Privacy Policy
1. Privacy at a Glance
General Information
The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you.
2. Data Collection on This Website
Who is responsible for data collection on this website?
The party responsible for data processing on this website is Fabian Fuchs, Kampenwandstraße 18, 83104 Ostermünchen, Germany. Further details can be found in the imprint of this website.
How is your data collected?
Your data is collected when you provide it to the provider. This may include, for example, your email address that you enter in a registration form.
Other data is automatically collected by IT systems when you visit the website. This is primarily technical data (e.g., internet browser, operating system, or time of page access).
3. Local Data Storage
Without a user account, grafcet.io stores your created GRAFCET diagrams only locally in your browser (LocalStorage). In that case the data is not transmitted to the provider, and you can remove it at any time by clearing your browser cache. As soon as you are logged in, your diagrams are stored in the cloud (see section 5).
4. User Accounts and Authentication
You can create a free user account with your email address and password. An account enables cloud storage and synchronization of your GRAFCET diagrams as well as, optionally, the Pro features. Authentication is handled via Supabase Auth.
Supabase is hosted on EU servers (Frankfurt, Germany).
Data stored: email address, hashed password, profile data, and license status.
You can delete your account at any time by contacting the provider at hi@grafcet.io.
Optionally you can sign in with Google (OAuth 2.0). Your email address and Google account ID are transferred to Google Ireland Ltd.; processing takes place partly in the USA under the EU-US Data Privacy Framework and Standard Contractual Clauses. Legal basis: Art. 6(1)(b) GDPR (contract performance).
5. Cloud Storage
As soon as you are logged in, your GRAFCET diagrams are automatically saved to Supabase on EU servers (free accounts: up to 3 diagrams; Pro: unlimited). The name and content (nodes and connections) of your diagrams are stored.
Your stored diagrams are in principle only accessible to you as an authenticated user. However, if you actively create a share link for a diagram, anyone who has that link can open a copy of that diagram without logging in. As long as you do not create a share link, the diagram remains private.
After your license expires, cloud data is retained for 90 days and then automatically deleted.
You can delete your cloud data at any time.
6. Payment Processing
Payments are processed by Lemon Squeezy (Lemon Squeezy, LLC) acting as Merchant of Record.
The provider only receives from Lemon Squeezy: email address, transaction ID, and payment status.
Credit card data or other payment information is neither received nor stored by the provider.
Lemon Squeezy privacy policy: https://www.lemonsqueezy.com/privacy
When you activate a license key in the account panel, the provider additionally stores the moment of your express consent (eu_consent_at) and the consent text version (eu_consent_text_version). These fields are the evidence trail for the early lapse of the right of withdrawal under § 356(5) German Civil Code. Legal basis: Art. 6(1)(b) GDPR (performance of contract).
7. Email Communication and Contact Form
Transactional and authentication emails (e.g., license key delivery, account notifications, password reset) are sent via Resend (Plus Five Five, Inc., USA). The transfer to the USA is safeguarded by the EU-US Data Privacy Framework and standard contractual clauses.
Only your email address is shared with Resend.
Marketing emails are only sent with your explicit consent.
The contact form on the "Contact" page and the feedback form in the editor are provided by Tally (Tally B.V., Belgium, EU) and loaded as an embedded form. The data you enter there (e.g., email address and message) is processed by Tally in order to respond to your request. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in handling enquiries).
8. Cookies and Local Storage
In basic operation this website uses only technically necessary cookies (e.g., authentication session). Any further cookies are set only with your consent.
LocalStorage is used to save GRAFCET diagrams and editor settings.
Without your consent, no third-party tracking or marketing cookies are used.
For usage analytics the provider uses PostHog (PostHog Inc., EU region eu.i.posthog.com). The analysis is two-tiered:
(1) Without your consent, only an anonymous, cookieless reach measurement is performed. No cookies are set and no access to your device takes place (no cookie or local-storage access). Only page views are counted; recurring visitors are estimated via a server-side, daily-rotating hash value (derived from, among other things, IP address and browser identifier) that is deleted at the end of the day and does not allow you to be identified. The legal basis for this is Art. 6(1)(f) GDPR (legitimate interest in a data-minimizing, anonymous reach measurement).
