Privacy Policy.
Last updated: April 2026
1. Data Controller (Art. 13(1)(a) GDPR)
Frederic M. Wahl
Seestr. 55
74080 Heilbronn, Germany
Email: hello@apextell.net
2. Data We Collect (Art. 13(1)(d) GDPR)
- Account data: Email address, hashed password (bcrypt, never stored in plaintext), optional name, referral source
- Usage data: IP address (stored in audit and login attempt logs for security), timestamps of actions
- License data: Generated license/beta key, activation status, machine identifier (SHA-256 hash of device info)
- Payment data: Order records (amount, plan, status, Stripe session/payment IDs). Payment card details are processed directly by Stripe and never stored on our servers
- Feedback data: Voluntarily provided name, email, message text, and optional screenshot attachments submitted via the feedback form
We do not collect poker hand histories, gameplay data, or any data from the ApexTell desktop application through this website. The desktop application operates locally on your machine.
3. Purpose & Legal Basis (Art. 6 GDPR)
- Contract performance (Art. 6(1)(b)): Processing account data, license keys, and payment data to provide our Service and fulfill purchase contracts
- Legitimate interest (Art. 6(1)(f)): Security logging (IP addresses, login attempts) to protect against unauthorized access and abuse; fraud prevention
- Legal obligation (Art. 6(1)(c)): Retaining transaction records as required by German tax law (GoBD, § 147 AO — 10-year retention for commercial records)
- Consent (Art. 6(1)(a)): Optional analytics cookies, if and when implemented (only activated with explicit consent via the cookie banner)
4. Data Processors & Third-Party Services (Art. 13(1)(e)/(f) GDPR)
We use the following third-party processors, with whom we have entered into Data Processing Agreements (Art. 28 GDPR) where required:
- Stripe, Inc. (USA) — Payment processing. Stripe processes your payment card details directly and is PCI DSS Level 1 certified. Data transfers to the US are covered by Stripe's EU-US Data Privacy Framework certification. Stripe Privacy Policy
- Resend, Inc. (USA) — Transactional email delivery. Your email address is shared with Resend for sending verification, password reset, license key, and order confirmation emails. Resend Privacy Policy
- Vercel, Inc. (USA) — Website hosting and edge network. Standard server logs including IP addresses are processed. Data transfers are covered by Vercel's Standard Contractual Clauses. Vercel Privacy Policy
5. International Data Transfers (Art. 13(1)(f) GDPR)
Some of our processors are based in the United States. Data transfers to countries outside the EEA are safeguarded by the EU-US Data Privacy Framework (where applicable), Standard Contractual Clauses (SCCs) approved by the European Commission, and/or additional technical measures (encryption in transit and at rest).
6. Cookies
We use essential cookies only by default (session authentication via NextAuth.js). These are strictly necessary for the functioning of the Service and do not require consent under § 25 TDDDG / Art. 5(3) ePrivacy Directive.
No analytics, tracking, or advertising cookies are currently in use. If we introduce optional analytics in the future, they will only be activated with your explicit consent via the cookie banner.
7. Data Retention (Art. 13(2)(a) GDPR)
- Account data: Retained until you delete your account
- Audit logs (IP addresses, actions): Retained for 90 days, then automatically purged
- Login attempt logs: Retained for 30 days
- Verification tokens: Deleted after use or expiry (max 24 hours)
- Payment/order records: Retained for 10 years as required by German tax law (§ 147 AO)
- Feedback submissions: Retained in email form; no database storage
8. Your Rights (Art. 15–22 GDPR)
You have the following rights under the GDPR:
- Right of access (Art. 15): Request a copy of your personal data
- Right to rectification (Art. 16): Correct inaccurate data (via Account Settings or by contacting us)
- Right to erasure (Art. 17): Delete your account and all personal data via Account Settings. Note: order records subject to legal retention obligations may be retained in anonymized form
- Right to restriction of processing (Art. 18): Request temporary restriction of processing
- Right to data portability (Art. 20): Receive your data in a machine-readable format (JSON export available upon request)
- Right to object (Art. 21): Object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)): Withdraw cookie or other consent at any time, without affecting the lawfulness of prior processing
- Right to lodge a complaint (Art. 77): File a complaint with your local data protection authority. For Baden-Württemberg: Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
9. Data Requests
To exercise any of your rights, contact us at hello@apextell.net. We will verify your identity and respond within 30 days (extendable by 60 days for complex requests, with prior notification per Art. 12(3) GDPR). Requests are free of charge unless manifestly unfounded or excessive.
10. Security (Art. 32 GDPR)
We implement appropriate technical and organizational measures to protect your personal data:
- Passwords are hashed using bcrypt with a cost factor of 12
- All data is transmitted over HTTPS (TLS 1.2+)
- Database access is restricted and encrypted
- Refresh tokens are SHA-256 hashed before storage
- Rate limiting and brute-force protection on authentication endpoints
- Security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy) are enforced
11. Data Breach Notification (Art. 33/34 GDPR)
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and inform affected individuals without undue delay where the breach is likely to result in a high risk.
12. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we will delete it promptly.
13. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or a prominent notice on the website. The "Last updated" date at the top of this page reflects the most recent revision. We encourage you to review this policy periodically.