Privacy Policy
Last Updated: January 31, 2026
Applicable to EU/EEA Residents: This policy complies with the General Data Protection Regulation (GDPR) and ePrivacy Directive. If you are a resident of the EU/EEA, the rights described in Section 5 apply to you.
1. Data Controller Information
Company Name: WeKeKe
Email: privacy@flingpalm.com, wekekeprivacy@gmail.com
Address: Raffineriestraße 46, 06112, Halle (Saale)
Data Protection Officer: privacy@flingpalm.com, wekekeprivacy@gmail.com
2. What Personal Data Do We Collect?
When You Sign In with Google (FedCM)
When you authenticate through FedCM, we collect:
- Email address (your Google account email)
- Full name (from your Google profile)
- Profile picture URL (optional, if available)
- Google account unique identifier (sub claim)
Automatically Collected Information
- IP address (for security and abuse prevention)
- Device type and browser information
- Pages visited and features used (analytics)
- Login timestamps and authentication events
Legal Basis for Collection
Lawful Basis (GDPR Article 6):
- Consent: You explicitly consent by clicking "Sign in with Google" and accepting the FedCM dialog
- Legitimate Interest: Preventing fraud, maintaining account security, improving service quality
- Necessity: Data required to create and manage your account
3. How We Use Your Data
- Account Creation and Management: Create your account, manage login credentials, recover access
- Security: Prevent fraud, detect unauthorized access, maintain system security
- Communication: Send critical account notifications, security alerts, password resets
- Legal Compliance: Comply with tax, employment, and legal obligations
- Analytics (with consent): Understand how you use our service to improve features
What We Do Not Do
- We do not sell or trade your data to third parties
- We do not use your data for targeted advertising
- We do not share your data with marketing partners
- We do not use your data for price discrimination
- We do not track you across other websites (FedCM prevents this)
4. Google Integration and Data Sharing
FedCM (Federated Credential Management)
When you sign in with Google, we use the browser's FedCM API for a privacy-preserving authentication experience:
- Privacy-First: Google does not track you across websites when using FedCM
- No Third-Party Cookies: FedCM explicitly blocks cross-site cookie tracking
- Explicit Consent: Each login requires your manual approval in the FedCM dialog
- Minimal Data: Only essential identity information is shared (email, name, picture)
Data Shared with Google
Your use of Google Sign-In is governed by Google's Privacy Policy. We share only the minimum data necessary for authentication. Google processes your data according to their own privacy policies, which may differ from ours.
5. Your Rights (GDPR Articles 12-22)
If you are a resident of the EU/EEA, you have the following rights regarding your personal data:
Right of Access (Article 15)
Request a copy of all personal data we hold about you in a machine-readable format.
Right of Rectification (Article 16)
Request correction of inaccurate or incomplete data. You can update your profile information directly in your account settings.
Right to Erasure (Article 17 - Right to be Forgotten)
Request deletion of your data, except where we have a legal obligation to retain it. Account deletion is permanent and irreversible.
Right to Restrict Processing (Article 18)
Request that we limit how we use your data while you dispute its accuracy or our lawful basis.
Right to Data Portability (Article 20)
Receive your data in a structured, machine-readable format (JSON) and transfer it to another service.
Right to Object (Article 21)
Object to the processing of your data for marketing, analytics, or other legitimate interests.
How to Exercise Your Rights
Email privacy@flingpalm.com or wekekeprivacy@gmail.com with the subject line "GDPR Request: [Type of Request]" and include:
- Your full name and email address
- Type of request (access, rectification, erasure, etc.)
- Specific data you are requesting
- Copy of ID verification (last 4 digits of ID number)
Response Time: We will respond within 30 days (extendable to 90 days for complex requests).
6. Data Retention
- Account Data: Retained while your account is active
- After Account Deletion: Permanently deleted within 30 days (soft delete with 30-day recovery window)
- Backup Data: Retained for up to 90 days for disaster recovery, then purged
- Security Logs: Retained for 90 days for fraud detection and abuse prevention
- Analytics: Aggregated data (no personal identifiers) retained for 12 months
- Legal Holds: Data may be retained longer if required by law (court orders, tax obligations, etc.)
7. International Data Transfers
Data Transfers Outside the EU/EEA
If we transfer your data outside the EU/EEA (for example, to cloud infrastructure), we use Standard Contractual Clauses (SCCs) as approved by the European Commission to ensure GDPR compliance.
Google Transfers
Google has certified its adequacy under the EU-US Data Privacy Framework. Your data may be transferred to US servers when using Google Sign-In.
8. Security Measures
- HTTPS Encryption: All data in transit is encrypted with TLS 1.3
- Password Hashing: Passwords are hashed with bcrypt (not stored in plaintext)
- Token Security: Authentication tokens are encrypted and stored securely
- Database Encryption: Data at rest is encrypted using AES-256
- Access Controls: Role-based access control limits who can access data
- Audit Logs: All data access is logged and monitored
- Regular Security Audits: Third-party security assessments conducted annually
- Incident Response: 72-hour breach notification as required by GDPR
9. Cookies and Local Storage
Essential Cookies (No Consent Required)
- Authentication Token: Keeps you logged in (expires after 30 days of inactivity)
- CSRF Token: Prevents cross-site request forgery attacks
- Session ID: Tracks your current session
Non-Essential Cookies (Requires Consent)
- Analytics Cookies: Google Analytics (anonymized, can be disabled)
- Preference Cookies: Theme preference (dark or light mode)
FedCM and Cookies
FedCM explicitly prevents third-party cookies and cross-site tracking. Even if Google sets first-party cookies for their services, they cannot be used for cross-site tracking under FedCM compliance.
How to Control Cookies
You can control cookies in your browser settings. Disabling essential cookies may prevent login functionality. Non-essential cookies can be disabled without impacting core features.
10. Third-Party Services
We use the following third-party services, which have their own privacy policies:
- Google Sign-In: Google Privacy Policy
- Firebase (Backend): Google Cloud Privacy
- Analytics: Google Analytics Privacy
We are not responsible for the privacy practices of third-party services. Review their policies before use.
11. Data Breaches and Incident Response
EU and GDPR Requirement (Article 33): If we discover a personal data breach, we will:
- Notify affected users within 72 hours of discovery
- Notify the supervisory authority (your national data protection authority)
- Provide clear information about what data was compromised
- Recommend protective measures
In Germany, breaches must be reported to the German Federal Data Protection Commissioner (BfDI) or your regional data protection authority.
12. EU Data Protection Authorities (Supervisory Authorities)
If you believe your rights have been violated or want to file a complaint, you can contact your national data protection authority:
- Germany (Saxony-Anhalt): Landesbeauftragte fuer Datenschutz Sachsen-Anhalt
- Germany (Federal): Bundesbeauftragte fuer Datenschutz und Informationsfreiheit (BfDI)
- Complete List: European Data Protection Board Members
Complaints are free and you do not need a lawyer. The authority will investigate your complaint at no cost.
13. Changes to This Policy
We may update this Privacy Policy at any time. We will notify you of material changes via email or a prominent notice on our website. Your continued use of our service constitutes acceptance of the updated policy.
14. Contact and Support
Questions about this privacy policy?
- Email: privacy@flingpalm.com or wekekeprivacy@gmail.com
- Data Protection Officer (if applicable): privacy@flingpalm.com or wekekeprivacy@gmail.com
- Mailing Address: [Your Company Address]
We will respond to all inquiries within 10 business days.
By using our service, you consent to this Privacy Policy.
Last Updated: January 31, 2026 | Version 1.0