Privacy Policy

Last updated: 06/13/2026

This privacy policy explains which personal data OwnYard processes, for which purposes, and what rights you have. OwnYard is a service for managing used vehicle parts and is currently in public beta.

Controller

The controller responsible for data processing under the General Data Protection Regulation (GDPR) is:

OwnYard by Marcel Kraus
Marcel Kraus
Bonner Straße 88
50374 Erftstadt
Germany
Email: mail (at) ownyard.app

Please get in touch by email first.

What data we process

Account and master data

When you register and use your account, we process:

  • your username,
  • your email address,
  • your password (stored only as a cryptographic hash, never in plain text),
  • your language preference (German or English).

The legal basis is the performance of the usage contract (Art. 6(1)(b) GDPR).

Billing data

If you book a paid plan, we additionally process your billing address (first name, last name, company (optional), street, postal code, city and country) so that we can issue an invoice. The legal basis is the performance of the contract (Art. 6(1)(b) GDPR) and compliance with statutory retention obligations (Art. 6(1)(c) GDPR).

Profile data

You may optionally upload an avatar (profile picture). It is cropped to a square format and stored. If you do not upload an avatar, we do not process one.

Every account has a public profile page at the address /user/<your-username>, which can be opened by anyone — including without signing in. It shows your username, your avatar (if uploaded) and the month you registered. Your other content is not visible there without your release. The legal basis is the performance of the contract (Art. 6(1)(b) GDPR).

Content data

OwnYard stores the data you record yourself: vehicles, parts, storage locations, collections, saved filters, expenses and receipts (including uploaded receipt PDFs and images), vendors and comments. This data remains your data. With the exception of your username and your avatar, none of this information is publicly visible without your release. Where you voluntarily enter personal data of third parties — such as the name of an alternative vehicle owner — we process it on your behalf; you are responsible for ensuring that you are entitled to provide this data. The legal basis is the performance of the contract (Art. 6(1)(b) GDPR).

When you switch on your showcase (the toggle in your account), the details of the parts you marked “for sale” become publicly reachable and indexable by search engines: photos, title, specification, description, condition, quantity, OE numbers, model years, colours, mounting positions, price, the source vehicle (make, model, year — without the nickname) and the name of the vehicle group the part comes from (only groups you have made visible in the showcase and from which parts are for sale). Storage location, purchase and sale data, internal notes, an alternative owner and the nickname do not become public. You control this at any time via the showcase toggle; switching it off makes the pages inaccessible again. The legal basis is your consent through actively switching it on (Art. 6(1)(a) GDPR).

If you allow messages (the switch in your account), interested parties can contact you through a mediated contact form on the public part page. If you switch messages off, the form is removed and no such processing takes place. The interested party's message and contact details (name, e-mail) are transmitted to us solely so that we can forward them to you once by e-mail, and are not stored. Your own e-mail address is not disclosed to the interested party; it only becomes visible once you reply to the forwarded mail. For statistical purposes we record only that a contact was made about a given listing (the seller and part concerned, plus — as for any page view — a truncated IP address and the browser identifier); we record neither the message content nor the contact details the interested party provided (name, e-mail).

Referrals

OwnYard offers a referral programme: you can invite new users with a personal referral link. If you use this programme, we process:

  • the link between the referring and the referred account (who referred whom) and the time at which the corresponding reward was granted,
  • the referrer's username contained in the referral link, which we temporarily keep in your session during registration in order to associate the referral with the new account.

If you register through a referral link, we show you on the registration page the username of the person who invited you; usernames are public in any case (see Content data). No further data of the inviting or the invited person is disclosed to the respective other.

The legal basis is the performance of the contract with regard to the free-month reward granted (Art. 6(1)(b) GDPR) as well as our legitimate interest in acquiring new users through referrals (Art. 6(1)(f) GDPR).

