Back

Privacy Policy

Last updated: March 2026

1. Data Controller

The data controller pursuant to Art. 4(7) GDPR is:

Felix Auer
1140 Vienna, Austria
scurrysheets@felixauer.at

2. Overview

The following information provides an overview of what happens to your personal data when you use this app.

3. Data Collection & Processing

When using the app, the following data is processed:

  • Authentication: Sign-in via OAuth (Google, Microsoft, or Dropbox). An access token is created during this process.
  • Stored on our server: Only a session token (JWT cookie) containing your OAuth refresh token and cloud folder ID. No email addresses or personal data are stored on our server.
  • Worksheet data: All worksheets, images, and tags are stored on your own cloud storage (Google Drive, OneDrive, or Dropbox). The operator has no access to this data.
  • Gemini API key: Stored exclusively in your browser (IndexedDB). The key is never transmitted to our servers.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)

4. Cookies

This app only uses a technically necessary session cookie (JWT) for authentication. No tracking cookies or advertising cookies are used.

5. Analytics (Umami)

This app uses the Umami analytics tracker to collect anonymous usage statistics in order to improve the quality and usability of the app.

Data collected:

  • Page views (which pages are visited)
  • Device type (desktop, tablet, mobile)
  • Browser type
  • Approximate region/country (no precise location)

Not collected:

IP addresses are anonymized. No personal data is collected, no cookies are set, and no cross-site tracking is performed.

Purpose: Improving the app through anonymous usage statistics.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

Provider: Umami Software, Inc. — umami.is

Umami is GDPR-compliant and does not require a cookie banner as no personal data is collected.

6. Hosting

This app is hosted by:

Vercel Inc.
440 N Barranca Ave #4133, Covina, CA 91723, USA

Server-side functions execute in Frankfurt, Germany (EU). Vercel briefly processes technical data such as IP address and browser information for content delivery. Data is processed within the EU.

7. Third-Party Services

  • Google Gemini API: Only used when the OCR feature is activated, with your own API key. Images are sent to Google for text recognition.
  • OAuth providers: Google, Microsoft, and Dropbox for authentication and cloud storage access.

8. Data Retention

Server-side data (OAuth token, folder ID) is deleted when you sign out. Local data (IndexedDB, cache) is removed from the browser upon sign-out.

9. Your Rights

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)

Contact: scurrysheets@felixauer.at

10. Right to Complain

You have the right to lodge a complaint with a supervisory authority:

Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna
www.dsb.gv.at