Privacy Policy
Last updated: March 20, 2026
1. Data controller
The data controller is the Errarium project (errarium.org), hereinafter "Errarium", "we". Contact address: [email protected].
2. Data we collect
During registration and sign-in:
- Via OAuth providers (Google, Apple, GitHub): name, email, profile photo — transmitted by the provider automatically
- Via email/phone + password: email or phone number, password hash (bcrypt; the plain password is never stored)
During service use (voluntary):
- Date, time, and place of birth — for method calculations
- Analysis and calculation results
- Journal entries
- Interface preferences (language, theme)
Automatically:
- Sign-in date and provider (login log, last 200 entries)
- Technical request data (IP address, User-Agent) — processed by hosting (Vercel), we do not store them separately
3. Legal basis for processing
- Performance of a contract (Art. 6(1)(b) GDPR) — providing service functionality
- Consent (Art. 6(1)(a) GDPR) — processing date of birth and other voluntary data
- Legitimate interest (Art. 6(1)(f) GDPR) — service security, login audit log
4. Purposes of processing
- User authentication and identification
- Performing calculations using selected methods
- Saving analysis results in your personal space
- Maintaining a journal
- Security (detecting unauthorized access)
5. Third parties and data transfers
We use the following data processors:
- Vercel Inc. (USA) — application hosting
- Neon Inc. (USA) — cloud PostgreSQL database
- Google LLC — OAuth authentication (only if Google sign-in is chosen)
- Apple Inc. — OAuth authentication (only if Apple sign-in is chosen)
- GitHub Inc. — OAuth authentication (only if GitHub sign-in is chosen)
Data may be transferred to the USA, where the servers of the listed companies are located. Transfers are based on Standard Contractual Clauses (SCC) and/or adequacy decisions adopted by the European Commission.
We do not sell, rent, or share your data with advertisers or other third parties.
6. Storage and retention
- Account data — until the account is deleted by the user or upon request
- Analysis results and journal — until deleted by the user or until the account is deleted
- Login log — last 200 entries (older entries are deleted automatically)
- After account deletion, all associated data is removed within 30 days
7. Cookies
We only use strictly necessary (technical) cookies for maintaining the authentication session (NextAuth.js session token, CSRF token). No advertising, analytics, or marketing cookies are used. A cookie consent banner is not required as only necessary cookies are used (Recital 30, ePrivacy Directive).
8. Your rights
Under GDPR and applicable law, you have the right to:
- Access — view your data in your personal space
- Rectification — edit your profile and data
- Erasure — request complete deletion of your account and all data
- Portability — export your data in a machine-readable format
- Restriction — pause processing upon request
- Objection — withdraw consent for voluntary data processing
- Complaint — contact your country's data protection authority
To exercise your rights, send a request to [email protected]. We will respond within 30 days.
9. Children
The service is not intended for persons under 16 years of age. We do not knowingly collect data from children. If you believe a child has provided us with their data, contact us to have it removed.
10. Security
- Data transmission encryption (HTTPS/TLS)
- Password hashing (bcrypt, 12 rounds)
- JWT tokens for sessions (not stored on the server)
- Role-based access control (user, expert, admin)
11. Changes to this policy
We may update this policy. The current version is always available on this page with the last updated date. For significant changes, we will notify registered users by email.
12. Contact
For all questions related to privacy and data protection: [email protected]
