Privacy Policy

What information is collected, why it is collected, and how you maintain control of your data.

Overview

This Privacy Policy explains what information is collected and why it is collected. During the pilot phase, account changes, exports, and deletions are handled by emailing info@loxal.net — there is no self-serve account dashboard yet.

Depending on your use of the loxal website and its products, two types of information are collected: personal data and non-personal data.

Controller (Art. 4 No. 7, Art. 13(1)(a) GDPR)

Alexander Orlov (natural person, trading under the unregistered name "loxal")
Clementine-von-Braunmühl-Weg 11, 81541 München, Germany
E-Mail: info@loxal.net
Data-protection enquiries: info@loxal.net

The controller operates as a natural person under the Kleinunternehmer scheme (§ 19 UStG). No Data Protection Officer is mandatory because § 38 BDSG only requires one where 20 or more persons are regularly engaged in personal-data processing. The primary contact for data-protection enquiries is info@loxal.net.

Legal bases for processing (Art. 6 GDPR)

Art. 6(1)(b) — Contract performance: Account creation, API key issuance, delivery of purchased services, and pre-contractual communication initiated by you (e.g. emailing info@loxal.net to request a pilot).
Art. 6(1)(f) — Legitimate interest: IT security via server logs (Recital 49 GDPR), anti-abuse rate limiting on anonymous API traffic, and basic aggregated usage statistics without user-level tracking.
Art. 6(1)(c) — Legal obligation: Retention of invoicing / accounting records for 10 years per § 147 AO.
Art. 6(1)(a) — Consent: Only where explicitly collected (e.g. opt-in to non-essential communication). None is required or requested for using the pilot products today.

Retention periods

Account / key-issuance emails: for the duration of the service relationship + 30 days.
Server access logs (including IP addresses): 30 days, then auto-deleted. BayLDA recognises 30 days for IT-security legitimate interest.
API request log (metering): retained for the duration of your service relationship. Within 30 days of the relationship ending (key revocation or written request), all rows tied to your API key are deleted. Aggregated, non-identifying counts may be retained for billing reconciliation. This matches the deletion timeline in the DPA § 4.
Site Search crawled index & search logs: duration of the customer relationship + 30 days after termination.
Invoicing / accounting records: 10 years (§ 147 AO).
Aggregated, anonymised usage statistics: retained indefinitely.

Recipients / processors

OVH SAS (2 rue Kellermann, 59100 Roubaix, France) — infrastructure hosting (EU). A GDPR-compliant data processing agreement (Art. 28) is in place.
Stripe Payments Europe, Ltd. — payment processing. Sensitive payment data (card number, CVC) is submitted directly to Stripe and is never stored on our servers.
DB-IP (by 2VIA S.A.) — DB-IP Lite geolocation database (CC BY 4.0). IP addresses are looked up locally against a database hosted by us; no end-user IP is sent to DB-IP. Published with required attribution.

No personal data is transferred outside the EEA except where a recipient named above operates infrastructure within the EU. Where international transfers are unavoidable, we rely on Art. 46 GDPR safeguards (Standard Contractual Clauses).

Your rights (Art. 15–22 GDPR)

Access (Art. 15) — a copy of the personal data we hold about you.
Rectification (Art. 16) — correction of inaccurate data.
Erasure / "right to be forgotten" (Art. 17).
Restriction of processing (Art. 18).
Data portability (Art. 20) — structured, machine-readable export.
Objection (Art. 21) — in particular to processing based on legitimate interest.
Revoke consent (Art. 7(3)) — where consent was the legal basis.
No automated individual decision-making (Art. 22) — we do not subject you to automated decisions with legal effect.

To exercise any of these rights, email info@loxal.net. We respond within one month (Art. 12(3) GDPR). We may verify your identity by requiring the request to come from the email address registered with the service.

Supervisory authority

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The authority competent for this service is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach, Germany
lda.bayern.de

Types of Data

Personal Data

As defined in GDPR, or "Personally identifiable Information" (PII), is any information that may be used to identify, contact, or locate you as an individual.