(2) Only with your explicit consent are additional individual events, persistent identifiers, session recordings (session replays) and error reports captured, with all input fields (e.g., passwords and email addresses) masked. The legal basis for this is Art. 6(1)(a) GDPR (consent) in conjunction with Section 25(1) TDDDG.
The consent banner is provided by Cookiebot (Cybot A/S, Denmark). You can withdraw your consent at any time via the "Cookie settings" link in the footer. See the Cookie Policy for details.
Hosting & CDN: The site runs on Vercel Inc. (USA). Vercel processes connection and server log data (including IP address, user agent, request URL) for delivery and abuse prevention. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operation). Transfer to a third country: EU-US Data Privacy Framework and Standard Contractual Clauses.
Amazon Associates (affiliate links): On the "Recommendations" page, links to amazon.de are marked as advertising. Only when you actively click such a link will you reach Amazon — until then no cookies are set and no data is transmitted to Amazon (no preconnect, no embedded script). Once you click an affiliate link, Amazon's privacy notice applies (Amazon Europe Core S.à r.l., Luxembourg): https://www.amazon.de/gp/help/customer/display.html?nodeId=GVP69FUJ48X9DK8X.
Bot and spam protection (Cloudflare Turnstile): To protect the login, registration and password-reset forms against automated misuse, Cloudflare Turnstile (Cloudflare, Inc., USA) is used. It processes technical data such as IP address, browser identifier and interaction signals; Turnstile works without tracking cookies. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in defending against bots and spam). Transfer to a third country: EU-US Data Privacy Framework and standard contractual clauses. Privacy policy: https://www.cloudflare.com/turnstile-privacy-policy/.
9. Subprocessors (overview)
The following providers process personal data on behalf of grafcet.io (subprocessors under Art. 28 GDPR) or are recipients within the meaning of Art. 13 GDPR. Transfers to the USA are safeguarded by the EU-US Data Privacy Framework and/or standard contractual clauses.
- Supabase Inc. — authentication, database, cloud storage. Location: EU (Frankfurt). Data: email, password hash, profile, licenses, stored GRAFCETs. No third-country transfer.
- Vercel Inc. — hosting, CDN, cron jobs. Location: USA. Data: server/request logs, IP address (short-term), user agent. Safeguard: DPF + standard contractual clauses.
- Cloudflare, Inc. — bot/spam protection in the auth flow (Turnstile). Location: USA. Data: IP address, browser identifier, interaction signals. Safeguard: DPF + standard contractual clauses.
- Lemon Squeezy, LLC — payment processing (Merchant of Record). Location: USA. Data: email, transaction ID, payment status (no cardholder data). Safeguard: DPF + standard contractual clauses.
- Resend (Plus Five Five, Inc.) — transactional and authentication emails. Location: USA. Data: email address. Safeguard: DPF + standard contractual clauses.
- PostHog Inc. — reach measurement and (consent-gated) usage analytics. Location: EU hosting (Frankfurt); provider USA. Data: without consent an anonymous daily hash and page views; with consent session ID, events, URLs, session replays (passwords masked). Safeguard: EU data residency, additionally standard contractual clauses.
- Cybot A/S (Cookiebot) — consent management. Location: EU (Denmark). Data: consent choices, cookie ID. No third-country transfer.
- Google Ireland Ltd. — optional OAuth login and embedded YouTube videos (click-to-load). Location: EU/USA. Data: email and Google account ID (login); for YouTube additional usage data after a click. Safeguard: DPF + standard contractual clauses.
- Tally B.V. — contact and feedback form. Location: EU (Belgium). Data: email address, message content. No third-country transfer.
On request the provider will provide a data processing agreement (DPA): hi@grafcet.io. Logged-in Pro customers may object to the use of new subprocessors within 30 days.
10. Your Rights
Under the GDPR, you have the following rights:
- Right to information (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to deletion (Art. 17 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to withdraw consent with effect for the future (Art. 7(3) GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR) — the competent authority is the Bavarian State Office for Data Protection Supervision (BayLDA)
Contact: hi@grafcet.io
11. Last Updated
This privacy policy is currently valid as of 31 May 2026.