
Privacy Policy

Your privacy is fundamental to roadbeat. This policy explains what personal data we collect, how we process it, and what rights you have. It applies to the roadbeat.net marketing website and provides an overview of data processing across the roadbeat platform ecosystem.

§ 1 Scope

This privacy policy applies to the roadbeat.net website ("the Website"), operated by roadbeat e.V. The roadbeat platform consists of multiple independently operated components (Context Directory, Studio Node, Discovery Nodes, Content Pods, Web Client, Mobile App). Each component operator is responsible as a separate data controller for their instance. This policy covers the Website and provides a general overview of how data is handled across the ecosystem.

§ 2 Data Controller

The data controller for this website is:

roadbeat e.V. (in Gründung)

Represented by: Jens Hoppe (Vorstandsvorsitzender i.G.)

c/o RUFFINI Creative Hub, Sendlinger Straße 1, D-80331 München, Deutschland

Email: hello@roadbeat.net

For data protection inquiries, please contact us at the email address above. A formal Data Protection Officer (DPO) will be appointed once the association registration is complete, if legally required.

§ 3 Legal Basis for Processing

We process personal data only when we have a valid legal basis under the General Data Protection Regulation (GDPR). The legal bases we rely on are:

Consent (Art. 6(1)(a) GDPR)
For newsletter subscriptions and optional analytics.
Contract performance (Art. 6(1)(b) GDPR)
For providing platform services to registered users and publishers.
Legitimate interests (Art. 6(1)(f) GDPR)
For server security logs, fraud prevention, and service improvement. Our legitimate interest is ensuring the security and availability of our services.
Legal obligation (Art. 6(1)(c) GDPR)
Where we are legally required to retain certain data (e.g., tax-related records).

§ 4 Data Collected on This Website

The following describes data processing specific to roadbeat.net, the marketing and information website.

4.1 Server Logs

When you visit roadbeat.net, our hosting provider (Hetzner Online GmbH) automatically collects technical data necessary for delivering the website. This includes your IP address, browser type and version, operating system, the referring URL, the pages you visit, the date and time of access, and the amount of data transferred. This data is processed based on our legitimate interest in ensuring server security and stability (Art. 6(1)(f) GDPR). Server logs are automatically deleted after 14 days. This data is not combined with other data sources and is not used to identify individual users.

4.2 Lightweight Page Analytics

We use Rybbit (https://rybbit.com), a privacy-friendly, open-source analytics tool that we host on our own infrastructure (self-hosted). Rybbit collects minimal page view statistics to help us understand which pages are visited and to improve our website. It records the page path, the locale (language) of the page, the referring URL, and a general user agent string. Rybbit does NOT record your IP address, does NOT use cookies, and does NOT create user profiles. This data cannot be linked to individual visitors. No third-party analytics services (such as Google Analytics, Facebook Pixel, or similar) are used — all analytics data stays on our own servers. Legal basis: Legitimate interest in website improvement (Art. 6(1)(f) GDPR).

4.3 Newsletter

If you subscribe to our newsletter, we collect your email address and your preferred language. We use a double opt-in process: after submitting your email, you will receive a confirmation email with a unique token link. Your subscription is only activated once you confirm. We store the date of your confirmation. Legal basis: Your consent (Art. 6(1)(a) GDPR). You can unsubscribe at any time using the link provided in every newsletter email, or by contacting us directly. Upon unsubscription, your data is deleted.

4.4 Contact Forms

When you use our contact form, we collect your name, email address, subject, and message. We also store your IP address for abuse prevention purposes. This data is used solely to respond to your inquiry and is not shared with third parties. Legal basis: Legitimate interest in responding to inquiries (Art. 6(1)(f) GDPR) and, where your inquiry relates to a contract, contract performance (Art. 6(1)(b) GDPR). Contact submissions are retained for 12 months after the inquiry is resolved, unless a longer retention period is required by law.

§ 5 Data Processed by the roadbeat Platform

roadbeat is a decentralized platform consisting of multiple independently deployable components. Each component is designed with privacy-by-design principles. The following provides an overview of what data each component processes. Self-hosted instances are controlled by their respective operators.

