Privacy Policy

5.1 License Verification (/api/verify-license)

Purpose:

Verification of the Premium license key to unlock paid features.

Data:

License key (entered by user), User-Agent and Accept-Language headers for rate-limit bucketing, proof-of-work challenge response.

Legal basis:

Art. 6(1)(b) GDPR (performance of a contract — delivery of purchased Premium functions).

Recipients:

Sold through Link, LLC (f/k/a Lemon Squeezy LLC), USA. See section 8 (International Data Transfers).

Retention:

License keys are not stored server-side. Rate-limit data is kept in the memory of the serverless function only and is cleared when the instance terminates (typically within minutes).

5.2 OpenStreetMap Tiles and Nominatim Geocoding

Purpose:

Displaying GPS coordinates extracted from metadata on a map; optional location search when editing GPS.

Data:

Your IP address (to the OSM tile servers for tile delivery); the search term entered by the user (only when actively searching). GPS coordinates from your file are NOT transmitted.

Legal basis:

Art. 6(1)(f) GDPR (legitimate interest — visualising the detected GPS data as a core function of a privacy tool).

Recipients:

OpenStreetMap Foundation (United Kingdom). An EU adequacy decision for the UK is in place (Art. 45 GDPR).

Trigger:

The map is only loaded when GPS coordinates are found in your file. Geocoding only runs on explicit input.

5.3 Hosting (Vercel)

Purpose:

Delivery and technical operation of the website; abuse protection.

Data:

IP address, browser type, referrer, HTTP request timestamp, requested URL.

Legal basis:

Art. 6(1)(f) GDPR (legitimate interest in secure, performant delivery of the website).

Recipients:

Vercel Inc., USA (server region Frankfurt, Germany). See section 8.

Retention:

Vercel retains access and function logs per standard retention of the booked tier (typically 1–7 days). Details at vercel.com/docs/observability/logs.

5.4 Payment Processing (LemonSqueezy Checkout)

Purpose:

Processing Premium purchases and delivering the license key.

Data:

Name, email address, payment information, billing address (all inputs happen directly on the external LemonSqueezy checkout page, not on our site).

Legal basis:

Art. 6(1)(b) GDPR (performance of a contract — purchase and license delivery).

Recipients:

Sold through Link, LLC (f/k/a Lemon Squeezy LLC), USA — as merchant of record and independent controller (not processor). See section 8.

Retention:

Transaction data is retained by LemonSqueezy according to their commercial and tax retention obligations (typically 10 years). We do not store payment data ourselves.

LemonSqueezy Privacy: https://www.lemonsqueezy.com/privacy

5.5 Donations (Ko-fi, voluntary)

Purpose:

Accepting voluntary support.

Data:

Collected directly by Ko-fi. We do not receive payment data.

Legal basis:

Art. 6(1)(a) GDPR (consent through voluntary click on the Ko-fi link).

Recipients:

Ko-fi Labs Ltd. (United Kingdom). An EU-UK adequacy decision is in place.

Ko-fi Privacy: https://ko-fi.com/privacy

6.1 Cookie: NEXT_LOCALE

Purpose:

Store the user-selected language (German or English) so the site opens in the preferred language on subsequent visits.

Contents:

de / en

Type:

First-party, functional, SameSite=Lax

Lifetime:

1 year (or until manually removed)

Legal basis:

§ 25(2) No. 2 TTDSG (strictly necessary) in conjunction with Art. 6(1)(f) GDPR (legitimate interest).

The cookie is set automatically on your first visit and when you change the language. You may delete it at any time via your browser settings. Without the cookie, your language selection will not persist across sessions.

6.2 Local Storage / SessionStorage

The following values are stored exclusively on your device and never transmitted to our or third-party servers:

• mdg_license — Premium license status and tier. Lifetime: until license expiry (3 years) or manual deletion.
• mdg_theme — Light/dark theme. Lifetime: until manually removed.
• mdg_backoff — Temporary cool-down after failed entries. Session storage — cleared when the tab closes.
• mdg_free_strip_count — Counter of free removals in the current browser tab. Session storage.

Legal basis: § 25(2) No. 2 TTDSG in conjunction with Art. 6(1)(f) GDPR.

6.3 External Cookies During Checkout

When switching to the Premium checkout, you are redirected to the external LemonSqueezy page. Further cookies may be set there. See LemonSqueezy Privacy (https://www.lemonsqueezy.com/privacy).

8.1 Vercel Inc. (Hosting, USA)

Vercel Inc. is certified under the EU-US Data Privacy Framework (EU-US DPF). The European Commission adopted an adequacy decision for this framework on 10 July 2023. We transfer personal data to Vercel on the basis of this adequacy decision pursuant to Art. 45 GDPR.

Current certification: dataprivacyframework.gov/s/participant-search

8.2 Sold through Link, LLC (LemonSqueezy) (Payment Processing, USA)

Sold through Link, LLC — operating under the name "Lemon Squeezy" — processes payment data in the United States. We could not confirm a public EU-US Data Privacy Framework certification as of the date of this policy. Transfers therefore rely on the European Commission's Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, as incorporated in the LemonSqueezy Data Processing Agreement.

LemonSqueezy DPA: lemonsqueezy.com/dpa