calmloop

Privacy Policy

This is a courtesy translation of the German version at /de/privacy. In case of discrepancies, the German version prevails.

1. Data Controller

Controller for data processing on this website:

Balane GmbH
Balanstraße 84
81541 München
Germany
Email: contact@balane.tech
Managing Director: Jonas David Höttler

2. Data Protection Officer

No DPO has been appointed, as the statutory requirements under Art. 37 GDPR and § 38 BDSG do not apply. For data protection matters please contact us directly at contact@balane.tech.

3. General Information

  • SSL/TLS encryption: This website uses transport encryption to protect data in transit.
  • Web fonts: We use Fraunces and Inter. These fonts are downloaded by Next.js via next/font/google at build time and served from our own domain. At runtime there is no connection to Google servers.
  • Automated decision-making under Art. 22 GDPR does not take place.

4. Hosting & Server Logs (Vercel)

Provider: Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA.

Processed data: IP address, access date and time, requested file names and URLs, referrer URL, browser and operating system information.

Purpose: Technical provision of the website, system security, service optimisation.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a secure and functional operation).

Retention: Typically 7–30 days.

Third-country transfer: The provider is based in the USA. The transfer takes place on the basis of certification under the EU-US Data Privacy Framework (Art. 45(3) GDPR) and additionally on the basis of Standard Contractual Clauses. Surveillance access by US authorities cannot be fully excluded.

5. The Calmloop app — local, no servers

Calmloop (the mobile app for iPhone, iPad, Android phones and tablets) is built so that your entries (moods, notes, plans, experiments) are stored only on your device. There are no Calmloop servers that receive this data.

If you enable device sync, your data travels through your own iCloud account (iOS/iPadOS) or Google Drive (Android). Calmloop itself never sees these entries.

The app uses no trackers, no analytics SDKs and no advertising identifiers. You are not required to provide personal data to use the app.

6. Reach Measurement (Umami)

For website analytics we use Umami, a privacy-focused open-source analytics tool that we host on our own instance.

Processed data: truncated/hashed IP address, anonymised device and browser info, page viewed, referrer URL, timestamp, approximate country-level location.

Cookies / device access: Umami sets no cookies and does not access information stored on your device within the meaning of § 25(1) TDDDG. The IP hash is regenerated server-side daily and then discarded.

Purpose: Reach measurement, aggregated analysis of usage behaviour, service optimisation.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest; no consent required as no device access takes place).

Hosting of the Umami instance: Railway Corp., 2261 Market Street #4059, San Francisco, CA 94114, USA, server location: Amsterdam, Netherlands. Standard Contractual Clauses are in place. US authorities' access cannot be fully excluded; the hashing mechanism provides supplementary protection.

Retention: Aggregated statistics 24 months; pseudonymous individual records maximum 30 days.

7. Session Replay (OpenReplay)

With your explicit consent we use OpenReplay, a self-hosted tool for recording anonymised usage sessions. Without your consent nothing is recorded; the tracker is not even loaded.

Processed data: mouse movements, clicks, scroll events, keyboard input (masked by default), DOM snapshots of the pages you visit, browser and operating-system info, truncated IP address, session timestamps.

Automatic masking: email addresses, numbers and all input fields are obscured in the browser (obscureTextEmails, obscureInputNumbers, defaultInputMode: 1) and never leave your device in plain text. Sensitive areas are additionally marked with data-openreplay-hidden / -obscured.

Browser storage entries: __openreplay_token, __openreplay_pageno and __openreplay_tabid in sessionStorage (discarded when you close the tab) plus __openreplay_uuid in localStorage to recognise the same browser.

Purpose: UX analysis, bug diagnosis, service improvement.

Legal basis: Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG (consent). Consent is voluntary and can be withdrawn at any time with effect for the future — via the “Cookie settings” link in the footer of every page or by email to contact@balane.tech.

Hosting: Balane GmbH (self-hosted). Data is processed on our own infrastructure at replay.balane.tech in Germany. There is no third-country transfer and no external processor involved in session replay processing.

Retention: 30 days on a rolling basis, then deleted automatically.

Do Not Track: If your browser sends a Do Not Track signal, the tracker is not activated even after consent (respectDoNotTrack).

8. Contact by Email

We do not use contact forms. Communication happens via mailto: links that open your local email client. The data you send us (email address, name, subject, message) is used to process your request.

Legal basis: Art. 6(1)(b) GDPR (for contract-related inquiries) and Art. 6(1)(f) GDPR (legitimate interest in responding).

Provision: Providing your data is neither legally nor contractually required, but necessary for a response.

Email provider: IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. Processing takes place on servers in Germany; no third-country transfer occurs. A data processing agreement is in place.

Retention: Deleted after processing unless statutory retention obligations apply (§ 257 HGB, § 147 AO). Non-business inquiries are deleted within 12 months of last contact.

9. External Links to App Stores and Third Parties

We link to the Apple App Store and Google Play. When you follow such links, the privacy policies of the respective providers apply. We disclaim responsibility for their data processing.

10. Recipient Overview

Personal data is transferred only to the following processors pursuant to Art. 28 GDPR:

  • Vercel Inc. (USA) — hosting
  • Railway Corp. (USA, servers in EU) — Umami hosting
  • IONOS SE (Germany) — email services

Session replay (OpenReplay) has no external processor involved, as we host the instance ourselves. No advertising or other third-party transfers take place.

11. Data Backups

Encrypted backups of our Umami instance are created regularly. Backups are overwritten on a rolling basis within 30 days at most.

Legal basis: Art. 6(1)(f) GDPR in conjunction with Art. 32 GDPR (security of processing).

12. Your Rights as a Data Subject

You may exercise the following rights informally via email to contact@balane.tech:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to withdraw consent (Art. 7(3) GDPR)
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

13. Right to Object (Art. 21 GDPR)

Where we process data on the basis of our legitimate interest (Art. 6(1)(f) GDPR), you may object at any time for reasons arising from your particular situation. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or unless processing serves to establish, exercise or defend legal claims.

Please send objections by email to contact@balane.tech.

14. Competent Supervisory Authority

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18, 91522 Ansbach, Germany
Phone: +49 (0) 981 180093-0
Email: poststelle@lda.bayern.de
Web: www.lda.bayern.de

15. Changes to This Privacy Policy

We reserve the right to adapt this policy to new legal or factual circumstances. The version in force at the time of your visit applies.

Last updated: April 24, 2026