5.1 Context Directory

The Context Directory stores your personal context data to enable goal-driven content discovery. This includes:

  • Account credentials — A username, a one-way hash of your email address (not the email itself), and a hashed password. We do not store your email in plain text.
  • Location data — Optionally, your home country, city, and approximate coordinates (for location-based content matching). You control the precision level. Current location is only updated if you explicitly choose to share it.
  • Goals — The goals you define (e.g., "Learn Spanish", "Find cycling events near me"), including time horizon, parameters, and progress.
  • Interests and preferences — Content categories, topics, preferred content types, language preferences, timezone, and notification settings.
  • Social data — Which publishers you follow and your content bookmarks. This data is private to you; there is no public "who follows whom" graph.
  • Audit log — An access log of who accessed your data, when, and for what purpose, allowing you to verify your data sovereignty.

Design principle: The Context Directory stores only context (goals, preferences, follows), never content. Social graphs are private. Email addresses are stored only as irreversible hashes.

5.2 Studio Node (Publisher CMS)

The Studio Node is a self-hosted headless CMS for publishers and organizations. Each Studio instance is operated independently by its respective organization. Data processed includes user accounts (name, email, role within the organization), content and assets created by editors, publishing records, API keys, and webhook configurations. Publisher organizations are the data controller for their own Studio Node instances.

5.3 Discovery Nodes

Discovery Nodes are distributed search engines that index content teasers (title, description, image URL, metadata) published by publishers. Discovery Nodes do NOT store any end-user personal data. They store publisher information (organization name, domain, public key, contact email) and aggregate anonymous query statistics (total queries, average latency). Search queries are not logged on a per-user basis.

5.4 Content Pods

Content Pods are portable content hosting spaces for individuals and organizations. If you use the managed pod hosting service, we store your account credentials (email, name, hashed password), your pod configuration (subdomain, custom domain, storage quota), and the content you publish. Content Pods are designed for data portability: you can export and migrate your pod at any time.

5.5 Web Client

The standalone Web Client stores minimal session data locally: a session identifier, your Context Directory user ID, display name, and an encrypted access token. It also stores your notification preferences and onboarding progress. Actual user data (goals, follows, bookmarks) lives in the Context Directory, not the Web Client. Session data is automatically cleaned up when sessions expire.

5.6 Mobile App

The roadbeat mobile app stores data locally on your device using an encrypted SQLite database. This includes cached content, offline bookmarks, draft content, and your account credentials. The app communicates with the Context Directory and Discovery Nodes using encrypted HTTPS connections. Location data is only accessed with your explicit permission and is never transmitted without your consent.

§ 6 Cookies and Similar Technologies

roadbeat.net does NOT use cookies for tracking, advertising, or analytics. The platform components may use strictly necessary cookies (such as session cookies for authenticated users) where required for functionality. These are first-party, httpOnly, secure cookies that cannot be read by third parties. We do not use any third-party cookies. No cookie consent banner is required for strictly necessary cookies under the ePrivacy Directive, but we inform you of their use here for transparency.

§ 7 What We Do NOT Collect

  • No cookies for tracking or advertising purposes
  • No behavioral profiling or interest inference from browsing behavior
  • No cross-site tracking or fingerprinting
  • No data sharing with third parties for advertising or marketing
  • No social media tracking pixels or embedded trackers
  • No algorithmic content ranking based on personal data
  • No sale of personal data to any third party, ever

This is not merely a policy choice — it is an architectural decision. The roadbeat platform is designed so that these forms of tracking are technically impossible within the system.

§ 8 Hosting and Infrastructure

All roadbeat infrastructure is hosted on Hetzner Online GmbH servers located exclusively in Germany (data centers in Nuremberg and Falkenstein). Hetzner is a German company subject to GDPR and German data protection law. No data is transferred to or processed in non-EU/EEA countries.

Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany.

