Privacy Policy
patchletter is built to be deliberately data-minimal: the only required datum is an email address. No tracking pixels in emails, no advertising cookies, servers in Germany.
1. Controller
Kolja Sagorski, sagorski.it, Meisterweg 16, 45896 Gelsenkirchen, Germany — hello@patchletter.com
2. What data we process — and why
a) Account & sign-in (magic link)
To sign you in, we store your email address and the time of confirmation (double-opt-in record). There is no password; the sign-in link is valid for 15 minutes. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
b) Update emails
We store your subscribed products and delivery settings (frequency, time, time zone, “security only”) and a log of the notifications sent (subject, referenced releases, provider ID) for 12 months. Our emails contain no open trackers. Every email includes a one-click unsubscribe link. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
c) Deliverability events
Our mail service reports non-delivery (bounce) and complaints to us. We store these events for 24 months and suppress affected addresses from sending. Legal basis: legitimate interest in deliverability and abuse prevention (Art. 6(1)(f) GDPR).
d) Server logs
When the website is accessed, technically necessary logs are created (IP address, time, requested URL, user agent). They serve operation and attack detection and are deleted after 14 days. Legal basis: Art. 6(1)(f) GDPR.
e) Analytics (Umami)
We use the self-hosted, cookieless analytics tool Umami. No cookies are set and no cross-device profiles are created; IP addresses are not stored. Legal basis: Art. 6(1)(f) GDPR. Only technically necessary session cookies for the login are used — hence no cookie banner.
f) Tool suggestions
When you suggest a tool, we store the name/URL/note and, optionally, your email address (only to notify you if it is added).
3. Recipients & processors
- Hetzner Online GmbH, Germany — hosting (data-processing agreement in place)
- Email delivery via our own mail server (smtp.sagorski.it) at Hetzner in Germany — no external delivery provider
- Cloudflare, Inc. — solely DNS name resolution for the domain; website and mail traffic do not run through Cloudflare
No transfer to third countries takes place.
4. Retention & deletion
- Account: until you delete it — in the dashboard with one click, an immediate hard delete of all data.
- Inactive accounts (24 months without login) receive a reactivation email and are otherwise deleted.
- Notification log: 12 months · deliverability events: 24 months · server logs: 14 days.
5. Your rights
You have the right to access, rectification, erasure, restriction of processing, data portability and objection (Art. 15–21 GDPR). To exercise them, contact hello@patchletter.com. Right to complain: the competent supervisory authority is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (Germany).
Last updated: July 2026