Privacy Policy | prokodo

1. Controller and Contact

The controller within the meaning of the GDPR is: prokodo (sole proprietorship), owner: Christian Salat, Fritz-Erler-Straße 24b, 81737, München, Deutschland. Email: info(at)prokodo.com, phone: +49 (0) 89 244 119 790, VAT ID: DE345200489.

For questions about data protection or to exercise your rights, please contact us via email at the address stated above.

2. Scope

This privacy policy applies to the use of the „prokodo Marketplace“ platform at prokodo.com and associated services.

The platform is open to all users. Free listings and OSS content may also be used by consumers. Monetization features (paid listings, seller account) are available exclusively to entrepreneurs within the meaning of § 14 BGB. Further details are set out in the Terms (AGB) (section 3).

This privacy policy constitutes informational compliance documentation and is not an independent contract. The Terms (AGB) and the contractual documents incorporated therein remain authoritative for the contractual relationship.

3. Legal Bases for Processing

We process personal data exclusively on the basis of a relevant legal ground under Art. 6(1) GDPR:

Consent (Art. 6(1)(a) GDPR): e.g. consent to analytics/marketing cookies, newsletter subscription.
Performance of a contract (Art. 6(1)(b) GDPR): e.g. registration, profile management, order processing, payment processing, and communication relating to ongoing contracts.
Legal obligation (Art. 6(1)(c) GDPR): e.g. retention obligations for accounting records (tax/commercial law).
Legitimate interest (Art. 6(1)(f) GDPR): e.g. technical error monitoring (Bugsnag), security logging, platform operation, fraud prevention, and abuse protection. The legitimate interest arises from the secure and reliable operation of the platform.

4. Categories of Data Collected

We collect and process the following categories of personal data:

Identity and account data: email address, password (hashed, Firebase-managed), display name, profile picture, OAuth provider IDs (Google, GitHub), MFA enrollment data (TOTP).
Business data (sellers): company name, address, VAT ID, Stripe Connect account linking ID, billing data.
Usage data: pages visited, time of access, referrer, browser type, device information, IP address (pseudonymized for analytics).
Transaction data: orders, payment status, payment metadata (via Stripe), license information.
Communication data: email address for transactional emails (e.g. OTP for account deletion), newsletter subscription status.
Listing/artifact data: listing content, uploaded artifacts (software packages), version history, verification results.
Security and log data: audit logs (admin read access), erasure logs, error telemetry, session metadata.

5. Hosting and Infrastructure

The platform is operated on the following infrastructure:

Vercel Inc. (USA): frontend hosting (Next.js) with configured serverless region fra1 (Frankfurt). Processes: edge request metadata, function execution logs. Vercel is a US-based company; the serverless region is configured to the EU.
Google Cloud Platform / Firebase (Google LLC): core platform for backend, database (Firestore), authentication (Firebase Auth), Cloud Functions, Cloud Storage, Cloud KMS, Secret Manager, Cloud Logging, and Cloud Monitoring. Primary region: europe-west3 (Frankfurt). Secret Manager replication: europe-west4 (Netherlands).
Typesense (self-hosted on Google Compute Engine): search index for marketplace listings in europe-west3 (Frankfurt), operated on a Shielded VM with TLS via Caddy reverse proxy.

6. Authentication and Sessions

Firebase Authentication is used for authentication. Supported methods are email/password, Google OAuth, and GitHub OAuth. Multi-factor authentication (TOTP) is available.

After successful login, a session cookie (__session) is set and verified server-side. This cookie is technically necessary and serves solely for authentication purposes.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract — access to user account).

7. Payment Processing

We use Stripe, Inc. (USA) for payment processing. Stripe processes payment data on behalf of the user and is a certified PCI DSS Level 1 service provider.

For sellers, Stripe Connect is used for KYC/AML checks and payouts. The Stripe account linking ID is stored in our system.

Third-country transfer (USA) possible; Stripe relies on EU SCCs and supplementary measures. Details are available in Stripe's privacy policy at https://stripe.com/privacy.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract — payment processing).

8. Cookies and Consent Management

We use cookies and similar technologies. On your first visit, a cookie banner is displayed through which you can manage your preferences (Consent Mode v2).

