privacy policy
last updated: february 2026
who is responsible
the controller for this website and service is:
Yvent e.U.
owner: Daniel Grammer
Am Sturz 24, 2491 Steinbrunn, Austria
email: [email protected]
phone: +43 677 645 903 42
FN 509298v, Handelsgericht Eisenstadt
UID: ATU66705005
what this policy covers
this policy explains what personal data we collect, why we collect it, who we share it with, and what rights you have. it applies to the nolocal.host website, dashboard, CLI tool, and tunnel service.
what data we process
account data
when you create an account, we store your email address, display name, and authentication provider (github, google, or email/password). for email accounts, we store a hashed version of your password — never the password itself.
legal basis: Art. 6(1)(b) GDPR — performance of contract.
OAuth data
when you sign in with github or google, we receive your user ID, email, and display name from the provider. we do not receive or store your password for those services.
legal basis: Art. 6(1)(b) GDPR — performance of contract.
subscription & payment reference data
if you subscribe to pro, we store reference IDs from our payment processor (creem) — specifically a customer ID, subscription ID, subscription status, and billing period. we never see or store your credit card number, billing address, or other payment details. creem acts as the merchant of record and handles all payment data directly.
legal basis: Art. 6(1)(b) GDPR — performance of contract. retention: reference IDs kept for 7 years per Austrian tax law (BAO § 132).
tunnel metadata
when you create a tunnel, we log your IP address, the assigned subdomain, and connection timestamps. this data is used for abuse prevention and service operation.
legal basis: Art. 6(1)(f) GDPR — legitimate interest (abuse prevention). retention: logs are kept for 90 days.
subdomain claims
we store your claimed subdomain, a claim token, and timestamps. free-tier claims expire after 7 days of inactivity. pro-tier claims are deleted immediately when the subscription ends.
legal basis: Art. 6(1)(b) GDPR — performance of contract.
API tokens
if you generate a CLI token, we store a hashed version of the token and a short prefix for display purposes. the full token is shown once at creation and cannot be retrieved again.
legal basis: Art. 6(1)(b) GDPR — performance of contract.
rate limiting data
we track request counts per IP address or email to prevent abuse. this data is window-based (minutes to hours) and automatically overwritten.
legal basis: Art. 6(1)(f) GDPR — legitimate interest (abuse prevention).
transactional emails
we send verification and password reset emails to your email address. these are processed through our SMTP provider (All-Inkl.com, Germany) and are not stored on our servers after sending.
legal basis: Art. 6(1)(b) GDPR — performance of contract.
tunnel visitor data (Art. 14 GDPR)
if you visit a website through a nolocal.host tunnel (e.g. someone shared a *.nolocal.host link with you), your HTTP request passes through our infrastructure. this means your IP address, browser headers (User-Agent, etc.), and request URLs are processed in transit.
we do not persistently store this traffic on our servers. however, cloudflare processes all traffic at its edge servers as part of TLS termination and security (see "cloudflare" below). the request is then proxied through to the tunnel creator's local machine — we have no control over what the tunnel creator does with your request data on their end.
legal basis: Art. 6(1)(f) GDPR — legitimate interest (service delivery).
cloudflare TLS termination
all HTTPS traffic to nolocal.host passes through cloudflare (Cloudflare, Inc., US). cloudflare terminates TLS at its edge servers, meaning your encrypted connection is decrypted at cloudflare's infrastructure, processed for security and delivery purposes, and then re-encrypted for transmission to our server. this is standard for websites using cloudflare and is necessary for DDoS protection, bot management, and content delivery.
on our current plan (Free), cloudflare does not persistently store request logs. cloudflare is certified under the EU-US Data Privacy Framework.
who processes your data
we use the following third-party processors. where processors are located outside the EU, we rely on the EU-US Data Privacy Framework (adequacy decision of 10 July 2023) and Standard Contractual Clauses (SCCs) as transfer mechanisms.
Cloudflare, Inc. (US)
CDN, DDoS protection, TLS termination, DNS, bot management
data: IP addresses, HTTP headers, request content in transit
transfer: EU-US DPF + SCCs
Hetzner Online GmbH (Germany)
cloud server hosting
data: all data stored on our server (database, logs)
Creem (merchant of record)
payment processing, VAT handling, invoicing, subscription management
data: email, name, payment details, subscription data
note: creem is the legal seller. we only store reference IDs.
GitHub, Inc. / Microsoft Corporation (US)
OAuth authentication (sign in with github)
data: OAuth user ID, email, display name
transfer: EU-US DPF + SCCs
Google LLC (US)
OAuth authentication (sign in with google)
data: OAuth user ID, email, display name
transfer: EU-US DPF + SCCs
ALL-INKL.COM — Neue Medien Münnich (Germany)
SMTP relay for transactional emails
data: recipient email address, email content
cookies
we only use cookies that are strictly necessary for the website to function. we do not use analytics, tracking, or marketing cookies. no consent banner is required under § 165 TKG 2021 for strictly necessary cookies.
session token
set by our app. contains your encrypted session (JWT). required for login.
duration: session or as configured. strictly necessary.
CSRF token
set by our app. protects authentication forms from cross-site request forgery.
duration: session. strictly necessary.
callback URL
set by our app. stores redirect destination after authentication.
duration: session. strictly necessary.
__cf_bm
set by cloudflare. bot management — distinguishes humans from bots.
duration: 30 minutes. strictly necessary.
cf_clearance
set by cloudflare. issued after passing a security challenge.
duration: up to 30 minutes. strictly necessary.
how long we keep your data
your rights
under GDPR, you have the following rights regarding your personal data:
to exercise any of these rights, email us at [email protected]. we will respond within 30 days.
right to complain
if you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Austrian data protection authority:
Österreichische Datenschutzbehörde
Barichgasse 40-42, 1030 Wien, Austria
email: [email protected]
website: dsb.gv.at
changes to this policy
we may update this privacy policy from time to time. if we make material changes, we will notify registered users by email. the current version is always available at nolocal.host/privacy.
contact
questions about this privacy policy? [email protected]