Privacy policy: https://www.hetzner.com/legal/privacy-policy

§ 9 Third-Party Services

We minimize the use of third-party services. The following are currently in use:

  • Hetzner Online GmbH — Server hosting and DNS (Germany, GDPR-compliant). Data processed: server logs, network traffic data.
  • Rybbit (self-hosted) — Privacy-friendly, open-source web analytics (https://rybbit.com). Self-hosted on our own infrastructure; no data is sent to external servers.
  • documentation.ai — Documentation creation and hosting for our project documentation sites. Data processed: publicly available documentation content only, no user personal data.
  • Gitea (self-hosted) — Source code management and CI/CD. Hosted on our own infrastructure, no third-party access.

We do NOT use Google Fonts, Google Analytics, Cloudflare, AWS, or any US-based cloud services for processing personal data. All fonts are self-hosted.

§ 10 Data Retention

We retain personal data only as long as necessary for the purpose for which it was collected:

  • Server logs: 14 days (automatic deletion)
  • Page view analytics: 90 days (aggregated, non-identifiable)
  • Newsletter subscriptions: Until you unsubscribe
  • Contact form submissions: 12 months after inquiry resolution
  • Context Directory accounts: Until you delete your account
  • Studio Node accounts: Managed by the respective organization operator
  • Content Pod data: Until you delete your pod or account
  • Session data: Automatically cleaned up upon expiration (typically 30 days)

When you delete your account, all associated personal data is permanently removed. Content you published publicly may have been indexed by Discovery Nodes; unpublishing your content will remove it from active indexes.

§ 11 International Data Transfers

We do not transfer your personal data to countries outside the European Union (EU) or European Economic Area (EEA). All servers, databases, and backup storage are located in Germany. Our organizational structure, hosting provider, and all subprocessors are based in the EU. In the event that an international transfer ever becomes necessary (e.g., at your explicit request), we will ensure appropriate safeguards are in place in accordance with Chapter V of the GDPR.

§ 12 Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption in transit — All data is transmitted via HTTPS/TLS. No unencrypted connections are accepted.
  • Encryption at rest — Passwords are stored using bcrypt hashing. Email addresses in the Context Directory are stored as SHA-256 hashes.
  • Access control — Role-based access control in all platform components. Administrative access is restricted and logged.
  • Content signing — Published content is cryptographically signed using Ed25519 keys, ensuring integrity and authenticity.
  • Regular updates — All software dependencies are regularly updated to address known vulnerabilities.
  • Minimal data collection — We only collect data that is necessary for the stated purpose (data minimization principle).

§ 13 Children's Privacy

roadbeat is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at hello@roadbeat.net and we will take steps to delete such data.

§ 14 Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) — You have the right to obtain confirmation as to whether personal data concerning you is being processed, and if so, to access that data and receive a copy.
  • Right to rectification (Art. 16 GDPR) — You have the right to request correction of inaccurate personal data without undue delay.
  • Right to erasure (Art. 17 GDPR) — You have the right to request deletion of your personal data ("right to be forgotten") when the data is no longer necessary, you withdraw consent, or there is no overriding legitimate interest.
  • Right to restriction of processing (Art. 18 GDPR) — You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of your data.
  • Right to data portability (Art. 20 GDPR) — You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller. roadbeat supports full data export in JSON format.
  • Right to object (Art. 21 GDPR) — You have the right to object to processing based on legitimate interests. We will cease processing unless we have compelling legitimate grounds that override your interests.
  • Right to withdraw consent (Art. 7(3) GDPR) — Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.

To exercise any of these rights, please contact us at hello@roadbeat.net. We will respond to your request within 30 days, as required by law. You will not be charged a fee for exercising your rights, unless your request is manifestly unfounded or excessive.

§ 15 Right to Lodge a Complaint

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for roadbeat e.V. is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

Promenade 18, 91522 Ansbach, Germany

https://www.lda.bayern.de

You may also contact the supervisory authority in the EU member state of your habitual residence or place of work.

§ 16 Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date below. We encourage you to review this policy periodically. Continued use of our services after changes constitutes acceptance of the updated policy.

§ 17 Contact

If you have any questions about this privacy policy or our data processing practices, please contact us:

roadbeat e.V. (in Gründung)

c/o RUFFINI Creative Hub, Sendlinger Straße 1, D-80331 München, Deutschland

hello@roadbeat.net

Last updated: May 2026