Privacy Policy
Last updated: May 2026
1. Controller
The data controller for klot.net is the klot.net project.
Contact: privacy@klot.net
2. What Data We Collect
2.1 Account Data (if you create an account)
When you register, we store your email address, your chosen username, and a bcrypt hash of your password (the password itself is never stored). We also record whether your email address has been verified and, if you enable Two-Factor Authentication, the TOTP secret for your account.
Purpose: Providing access to the service.
Legal basis: Performance of a contract (GDPR Art. 6(1)(b)).
Retention: Until you delete your account.
2.2 User-Generated Content
Your display name and the text you write are stored when you comment on photo galleries or audio sets, or when you create public calendar events and RSVPs.
Purpose: Displaying community content.
Legal basis: Performance of a contract (GDPR Art. 6(1)(b)).
Retention: Until you delete the content or your account.
2.3 User Preferences
If logged in, your selected default country, city, and timezone are saved so the calendar shows locally relevant events.
Purpose: Personalizing the experience.
Legal basis: Performance of a contract (GDPR Art. 6(1)(b)).
Retention: Until you change them or delete your account.
2.4 Security Logs
We record your IP address when you register and on each login attempt, so that we can detect and block abuse, brute-force attacks, and spam.
Purpose: Fraud prevention and security monitoring.
Legal basis: Legitimate interest (GDPR Art. 6(1)(f)).
Retention: Indefinitely.
3. Cookies and Client-Side Storage
klot.net uses minimal tracking:
- Session cookie - A single cookie holds the identifier of your server-side session and maintains your login state. It is set httpOnly and SameSite=Lax, is discarded when you close your browser, and the session it refers to is invalidated on the server after 30 minutes of inactivity. This cookie is strictly necessary for the service to function.
- localStorage - Your dark mode preference is stored locally in your browser. This data never leaves your device and is not personal data.
We do not use analytics cookies, advertising cookies, or any third-party tracking.
4. How We Use Your Data
Your data is used solely to operate and provide the klot.net service. We do not sell, rent, or share personal data with any third party. We do not use your data for profiling or automated decision-making.
5. Data Security
We take the following measures to protect your data:
- Passwords are hashed with bcrypt and never stored in plaintext
- All database queries use prepared statements to prevent SQL injection
- CSRF tokens protect all state-changing requests
- Sessions time out after 30 minutes of inactivity
- Two-Factor Authentication (TOTP) is available for all accounts
- Security headers (HSTS, Content-Security-Policy, X-Frame-Options) are set server-side by Nginx
6. Data Transfers
All data is processed and stored on servers located within the European Union / European Economic Area. No personal data is transferred outside the EEA.
7. Your Rights
Under GDPR, you have the right to:
- Access - request a copy of the personal data we hold about you
- Rectification - correct inaccurate data
- Erasure - request deletion of your data ("right to be forgotten")
- Portability - receive your data in a structured, machine-readable format
- Restriction - request that we limit processing of your data
- Objection - object to processing based on legitimate interest
You can manage most of these directly through your account settings page. For other requests, email privacy@klot.net.
You also have the right to lodge a complaint with your national data protection authority.
8. Changes to This Policy
We may update this privacy policy to reflect changes in how we operate. Material changes will be noted on this page with an updated date.