Privacy Policy
WebLibre Feedback takes the protection of your personal data very seriously. As a German entity, we are particularly guided by the General Data Protection Regulation (GDPR). This Privacy Policy informs you about the nature, scope, and purpose of the processing of personal data within our online forum and associated websites, functions, and content (hereinafter collectively referred to as the "Service").
We use terms such as "personal data" or "processing" in accordance with their definitions in Article 4 of the GDPR.
Controller
The controller responsible for data processing within the meaning of the GDPR is:
OnDevice UG (haftungsbeschränkt)
Römerstraße 21
D-71540 Murrhardt Germany
Email: info (at) ondevice.eu
Website: https://feedback.weblibre.eu/
1. Legal Bases for Processing
In accordance with Article 13 GDPR, we inform you of the legal bases for our data processing activities:
| Legal Basis | Application |
| --- | --- |
| Art. 6(1)(a) GDPR | Processing based on your consent (e.g., newsletter subscription, optional cookies) |
| Art. 6(1)(b) GDPR | Processing necessary for the performance of a contract or pre-contractual measures (e.g., user account, forum participation) |
| Art. 6(1)(c) GDPR | Processing necessary for compliance with legal obligations |
| Art. 6(1)(f) GDPR | Processing based on our legitimate interests (e.g., security, fraud prevention, service optimization) |
2. Categories of Data Processed
In connection with operating our forum, we process the following categories of personal data:
- Inventory and contact data: Username, email address, profile information
- Content data: Forum posts, comments, private messages, uploaded files
- Usage data: Access logs, IP addresses, browser information, timestamps
- Communication data: Contact form submissions, support requests
The categories of data subjects include visitors, registered users, and members of our forum community (hereinafter collectively referred to as "Users").
3. Security Measures
In accordance with Article 32 GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing.
Our security measures include:
- Encryption: All data transmission between your browser and our servers is encrypted using HTTPS/TLS
- Server security: Dedicated servers located in Germany with regular security updates
- Access controls: Restricted access to personal data on a need-to-know basis
- Data protection by design: Privacy considerations integrated into the development and selection of systems
- Regular backups: To ensure data availability and integrity
4. User Accounts and Forum Participation
4.1 Registration
To participate in discussions, post content, or access certain features, you must create a user account. During registration, we collect:
- Username (required)
- Email address (required)
- Password (required, stored in hashed form)
- Optional profile information you choose to provide
The required information is minimized to what is necessary for account creation. We use a double opt-in procedure to verify your email address: after registration, you will receive an email asking you to confirm your address by clicking a link. This prevents registration with third-party email addresses. We log the timestamp and IP address of the double opt-in confirmation pursuant to Art. 6(1)(c) GDPR to document your consent.
Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (legal documentation requirements).
4.2 IP Address Logging
During registration and when using your account (particularly when posting content), we store your IP address and the corresponding timestamp for 7 days pursuant to Art. 6(1)(f) GDPR. This serves the legitimate interests of:
- Protecting against abuse and unauthorized use
- Enabling identification of authors of unlawful content for potential legal proceedings
- Defending against claims made against us
After this period, IP addresses are anonymized or deleted. IP addresses required as evidence for ongoing investigations are exempt from deletion until the matter is resolved.
4.3 Forum Posts and Content
Content you publish (posts, comments, profile information) is stored and made publicly available to enable the forum's core functionality. This processing is based on:
- Art. 6(1)(b) GDPR: Performance of the user agreement
- Art. 6(1)(f) GDPR: Our legitimate interest in providing a functional community platform
4.4 Account Deletion
You may request deletion of your account at any time, provided no legal obligations prevent this. Upon account deletion:
- Retained: Published content (forum posts, comments) generally remains visible to preserve discussion integrity, unless legal requirements dictate otherwise. Authorship may be anonymized (e.g., displayed as "Deleted User").
- Deleted: All personal data not required for legal compliance (Art. 6(1)(c) GDPR) is permanently deleted.
4.5 Banned Accounts
If your account has been suspended due to repeated or serious rule violations, we may refuse deletion requests pursuant to Art. 6(1)(f) GDPR. We have a legitimate interest in preventing the creation of new accounts to circumvent bans, thereby protecting other users and our technical infrastructure.
5. Access Logs and Server Data
5.1 Data Collected
Each time you access our Service, we automatically collect:
- URL of the accessed page
- Referring URL (previously visited page)
- Date and time of access
- IP address (and derived approximate geographic location at country level)
- HTTP status code
- Data volume transferred
- Browser type and version (User-Agent)
- Operating system
- Screen resolution and viewport size
- Language and timezone settings
- TLS version and cipher suite
Legal basis: Art. 6(1)(f) GDPR – our legitimate interest in ensuring the stability, functionality, and security of our servers and Service, as well as analyzing and optimizing our offering.
5.2 Retention Period
This data is deleted after 7 days at the latest. Beyond this period, we retain only aggregated, anonymized statistics (e.g., page view counts, browser market share) that do not permit identification of individual users.
Data required as evidence for security incidents or legal matters is exempt from deletion until the matter is resolved.
5.3 Disclosure to Third Parties
This data is not shared with third parties unless:
- We are legally obligated to do so (Art. 6(1)(c) GDPR), or
- Disclosure is necessary to assert or defend our legal rights
6. Cookies
6.1 What Are Cookies?
Cookies are small text files sent from our server (or third-party servers) to your browser and stored on your device for later retrieval. Session cookies are temporary and deleted when you close your browser; persistent cookies remain until they expire or you delete them.
