Privacy Policy

Last updated: April 2026

Eine deutsche Fassung ist auf Anfrage erhältlich — hello@paywatcher.dev

1. Data Controller

masemIT e.U.

Mario Semper

Alleegasse 26, 3851 Kautzen, Austria

Email: hello@paywatcher.dev

Commercial Register: FN 661236g

VAT ID: ATU82330407

2. Data We Collect

We collect only the data necessary to provide and improve our service. Here is exactly what we collect, when, and why:

Data	When	Legal Basis	Retention
Email address (request access)	Landing page form	Art. 6(1)(b) — pre-contractual	Until onboarding or 6 months
Name, company, use case (request access)	Landing page form	Art. 6(1)(b) — pre-contractual	Until onboarding or 6 months
Email address (login)	Magic link login	Art. 6(1)(b) — contract performance	Duration of business relationship
Auth session token (cookie)	After login	Art. 6(1)(b) — contract performance	Session duration (max 30 days)
Tenant API key (encrypted)	After onboarding	Art. 6(1)(b) — contract performance	Duration of business relationship
Payment data (amount, status, txHash)	API usage	Art. 6(1)(b) — contract performance	7 years (Austrian retention law)
Webhook URLs	Settings configuration	Art. 6(1)(b) — contract performance	Duration of business relationship
IP address, browser info	Automatically on page visit	Art. 6(1)(f) — legitimate interest (security)	30 days (server logs)
Anonymous engagement metrics (page views, time on page, UTM source)	Automatically on page visit	Art. 6(1)(f) — legitimate interest	26 months
Analytics events — user behavior (section views, clicks, custom events)	With consent only	Art. 6(1)(a) — consent	26 months
Consent banner performance events (anonymous, aggregate)	When the banner is shown or a choice is made	Art. 6(1)(f) — legitimate interest	26 months

3. Legal Basis for Processing

We process your data under the following legal bases as defined by GDPR Article 6(1):

Consent — Art. 6(1)(a): Analytics tracking. You can grant or revoke consent at any time via the cookie banner or "Cookie Settings" in the footer.
Contract performance — Art. 6(1)(b): Login, API access, payment verification, webhook delivery — everything required to provide the service you signed up for.
Legitimate interest — Art. 6(1)(f): Security logging (IP address, user agent) to protect our systems and detect abuse.

4. Cookies & Tracking

Essential Cookies (always active)

These are required for the service to function. No consent needed.

Auth session cookie (NextAuth)
CSRF protection token
Consent preference (your cookie choice)
Device ID (anonymous identifier for consent audit trail)

Anonymous engagement metrics (no consent required)

We use masemIT Analytics (self-hosted at analytics.masem.at) — a privacy-focused analytics solution. The tracker runs in an anonymous mode by default and records only aggregate engagement metrics: page views, time-on-page buckets, UTM source, and referrer. No IP, no personal identifiers, no cross-site tracking. Legal basis: Art. 6(1)(f) GDPR — legitimate interest in understanding site usage.

Analytics — user behavior (only with your consent)

Detailed behavior tracking — section views, clicks, custom product events — is only activated after you click "Accept All" on the cookie banner. You can revoke this consent at any time via "Cookie Settings" in the footer.

Consent banner performance (no consent required)

To measure how our consent banner performs, we record three anonymous server-side events regardless of your choice:

banner_shown — the banner was displayed
granted: true — "Accept All" was clicked
granted: false — "Essential Only" was clicked

These events contain no personal data beyond your anonymous device ID (used for deduplication) and are used only to compute aggregate acceptance rates. Legal basis: Art. 6(1)(f) GDPR — legitimate interest in measuring and improving our consent experience.

5. Sub-Processors

We use the following third-party services to operate PayWatcher:

Service	Purpose	Location	Transfer Mechanism
Vercel	Hosting & CDN	USA	EU Standard Contractual Clauses
Neon	PostgreSQL database	EU (Frankfurt)	—
Resend	Transactional email	USA	EU Standard Contractual Clauses
QStash / Upstash	Message queue & cache	EU	—

7. Retention Periods

Auth tokens: Session duration (max 30 days)
Request access data: Until onboarding is completed or 6 months, whichever comes first
Payment verification data: 7 years (Austrian statutory retention requirement)
Analytics data: 26 months
Server logs: 30 days

8. Your Rights

Under GDPR, you have the following rights regarding your personal data:

Right of access — Request a copy of your data
Right to rectification — Correct inaccurate data
Right to erasure — Request deletion of your data
Right to restriction — Limit how we process your data
Right to data portability — Receive your data in a portable format
Right to object — Object to processing based on legitimate interest
Right to withdraw consent — Revoke analytics consent at any time via "Cookie Settings"

To exercise any of these rights, contact us at hello@paywatcher.dev.

You also have the right to lodge a complaint with the Austrian Data Protection Authority: dsb.gv.at

9. International Transfers

Some of our sub-processors (Vercel, Resend) are based in the USA. Data transfers to these services are safeguarded by EU Standard Contractual Clauses (SCCs), ensuring your data receives an adequate level of protection as required by GDPR.

10. Changes to This Policy

We may update this privacy policy from time to time. Changes will be published on this page with an updated "Last updated" date. We encourage you to review this page periodically.