Privacy Notice
How FarangDrive handles account, practice, payment, and refund data.
This notice explains how farangDrive collects, uses, retains, and shares personal data in connection with the farangDrive website and learning product. It is written for an English-speaking audience and follows the disclosure expectations of the EU General Data Protection Regulation (GDPR).
Controller
farangDrive is operated by Marcel Christophel, trading as farangDrive, Am Wandrahm 27, 28195 Bremen, Germany.
For privacy questions, write to marcel@christophel.io.
We have not appointed a Data Protection Officer. The controller can be contacted directly at the address above.
Categories of personal data we process
- Account identifier: a deterministic SHA-256 hash of your email address. The plaintext address is used transiently for magic-link delivery, payment-related messages, and refund correspondence.
- Authentication metadata: anonymous-session identifiers, signed user-session identifiers, magic-link tokens, CSRF secrets, IP-address hash, user-agent hash, and sign-in timestamps.
- Practice and study data: answer attempts, mistake-queue entries, mock-test results, readiness snapshots, topic progress, and practice-session state.
- Billing data: Stripe Checkout session ID, payment-intent ID, entitlement records, payment status, refund status, and related finance ledger records. farangDrive does not receive or store card numbers.
- Refund data: the refund request, slip date, user notes, proof image such as a DLT result slip, proof hash, file metadata, and an admin decision audit trail.
- Operational telemetry: event names, timestamps, and a small metadata payload per recorded event, such as `landing_view`, `checkout_start`, `mock_completion`, or scheduled-job status.
- Admin data: admin sign-in/session data, admin actions, refund decisions, curation uploads, and audit logs.
- Device storage and cookies: see the Cookies and device storage section below.
We do not sell personal data, run third-party advertising pixels, or use third-party marketing analytics. We do not intentionally collect special-category data under Art. 9 GDPR.
Purposes and legal bases
- Account creation and magic-link sign-in: performance of contract (Art. 6 (1) (b) GDPR).
- Operating the practice, mock, cheat-sheet, and paid-access surfaces: performance of contract.
- Processing payments and granting entitlements: performance of contract and legal obligations for accounting and tax records.
- Reviewing and resolving refund requests: performance of contract, legal obligation for transactional records, and legitimate interest in fraud prevention and chargeback defence.
- Security, CSRF protection, abuse prevention, and rate limiting: legitimate interest (Art. 6 (1) (f) GDPR).
- Operational observability and admin metrics: legitimate interest in understanding product usage, service reliability, and business health.
- Audit logging of administrative actions: legal obligation where records must be retained and legitimate interest in security and accountability.
- Error monitoring: legitimate interest in detecting and fixing technical failures.
Where a browser-storage access requires consent under the Telecommunications Digital Services Data Protection Act (TDDDG), farangDrive handles that consent separately from the GDPR legal basis.
Sub-processors
We use the following service providers under written data-processing agreements where required:
- Stripe Payments Europe, Ltd. - payment processing, checkout, tax calculation where enabled, receipts, disputes, and refunds.
- Resend, Inc. - transactional email delivery for magic links and account, payment, or refund messages.
- Neon, Inc. - managed Postgres database hosting for account, study, billing, refund, observability, and admin records.
- Fly.io, Inc. - application hosting and production runtime infrastructure.
- Tigris Data, Inc. - S3-compatible object storage for generated/media uploads and encrypted database backups where configured.
- Upstash, Inc. - Redis-compatible infrastructure for rate limiting and operational state where configured.
- Functional Software, Inc. d/b/a Sentry - error monitoring and diagnostics where enabled.
We keep this list current. Material changes will be reflected in the document version above.
International data transfers
Some providers are based outside the European Economic Area or may process data outside the EEA. Where this happens, transfers are protected through the EU Standard Contractual Clauses, the EU-US Data Privacy Framework where applicable, and supplementary technical and organisational measures such as TLS in transit, access controls, and restricted operator access.
Cookies and device storage
farangDrive uses cookies and device storage for sign-in, security, paid-access state, admin operation, and product metrics.
