Last Updated: December 2025

PRIVACY POLICY

How we handle your data and protect your privacy

TL;DR: We collect only what's necessary to run the app. We don't sell your data, we use privacy-friendly analytics (no cookies, no tracking), and we don't use advertising. Your workout data stays yours.

1. ABOUT THIS WEBSITE

This marketing website (johnzastrow.github.io/actalog) is a static informational site. Here's what it does and doesn't do:

What This Site Does NOT Do

Set cookies or use local storage
Track your browsing behavior across sites
Collect any personal information
Display advertising
Sell or share data with third parties

Analytics

This site uses GoatCounter, a privacy-friendly analytics service. GoatCounter:

Does not use cookies
Does not track users across sites
Does not collect personal information
Only counts page views and basic referrer data
Is open source and GDPR compliant

See GoatCounter's Privacy Policy for details.

External Resources

This site loads fonts from Google Fonts. When you visit, your browser requests font files from Google's servers, which transmits your IP address to Google. This is standard web practice for typography. See Google's Privacy Policy for details.

2. ABOUT THE APPLICATION

The ActaLog application (when self-hosted or used via a hosted instance) handles user data as described below.

Data We Collect

Data Type	Purpose	Required
Email address	Account identification, password recovery	Yes
Password	Authentication (stored securely hashed)	Yes
Display name	Personalization	Yes
Workout data	Core app functionality	User-provided
Profile image	Personalization	No

Data We DON'T Collect

Location data
Device sensor data
Payment information
Social media profiles
Advertising identifiers
Health data from external devices

3. HOW WE USE YOUR DATA

Purpose	Legal Basis (GDPR)
Provide workout tracking service	Contract performance
Send account emails (verification, password reset)	Contract performance
Protect against unauthorized access	Legitimate interest
Maintain security audit logs	Legitimate interest

We Do NOT

Sell your data to anyone
Share data with advertisers
Use data for marketing without consent
Profile you for automated decisions
Train AI models on your data

4. DATA SECURITY

We implement industry-standard security measures:

Password hashing: bcrypt with cost factor 12
Transport encryption: HTTPS/TLS required
SQL injection prevention: Parameterized queries only
Audit logging: All security events logged
Account protection: Automatic lockout after failed attempts

5. YOUR RIGHTS

Depending on your location, you may have the following rights:

For EU Users (GDPR)

Access: Request a copy of your data
Rectification: Correct inaccurate data
Erasure: Request deletion of your data
Portability: Export data in standard format
Objection: Object to certain processing

For California Users (CCPA)

Right to know what personal information is collected
Right to delete personal information
Right to opt-out of sale (we don't sell data)

6. DATA EXPORT

You can export your workout data at any time through the application in JSON or CSV format. For a complete export of all personal data, contact the instance administrator.

7. DATA RETENTION

Data Type	Retention Period
Account information	Until account deletion
Workout data	Until account deletion
Security audit logs	12 months
Password reset tokens	1 hour

8. THIRD-PARTY SERVICES

The application uses minimal external services:

Email (SMTP): For sending verification and password reset emails
Hosting provider: Where the application is deployed

We do not integrate with advertising networks, analytics services, or social media platforms.

9. SELF-HOSTING

ActaLog is open source. When you self-host, you are the data controller. This privacy policy applies to instances operated by the project maintainers. Self-hosted instances should maintain their own privacy documentation.

10. CHILDREN'S PRIVACY

ActaLog is not intended for children under 16. We do not knowingly collect personal information from children.

11. CHANGES TO THIS POLICY

We may update this policy from time to time. Significant changes will be announced via the application or changelog.

12. CONTACT

For privacy-related inquiries or to exercise your rights:

Open a GitHub Issue

SUMMARY

What We Do	What We Don't Do
Collect only necessary data	Sell your data
Encrypt passwords securely	Track your browsing
Allow data export	Use advertising
Delete data on request	Share with third parties
Log security events	Profile for marketing