Privacy Policy · CashColt

1. Controller (Art. 4 (7) GDPR)

Cosmic Drift Game Studio Marc Frost Slevogtstr. 10 04159 Leipzig Germany Privacy contact: hello@kumiko.rocks

2. What we process

Account data: e-mail address, display name and a hashed password once you create an account.
Financing data: loan and amortization figures you enter (loan amount, interest rate, term, extra payments). They stay tied to your account and are not shared with third parties for marketing or advertising.
Session data: a strictly necessary cookie keeps you signed in.

3. Purpose and legal basis

Processing is for providing the service (GDPR Art. 6(1)(b)) and for legitimate interests in secure operation (Art. 6(1)(f)).

4. Retention and security

Financing data: while your account is active; deleted with your account within 30 days unless statutory retention applies.
Server logs: max. 7 days.
Support email correspondence: until handled, at most 24 months.

Financing data is stored in databases on servers in Germany. Passwords are stored hashed only; production data access is limited to operations.

5. Cookies

We use only a strictly necessary auth-session cookie (Art. 6(1)(f)). No tracking, no analytics, no cookie banner required.

6. Your rights in the service

CashColt provides data export and account deletion directly from account settings.

The German version of this policy (/legal/datenschutz) is the legally binding one.

Sub-processors

We use the following sub-processors per GDPR Art. 28:

| Provider | Purpose | Location | Data processed | |---|---|---|---| | Hetzner Online GmbH | App hosting, database, server logs | Germany (Falkenstein) | IP address, user-agent, request time, application and account data | | Meilisearch (on Hetzner) | Full-text search of application data (where enabled) | Germany | Indexed text and metadata | | Brevo (Sendinblue GmbH / Brevo SAS) | Transactional email (e.g. password reset, when configured) | EU/France | Email address, name, delivery status | | Stripe Payments Europe, Ltd. / Mollie B.V. | Payment processing (when enabled for the app) | EU (Ireland/Netherlands) | Payment status, billing data |

We have DPAs with Hetzner and configured EU providers per GDPR Art. 28.

Third-country transfers

Transfers to third countries occur only where necessary for operation (e.g. via configured payment or email providers) and are safeguarded by DPAs and Standard Contractual Clauses (SCC) or equivalent guarantees. Core application data and search indexes are processed at Hetzner in Germany.

Details: Sub-processor list

Your Rights

Per Art. 15–22 GDPR. Requests to hello@kumiko.rocks.

Right to Complain

You may complain to your local supervisory authority or to the supervisory authority responsible for us: Saxon Data Protection and Transparency Commissioner (SDTB), Maternistraße 17, 01067 Dresden, Germany, post@sdtb.sachsen.de, https://www.datenschutz.sachsen.de/.