Anmelden Registrieren

Privacy Policy

Last updated: 2026-06-03

This Privacy Policy explains what personal data ShareCode (sharecode.online) collects, why, on what legal basis, how long it is kept, and the rights you have under the EU General Data Protection Regulation (GDPR) and applicable Czech law.

Operator (data controller)

The service sharecode.online is operated by Jakub Šaroun, business ID (IČO) 03858685, with place of business at Malý Šenov 6, 407 77 Velký Šenov, Czechia ("we", "us"), who acts as the controller of your personal data.

Contact for privacy matters: info@sharecode.online.

Data we collect

  • Account data: e‑mail address, display name, and a password hash (Argon2id — we never store your plaintext password). If you sign in with Google, we receive your basic profile and verified e‑mail.
  • Two‑factor data (optional): an encrypted TOTP secret and recovery codes, if you enable 2FA.
  • Content you create: shares, files, annotations, image attachments, titles, descriptions and related metadata.
  • Session records: a session token (stored only as a hash), its expiry and the device user‑agent — shown in your settings so you can review and sign out active sessions.
  • Access logs: view and download counts, plus a hashed (pseudonymized) IP address and hashed user‑agent, kept for abuse prevention.
  • Preferences and consent: your theme and language choices and your cookie‑consent record.
  • Communications: messages you send us, including abuse reports (with the reporter e‑mail you choose to provide and a hashed IP).

How we use your data

  • Provide the service: create, store and serve your shares, files and annotations.
  • Accounts and security: authentication, sessions, 2FA, rate‑limiting and abuse prevention.
  • Transactional e‑mail: address verification and password reset.
  • Analytics and advertising (consent‑based): with your consent we use Google Analytics 4 to understand aggregate usage and improve the service, and we may use Google AdSense to display and measure advertising. These run only after you grant the matching cookie consent and can be withdrawn at any time via Cookie settings.
  • Legal compliance and handling of abuse reports.

Legal bases (GDPR Art. 6)

  • Performance of a contract (Art. 6(1)(b)) — to provide the service you sign up for.
  • Legitimate interests (Art. 6(1)(f)) — security, abuse prevention and basic service operation.
  • Consent (Art. 6(1)(a)) — any optional analytics or marketing cookies, should we introduce them; you can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)) — where we must retain or disclose data by law.

Cookies

We use strictly necessary cookies (session, security/CSRF, consent) and, with your consent, preference and analytics cookies. See the Cookie Policy for details and to manage your choices.

Sharing and processors

We do not sell your personal data. We share data only with processors that help us run the service, under appropriate data‑processing terms:

  • Hosting/infrastructure provider (server and database hosting).
  • E‑mail delivery (SMTP) provider for transactional messages.
  • Google, if you choose to sign in with Google (OAuth).
  • Google Ireland Limited / Google LLC — analytics (Google Analytics 4) and, where enabled, advertising (Google AdSense), only with your consent. For analytics Google acts as our processor; for advertising Google may act as an independent controller for its own ad and fraud‑prevention purposes.
  • Authorities, where disclosure is required by law.

International transfers

We aim to keep data within the EU/EEA. Where a processor transfers data outside the EEA, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses. Where you consent to Google Analytics or Google AdSense, your data may be processed by Google in the United States under those Clauses and, where applicable, Google’s certification under the EU–US Data Privacy Framework.

Retention

  • Account data: kept while your account exists. Deleting your account scrambles your e‑mail and display name and removes your password, sessions, 2FA secret, linked Google account, audit logs and consent records, while anonymizing any shares left public.
  • Anonymous shares: deleted automatically after they expire.
  • Access logs: pseudonymized and removed on a schedule (currently up to 365 days).
  • Abuse reports and support communications: kept while we handle the matter and for a reasonable period afterwards, then deleted.
  • Backups: rotated; residual copies are purged in the ordinary backup cycle.

Security

We apply industry measures including Argon2id password hashing, hashing of tokens, peppered HMAC hashing of IP/e‑mail values, AES‑256‑GCM encryption of 2FA secrets, TLS in transit, CSRF protection and rate limiting. No method is 100% secure, but we work to protect your data.

Your rights

  • Access, rectification and erasure of your personal data.
  • Restriction of, and objection to, processing.
  • Data portability — you can export your data as JSON from your account settings.
  • Withdraw consent at any time (for consent‑based processing).
  • Lodge a complaint with a supervisory authority — in the Czech Republic, the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, uoou.gov.cz).
  • Opt out of analytics and advertising: refuse or withdraw consent at any time via Cookie settings; you may also install the Google Analytics opt‑out add‑on (tools.google.com/dlpage/gaoptout) and manage ad personalization at adssettings.google.com.

Children

The service is not directed to children under 16. If you believe a child has provided us personal data, contact us and we will delete it.

Changes to this policy

We may update this policy; we will revise the “last updated” date and, for material changes, provide notice within the service.

Contact

For any privacy request, contact info@sharecode.online.