Privacy Policy

Last updated: March 2026

1. Data controller

Sam Wallmeier Ringofenstraße 87 63773 Goldbach Germany Email: hello@bolyst.eu

2. Data we collect

We collect and process the following data when you use Bolyst:

  • Account data: name, email address (provided via Clerk authentication)
  • Usage data: anonymized page views and interactions (via Vercel Analytics)
  • Content data: listings, comments, tags, and board content you create

3. Purpose of processing

  • Providing and operating the Bolyst service (Art. 6(1)(b) GDPR — contract performance)
  • User authentication and account management via Clerk (Art. 6(1)(b) GDPR)
  • Sending transactional emails such as board invitations via Brevo (Art. 6(1)(b) GDPR)
  • Anonymized usage analytics via Vercel Analytics (Art. 6(1)(f) GDPR — legitimate interest)

4. Third-party processors

  • ClerkAuthentication and user management (USA, with EU Standard Contractual Clauses)
  • SupabaseDatabase hosting and file storage (EU — Frankfurt, eu-central-1)
  • VercelWebsite hosting and anonymized analytics (global CDN, company based in USA with EU SCCs)
  • BrevoTransactional email delivery (EU — France)

5. Cookies

Bolyst uses only essential cookies required for the service to function: authentication session cookies (Clerk) and a language preference cookie (NEXT_LOCALE). We do not use any advertising or tracking cookies. No cookie consent banner is required as these are strictly necessary cookies exempt under Art. 5(3) of the ePrivacy Directive.

6. Your rights under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing (Art. 21 GDPR)

To exercise any of these rights, email us at hello@bolyst.eu.

7. Data retention

We retain your data for as long as your account is active. When you delete your account, all personal data and content you created will be deleted within 30 days. Anonymized analytics data is not linked to your identity and may be retained indefinitely.

8. Supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority depends on your state of residence. A list of authorities can be found at: https://www.bfdi.bund.de