Skip to content
Legal

Privacy Policy

Last updated: April 24, 2026

1. Overview

This privacy policy describes how StepLinq handles personal data. StepLinq is committed to transparency and data minimisation. The StepLinq desktop application collects no personal data. This website collects only the minimum necessary to operate. No third-party cookies are set.

2. Data controller

The data controller responsible for processing: Luka Marušić, Berduxstraße 50, 81245 Munich, Germany. Email: support@steplinq.com. Full address and mandatory details are in the Impressum.

3. The StepLinq desktop application

StepLinq is offline-first software. When you use the desktop application, no usage data, telemetry, or personal information is transmitted to StepLinq or any third party. Your work instructions, photos, part numbers, and all other data remain entirely on your machine. Licence validation is performed locally using an HMAC-SHA256 signature — no network request is made. The sole exception: the auto-update mechanism contacts GitHub servers (see § 12).

4. Website hosting (Vercel)

The steplinq.com website is hosted by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA. When you visit, Vercel automatically processes technical request metadata (IP address, browser, OS, referrer, timestamp) to deliver the page and prevent abuse. Legal basis: Art. 6(1)(f) GDPR. Retention: up to 30 days for access logs. US transfer: Vercel Inc. is EU-US DPF-certified.

5. Vercel Analytics

This website uses cookieless usage statistics via Vercel Analytics (Vercel Inc., address as § 4). Only aggregated page-view counts are collected. No cookies are set, no personal identifiers are stored, and no cross-site tracking is performed. Legal basis: Art. 6(1)(f) GDPR.

6. AI chatbot

NOTICE PURSUANT TO ART. 52 EU AI ACT: You are interacting with an AI system, not a human being. Service provider: Anthropic PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA. When you use the chatbot, the content of your messages and an anonymous session ID are sent to Anthropic's API via our server. Your IP address and contact details are not shared with Anthropic. Legal basis: Art. 6(1)(f) GDPR. US transfer: EU Standard Contractual Clauses (SCC). Chat history is stored in your browser's sessionStorage and deleted when you close the tab.

7. Waitlist sign-up

When you submit your email via the waitlist form, your email address is sent server-side to Sendinblue GmbH (Brevo), Rosenthaler Str. 13, 10119 Berlin, Germany. Purpose: pre-contractual communication about the product launch. Legal basis: Art. 6(1)(b) GDPR. Retention: until you unsubscribe or maximum 3 years after sign-up. Processing is server-side only — no client-side Brevo SDK, no cookies.

8. Chatbot email hand-off

If you request email contact via the chatbot, your email address and enquiry are forwarded to support@steplinq.com via the SMTP service of Sendinblue GmbH (Brevo), address as § 7. Legal basis: Art. 6(1)(b) GDPR. Retention: 3 years after last contact.

9. Support email

When you contact us at support@steplinq.com, your email address and message are stored for the purpose of responding and future reference. Legal basis: Art. 6(1)(b) or Art. 6(1)(f) GDPR. Retention: 3 years after last contact.

10. Paddle payments

Purchases of a StepLinq licence are processed by Paddle.com Market Ltd, Judd House, 18-29 Mora Street, London EC1V 8BT, United Kingdom, as our Merchant of Record. Paddle collects the data required for payment processing and tax compliance. StepLinq receives only the order confirmation and your email for licence delivery. Paddle's own privacy policy applies to the checkout. UK: EU adequacy decision.

11. Cloudflare (licence validation)

Licence validation for the desktop application runs via Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA. The validation request transmits a licence key hash and timestamp. Legal basis: Art. 6(1)(b) GDPR. US transfer: Cloudflare is DPF-certified.

12. GitHub (auto-update distribution)

Software updates are distributed via GitHub Inc., 88 Colin P Kelly Jr St, San Francisco, CA 94107, USA (Microsoft subsidiary). When fetching an update, the application transmits technical metadata (IP address, current version). Legal basis: Art. 6(1)(b) GDPR. US transfer: GitHub is DPF-certified via Microsoft.

13. Cookies and local storage

This website sets no third-party cookies. No cookie banner is shown because no consent-dependent technologies are in use. First-party cookies: none. The chatbot uses your browser's sessionStorage (not a cookie under § 25 TTDSG, no consent required, deleted when tab closes).

14. International data transfers

Vercel Inc. (USA): DPF-certified. Anthropic PBC (USA): SCC. Sendinblue GmbH/Brevo (Germany): no transfer outside EU. Cloudflare Inc. (USA): DPF-certified. GitHub Inc. (USA): DPF-certified (Microsoft). Paddle.com Market Ltd (UK): adequacy decision. SCC documentation for Anthropic available on request at support@steplinq.com.

15. Your rights (Art. 15–21 GDPR)

You have the right to: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and to object (Art. 21 — see § 16). To exercise any of these rights: support@steplinq.com

16. Right to object (Art. 21 GDPR)

IMPORTANT NOTICE: Where we process your data on the basis of a legitimate interest (Art. 6(1)(f) GDPR) — in particular website hosting, Vercel Analytics, and the AI chatbot — you have the right to object to this processing at any time. If you object, we will cease processing for that purpose unless we can demonstrate compelling legitimate grounds that override your interests. To object: support@steplinq.com

17. Right to complain to the supervisory authority

You have the right to lodge a complaint with the supervisory authority: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 27, 91522 Ansbach, Germany, www.lda.bayern.de

18. Contact

Questions about this policy: support@steplinq.com

Questions? Ask here