Stat My Life
Your life, quantified.

Privacy Policy

Effective Date:

Scope: This Privacy Policy applies to all users of StatMyLife worldwide. We comply with the General Data Protection Regulation (GDPR), Norwegian Personal Data Act, and applicable international data protection standards.

1. Data Controller

StatMyLife, based in Norway, is the data controller responsible for your personal information. Given the nature and scale of our data processing, we are not required to appoint a Data Protection Officer (DPO) under GDPR Article 37. For privacy-related inquiries, contact markusfhc@statmylife.com.

2. Information We Collect

Information you provide directly:

Account Data: Email address, username, and password (stored only as a salted scrypt hash, never in recoverable form; see Section 6).

User Content: Activity logs, time tracking entries, and user preferences that you voluntarily input into the Service.

Information collected automatically:

Technical Data: IP address (used solely for rate limiting and security; see Section 10 for retention details), browser type and version, device information, and access times.

We do not collect location data, biometric data, or any information beyond what is strictly necessary to provide the Service.

3. Legal Basis for Processing

We process your personal data under the following legal bases:

Contractual Necessity: Processing is necessary to provide the Service you have requested (GDPR Article 6(1)(b)).

Consent: Where required, we obtain your explicit consent for specific processing activities (GDPR Article 6(1)(a)).

Legitimate Interests: We may process data to improve the Service, prevent fraud, and ensure security, where such interests are not overridden by your rights (GDPR Article 6(1)(f)).

4. How We Use Your Data

Your personal data is used exclusively for the following purposes:

(a) Providing access to and functionality of the Service;

(b) Authenticating your identity and maintaining account security;

(c) Sending transactional emails, including account verification codes;

(d) Analyzing aggregated usage patterns to improve Service features and performance;

(e) Complying with legal obligations and responding to lawful requests from authorities.

We do not use your data for marketing, profiling, automated decision-making, or any purpose not explicitly stated above.

5. Cookies and Tracking Technologies

We use only essential cookies and technologies required for Service functionality and security:

Authentication Cookie (auth_token): An httpOnly, secure cookie used to maintain your login session. This cookie cannot be accessed by JavaScript and expires after 7 days.

Cloudflare Turnstile: We use Cloudflare Turnstile on certain forms (e.g., registration, login) to prevent automated abuse. Turnstile may set essential cookies (such as cf_clearance) and process client-side metadata (browser characteristics, interaction signals) to distinguish legitimate users from bots. No personal data is stored by Turnstile beyond what is needed for the challenge. See Cloudflare's privacy policy for details.

Cloudflare CDN Cookies: Our website is served through Cloudflare's content delivery network, which may set functional cookies (such as __cf_bm) for bot management and security purposes. These cookies are strictly necessary and are not used for tracking or advertising.

We do not use analytics cookies, advertising cookies, social media tracking pixels, or third-party tracking technologies.

You may disable cookies through your browser settings, but this will prevent you from using the Service.

6. Data Storage and Security

Storage Location: Your data is stored on secure MySQL database servers hosted by Hostinger in the European Union (Lithuania). Data at rest remains within the EU.

Security Measures: We implement industry-standard security measures including SSL/TLS encryption for all data transmissions, scrypt-based password hashing with random salts, httpOnly and secure cookies, access controls, and regular security monitoring.

Data Breach Protocol: In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and relevant supervisory authorities within 72 hours as required by GDPR Article 33.

7. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data to third parties under any circumstances.

Service Providers: We share limited data with the following third-party service providers solely to deliver the Service:

  • Brevo (Sendinblue SAS): For transactional email delivery (verification codes only). Brevo processes data under GDPR-compliant terms. See their privacy policy at brevo.com/legal/privacypolicy.
  • Cloudflare, Inc.: For CDN, DDoS protection, SSL termination, and bot management (Turnstile). Cloudflare processes IP addresses, HTTP request headers, and TLS metadata at edge servers worldwide. Data processed by Cloudflare is subject to their privacy policy and GDPR commitments. Cloudflare acts as a data processor under Standard Contractual Clauses (SCCs) for any data transferred outside the EEA.
  • Hostinger International Ltd.: For database hosting within the EU. Hostinger processes data under GDPR-compliant terms. See their privacy policy at hostinger.com/privacy-policy.

Legal Disclosure: We may disclose your information if required by law, court order, or to protect our rights, safety, or property, or that of others.

8. International Data Transfers

Your primary data is stored on servers within the European Union. However, some data may be transferred internationally in the following circumstances:

Cloudflare: As a CDN provider, Cloudflare routes traffic through global edge servers, meaning your IP address and request metadata may be processed outside the EEA. These transfers are protected by Standard Contractual Clauses (SCCs) and Cloudflare's binding corporate rules.

Brevo: Transactional emails are processed within the EU. In the event data is routed through non-EU infrastructure, Brevo applies SCCs and additional safeguards.

We ensure that any international transfers comply with applicable data protection laws through appropriate safeguards including encryption, SCCs, and secure protocols.

9. Your Rights Under GDPR

You have the following rights regarding your personal data:

Right of Access (Article 15): Request a copy of all personal data we hold about you.

Right to Rectification (Article 16): Correct any inaccurate or incomplete data.

Right to Erasure (Article 17): Request deletion of your account and all associated personal data ("right to be forgotten").

Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format (JSON) and transmit it to another controller.

Right to Restriction of Processing (Article 18): Request temporary restriction of data processing under certain conditions.

Right to Object (Article 21): Object to processing based on legitimate interests.

Right to Withdraw Consent (Article 7(3)): Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact markusfhc@statmylife.com. We will respond within 30 days as required by GDPR Article 12.

You also have the right to lodge a complaint with your national data protection authority. For users in Norway, this is the Norwegian Data Protection Authority (Datatilsynet).

10. Data Retention

We retain your personal data only as long as necessary to fulfill the purposes outlined in this policy:

Active Accounts: Data is retained for the duration of your account's active status.

IP Addresses: IP addresses collected for rate limiting and security are stored in server memory only and are not persisted to the database. They are automatically purged when the server process restarts or the rate-limit window expires (typically within minutes to hours).

Deleted Accounts: Upon account deletion, all personal data is permanently deleted from our active database and application systems within 30 days. Automated database backups that may contain residual data are overwritten on a rolling cycle not exceeding 30 days, after which no recoverable copy remains. Retention beyond this period occurs only where required by law (e.g., tax records, legal disputes).

11. Children's Privacy

The Service is not directed to individuals under the age of 16 (or the age of majority in your jurisdiction, whichever is higher). We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it immediately. Parents or guardians who believe their child has provided us with personal data should contact markusfhc@statmylife.com.

12. Automated Decision-Making

We do not use automated decision-making or profiling as defined under GDPR Article 22. All decisions regarding your account are made by human review when necessary.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Material changes will be communicated via email to your registered address at least 30 days prior to taking effect. The updated policy will be posted on this page with a revised effective date. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

14. Contact Information

For questions, concerns, or to exercise your data protection rights, contact:

Email: markusfhc@statmylife.com
Data Controller: StatMyLife
Location: Norway