Privacy Policy
Draft v0.9 — last updated ⟨date⟩
What Kontakt does
Kontakt lets object owners create QR codes so that anyone can contact them without either side revealing personal contact details. To provide this, we relay messages between visitors and owners.
- Visitors don't need an account. We don't store your raw IP address.
- Messages are encrypted in transit and at rest and are automatically deleted (default: 90 days).
- We only store a visitor's contact details if the visitor types them in.
- Kontakt is a relay, not end-to-end encrypted — our systems process message content to deliver it and to filter spam.
- We host in AWS Frankfurt (Germany, eu-central-1) and sell no data to anyone.
If you are a visitor (you scanned a tag)
| Data | Purpose | Retention |
|---|---|---|
| Message text you send | Delivering your message to the tag owner | Until owner deletes, max. retention set by owner (default 90 days) |
| Contact details you optionally enter | Letting the owner contact you back | Same as the message; you choose whether to provide it at all |
| Rate-limit signal: salted, daily-rotating hash of your IP | Abuse and spam prevention | Hash rotates daily; never stored as raw IP |
We do not set advertising/analytics cookies, fingerprint your device, store your raw IP address, or require any identity from you.
If you are an owner
| Data | Purpose | Retention |
|---|---|---|
| Email address | Account and message notifications | Life of account |
| Tag configuration, incl. any contact values you choose to disclose | Providing your contact page — anything set to "disclose" is public to anyone who scans that tag | Life of tag |
| Received messages | The service itself | Per your retention setting |
What "anonymous" means here — and its limits
We shield both sides' contact details in relay mode. Relay content is encrypted at rest; our systems can technically decrypt it to deliver notifications and filter spam. Kontakt is not end-to-end encrypted. We may be legally required to disclose stored data to authorities upon valid legal order — because we minimize what we store, what can be disclosed is correspondingly minimal.
Where data is stored
All service data is stored with Amazon Web Services in the eu-central-1 (Frankfurt, Germany) region, encrypted at rest and in transit.
Sub-processors
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services EMEA SARL | Hosting, storage, email delivery | EU (Frankfurt) |
Current list always at this page; updated as sub-processors (e.g. a bot-protection or payments provider) are added in later phases.
Your rights (GDPR Art. 15–21, 77)
Access, rectification, erasure, restriction, portability, objection, and withdrawal of consent — contact privacy@kontakt.zxcv32.com. You may lodge a complaint with a supervisory authority.
Children
The service is not directed at children under 16.