Security & Privacy
How we collect, use, and protect your data — and what your rights are under the GDPR.
Data Controller
[Company Name], [Address], Austria is the data controller responsible for your personal data processed through Recently. Contact: privacy@recently.so
What We Collect
We collect only what is necessary to operate the Service:
- Account data — email address and password (hashed) when you register
- Usage data — pages visited, products followed, session identifiers
- Technical data — IP address, browser type, device type (for security and analytics)
- Publisher data — company name, contact email, submitted update content
We do not collect payment data, sensitive personal data, or sell your data to third parties. Ever.
Legal Basis (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)) — processing your email to operate your account
- Legitimate interests (Art. 6(1)(f)) — security logging, fraud prevention, service improvement
- Consent (Art. 6(1)(a)) — analytics cookies and optional marketing communications (you can withdraw at any time)
- Legal obligation (Art. 6(1)(c)) — where required by Austrian or EU law
How We Use Your Data
- Providing and improving the Service
- Sending transactional emails (account, notifications you opt into)
- Analysing aggregate usage to improve product features
- Detecting and preventing abuse, fraud, or security incidents
- Complying with legal obligations
Data Retention
- Account data is retained for the lifetime of your account, then deleted within 30 days of account deletion
- Server logs are retained for 90 days for security purposes
- Anonymised analytics data may be retained indefinitely
- Legal records may be retained for up to 7 years as required by Austrian law
Third-Party Processors
We use a limited number of trusted sub-processors, all operating under GDPR-compliant data processing agreements:
- Supabase — database and authentication (hosted in EU)
- Vercel — hosting and edge delivery (EU region where applicable)
- Vercel Analytics — privacy-preserving, cookieless page analytics
We do not use Google Analytics, Meta Pixel, or other invasive third-party tracking.
Your Rights (GDPR)
Under the GDPR you have the following rights, exercisable by contacting privacy@recently.so:
- Access (Art. 15) — request a copy of the personal data we hold about you
- Rectification (Art. 16) — correct inaccurate or incomplete data
- Erasure (Art. 17) — request deletion of your data ("right to be forgotten")
- Restriction (Art. 18) — limit how we process your data in certain circumstances
- Portability (Art. 20) — receive your data in a machine-readable format
- Objection (Art. 21) — object to processing based on legitimate interests
- Withdraw consent — at any time where processing is based on consent
We will respond to all requests within 30 days. You also have the right to lodge a complaint with the Austrian Data Protection Authority (dsb.gv.at).
Security Measures
- All data transmitted over TLS 1.2+ (HTTPS enforced)
- Passwords hashed using bcrypt with a strong work factor
- Database access restricted by row-level security policies
- Infrastructure hosted within EU data centres
- Regular dependency audits and security updates
- No sensitive data stored in client-side storage
Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Austrian Data Protection Authority within 72 hours and affected users without undue delay, as required by GDPR Art. 33–34.
International Transfers
We aim to process all data within the EU/EEA. Where any transfer outside the EEA is necessary (e.g. via a sub-processor), we ensure it is covered by Standard Contractual Clauses (SCCs) approved by the European Commission.
Contact & DPO
For privacy inquiries, data subject requests, or to reach our Data Protection contact: privacy@recently.so. We aim to respond within 5 business days.
Last updated: April 2025