Non-Personal Data

Information that cannot be used to identify or contact you. E.g., browser settings, search queries, and statistical data involving the use of Page Finder website.

When Data is Collected

When you integrate Page Finder into your website
When you log in to access your Page Finder dashboard
When you simply browse this website

Page Finder Integration — What Data is Collected from Your Users?

When we process your visitors' data on your behalf as a data processor under the Data Processing Agreement, we permanently ensure that our operations are executed in accordance with GDPR requirements. To make sure your privacy is protected:

Technical and organizational measures taken by our infrastructure provider (ISO/IEC 27001 certified)
Quality compliance certificate issued by the German certification body TÜV Rheinland
Technical and organizational measures taken by us as a contractor

User's Search Query

Search queries provide the core of your search analytics. This information is aggregated in your dashboard and is not personally identifiable. Stored until you delete your account.

User's IP Address

Used to ignore logging from certain users and to prevent spam and abuse techniques. Blocked-IP entries (anti-abuse list) are retained for 14 days. General server access logs that incidentally contain IP addresses are retained for 30 days per the "Retention periods" section above.

All communication is encrypted in transit (TLS).
What we store about your end users: their search query (Site Search) or their IP address (IP Intelligence API) for the duration of the service relationship + 30 days, then deleted. We do not store names, emails, or other contact data of your end users.

What we collect when you request access

During the pilot phase access is granted manually by email. When you email info@loxal.net to request a Free or Pro API key (or a Page Finder pilot install), we collect only what you supply:

Email address
Name (optional)
Domain (Page Finder only)
Tier (Free / Pro)

How we use this information

To issue an API key and reply to you.
To understand how the pilot is being used so we can prioritise.
To send service messages (e.g. key revocation notice). We do NOT send marketing emails — there's no list to be on.

To update or delete your record, email info@loxal.net. There is no self-serve dashboard / "Profile settings" UI yet — pilot scale doesn't justify building one. We respond within one month per Art. 12(3) GDPR.

Payment Information

All transactions are processed by our payment provider Stripe. All sensitive information, such as credit card number, expiration date and CVC/CVV are securely provided directly to Stripe and are never saved or stored on our servers.

Website Browsing Data

When browsing our site, you automatically send us non-personal data such as your device's IP address, referring website, pages visited, and browser information. We use this aggregated data to:

Collect website usage statistics to improve performance and content
Remember your language preference for future visits

Cookies — essential only, no banner

This website uses only strictly-necessary cookies that are essential for the operation of the requested service (e.g. session cookies, CSRF tokens). Per § 25 Abs. 2 Nr. 2 TDDDG, such cookies are exempt from the consent requirement and we therefore do not show a cookie banner. We do not use analytics, tracking, advertising, or third-party cookies.

If we ever add non-essential cookies, we will request explicit opt-in consent via a banner with an equally-prominent "reject all" option (consistent with DSK Orientierungshilfe Telemedien v1.2, Nov 2024, and VG Hannover, 19 March 2025).

If your browser blocks essential cookies entirely, parts of the service (e.g. session continuity, form submission) will not work. You can still call the public API endpoints with curl without any cookies.

Protecting Your Information

Your personal information is contained behind secured networks and is only accessible by a limited number of persons with special access rights who are required to keep the information confidential. All sensitive information is encrypted via SSL.

Sharing Your Information

We do not sell, rent, trade, or otherwise transfer any personal data without your consent. We do not run analytics, advertising-network integrations, or third-party tracking pixels — see the cookie section below.

Legal Compliance

CalOPPA

California Online Privacy Protection Act compliance—we state exactly what information we collect.

COPPA

Children Online Privacy Protection Act—we do not market to children under 13.

Fair Information Practices

We implement these principles and have updated our breach management process for GDPR compliance.

Data Breach Notification

Should a personal data breach occur and if it is likely to put our users' privacy at risk:

We will notify users by email and via in-site notification within seven business days
We will notify designated supervisory authorities within 72 hours