Privacy Policy
Controller
Gerhard Benjamin Peter (sole proprietor)
Weidenhäuser Str. 73
35037 Marburg, Germany
Email: bp@ben-peter.com
What This Policy Covers
This policy describes how Web Resource Ledger (“WRL”, “the service”) collects, uses, stores, and protects personal data when you use the WRL API or web interface at api.webresourceledger.com.
Data We Collect
Account Data (GitHub OAuth)
When you sign in with GitHub, we receive and store:
- GitHub user ID — a stable numeric identifier assigned by GitHub
- GitHub username — your current GitHub display name (updated on each login)
We request the read:user and user:email scopes from GitHub. This allows us to receive your GitHub user ID, username, and primary verified email address. The GitHub access token used during login is discarded immediately after fetching your identity — it is never stored.
Email Addresses
We collect and store your email address in two ways:
- From GitHub OAuth — when you sign in, we receive your primary verified email address from GitHub (via the user:email scope) and store it in your notification preferences as the default delivery address for transactional notifications.
- Manual entry — you may update your notification email address directly in the web interface. Only the verified address is stored; any pending (unverified) address is held temporarily until the verification link is clicked.
Email addresses are used solely to deliver transactional notifications (capture failures, quota alerts, email verification messages). They are not used for marketing.
Session Data
When you log in, we create a server-side session:
- A session cookie (__Host-wrl_session) is set in your browser. It is HttpOnly, Secure, SameSite=Lax, and expires after 7 days.
- Only a SHA-256 hash of the session value is stored on our servers. The raw session value exists only in your browser cookie.
This cookie is strictly necessary for authentication. It is not used for tracking or advertising.
API Keys
When you create an API key, we store a SHA-256 hash of the key for authentication. The raw key is shown once at creation and never stored.
IP Addresses
We do not store your raw IP address. For rate limiting and abuse prevention, we compute a pseudonymized identifier from your IP address using HMAC-SHA-256 with a daily rotating key. This identifier:
- Cannot be reversed to recover your IP address
- Changes every 24 hours (a different IP hash is produced each day)
- Is used in operational logs for abuse detection
This constitutes pseudonymized data under GDPR Article 4(5).
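As an added illustration (not WRL's own code), the pseudonymization described above in Python. It assumes a server-side master secret and a per-day key derived from it and the UTC date; the secret, the key derivation and the sample dates are constructed for this example.

```python
import hashlib
import hmac
import ipaddress
from datetime import date

# Constructed placeholder; a real deployment keeps this secret server-side.
MASTER_SECRET = b"constructed-sample-master-secret-do-not-use"

# Constructed sample days used to show the 24-hour rotation.
SAMPLE_DAY = date(2024, 1, 1)
NEXT_DAY = date(2024, 1, 2)


def daily_key(master_secret: bytes, day: date) -> bytes:
    """Derive the key for one UTC day (assumed derivation: HMAC over the ISO date)."""
    return hmac.new(master_secret, day.isoformat().encode(), hashlib.sha256).digest()


def pseudonymize_ip(ip: str, day: date, master_secret: bytes = MASTER_SECRET) -> str:
    """Return a hex HMAC-SHA-256 identifier for `ip` that is valid for `day` only.

    The address is canonicalised first so '::ffff:203.0.113.7' and '203.0.113.7'
    map to the same identifier. Because the key is secret, the output cannot be
    reversed, and the small IPv4 space cannot be enumerated to match hashes.
    """
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return hmac.new(daily_key(master_secret, day), addr.packed, hashlib.sha256).hexdigest()


def same_client(id_a: str, id_b: str) -> bool:
    """Constant-time comparison when correlating identifiers within one day's logs."""
    return hmac.compare_digest(id_a, id_b)


if __name__ == "__main__":
    ip = "203.0.113.7"  # RFC 5737 documentation address
    print(pseudonymize_ip(ip, SAMPLE_DAY))
    print(pseudonymize_ip(ip, NEXT_DAY))  # differs: the key rotated
```

Once a day's key is discarded, identifiers from that day can no longer be linked to a new request, which is what makes the rotation meaningful for retention.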
Capture Data
Each capture you submit records:
- The URL you requested to capture
- Timestamps (creation, completion)
- Capture artifacts (screenshot, rendered HTML, HTTP headers, signed WACZ bundle)
- The resolved IP address of the target website (not your IP — this is the IP address of the server hosting the page you captured)
Capture data is attributed to your tenant ID, not to your personal identity directly.
Terms of Service Acceptance
We record when you accepted the Terms of Service and which version you accepted.
Usage Data
We track monthly capture counts and storage usage per tenant for quota enforcement. This is operational data tied to your tenant ID.
Website Analytics
We count page visits across all WRL properties (landing page, documentation, API) using Pirsch Analytics, a privacy-focused analytics service operated by Emvi Software GmbH in Germany. Pirsch operates entirely server-side:
- No cookies are set for analytics purposes
- No client-side JavaScript is loaded for analytics
- Your IP address is transmitted to Pirsch for session fingerprinting but is never stored — it is hashed with a daily-rotating salt and discarded within milliseconds
- The resulting hash is domain-specific and cannot be used for cross-site tracking
We also track anonymous conversion events (signup, first API capture, payment activation) to understand how visitors become users. These events include your tenant ID but no personal data beyond what is listed above.
Legal Basis for Processing
| Data | Legal Basis | GDPR Article |
|---|---|---|
| GitHub identity (user ID, username) | Contract performance (providing the service you signed up for) | Art. 6(1)(b) |
| Email address | Contract performance (delivering transactional notifications you requested) | Art. 6(1)(b) |
| Session data | Contract performance (authenticating your requests) | Art. 6(1)(b) |
| API key hashes | Contract performance (authenticating your API requests) | Art. 6(1)(b) |
| Pseudonymized IP | Legitimate interest (abuse prevention, service security) | Art. 6(1)(f) |
| Capture data | Contract performance (the core service you requested) | Art. 6(1)(b) |
| Usage counters | Contract performance (quota enforcement) | Art. 6(1)(b) |
| Analytics data (IP, User-Agent, page URL) | Legitimate interest (understanding visitor traffic to improve the service) | Art. 6(1)(f) |
Data Retention
| Data | Retention |
|---|---|
| Account data (GitHub ID, username) | Until you request deletion or the service is discontinued |
| Email address | Until you remove it, request account deletion, or the service is discontinued |
| Sessions | 7 days from creation, then automatically deleted |
| API key hashes | Until you revoke the key or request account deletion |
| Pseudonymized IP hashes | In operational logs for up to 90 days |
| Capture data | Indefinitely, unless removed by the operator or upon your deletion request |
| Usage counters | Retained for the current and previous billing periods |
Third-Party Processors
| Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Cloudflare | Infrastructure (Workers, D1 database, KV storage, R2 object storage, Browser Rendering) | All service data | Global (Cloudflare network) |
| GitHub | Authentication (OAuth identity provider) | GitHub user ID and username during login only | USA |
| Coralogix | Operational logging and monitoring | Pseudonymized IP, tenant ID, event metadata (no raw personal data) | EU (eu2 region) |
| DigiCert | RFC 3161 timestamping (standard captures) | SHA-256 hash of capture bundle only (no personal data) | USA |
| Sectigo | eIDAS-qualified RFC 3161 timestamping (when eIDAS timestamps are enabled) | SHA-256 hash of capture bundle only (no personal data) | USA |
| Stripe | Payment processing (when applicable) | Payment and billing information you provide to Stripe | USA |
| Resend | Transactional email delivery (notifications, email verification) | Recipient email addresses and notification content | USA |
| Google (Web Risk API) | URL threat screening before capture is initiated | The URL submitted for capture (may contain personal data in query strings) | USA |
| Pirsch Analytics (Emvi Software GmbH) | Privacy-focused website analytics (server-side, no cookies) | IP address (processed transiently, never stored), User-Agent, page URL, Referer | Germany (EU) |
We maintain data processing agreements with our infrastructure providers as required by GDPR Article 28. For a detailed list of all subprocessors including data transfer mechanisms, see our Subprocessor List.
Your Rights
Under GDPR, you have the following rights regarding your personal data:
- Access (Art. 15) — request a copy of the personal data we hold about you
- Rectification (Art. 16) — request correction of inaccurate data (note: your GitHub username is automatically updated on each login)
- Erasure (Art. 17) — request deletion of your account and associated data
- Restriction (Art. 18) — request that we limit processing of your data
- Portability (Art. 20) — request your data in a structured, machine-readable format
- Object (Art. 21) — object to processing based on legitimate interest (pseudonymized IP processing)
To exercise any of these rights, email bp@ben-peter.com with the subject line “Data Request”. Include your GitHub username so we can locate your account. We will respond within 30 days.
Account Deletion
You may request complete deletion of your account and all associated data. Upon receiving a verified deletion request, we will:
- Delete your GitHub user record and all sessions
- Revoke all API keys
- Delete all capture records and stored artifacts
- Remove your tenant record and usage data
Pseudonymized IP hashes in operational logs cannot be attributed back to you after deletion and will expire naturally within 90 days.
Data Security
We implement the following security measures:
- All API keys and session tokens are stored as SHA-256 hashes — raw values are never persisted
- Session cookies use HMAC signing, the __Host- prefix, and the Secure, HttpOnly, SameSite=Lax attributes
- Ed25519 cryptographic signatures ensure capture integrity
- IP addresses are pseudonymized with daily key rotation
- All data in transit is encrypted via TLS
- OAuth authentication uses PKCE (Proof Key for Code Exchange) to prevent authorization code interception
- Rate limiting protects against abuse at multiple levels
Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. The competent authority for the controller is:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 31 63
65021 Wiesbaden, Germany
https://datenschutz.hessen.de
International Data Transfers
Some of our processors (GitHub, DigiCert, Sectigo, Stripe, Resend, Google) are based in the USA. Cloudflare processes data globally across its network. These transfers are conducted under appropriate safeguards, including the EU-US Data Privacy Framework and Standard Contractual Clauses where applicable. Pirsch Analytics processes all data exclusively on servers within the European Union (Germany). No international data transfer is required for analytics. See the Subprocessor List for the specific transfer mechanism for each processor.
Children
WRL is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at bp@ben-peter.com and we will delete it.
Changes to This Policy
We may update this policy from time to time. The effective date at the top reflects the most recent revision. We will not reduce your rights under this policy without your explicit consent.
Disclaimer
This document is a reasonable-effort privacy policy for a small, early-stage project. It is not professional legal advice. If your situation requires legal certainty, consult a qualified attorney.