted via HTTPS (TLS); certificates are managed server-side in nginx.
Backups (Cloudflare R2 – EU)
Purpose: Daily backups of the application/database for redundancy and disaster recovery.
Scope: Snapshots of PocketBase data (e.g. user/profile data, content/usage data, system/error logs; depending on your usage).
Automation & retention: Automated daily backups; max. 7 backups retained (rolling retention). Older backups are deleted automatically.
Provider/recipient: Cloudflare, Inc. – R2 Object Storage (S3-compatible).
Storage location/jurisdiction: Backups are stored in an R2 bucket with jurisdiction “European Union (EU)”; objects remain within the EU.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reliability and recovery).
Processing agreement & transfer framework: Cloudflare Customer DPA including SCC; Cloudflare is also certified under the EU-US Data Privacy Framework (DPF).
– DPA: https://www.cloudflare.com/cloudflare-customer-dpa/
– SCC: https://www.cloudflare.com/cloudflare-customer-scc/
– DPF listing: https://www.dataprivacyframework.gov/ (search for “Cloudflare, Inc.”)
Possible third-country transfers: Despite EU storage, ancillary processing (e.g. support cases or processing-related metadata) may involve third countries. Transfers rely on the DPF and/or SCC per the DPA. Cloudflare publishes a list of subprocessors.
– Sub-processor overview: https://www.cloudflare.com/trust-hub/ (section “Subprocessors”)
Retention: 7 days, then automatic deletion.
Security: Cloudflare protects stored data according to state of the art (including encryption). Backups can optionally be additionally encrypted client-side before transfer.
Backups (local/offline)
Manual encrypted backups may occasionally be stored offline for disaster recovery.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in data security).
Retention: until the backup is replaced by a newer version; old copies are securely deleted.
External content / third parties
Apart from Cloudflare (see above) no external analytics, marketing, or font services (e.g. Google Analytics, Google Fonts, reCAPTCHA) are embedded.
Changes to this privacy policy
This policy is updated when technical or organisational changes require it. The version indicated above (“Last updated”) is authoritative.