Privacy Policy

1. Controller

The controller responsible for data processing on this site under the GDPR is:

2. Overview

This site processes only the data strictly necessary to operate the site and, optionally, to notify you when CostGoblin launches. Specifically:

• Server-side access data (via our host, Cloudflare)
• Your email address, if you voluntarily sign up for the launch notification
• Your IP address and user agent when you submit the signup form (abuse prevention)
• A font CDN request to Bunny Fonts when the page loads
• A bot-protection challenge via Cloudflare Turnstile when you submit the form

There is no tracking, no profiling, no web analytics, and no marketing cookies.

3. Hosting and access logs

The site is hosted on infrastructure provided by Cloudflare Germany GmbH (Rosental 7, c/o Mindspace, 80331 Munich) and its US parent Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA). When you visit the site, Cloudflare necessarily processes:

• IP address of your device
• Date and time of the request
• URL requested and HTTP status
• User agent (browser, operating system)
• Referrer

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating the site securely and reliably).
Storage: Cloudflare retains access logs for a short period for security purposes. A data-processing agreement under Art. 28 GDPR is in place. Transfers to the US are covered by the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) and Cloudflare's certification under the EU-U.S. Data Privacy Framework.

For details see the Cloudflare Privacy Policy.

4. Launch-notification signup

The homepage offers a form to submit your email address so that you receive a single notification when CostGoblin launches publicly.

Data processed

• Email address
• IP address and user agent of the submitting device
• Timestamp of submission

Purpose

Sending one launch-notification email, and protecting the form against spam and abuse.

Legal basis

Consent under Art. 6(1)(a) GDPR (sending the notification), and legitimate interest under Art. 6(1)(f) GDPR (storing IP and user agent to prevent abuse).

Storage

Data are deleted once the launch notification has been sent, or earlier on request, or once the purpose otherwise ceases. Data are stored in a Cloudflare Workers KV store for this purpose.

Withdrawal

You can withdraw your consent at any time; an informal email to the contact address above is sufficient. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

5. Bot protection (Cloudflare Turnstile)

The signup form is protected against automated submissions by Cloudflare Turnstile, a CAPTCHA-like service provided by Cloudflare, Inc.

• Data processed: IP address, browser and device information, and a short-lived session token (no persistent tracking cookie).
• Purpose: distinguish human users from bots.
• Legal basis: Art. 6(1)(f) GDPR (legitimate interest in preventing spam and automated abuse).
• Storage: per Cloudflare's published retention policies; session validation is short-lived.

Transfers to Cloudflare, Inc. in the US are covered by Standard Contractual Clauses and the EU-U.S. Data Privacy Framework. See the Cloudflare Privacy Policy.

6. Fonts (Bunny Fonts)

Typefaces are served by Bunny Fonts, a privacy-friendly font service operated by BunnyWay d.o.o. (Cerknica, Slovenia — EU). According to its operator, Bunny Fonts does not log IP addresses and does not set cookies.

• Data processed: the technical connection data required to deliver font files.
• Purpose: consistent typography across browsers.
• Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a consistent, performant presentation).

See Bunny Fonts — GDPR-friendly fonts.

7. Cookies

This site sets no first-party cookies, no analytics cookies, and no marketing cookies.

Cloudflare Turnstile and the Cloudflare infrastructure may set strictly necessary, short-lived tokens (e.g. __cf_bm) as part of their security functions. These are used to detect and prevent automated abuse and are covered by § 25(2)(2) TDDDG (strictly necessary for the telemedia service explicitly requested by the user).

8. External links

This site links to external services, notably the GitHub repository. Following a link transmits data (such as your IP and referrer) to the respective provider. The operator has no control over data processing by those providers; please consult their privacy policies.

9. Your rights

Under the GDPR you have the following rights:

• Access to the data held about you (Art. 15)
• Rectification of inaccurate data (Art. 16)
• Erasure (Art. 17)
• Restriction of processing (Art. 18)
• Objection to processing (Art. 21)
• Data portability (Art. 20)
• Withdrawal of consent at any time (Art. 7(3))

An informal email to the controller above is sufficient to exercise any of these rights.

10. Right to complain

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data infringes the GDPR (Art. 77). The authority competent for this site depends on the controller's place of residence:

Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI), Friedrichstr. 219, 10969 Berlin, www.datenschutz-berlin.de

11. No automated decision-making

No automated decision-making or profiling under Art. 22 GDPR takes place.

12. Changes to this policy

This policy may be updated if the legal framework changes or if new features are introduced on the site. The current version is always available at this URL.

Last updated: April 2026