Privacy Policy
Last updated: 2026-04-28
1. Controller
Leon Becker
Postal address:
Agnes Sellz. Hd. Leon Becker
Ramminger Straße 17
86842 Türkheim
Germany
Email: hello@stelae.eu
2. What we collect
We collect the minimum data required to provide the service:
- Account data: email address, hashed password
- Site data: WordPress content you create, site configuration, subdomain
- Usage data: container uptime, bandwidth consumption (for enforcing limits)
- Server logs: IP address, request timestamps, HTTP method and path (retained 30 days)
- Payment data: processed by Mollie (our payment provider); we store only a transaction reference, not your bank/card details
3. Legal basis
- Contract performance (Art. 6(1)(b) GDPR): account data, site data, and usage data, which are necessary to provide the service you signed up for
- Legitimate interest (Art. 6(1)(f) GDPR): server logs, which are necessary for security, abuse prevention, and debugging
4. Cookies and local storage
We use a single session cookie on your WordPress editor subdomain to keep you signed in while editing. This cookie is strictly necessary for authentication, is scoped to your editor subdomain only, and does not require consent under ePrivacy regulations. It expires after 30 days, when the server restarts, or when you regenerate your editor link from the dashboard (which immediately revokes any active editor sessions).
The Stelae dashboard uses an authentication cookie to keep you signed in. This cookie is strictly necessary, HttpOnly (not accessible to JavaScript), and expires after 14 days or when you sign out.
We use browser local storage on your editor subdomain to remember your editor link, so that when your session expires you can sign in again with one click instead of looking up the link in your dashboard. This is strictly necessary for the editor sign-in flow, scoped to your editor subdomain, and never read by any third party.
We do not use any tracking cookies, analytics cookies, third-party cookies, or any other tracking technology.
5. Third-party processors
- IONOS SE (Montabaur, DE): VPS gateway (TLS termination, traffic routing). See their privacy policy.
- Scaleway (Iliad Group) (Paris, FR): transactional email delivery (account verification, password reset) via Scaleway TEM. See their privacy policy.
- Mollie B.V. (Amsterdam, NL): payment processing. See their privacy policy.
All processors handling personal data on our behalf are located in the EU. Personal data is also stored on backup infrastructure under our direct operational control, located in Germany. No personal data is transferred outside the European Economic Area.
Your hosting provider: if you deploy your static site to a third-party host (Cloudflare, statichost.eu, GitHub, etc.), that is a direct relationship between you and that provider. Stelae pushes files using credentials you provide but does not control how your host processes data.
6. Data retention
- Account and site data: retained while your account is active. Deleted from live systems immediately upon account deletion (no 30-day grace period).
- Backups: daily backups are retained for 30 days, then automatically rotated out. After you delete your account, your data is purged from live systems immediately and naturally rotates out of all backups within 30 days. We do not selectively edit backup archives. In the rare event of a disaster restore, deletion requests received between the backup time and the restore time may be undone. We cannot identify these requests after the fact, because we do not keep a separate offsite log of deletions (which would itself create a privacy concern). If a restore happens, we will notify all users by email that the system was restored from a backup, that any edits since that backup were lost, and that anyone who had requested account deletion in the affected window must request deletion again.
- Server logs: retained for 30 days.
- Billing records: retained for 10 years as required by German tax law (§ 147 AO). After account deletion, only the minimum tax-required fields (invoice ID, amount, date, and the country and company/billing identity required for VAT) are retained; your email, password, and site data are deleted as described above.
7. Your rights
Under the GDPR you have the right to:
- Access your data (Art. 15) via the data export feature in your account settings
- Rectification (Art. 16): contact us to correct inaccurate data
- Erasure (Art. 17): delete your account from the account settings page
- Data portability (Art. 20) via the data export feature; WordPress content can be exported from the WordPress editor
- Restriction (Art. 18) and objection (Art. 21): contact us
- Lodge a complaint with a supervisory authority
8. Security
Your WordPress editor is protected by a login page with session-based authentication and runs in an isolated container with resource limits. Passwords are hashed. All connections use TLS encryption. We do not store payment card or bank account details.
Backups are transferred to an offsite location in Germany over an authenticated, encrypted (SSH) channel and stored on a LUKS-encrypted volume (encryption at rest) on infrastructure under our sole operational control. The remote backup host is access-restricted to the operator account.
9. Contact
For privacy-related questions: support@stelae.eu