Usage and security data

To secure the service and prevent abuse, we process:

  • a login counter and the time of your last sign-in,
  • a security log (audit log) of security-relevant events such as registration, email verification, plan changes, email and password changes, and account deletions. For each entry we store the time, the type of event, a truncated IP address (the host-specific part of the address is removed before storage — the last octet for IPv4, the last 80 bits for IPv6 — so that no full address is retained) and your browser identifier (user agent).

The legal basis is our legitimate interest in secure, abuse-free operation (Art. 6(1)(f) GDPR). To limit sign-in and registration attempts we additionally apply per-IP technical throttling (a maximum of five attempts per fifteen minutes).

General server access logs (web server logs) are disabled at our host.

Email delivery

We only send emails that are necessary for operating the service: verifying your email address upon registration, confirming an email address change, and confirming a plan booking. The legal basis is the performance of the contract (Art. 6(1)(b) GDPR).

Cookies

OwnYard uses strictly necessary cookies only:

  • a session cookie that keeps you signed in for the duration of a session,
  • an optional “stay signed in” cookie that, when you select it at login, keeps you signed in for up to 30 days across sessions — it contains only your username, an expiry time and a signature, and becomes invalid when you change your password,
  • a language cookie that stores your chosen language for up to one year.

We do not use any cookies for advertising. Fonts, icons and all embedded scripts are served directly from our own server; no external content providers (CDNs) are used.

Web analytics with Matomo

To analyse reach and usage, we use the privacy-friendly analytics software Matomo, which we host ourselves on our own infrastructure (matomo.marcelkraus.de). The data collected is processed exclusively by us and is not passed on to third parties.

We run Matomo without cookies. Visits are recognised by an anonymised digital fingerprint that is derived from a pseudonymised IP address combined with browser settings and is updated daily. This does not allow individual persons to be identified.

The legal basis is our legitimate interest in the statistical evaluation of usage to improve the service (Art. 6(1)(f) GDPR).

Recipients and processors

Hosting

OwnYard is operated with a provider whose servers are located in Germany (Uberspace, owner Jonas Pasche, Kaiserstraße 15, 55116 Mainz). A data processing agreement pursuant to Art. 28 GDPR is in place with the host. Our emails are sent via this provider's infrastructure.

Your data is not transferred to recipients in third countries outside the EU/EEA. Your data is likewise not shared for advertising purposes.

Retention

We store your data only for as long as it is necessary for the purposes described:

  • We process account and content data for as long as your account exists. If you delete your account, it is first retained for seven days (during which you can restore it); after that, your data is permanently deleted.
  • Entries in the security log are retained for security and evidentiary reasons; upon permanent deletion of your account, the link to you is removed so that the entries can no longer be assigned to any user.
  • We retain invoice-relevant data within the scope of statutory retention periods.
  • Backups of the database are created regularly and rotated (overwritten) after seven days.

Data security

Transmission takes place exclusively in encrypted form via HTTPS/TLS. Passwords are stored only as a cryptographic hash. Uploaded receipt PDFs are sanitised before storage (embedded attachments, encryption and external references are removed). Access to your data is strictly limited to your account; other users cannot view your data.

Access by the operator

The operator may, on request or with your consent, view your data in order to resolve a specific problem, for example for troubleshooting. Such access is logged. No access to your data takes place without cause and without prior consultation.

Your rights

With regard to your personal data, you have the following rights:

  • access to the data stored about you (Art. 15 GDPR),
  • rectification of inaccurate data (Art. 16 GDPR),
  • erasure (Art. 17 GDPR),
  • restriction of processing (Art. 18 GDPR),
  • data portability (Art. 20 GDPR),
  • objection to processing based on a legitimate interest (Art. 21 GDPR).

To exercise your right to data portability, you can download your data yourself as an archive at any time via the "My account → Export" function.

An informal message to the email address given above is sufficient to exercise your rights.

Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible is in particular the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (Germany).

No automated decision-making

No automated decision-making, including profiling within the meaning of Art. 22 GDPR, takes place.

Changes to this privacy policy

We will adapt this privacy policy when changes to the service or to the legal situation make it necessary. The version published here applies at any given time.