Privacy policy

Last updated: 2026-05-24

This policy explains what personal data is processed when you use pollr, why, on what legal basis, and for how long. The aim is to collect the absolute minimum needed to run the service.

Controller

§ 01

The controller responsible for data processing on this service is:

Tobias König
Wiesenau 11
24238 Selent, Germany
Email: pollr@movb.de

A data protection officer is not required for this service under Art. 37 GDPR and is therefore not appointed.

What data we process

§ 02

IP addresses

When you visit pollr or cast a vote, your IP address is transmitted by your browser as a technical necessity. IP addresses are not stored by the application and are not written to long-term application logs. They appear only transiently in the hosting provider's standard request logs.

Poll content

When you create a poll, the poll title, description, questions, options, and configuration you provide are stored. When you cast a vote, your selections are stored, linked to the poll but not to your identity. Do not enter personal data into poll titles, questions, or options if you don't want it stored.

Legal basis: Art. 6 (1) (b) GDPR — performance of the (free-of-charge) contract to run a poll on your behalf. Poll creators are themselves controllers for any personal data they choose to collect via their poll.

Retention: Poll data is retained while the poll is active and for 90 days after closing, after which it is automatically deleted. Creators can also delete their poll at any time from the admin view.

Admin credentials

When you create a poll, an admin token and an admin password are generated. The password is stored in the database only as a salted Argon2 hash. After you log in, a random session token (not the password) is set as a cookie to keep you signed in; the session lasts up to 30 days, after which you have to log in again. Admin tokens, session entries, and the password hash are deleted together with the poll.

Legal basis: Art. 6 (1) (b) GDPR.

Cookies and similar technologies

pollr sets only strictly necessary cookies, which do not require consent under § 25 (2) TTDSG:

pollr_lang — stores your selected interface language (EN/DE). Lifetime: 365 days.
pollr_theme — stores your selected color scheme (light/dark). Lifetime: 365 days.
pollr_admin_<admin token> — set only after you log in as a poll admin. Contains an opaque session token (not your password). HTTP-only, SameSite=Strict, scoped to the admin URL of that specific poll. Lifetime: 30 days.

pollr does not use analytics cookies, advertising cookies, tracking pixels, or third-party embeds.

Recipients and processors

§ 03

The hosting provider processes data on the controller's behalf under a data processing agreement (Art. 28 GDPR):

Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany — server hosting and traffic delivery. The Falkenstein (Germany) data center is used.

Your data is not sold, rented, or shared with anyone else, and it is not used for advertising or profiling.

International transfers

§ 04

All processing takes place within the European Union. No data is transferred to third countries.

Your rights

§ 05

Under the GDPR you have the following rights regarding your personal data:

Right of access (Art. 15)
Right to rectification (Art. 16)
Right to erasure / "right to be forgotten" (Art. 17)
Right to restriction of processing (Art. 18)
Right to data portability (Art. 20)
Right to object to processing based on legitimate interest (Art. 21)
Right to withdraw consent at any time, where processing is based on consent (Art. 7 (3))

To exercise any of these rights, contact pollr@movb.de.

Because votes are not linked to an identifiable person, it may not be possible to identify you in the records (Art. 11 GDPR). In that case, you can still exercise your rights by providing additional information enabling identification (e.g. an admin token).

Right to lodge a complaint

§ 06

You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your residence, workplace, or the place of the alleged infringement (Art. 77 GDPR). The competent authority is:

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98, 24103 Kiel, Germany
www.datenschutzzentrum.de

Automated decision-making

§ 07

Your data is not used for automated decision-making or profiling within the meaning of Art. 22 GDPR.

Changes to this policy

§ 08

This policy may be updated to reflect changes to the service or legal requirements. The current version is always available at this URL. Material changes will be highlighted on the homepage.