Technically necessary cookies are set without consent (Art. 6(1)(f) GDPR). Analytics and marketing cookies are activated only after explicit consent (Art. 6(1)(a) GDPR).

__session: authentication session token (Firebase). HttpOnly. Technically necessary.
cookie_settings: stores your cookie consent preferences (JSON). HttpOnly. Technically necessary.
tracking: tracking consent and attribution data. Functional.
theme_mode: your preference for UI color scheme (dark/light). Functional.

9. Local Storage

In addition to cookies, we use the browser's local storage for the following purposes:

core-storage: persisted app state (Zustand framework).
user-storage: persisted user-related state.
theme: color scheme preference.
Visitor ID / Session ID: pseudonymized session deduplication for analytics (with inactivity timeout). Not a cookie; based on localStorage.

10. Analytics and Tracking

We use the following analytics and monitoring services. Google Consent Mode v2 default: all consent categories (analytics_storage, ad_storage, ad_user_data, ad_personalization) are set to “denied” by default and are only activated after explicit consent.

Google Tag Manager (GTM): client-side tag management. Controls the delivery of analytics and marketing tags based on your cookie settings. Without your consent for the respective category, no data is collected via GTM. Provider: Google Ireland Limited. Legal basis: Art. 6(1)(a) GDPR (consent).
Google Analytics 4 (via GTM): web analytics for improving the platform. Collects pseudonymized usage data (page views, events, device information). IP anonymization is enabled. Provider: Google Ireland Limited. Third-country transfer (USA) possible; adequacy decision (EU-US Data Privacy Framework). Legal basis: Art. 6(1)(a) GDPR (consent).
Vercel Analytics: client-side web analytics (production only). Collects anonymized performance and usage metrics. Provider: Vercel Inc. (USA). Legal basis: Art. 6(1)(a) GDPR (consent).
Bugsnag (SmartBear Software): error monitoring and performance telemetry. Captures error stack data, session metadata, and user-correlating context data for diagnosing technical issues. Third-country transfer possible. Legal basis: Art. 6(1)(f) GDPR (legitimate interest — operational security and quality assurance).

11. Email Services

We use email services for the following purposes:

Amazon Web Services / SES (eu-central-1): transactional email delivery (e.g. OTP codes for account deletion). Short-lived processing; no permanent storage intended. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Mailchimp (The Rocket Science Group LLC / Intuit, USA): newsletter processing. Processes: email address, subscription metadata, opt-in/opt-out status. Third-country transfer (USA); Mailchimp relies on EU SCCs. Deletion: subscriber removal via API (MD5 hash of email) in the erasure workflow. Legal basis: Art. 6(1)(a) GDPR (consent — newsletter subscription).

12. External Content and CDNs

The following external resources are integrated for platform presentation:

Google Fonts (fonts.googleapis.com / fonts.gstatic.com): web fonts. When loading fonts, your IP address is transmitted to Google servers. Provider: Google Ireland Limited.
jsDelivr CDN / LottieFiles (cdn.jsdelivr.net, lottie.host): animation libraries (dotLottie WASM). When loading, your IP address is transmitted to the CDN provider.
Google / GitHub profile images (lh3.googleusercontent.com, avatars.githubusercontent.com): profile pictures from the respective OAuth providers are embedded upon login.
Stripe Connect JS (connect-js.stripe.com): embedded Stripe Connect components for seller onboarding.

13. International Data Transfers

Some of the services we use are based outside the EEA (particularly in the USA). Transfers to third countries are made on the basis of the following safeguards:

EU-US Data Privacy Framework (adequacy decision pursuant to Art. 45 GDPR): where the recipient is certified (e.g. Google, Stripe).
EU Standard Contractual Clauses (SCCs, Art. 46(2)(c) GDPR): where no adequacy decision exists or as additional safeguard.
Supplementary technical and organizational measures: in line with EDPB recommendations, documented in our DPA / SCC / TIA documentation.
A list of all currently engaged processors can be found in the Subprocessors documentation.

