Privacy Policy
Last updated: [DATE] · Version: 1.0
1. Data controller
[COMPANY NAME ApS]
CVR no.: [CVR-NO]
Address: [ADDRESS]
Email: gdpr@kapitel.app
2. What personal data do we collect?
| Category | Examples | Source |
|---|---|---|
| Account data | Email, display name, password (encrypted) | You provide at registration |
| Preferences | Language, favourite genres, reading format | You provide at registration and in settings |
| Book club data | Club memberships, role, invitations | Created through use of the service |
| Technical data | IP address, browser (user agent), session cookies | Automatically during use |
We do not collect payment information, national ID numbers or precise location data.
3. Purposes and legal basis
| Purpose | Legal basis (GDPR) |
|---|---|
| Create and maintain your account | Art. 6(1)(b) — necessary to provide the service |
| Display your book clubs, preferences and content | Art. 6(1)(b) — necessary to provide the service |
| Send transactional emails (confirmations, invitations) | Art. 6(1)(b) — necessary to provide the service |
| Security and abuse prevention | Art. 6(1)(f) — legitimate interest |
| Send newsletters and recommendations | Art. 6(1)(a) — your consent (can be withdrawn at any time) |
4. Who do we share data with?
We never sell your data. We use the following data processors to operate the service:
| Provider | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (Frankfurt) |
| Vercel Inc. | Frontend hosting | USA / EU edge |
| Railway Corp. | Backend and queue hosting | USA |
Transfers to the USA are based on the EU-US Data Privacy Framework and/or EU Standard Contractual Clauses (SCC).
5. Retention
| Data | Retention period |
|---|---|
| Account data | As long as you have an active account |
| Book club data | As long as you have an active account |
| Preferences | As long as you have an active account |
| Technical log files | Max 90 days |
When you delete your account, your data is anonymized (email is replaced, name is removed). Data required by law (e.g. bookkeeping obligations) may be retained for up to 5 years.
6. Your rights
You have the following rights under GDPR:
- Access — obtain a copy of your data (Art. 15)
- Rectification — correct inaccurate data (Art. 16)
- Erasure — have your data deleted (Art. 17)
- Restriction — restrict processing (Art. 18)
- Data portability — receive your data in a structured format (Art. 20)
- Objection — object to processing based on legitimate interest (Art. 21)
- Withdraw consent — at any time, without affecting the lawfulness of prior processing (Art. 7)
You can export and anonymize your data directly in account settings. For other requests: gdpr@kapitel.app. We respond within 30 days.
7. Cookies
We only use technically necessary cookies:
| Cookie | Purpose |
|---|---|
sb-* | Supabase session (authentication) |
NEXT_LOCALE | Your selected language |
8. Children
The service is not directed at children under 13. We do not knowingly collect data from children under 13. If we discover an account belonging to a child under 13, we will delete it.
9. Changes
We may update this policy. For material changes we will notify you via email or in the service. The current version is always available at kapitel.app/privacy.
10. Complaints
If you believe we are processing your data unlawfully, you may lodge a complaint with:
Danish Data Protection Agency (Datatilsynet)
Carl Jacobsens Vej 35, 2500 Valby, Denmark
datatilsynet.dk
If you reside in another EU/EEA country, you may also contact your local supervisory authority.
[COMPANY NAME ApS] — CVR [CVR-NO] — [ADDRESS] — gdpr@kapitel.app