Privacy Policy

Last updated: 2 June 2026

1. Data Controller

Data controller within the meaning of the GDPR (Art. 13(1)(a)): Jacob Wieser, Widumacker 16, 39050 Jenesien (BZ), Italy. Contact: info@climactra.com. Further details in the Legal Notice. A Data Protection Officer has not been appointed as the conditions under Art. 37 GDPR are not met.

2. Data Collected

We collect and process the following personal data:

  • Account data: First name, last name, email address (legal basis: Art. 6(1)(b) GDPR — performance of a contract)
  • Authentication: Password hash (bcrypt with cost factor 12), hashed one-time code for email verification (OTP, max. 5 attempts, automatic invalidation on expiry), optional TOTP secret (AES-256-GCM encrypted) and hashed recovery codes for two-factor authentication, as well as reset token hashes for password recovery. Legal basis: Art. 6(1)(b) and (f) GDPR — performance of a contract and account security.
  • Security logs: IP address, user agent on login attempts (legal basis: Art. 6(1)(f) GDPR — legitimate interest: protection against brute-force attacks)
  • Hotel data: Hotel name, address, star classification, number of rooms/beds, full-time equivalents, seasonality and operational metrics, consumption data, primary contact email. For Italian hotels additionally (if provided by the customer): Partita IVA, Codice Fiscale, PEC email address, ATECO code. For DACH hotels possibly VAT ID. Legal basis: Art. 6(1)(b) GDPR — performance of a contract.
  • Consent record: IP address and timestamp when accepting the Terms/Privacy Policy (legal basis: Art. 6(1)(c) GDPR — obligation to demonstrate consent under Art. 7(1) GDPR)
  • Billing data: Stripe customer ID (per user; a single paying customer record) and Stripe subscription IDs (per hotel — each hotel has its own subscription) as well as billing-period data (legal basis: Art. 6(1)(b) GDPR — performance of a contract). Credit card details, bank details and billing history are stored exclusively by Stripe, not in our system. When an account is deleted, the associated Stripe customer record is automatically deleted as well (GDPR Art. 17).
  • Documents: Uploaded documents (invoices, delivery notes) as evidence for consumption data (legal basis: Art. 6(1)(b) GDPR — performance of a contract)
  • Invitations: Email addresses of invited team members (legal basis: Art. 6(1)(f) GDPR — legitimate interest: team functionality). The email address is entered by the inviting Owner (data source per Art. 14(2)(f) GDPR). The invited person is informed about the processing via the invitation email and may at any time decline the invitation or object to the processing by emailing info@climactra.com. Unaccepted invitations are automatically deleted after 7 days.
  • Waitlist sign-ups (AT/DE/CH): When signing up for the waitlist for markets outside Italy we store: email address, hotel name, selected country, language, IP address and truncated user agent. Purpose: notification when we launch in that market. Legal basis: Art. 6(1)(a) GDPR (consent through actively submitting the form). IP address and user agent are used exclusively for spam detection and not for profiling. Consent may be withdrawn at any time with effect for the future by emailing info@climactra.com (Art. 7(3) GDPR); the lawfulness of processing carried out prior to withdrawal remains unaffected.
  • Contact form: When the contact form at /kontakt is submitted, we process your name, email address, optionally the hotel name and your message. This information is sent by email to info@climactra.com. In addition we process your IP address temporarily and exclusively server-side for a rate limit (max. 3 requests per hour, spam protection). The IP address is not included in the email and is automatically deleted after the time window (60 minutes) expires. Legal basis for the email transmission: Art. 6(1)(a) GDPR (consent through actively ticking the privacy checkbox); supplementary Art. 6(1)(b) GDPR where the inquiry initiates a contractual relationship. Legal basis for the rate-limit processing of the IP: Art. 6(1)(f) GDPR — legitimate interest in protection against spam and automated requests. Consent may be withdrawn at any time with effect for the future by emailing info@climactra.com (Art. 7(3) GDPR); the lawfulness of processing carried out prior to withdrawal remains unaffected.
  • Change history (audit trail): Every change to consumption, emission or master data is logged with timestamp and attribution to the triggering user account. Legal basis: Art. 6(1)(b) and (c) GDPR — performance of a contract and obligation to ensure the reproducibility of historical calculations and reports. Important for staff accounts (Membership): the OWNER as controller is obliged to inform their staff about this tracking pursuant to Art. 13 GDPR.

Providing account data is a contractual prerequisite for using the service. Without this data, no account can be created. Security logs are collected automatically and are technically required for operation. Signing up to the waitlist and using the contact form are voluntary and based exclusively on the consent given.

3. Password Security Check

During registration and password changes, we check your password against a database of known compromised passwords (HaveIBeenPwned). Your password is not transmitted — only the first 5 characters of a SHA-1 hash value are sent (k-anonymity method). The service is operated by Troy Hunt (Australia/USA).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest: protection of your account). The transfer is encrypted (HTTPS). Based on the k-anonymity model, identifying your password is technically impossible.
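The range query described in this section, worked through as an added illustration (this is not Climactra's own code): the client hashes the candidate password with SHA-1, sends only the first 5 hex characters, receives every hash suffix in that range with its breach count, and compares the remaining 35 characters locally. The range response below is a constructed sample, not data from the real service, and the `offline_fetch` helper stands in for the HTTP request so the snippet runs without network access.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a range response for the prefix "5BAA6": one
# "SUFFIX:COUNT" line per hash in that range. The first suffix is the real
# SHA-1 tail of the string "password"; the other suffixes and all counts are
# made up for this example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\r\n"
        "00000000000000000000000000000000001:17\r\n"
    ),
}


def hash_parts(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-character prefix that
    is sent to the service and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the corpus (0 = not found).

    fetch_range receives the 5-character prefix only; matching the remaining
    35 characters happens on the client, which is what keeps the query
    k-anonymous: the server learns a range of roughly several hundred hashes,
    never which one was of interest.
    """
    prefix, suffix = hash_parts(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP range request, answered from the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-9vQ2"):
        n = breach_count(candidate, offline_fetch)
        print(f"{candidate!r}: {'seen %d times' % n if n else 'not in sample range'}")
```

In production `offline_fetch` would be replaced by a function performing the HTTPS range request with the prefix; the parsing and local comparison stay exactly as shown, and a non-zero count is what triggers the rejection of the password at registration or change time.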

4. Retention Periods

  • Login logs (IP, user agent): 90 days, then automatically deleted
  • Active sessions: 30 days of inactivity, then automatically deleted
  • Security audit logs: 365 days, then automatically deleted
  • Account data: Until the account is deleted by the user
  • Hotel and consumption data: Consumption data, reports, and hotel master data remain stored until the OWNER deletes the hotel or the associated account is deleted.
  • Documents/attachments: 10 years from upload date, in line with the bookkeeping retention obligation under Art. 2220 of the Italian Civil Code (applicable as the controller is established in Italy). Upon prior account or hotel deletion the file is soft-deleted — it remains encrypted in storage until the retention period expires and is then automatically and permanently deleted.
  • Invitations: 7 days after creation, then automatically deleted
  • Waitlist sign-ups: At most 24 months from sign-up (for sending the launch notification in the respective country), after which automatic deletion. Immediate deletion upon withdrawal of consent.
  • Contact-form messages (email in the controller's mailbox): until your inquiry has been finally processed, deleted at the latest after 6 months — unless statutory retention obligations apply. Immediate deletion upon withdrawal of consent.
  • Email logs (recipient, subject, type, delivery status): 90 days, then automatically deleted
  • Rate limit entries (IP-based, also covers the contact form): a few hours, automatically deleted upon expiry
  • System logs (error logs): 180 days, then automatically deleted
  • Consumption data change history: 7 years (statutory retention obligation under Art. 2220 of the Italian Civil Code)
  • Emission factor change history: 10 years (reproducibility of historical reports)

5. Your Rights (GDPR)

You have the following rights regarding your personal data:

  • Access (Art. 15): Export all your data as JSON in account settings
  • Rectification (Art. 16): Profile data (name, email, password) can be changed at any time in the account settings
  • Erasure (Art. 17): Complete account deletion including all associated data in account settings
  • Restriction of processing (Art. 18): Contact us by email at info@climactra.com
  • Data portability (Art. 20): Machine-readable JSON export
  • Objection (Art. 21): Contact us by email at info@climactra.com
  • Right to lodge a complaint (Art. 77): You have the right to lodge a complaint with a supervisory authority. For Italy: Garante per la protezione dei dati personali, www.garanteprivacy.it. For Austria: Österreichische Datenschutzbehörde, www.dsb.gv.at. For Germany: the data protection authority of your federal state.

6. Cookies and Local Storage

We use exclusively strictly necessary cookies and use the browser's local storage for convenience preferences. All set operations occur either automatically as part of authentication or after an active user action — no automatic tracking, no marketing or advertising cookies.

Cookies used

  • Session cookie (next-auth, JWT, 30 days, HttpOnly, Secure, SameSite=Lax) — set after login, required for authentication.
  • CSRF token cookie (next-auth, session duration, HttpOnly) — protection against cross-site request forgery, required for secure form posting.
  • Language preference cookie (NEXT_LOCALE, 1 year) — set when you switch languages or first visit the site.
  • Language switch marker (locale_decided, 1 year) — prevents repeated automatic language redirects.

LocalStorage (not a cookie)

  • Theme preference (theme = light | dark) — set when you toggle dark mode in the dashboard. Remains only in your browser, is not transmitted to our servers.

Audience measurement

Where enabled, we use exclusively a self-hosted, cookieless audience measurement (Umami). No cookies are set, no user IDs are assigned and no cross-site tracking is performed. Instead the browser generates an anonymised, daily-rotating hash from IP address and user agent which is used solely to distinguish sessions on a single day. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in audience measurement). Because no storage or access operation within the meaning of Art. 5(3) of the ePrivacy Directive takes place, no consent is required.

We currently do not collect separate cookie consent (Art. 5(3) ePrivacy Directive — all cookies set are strictly necessary for the service explicitly requested by the user).

7. Security Measures (Art. 32 GDPR)

  • Passwords: bcrypt with cost factor 12
  • TOTP secrets: AES-256-GCM encryption
  • Tokens: SHA-256 hash + timing-safe comparison
  • Transport: HTTPS with HSTS (1 year, preload)
  • Brute-force protection: persistent rate limiting + account lockout
  • Breach detection: automatic detection of suspicious login patterns
  • CSRF protection: origin validation + content-type enforcement
  • Content Security Policy: restrictive CSP headers without unsafe-eval
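The "SHA-256 hash + timing-safe comparison" pattern listed above for tokens, and the reset token hashes mentioned in section 2, as an added example (not Climactra's implementation). It assumes a password-reset flow in which the emailed link carries the user id alongside a random token, only the SHA-256 hash of the token is stored, the token is single-use with a one-hour lifetime, and verification uses a constant-time comparison; the in-memory store and all names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a reset token

# Hash of a fixed dummy value, compared against when no row exists for the
# requested user so that "unknown user" and "wrong token" take the same time.
_DUMMY_HASH = hashlib.sha256(b"no-such-token").hexdigest()


@dataclass
class StoredToken:
    token_hash: str    # hex SHA-256 of the token; the token itself is never stored
    expires_at: float
    used: bool = False


def hash_token(token: str) -> str:
    """Store only this; a leaked table of hashes cannot be replayed as tokens."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Hypothetical store with at most one active reset token per user."""

    def __init__(self) -> None:
        self._rows: Dict[str, StoredToken] = {}

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a token for the user and return it (this is what gets emailed)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[user_id] = StoredToken(hash_token(token), now + TOKEN_TTL_SECONDS)
        return token

    def consume(self, user_id: str, token: str, now: Optional[float] = None) -> bool:
        """Return True exactly once for a valid, unexpired token; False otherwise."""
        now = time.time() if now is None else now
        row = self._rows.get(user_id)
        stored_hash = row.token_hash if row is not None else _DUMMY_HASH
        # hmac.compare_digest runs in time independent of where the first
        # differing byte is, so response timing reveals nothing about how
        # close a guessed token's hash is to the stored one.
        matches = hmac.compare_digest(hash_token(token), stored_hash)
        if row is None or not matches or row.used or now > row.expires_at:
            return False
        row.used = True  # single-use: a second submission of the same link fails
        return True


if __name__ == "__main__":
    store = ResetTokenStore()
    t0 = time.time()
    tok = store.issue("user-42", now=t0)
    print("first use:", store.consume("user-42", tok, now=t0 + 5))      # True
    print("replay:", store.consume("user-42", tok, now=t0 + 6))         # False
    tok = store.issue("user-42", now=t0)
    print("expired:", store.consume("user-42", tok, now=t0 + TOKEN_TTL_SECONDS + 1))  # False
```

Two points the list item above does not spell out but the pattern depends on: the comparison must be applied to hashes of equal length (here both are 64-character hex strings), and the dummy-hash path keeps the "no such user" case on the same code path as a wrong token, which is the part of timing safety most easily lost when the lookup short-circuits.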

8. Third-Party Services and Data Transfers

For clearly delimited purposes we use the following external services. Three of them are located in the USA, on the legal bases stated below in each case:

  • Hetzner Online GmbH (Gunzenhausen, Germany): Hosting (VPS) and encrypted backup storage of all hotel master and consumption data. EU servers only (data centres in Germany and Finland), no third-country transfer. Legal basis: Art. 6(1)(b) and (f) GDPR. Data processing agreement in place.
  • HaveIBeenPwned API: Checking for compromised passwords during registration/changes (see section 3). Transfer: USA, based on k-anonymity — no personal data is transferred.
  • Stripe Payments Europe Ltd. (Ireland): Payment processing (credit card) and invoicing. Stripe receives payment data and the master data required for invoicing: company name (legal entity), VAT ID/Partita IVA, billing address, PEC and Codice Fiscale. No emission/consumption data and no login/account credentials are shared with Stripe. The contracting party is Stripe Payments Europe Ltd. (Dublin, Ireland); for parts of its infrastructure Stripe uses sub-processors in the USA (Stripe Inc.) under the EU-US Data Privacy Framework and the Standard Contractual Clauses.
  • Sentry (Functional Software Inc., USA): Error tracking and performance monitoring. Sentry receives technical error data (stack traces, browser type, URL). IP addresses are anonymised server-side; no personal data is intentionally transmitted. Transfer: USA, based on Standard Contractual Clauses (SCCs).
  • Brevo SAS (Paris, France): Delivery of transactional emails and waitlist notifications (verification codes, security warnings, billing notifications, market-launch notifications). Brevo processes only the recipient email address, subject and message content. Headquartered and primarily processing within the EU (France); Brevo uses sub-processors including some located in the USA (Amazon Web Services) for its mailing infrastructure on the basis of Standard Contractual Clauses and the EU-US Data Privacy Framework. Data processing agreement with Brevo in place.
  • IONOS SE (Montabaur, Germany): Domain registrar, DNS resolution, and email mailbox for info@climactra.com (receipt of business correspondence). EU servers, no third-country transfer. Data processing agreement in place.

No personal data is shared with third parties for advertising or marketing purposes.

9. Automated Decision-Making

No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place. CO₂ calculations are purely mathematical operations based on consumption data entered by the user and publicly available emission factors.

10. Role in Data Processing

Depending on the data category, Climactra acts in different roles under data protection law:

  • Controller (Art. 4(7) GDPR): For all processing operations described in this Privacy Policy — i.e. marketing-website visits, account and authentication data, Stripe payment data, waitlist sign-ups, security logs and all other data referred to in sections 2 to 8. Provider and controller: Jacob Wieser (address in the Legal Notice).
  • Processor (Art. 4(8) GDPR): For the personal data that you as a customer (hotel) upload to or process within the platform during contract performance — in particular employee and occupancy data. In this case you (the hotel) are the controller and Climactra is the processor. The rights and obligations of both parties are governed by the Data Processing Agreement (DPA), which is Appendix 1 and an integral part of the Terms of Service, concluded at contract formation.

11. Changes to This Privacy Policy

We reserve the right to update this privacy policy when the service changes or new legal requirements arise. The current version is always available at /datenschutz. Registered customers will be notified by email of material changes.