Privacy

As of: April 2026.

1. Controller

Markus Flagner
Kiefernweg 19, 97084 Würzburg
Email: markus@flagner.com

2. What we collect

dadirri is intentionally data-thin. We only collect what's needed for generating your newsletter and signing you in.

2.1 Phrase

During onboarding you choose a three-word phrase. We store two derivations from it:

  • A SHA-256 hash as the file name. Not reversible — the phrase cannot be reconstructed from the hash.
  • A bcrypt hash inside the file, used to verify the phrase at sign-in. Also not reversible.

The phrase itself is never stored in plaintext or written to any log.

2.2 Personalisation prompt

What you tell us about yourself in onboarding step 3 is encrypted with AES-256-GCM and stored on the server. The key sits in a separate file with restricted read permissions. We decrypt the prompt only when generating a newsletter and then transmit it to the LLM provider (see section 4).

2.3 Push subscriptions

If you enable push notifications, we store the subscription provided by your browser (an endpoint URL plus two cryptographic keys). This lets us send a Sunday morning notification to your device. You can remove the subscription at any time from the settings page.

2.4 Session cookie

After sign-in we set a single httpOnly cookie (`dadirri_sid`) containing your user ID, signed with HMAC-SHA256. Lifetime one year. It is only sent to dadirri domains, never to third parties.

2.5 Server logs

At sign-in we briefly capture IP address, user agent and timestamp to enforce the rate limit (10 attempts per hour per IP). These logs are not retained or shared.

2.6 What we don't collect

No tracking cookies. No analytics. No third-party scripts. No advertising cookies. No email address.

3. Purposes and legal basis

All of the above is processed on the basis of Art. 6 (1) (b) GDPR (performance of contract) — specifically: to generate and deliver the weekly newsletter you requested.

4. Processors

We use two external service providers:

  • Anthropic, PBC (USA): Writes the newsletter from your personalisation prompt and the weekly research. Anthropic is certified under the EU-US Data Privacy Framework. More: anthropic.com/privacy.
  • Hetzner Online GmbH, Nuremberg, Germany: Hosts the server. EU-based, so no third-country transfer. More: hetzner.com/legal/privacy-policy.

Data processing agreements are in place with both providers.

5. Retention

Your data stays as long as your account exists. From the settings page you can choose "Delete account" at any time — all your data (hashes, encrypted prompt, push subscriptions, stored newsletter) is removed from the server immediately and completely.

Anonymous cost logs (for our own API budgeting) are kept without personal reference for at most 30 days.

6. Your rights

Under GDPR you have the following rights:

  • Access (Art. 15) — request to markus@flagner.com.
  • Rectification (Art. 16) — you can edit the personalisation prompt directly from the settings page.
  • Erasure (Art. 17) — directly in settings via "Delete account", no need to go through us.
  • Data portability (Art. 20) — on request we send you a JSON file with your decrypted data.
  • Complaint to the supervisory authority (Art. 77).

7. Cookies

We only use a single session cookie (see 2.4). It is technically required, hence no cookie banner. No third-party cookies.

8. Web push

Web push runs through the push servers of the browser vendors — Google for Chrome, Mozilla for Firefox, Apple for Safari (on iOS 16.4+ only inside apps added to the home screen as a PWA). When you enable push, your browser establishes a subscription with its vendor and hands us an endpoint URL plus two keys. We use these only to send a short Sunday-morning notification ("Your dadirri is here"). Push payloads are encrypted — the browser vendor only sees that a notification is being delivered to your device.

9. Privacy contact

Email: markus@flagner.com

dadirri · deep inner listening,
a word of the Ngan'gikurunggurr from Australia.