Processing Activities Registry
Record of processing activities pursuant to Art. 30 of Regulation (EU) 2016/679 (GDPR).
Data Controller
IDCERT S.r.l. Benefit Corporation
Pursuant to Art. 37 GDPR, the appointment of a DPO is not currently mandatory. This section will be updated if circumstances change.
Technical operation of the portal
Purpose (Art. 30.1.b)
Provision of web service, routing, page rendering
Legal Basis
Art. 6.1.f
Data Subjects (Art. 30.1.c)
Website visitors
Data Categories (Art. 30.1.c)
Navigation data (anonymized IP, user agent, URL)
Recipients (Art. 30.1.d)
Vercel Inc. (hosting), Supabase Inc. (database)
Extra-EU Transfers (Art. 30.1.e)
USA (Vercel) with SCCs; EU (Supabase eu-central-1)
Retention (Art. 30.1.f)
Duration of session
Art. 32 Measures (Art. 30.1.g)
HTTPS/TLS, CSP, HSTS, X-Frame-Options DENY, anonymized IP
Cookie consent management
Purpose (Art. 30.1.b)
Collection and recording of consent for GDPR accountability
Legal Basis
Art. 6.1.c
Data Subjects (Art. 30.1.c)
Website visitors
Data Categories (Art. 30.1.c)
Anonymous session ID, IP hash (SHA-256 + rotating salt), cookie preferences, policy version, user agent
Recipients (Art. 30.1.d)
Supabase Inc. (database, EU region)
Extra-EU Transfers (Art. 30.1.e)
EU (Supabase eu-central-1)
Retention (Art. 30.1.f)
5 years (GDPR Art. 5.2 accountability obligations)
Art. 32 Measures (Art. 30.1.g)
Supabase RLS, SHA-256 anonymized IP, CSRF protection, rate limiting
Contact request management
Purpose (Art. 30.1.b)
Responding to user requests sent through the contact form
Legal Basis
Art. 6.1.b
Data Subjects (Art. 30.1.c)
Users who fill out the contact form
Data Categories (Art. 30.1.c)
Name, email, subject, message, IP hash, language
Recipients (Art. 30.1.d)
Supabase Inc. (database, EU region)
Extra-EU Transfers (Art. 30.1.e)
EU (Supabase eu-central-1)
Retention (Art. 30.1.f)
12 months from request
Art. 32 Measures (Art. 30.1.g)
Supabase RLS, anti-bot honeypot, CSRF, rate limiting (3 req/10 min), anonymized IP
Google Analytics (consent-gated)
Purpose (Art. 30.1.b)
Anonymous statistical traffic analysis to improve the service
Legal Basis
Art. 6.1.a
Data Subjects (Art. 30.1.c)
Visitors who consent to analytics cookies
Data Categories (Art. 30.1.c)
Aggregated navigation data, IP anonymized by Google, _ga cookie
Recipients (Art. 30.1.d)
Google LLC
Extra-EU Transfers (Art. 30.1.e)
USA (Google) with EU-US Data Privacy Framework
Retention (Art. 30.1.f)
26 months (GA4 setting)
Art. 32 Measures (Art. 30.1.g)
Activated ONLY after explicit consent, anonymize_ip: true, SameSite=Lax; Secure cookies
User interface preferences
Purpose (Art. 30.1.b)
Storing language and theme preferences (light/dark)
Legal Basis
Art. 6.1.f
Data Subjects (Art. 30.1.c)
All visitors
Data Categories (Art. 30.1.c)
Language code (NEXT_LOCALE), theme (localStorage 'theme')
Recipients (Art. 30.1.d)
None (local data only)
Extra-EU Transfers (Art. 30.1.e)
None
Retention (Art. 30.1.f)
NEXT_LOCALE: 12 months; theme: until manual deletion
Art. 32 Measures (Art. 30.1.g)
Non-personal technical data, no transfer
User authentication
Purpose (Art. 30.1.b)
Registration, login, and user session management via Supabase Auth
Legal Basis
Art. 6.1.b
Data Subjects (Art. 30.1.c)
Registered users
Data Categories (Art. 30.1.c)
Email, password (hash), name, avatar URL, role, preferred locale, creation date
Recipients (Art. 30.1.d)
Supabase (sub-processor, EU/EEA infrastructure)
Extra-EU Transfers (Art. 30.1.e)
Supabase: EU servers (aws-eu-central-1). Standard Contractual Clauses (SCCs) in place.
Retention (Art. 30.1.f)
Until account deletion (ON DELETE CASCADE on all user data)
Art. 32 Measures (Art. 30.1.g)
Password hashed (bcrypt), HttpOnly/Secure/SameSite=Lax cookies, PKCE flow, RLS on all tables, session refresh via proxy
User data management (bookmarks, search history, preferences)
Purpose (Art. 30.1.b)
Saving bookmarks, search history, and personalized preferences for authenticated users
Legal Basis
Art. 6.1.b
Data Subjects (Art. 30.1.c)
Registered users
Data Categories (Art. 30.1.c)
Saved resource URIs, type (occupation/skill/qualification), title, search timestamps, theme/language preferences
Recipients (Art. 30.1.d)
Supabase (sub-processor, EU/EEA infrastructure)
Extra-EU Transfers (Art. 30.1.e)
Supabase: EU servers (aws-eu-central-1)
Retention (Art. 30.1.f)
Until account deletion (ON DELETE CASCADE). Bookmarks and history can be individually deleted by user.
Art. 32 Measures (Art. 30.1.g)
RLS: each user can only access their own data. Admin: read-only. Role escalation prevention via RLS.
Error monitoring and stability (Sentry)
Purpose (Art. 30.1.b)
Detection and diagnosis of application errors to ensure service stability. Session Replay (session recording) activated only after analytics consent.
Legal Basis
Art. 6.1.f / Art. 6.1.a
Data Subjects (Art. 30.1.c)
Website visitors and registered users
Data Categories (Art. 30.1.c)
Error stack traces, URL, user agent, browser. With analytics consent: IP, cookies, HTTP headers, interaction recordings (Session Replay)
Recipients (Art. 30.1.d)
Functional Software Inc. (Sentry), San Francisco, CA, USA
Extra-EU Transfers (Art. 30.1.e)
USA (Sentry) with Standard Contractual Clauses (SCCs)
Retention (Art. 30.1.f)
90 days (Sentry default setting)
Art. 32 Measures (Art. 30.1.g)
Basic mode without PII (legitimate interest). PII and Session Replay activated ONLY after explicit analytics consent. Tunnel route /monitoring for ad-blocker bypass. Source maps hidden from client.
Anti-bot protection (Cloudflare Turnstile)
Purpose (Art. 30.1.b)
Automated anti-bot verification on contact, registration and login forms to prevent abuse and spam
Legal Basis
Art. 6.1.f
Data Subjects (Art. 30.1.c)
Users who interact with protected forms (contact, registration, login, email change)
Data Categories (Art. 30.1.c)
IP address, browser fingerprint, widget interaction data, verification token
Recipients (Art. 30.1.d)
Cloudflare Inc., San Francisco, CA, USA
Extra-EU Transfers (Art. 30.1.e)
USA (Cloudflare) with Standard Contractual Clauses (SCCs)
Retention (Art. 30.1.f)
Duration of verification (data is not retained after token validation)
Art. 32 Measures (Art. 30.1.g)
No tracking cookies. Non-invasive widget ('managed' mode). No consent required — legitimate interest for service security.
Last updated: April 2026