14. Security Measures

We implement technical and organizational measures to protect personal data, including:

Encryption: encryption at rest for Firestore and Cloud Storage (Google-managed). Cloud KMS for Terraform state data (europe-west3). TLS for all external connections.
Access control: Firestore and Storage Rules with default-deny. Admin access exclusively via server-side Cloud Functions (Admin SDK). SSH access via IAP tunnel. OS Login enabled. Shielded VMs with vTPM and integrity monitoring.
Key management: sensitive credentials in GCP Secret Manager (replication europe-west4). AES-256 encryption for registration auth tokens.
Network security: custom VPC with private subnets and NAT gateway. VPC Flow Logs enabled. No public IP for compute workers.
Logging: admin read access in dedicated audit collection (actor, timestamp, action, purpose). Erasure audit events logged separately with automatic secret sanitization. Details at Admin Read Audit.
Security incidents: standardized response process under Art. 33/34 GDPR. Details at Incident & Breach Process.

15. Retention and Deletion

Personal data is retained only as long as necessary for the respective purpose or as required by statutory retention obligations.

Account data: until account deletion by the user. After deletion, data passes through the erasure workflow with six deletion targets: Firestore core data, auth identity, Typesense index, storage objects, Stripe linkage, newsletter subscription.
Erasure jobs: 90 days (TTL-enforced in Firestore).
Audit events: 180 days TTL.
Dead letters: 180 days TTL.
Tombstones: 365 days TTL.
Firestore backups: 14 weeks (no individual record deletion; removal via backup rotation).
Temporary uploads (GCS): 14-day lifecycle rule.
Accounting records: per statutory retention obligations (up to 10 years per HGB/AO), with pseudonymized key where necessary.
Cloud Logging: per log sink configuration.
Error telemetry (Bugsnag): per provider retention settings.

16. Your Rights as a Data Subject

Under the GDPR, you have the following rights. To exercise them, please contact us via email at the address stated in section 1.

Right of access (Art. 15 GDPR): you may request information about the personal data we process about you.
Right to rectification (Art. 16 GDPR): you may request correction of inaccurate or completion of incomplete data.
Right to erasure (Art. 17 GDPR): you may request deletion of your data, provided no statutory retention obligation applies. The platform offers a self-service account deletion function with OTP confirmation and automated erasure workflow.
Right to restriction of processing (Art. 18 GDPR): you may request restriction of processing, e.g. if you contest the accuracy of data.
Right to data portability (Art. 20 GDPR): you may request that we provide your data in a structured, commonly used, and machine-readable format.
Right to object (Art. 21 GDPR): you may object at any time to processing based on Art. 6(1)(f) GDPR for reasons arising from your particular situation.
Right to withdraw consent (Art. 7(3) GDPR): consent given (e.g. for analytics cookies or newsletter) may be withdrawn at any time with effect for the future via the cookie banner or the newsletter unsubscribe function.
Right to lodge a complaint (Art. 77 GDPR): you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work, or place of the alleged infringement.

17. Processors and Subprocessors

We engage processors who process personal data on our behalf. Each processor is contractually bound in accordance with Art. 28 GDPR.

A complete and current list of all processors engaged, including purpose, region, data categories, and DPA/SCC/TIA status, can be found in the Subprocessors documentation.

Framework conditions for data processing and international transfers are described in the DPA / SCC / TIA documentation.

18. Security Incidents

In the event of a personal data breach, we act in accordance with Art. 33/34 GDPR. The process is documented at Incident & Breach Process.

19. Security Headers and Privacy-by-Default

The platform employs privacy-friendly HTTP headers:

Referrer-Policy: origin-when-cross-origin — limits referrer URL disclosure to third parties.
Permissions-Policy: all sensitive browser APIs (geolocation, camera, microphone, payment, etc.) are disabled.
HSTS (Strict-Transport-Security): enforces HTTPS connections (including subdomains, preload).
Content-Security-Policy (CSP): strict allowlist for script, style, and connection sources.

20. Changes to This Privacy Policy

We reserve the right to update this privacy policy as needed, e.g. in response to changes in processing activities, legal requirements, or services used. The current version is available on this page at all times.

Last updated: February 17, 2026.

Back to legal overview