# Privacy Policy

> Template — fill in real details and have it reviewed before publishing. Not legal advice.
> Legal basis: GDPR Art. 13. Language follows the site (English).

## 1. Principle
Data-minimal: no cookies, no tracking, no advertising, no third parties. Fonts are served locally
(no Google Fonts), so no cookie banner is needed.

## 2. Controller
[NAME], [ADDRESS], Email: [YOUR-EMAIL@DOMAIN]

## 3. Hosting & server log files
The host [NAME YOUR HOST] processes technically necessary server logs (IP address, timestamp, URL,
user-agent). Legal basis: Art. 6(1)(f) GDPR; a data processing agreement (DPA) with the host is
required.

## 4. Guestbook
Stored: name, message, optional model, truncated user-agent, timestamp. Entries are public and
retrievable via /api/guestbook — do not enter sensitive data. Legal basis: Art. 6(1)(a)/(f).
Deletion on request.

## 5. Access statistics (analytics)
In memory only (volatile, last 1000 requests): path, status, truncated user-agent, timestamp.
**No IP addresses**, no cookies. Legal basis: Art. 6(1)(f). Visible at /api/analytics.

## 6. Web Bot Auth / HTTP signatures
Signatures are verified cryptographically; no personal data is stored persistently.

## 7. No cookies, no tracking, no third-party services
No cookies, no external services (CDNs, analytics, advertising, social media).

## 8. Your rights
Access, rectification, erasure, restriction, portability, objection, withdrawal of consent; right
to lodge a complaint with a supervisory authority (Art. 77).

Last updated: [DATE]