- fd_anon - signed anonymous-session identifier; HttpOnly; used for anonymous practice state, CSRF binding, and account-progress import.
- fd_user - signed authenticated-user identifier; HttpOnly; used to keep you signed in.
- fd_csrf - CSRF double-submit token for the public/user surface; readable by the client so write requests can attach the token.
- fd_paid - paid-access companion marker; readable by the client to render entitlement state without an extra round-trip.
- fd_progress_saved - short-lived practice-only flag used once after sign-in to show that progress was saved.
- fd_admin - signed admin-session identifier; HttpOnly; admin surface only.
- fd_admin_csrf - CSRF double-submit token for the admin surface; readable by the client so admin write requests can attach the token.
- fd_admin_nav - admin sidebar preference; admin surface only.
- fd_landing_visitor - optional first-party visitor identifier for landing-page and funnel metrics. It is set only after analytics consent and is not used for advertising, retargeting, or third-party tracking. If analytics consent is declined or withdrawn, farangDrive clears this cookie and skips visitor attribution for admin stats.
- fd_last_sign_in_email - localStorage marker on your device that helps recognise a returning sign-in surface. It may store the last email address used on that device and whether the user explicitly signed out.
- Practice draft storage - localStorage or sessionStorage entries may temporarily keep in-progress mock, topic, or mistake-drill state so the practice surface can recover from reloads.
farangDrive does not set third-party advertising cookies or third-party retargeting pixels. You can change analytics consent in the Cookie settings section on this Privacy page. If optional advertising, A/B-testing, or embedded third-party media are added later, they must not load before the required consent has been collected.
Retention
- Account record: kept while the account is active. On a verified deletion request, local study data is removed and the account link is removed from retained billing or refund records where full deletion is not legally possible. Billing or refund records are retained only where legal, tax, accounting, dispute, or fraud-prevention obligations require it. German bookkeeping records are commonly retained for up to 10 years under §147 AO.
- Magic-link tokens: expire automatically after the configured validity window and are discarded or marked consumed once used.
- Anonymous sessions: removed when stale according to the session-cleanup job.
- Practice and mock data: removed or anonymised on account deletion unless a legal retention reason applies.
- Refund proof images: retained for refund review, dispute handling, and chargeback defence, then deleted when no longer needed under the configured refund-proof deletion workflow.
- Operational telemetry: retained for operational dashboards and reliability analysis. Retention may be shortened as the product matures.
- Admin audit logs: retained while needed for security, accountability, legal defence, and operational review.
Account deletion
Signed-in users can request account deletion from the Privacy page. The in-app deletion flow removes local study data and will, where full deletion is not legally possible, remove the account link from retained billing or refund records.
Some payment, refund, accounting, and dispute records may remain where legal, tax, fraud-prevention, chargeback, or legal-defence obligations require retention.
Deletion is not available while an active refund request still needs to be resolved, because farangDrive must keep enough information to complete the refund review.
Your rights
You have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and objection (Art. 21 GDPR). You may also withdraw consent where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
For rights requests, write to marcel@christophel.io.
You also have the right to lodge a complaint with a supervisory authority. For the operator's registered location, the competent authority is the Die Landesbeauftragte für Datenschutz und Informationsfreiheit der Freien Hansestadt Bremen. You may also contact the supervisory authority for your habitual residence, workplace, or the place of the alleged infringement.
Automated decision-making
farangDrive does not make decisions that produce legal effects on the user solely by automated means. Refund decisions are reviewed manually.
Changes to this notice
We will update the version and lastVerifiedAt fields above whenever this notice changes. Material changes will be flagged in-app where appropriate.
Contact
Privacy contact: marcel@christophel.io.
Cookie settings
Essential cookies are always active. Analytics consent controls the first-party landing-page visitor cookie used for admin funnel stats.
Current choice: not set
Account data
Delete your account data
We delete your account and FarangDrive study data. Payment and refund records needed for accounting, tax, refund, or dispute handling may be retained without an active account link.
Done reading
Ready to practise?