6.2 Essential Cookies (Without User Account)
For basic use of our forum without a user account, cookies are not strictly required, though functionality may be limited. We use cookies to:
- Store your preferences (e.g., theme, language settings)
- Maintain session state for security purposes
- Remember consent choices
6.3 Cookies for Registered Users
For logged-in users, cookies are required to maintain your authenticated session across page views.
- "Remember me" enabled: A persistent cookie keeps you logged in until you explicitly log out
- "Remember me" disabled: A session cookie is used, which is deleted when you close your browser
6.4 Forum-Specific Cookies
Our Flarum forum may set the following cookies:
| Cookie Name | Purpose | Duration | Type |
| --- | --- | --- | --- |
| flarum_session | Session identification | Session | Essential |
| flarum_remember | Persistent login | 5 years | Essential (if enabled) |
| flarum_locale | Language preference | 1 year | Functional |
6.5 Legal Basis
- Art. 6(1)(b) GDPR: Cookies necessary for contract performance (user account functionality)
- Art. 6(1)(f) GDPR: Cookies serving our legitimate interest in optimal Service functionality
- Art. 6(1)(a) GDPR: Non-essential cookies (analytics, advertising) only with your explicit consent
6.6 Managing Cookies
You can configure your browser to reject cookies entirely. Please note that this may prevent you from using all features of our Service. Instructions for managing cookies:
7. Embedded Third-Party Content
7.1 Share Links
Social media share buttons on our pages are simple hyperlinks. They do not transmit any data to third parties until you actively click them.
7.2 Embedded Media
On certain pages (e.g., specific forum posts), we may embed content from third-party providers such as:
- YouTube videos
- Other media platforms
These embeds are deactivated by default and require your explicit activation (consent) pursuant to Art. 6(1)(a) GDPR. When you activate an embed, it is technically necessary for the third-party provider to receive your IP address to deliver the content.
7.3 Third-Party Providers
When you activate embedded content, the respective provider's privacy policy applies:
8. Cooperation with Processors and Third Parties
8.1 General Principles
We disclose personal data to other parties only when:
- There is a legal basis (e.g., Art. 6(1)(b) GDPR for payment processors)
- You have consented
- A legal obligation requires disclosure
- Our legitimate interests justify it (e.g., hosting providers)
8.2 Data Processing Agreements
Where we engage third parties to process data on our behalf, we conclude data processing agreements pursuant to Art. 28 GDPR.
8.3 Hosting Provider
Our forum is hosted by:
Hetzner: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacity); Service provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.hetzner.com; Privacy policy: https://www.hetzner.com/de/rechtliches/datenschutz. Data processing agreement: https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/.
The hosting provider processes data on our behalf to provide server infrastructure. This includes access to server logs and stored data as technically necessary.
Legal basis: Art. 6(1)(f) GDPR – our legitimate interest in stable and secure hosting infrastructure.
8.4 International Data Transfers
We process data primarily within the European Union/European Economic Area. If data is transferred to third countries (outside the EU/EEA), this occurs only:
- With your explicit consent
- Where necessary for contract performance
- On the basis of an adequacy decision by the European Commission
- Subject to appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules)
- Under certified frameworks (e.g., EU-US Data Privacy Framework)
9. Contact Requests
When you contact us (e.g., via email or contact form), the information you provide is processed to handle your inquiry pursuant to Art. 6(1)(b) GDPR (if related to a contractual relationship) or Art. 6(1)(f) GDPR (our legitimate interest in responding to inquiries).
Email provider:
- mailbox.org: Email hosting; Service provider: Heinlein Hosting GmbH, Schwedter Straße 8/9A, 10119 Berlin, Germany; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.mailbox.org. Privacy policy: https://mailbox.org/de/datenschutz; Data processing agreement: Provided by the service provider.
10. Rights of Data Subjects
Under the GDPR, you have the following rights:
| Right | Article | Description |
| --- | --- | --- |
| Access | Art. 15 | Obtain confirmation and information about your stored personal data |
| Rectification | Art. 16 | Request correction of inaccurate or completion of incomplete data |
| Erasure | Art. 17 | Request deletion of your data ("right to be forgotten") |
| Restriction | Art. 18 | Request limitation of processing under certain conditions |
| Data Portability | Art. 20 | Receive your data in a structured, machine-readable format |
| Object | Art. 21 | Object to processing based on legitimate interests, including direct marketing |
| Withdraw Consent | Art. 7(3) | Withdraw consent at any time with effect for the future |
| Lodge Complaint | Art. 77 | File a complaint with a supervisory authority |
To exercise your rights, please navigate to your user settings, or contact us at: info (at) ondevice.eu
11. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected or as required by law. Statutory retention periods (e.g., commercial and tax law: 6–10 years under German law) may prevent immediate deletion.
| Data Category | Retention Period |
| --- | --- |
| Server logs / IP addresses | 7 days |
| User account data | Until account deletion + legal retention periods |
| Forum posts | Indefinitely (anonymized upon account deletion) |
| Contract/billing data | 10 years (tax law) |
| Consent records | 3 years after consent withdrawal |
Data that cannot be deleted due to legal requirements will be restricted from further processing.
12. Automated Decision-Making
We do not use automated decision-making, including profiling, that produces legal effects or similarly significantly affects you as described in Art. 22 GDPR.
13. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our data processing practices or legal requirements. We encourage you to review this policy periodically. If changes require your consent or individual notification, we will inform you accordingly.
14. Contact for Privacy Matters
For questions regarding data protection or to exercise your rights:
OnDevice UG (haftungsbeschränkt)
Email: info (at) ondevice.eu
Last updated: 11.12.2025