Privacy Policy
Last updated: May 2026
1. Controller
The controller responsible for processing personal data under the General Data Protection Regulation (GDPR) is:
Prokop Solutions, Inh. Jonas Prokop
Matthias-Grünewald-Str. 6
78224 Singen
Germany
Email: info@addin.studio
2. General principles
We process personal data only to the extent necessary to provide a functional website, our content and services. Processing is based on consent (Art. 6 (1) (a) GDPR), contract performance (Art. 6 (1) (b) GDPR), legal obligations (Art. 6 (1) (c) GDPR) or our legitimate interest (Art. 6 (1) (f) GDPR).
3. Server log files
When you visit our site, our hosting provider automatically records the following information, transmitted by your browser, in server log files:
- IP address (truncated after 7 days)
- Date and time of the request
- Page requested
- HTTP status code
- Bytes transferred
- Referrer URL
- Browser, OS and language
Legal basis: Art. 6 (1) (f) GDPR. Legitimate interest: site security, stability and optimisation. Logs are deleted after at most 30 days.
4. Account & authentication
If you create an account, we process the following data:
- Email address
- Password (stored only as a salted hash)
- Optional: display name, company, location
- Sign-up and last sign-in timestamps
- Session cookies to maintain your sign-in
Legal basis: Art. 6 (1) (b) GDPR (contract performance). Retention: until you delete your account. You can delete it at any time under “Settings → Account deletion”; data is then erased without delay.
5. Project and library data
As part of using the service we store the ribbon projects, snippets and icon uploads you create in our database so they persist between sessions.
Legal basis: Art. 6 (1) (b) GDPR. Retention: until you delete the item or your account.
6. Payment processing via Polar
For paid plans (Pro, Team) we use the payment provider Polar Software, Inc. When you purchase, you are redirected to a secure Polar checkout page. We do not receive your payment details (card number, bank data) — only confirmation of the payment and invoicing data.
Legal basis: Art. 6 (1) (b) GDPR (contract performance) and Art. 6 (1) (c) GDPR (statutory retention obligations under § 147 of the German Tax Code). Tax-relevant records are retained for 10 years.
Polar privacy notice: polar.sh/legal/privacy.
7. Cookies
We use only strictly necessary cookies:
- Supabase auth cookies (sb-access-token, sb-refresh-token): keep you signed in. Lifetime: until logout or token expiry.
- NEXT_LOCALE: chosen language (de/en). Lifetime: 1 year.
- theme: light/dark preference. Lifetime: 1 year.
We do not set any tracking, advertising or analytics cookies. Legal basis: Art. 6 (1) (f) GDPR (for necessary cookies) / § 25 (2) No. 2 TDDDG (exemption for strictly necessary cookies).
8. Fonts
We use the typefaces “Plus Jakarta Sans”, “Instrument Serif” and “JetBrains Mono”, served directly from our own server (self-hosting via Next.js). Your browser does not connect to Google Fonts or any other third-party font CDN.
9. Processors / recipients
We use the following processors. We have concluded data processing agreements with each of them under Art. 28 GDPR:
- Mittwald CM Service GmbH & Co. KG — Web hosting (server, database, log files)
  Königsberger Straße 4–6, 32339 Espelkamp, Germany
  Region: EU (Germany)
  https://www.mittwald.de/datenschutz
- Supabase Inc. — Authentication, database hosting (project data, snippets, icons)
  970 Toa Payoh North #07-04, Singapore 318992
  Region: EU region (Frankfurt) — Standard Contractual Clauses
  https://supabase.com/privacy
- Polar Software, Inc. — Payment processing (Pro/Team plans)
  2261 Market Street #4382, San Francisco, CA 94114, USA
  Region: USA — Standard Contractual Clauses + EU-US Data Privacy Framework
  https://polar.sh/legal/privacy
10. International data transfers
Where data is transferred to recipients outside the European Economic Area (e.g. Polar in the US, Supabase headquartered in Singapore), the transfer is based on the EU Standard Contractual Clauses (Art. 46 (2) (c) GDPR). For US transfers we additionally rely on the EU-US Data Privacy Framework where the recipient is certified. Our Supabase database region is set to EU (Frankfurt).
11. Your rights
Under the GDPR you have the following rights:
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Objection (Art. 21)
- Withdrawal of consent at any time (Art. 7 (3))
To exercise your rights, an informal message to info@addin.studio is sufficient.
Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). In Germany, this is the state data protection authority of your federal state; an overview is available at bfdi.bund.de.
12. Data security
This site uses TLS encryption (HTTPS, HSTS pre-loaded) to protect the transmission of confidential content. Passwords are stored only as a salted hash (bcrypt/scrypt via Supabase Auth).
13. Changes to this policy
We may update this privacy policy when new features are introduced or the legal situation changes. The current version is always available on this page.