1. Who is responsible
MeshHold is a personal open-source project, operated as a private project by Iurii Iakovlev, a natural person resident in Novi Sad, Serbia. There is no corporate entity behind this site at the time of writing.
Under GDPR Article 4(7), the data controller is therefore the individual operator listed above. Contact for all data-protection matters: meshhold@gmail.com. No formal Data Protection Officer is appointed — our processing scale does not require one under Article 37 GDPR, and the contact email routes directly to the operator.
2. What data we process
When you visit the public site
- Your IP address (kept in webserver access logs).
- Your browser's User-Agent string.
- The URL you requested, the timestamp, and the HTTP status returned.
- Your language preference (set via the language switcher) — stored in a cookie so the site remembers it.
- If you consent to analytics: a Google Analytics client identifier (a random id in the
_gacookie) plus standard analytics events — pages viewed, approximate location derived from your IP, device and browser type. This loads only after you click "Accept" in the cookie banner, never before.
When you register an account on the forum
- Your email address — required for account verification and password reset.
- Your chosen username — displayed publicly with your posts.
- A salted hash of your password — we never see the plain password.
- The date you accepted the Privacy Policy and Terms of Service, and the version you accepted (audit log of consent).
- Optionally: a short bio and an avatar URL, if you choose to add them.
When you use the forum
- The content you post (threads, replies, edits).
- Likes you give or receive.
- Notifications addressed to you (replies, mentions).
- Your trust level, post count, last-seen timestamp — derived from your activity.
- If you upload files as attachments: the file content and filename.
What we explicitly do NOT collect
- No analytics at all unless you opt in — Google Analytics loads only after you accept it in the cookie banner, and you can withdraw at any time.
- No advertising trackers. We do not run ads, and analytics is never used for advertising (Google Signals / ad personalisation are off).
- No Facebook Pixel, Hotjar, or session-recording tools.
- No fingerprinting beyond standard server logs. The cookies we use are listed on the Cookies page.
3. Why we process it (legal bases)
| Purpose | Legal basis (GDPR Article 6) |
|---|---|
| Providing the forum service to you | 6(1)(b) — performance of a contract you entered into by registering |
| Sending account-related email (verification, password reset, reply notifications) | 6(1)(b) — performance of a contract |
| Keeping webserver access logs for security and abuse investigation | 6(1)(f) — legitimate interest in service integrity |
| Storing your consent decisions (audit log) | 6(1)(c) — compliance with our own GDPR obligation to demonstrate consent |
| Optional bio / avatar fields you choose to fill in | 6(1)(a) — your consent (you can blank them at any time) |
| Loading Google Analytics and setting its cookies | 6(1)(a) — your consent, given via the cookie banner and withdrawable at any time |
4. How long we keep it
| Data | Retention |
|---|---|
| Account profile + posts | For the lifetime of your account. You can request deletion at any time (see your rights below). |
| Webserver access logs | 30 days, then rotated and discarded. |
| Consent records | For the lifetime of your account (the IP and User-Agent on the record are scrubbed after 90 days; the consent decision itself remains for legal-proof purposes). |
| Account marked for deletion | Soft-deleted immediately; hard-deleted 30 days later. During the grace period you can log back in to cancel the deletion. |
| Database backups | Encrypted, rotated weekly, kept for 28 days, then destroyed. A deleted account disappears from backups within the rotation window. |
5. Who else sees it (processors)
We use the following third-party processors. Each is bound by a data-processing agreement (DPA) under GDPR Article 28.
- netcup GmbH — Emmy-Noether-Str. 10, 76131 Karlsruhe, Germany. Hosting infrastructure (server, storage, network) located within the European Union. They do not access your data; they provide the hardware. Data Processing Agreement signed under GDPR Article 28.
- Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), with onward processing by Google LLC (USA) — Google Analytics. Engaged only for visitors who consent to analytics. Google acts as our processor under its Google Ads Data Processing Terms (GDPR Article 28). See "International transfers" below for the US-transfer safeguards.
We do NOT sell your data or share it with advertisers. Apart from the analytics processor above — which runs only with your consent — we do not share your data with third parties for marketing. If we ever add another processor (e.g., a transactional-email service), we will update this list before doing so.
6. International transfers
Core processing — hosting, the forum database, and server logs — takes place inside the European Union on netcup GmbH infrastructure in Germany. The data controller (the operator) is resident in Serbia; under GDPR this is treated as processing within the EU/EEA framework via the adequacy decisions and Standard Contractual Clauses where applicable.
If you consent to analytics, Google Analytics data may be transferred to Google LLC in the United States. Google relies on the EU–US Data Privacy Framework (under which it self-certifies) and, as a fallback, the European Commission's Standard Contractual Clauses (GDPR Art. 46(2)(c)). You can avoid this transfer entirely by not accepting analytics. If core processing ever moves to a third country without an adequacy decision, we will rely on Standard Contractual Clauses and update this policy.
7. Your rights
As a data subject under GDPR, you have the following rights:
- Access (Art. 15) — see what data we hold on you. The Your data page in your account shows it directly.
- Portability (Art. 20) — download a machine-readable export of your data. Available at Export your data.
- Rectification (Art. 16) — correct inaccurate data. Edit your profile from the forum settings; for data you cannot edit yourself, email us.
- Erasure (Art. 17) — delete your account and associated data. Use Delete your account or email us.
- Restriction (Art. 18) — ask us to suspend processing of your data while a dispute is resolved.
- Objection (Art. 21) — object to processing based on legitimate interest (item 6(1)(f) in the table above).
- Withdraw consent (Art. 7(3)) — for processing based on consent (item 6(1)(a)), without affecting prior processing's lawfulness.
For any of these requests, email meshhold@gmail.com. We respond within 30 days (extendable by 60 days for complex requests, with notice).
8. Cookies and similar
We use strictly-necessary cookies (session, CSRF, language preference) and — only if you consent — Google Analytics cookies. No advertising or social-media cookies. Full list and how to withdraw: Cookie Policy.
9. Security
Technical and organisational measures (TOMs) in place:
- HTTPS-only (HSTS, modern TLS).
- Passwords stored as PBKDF2 hashes (Django default), never plaintext.
- CSRF tokens on every state-changing form.
- Database backups encrypted at rest.
- Access to production infrastructure restricted to operators with multi-factor authentication.
- Security updates applied promptly; we follow CVE feeds for Django and Python.
If you discover a security issue, please email meshhold@gmail.com before disclosing publicly. We commit to acknowledge within 72 hours.
10. Changes to this policy
The current version is 2026-06-11. When we change anything material, we bump the version, update the effective date at the top, and notify registered users by email. The next time you log in, you will be asked to acknowledge the new version before continuing.
11. Complaints
You always have the right to lodge a complaint with a supervisory authority (GDPR Art. 77). Our lead supervisory authority is Commissioner for Information of Public Importance and Personal Data Protection (Poverenik). EU residents may also file a complaint with their local data-protection authority.
Plain-language summary: We collect what we need to run a forum (email, username, password hash, your posts). We don't share it with advertisers. We use Google Analytics only if you click "Accept" in the cookie banner — reject it and no analytics runs. You can see, export, or delete your data at any time from your account page, or by emailing meshhold@gmail.com.
Questions about this document? Email meshhold@gmail.com.