Privacy

Privacy policy for last30days.xyz

This policy describes what data is processed when you use last30days.xyz and for which purposes. Last updated: June 2026.

Controller

Name
Marcel Heinz
Address
Magdalenenstraße 6, 04129 Leipzig, Germany
Privacy requests
mrcl@mrclhnz.com

What data we process

last30days.xyz is an always-on research service: you choose tech topics, and we email you recurring, cited “last 30 days” briefs about them on a chosen cadence. When you use it, we process in particular the following data:

  • The topic and email address you submit to request a brief, including without an account (so we can generate the brief and send it to your inbox)
  • Account data when you create an account or sign in (email address, plan status). You can sign in with an email and password or with Google or GitHub; passwords are handled and stored securely by our authentication provider (Supabase), never by us directly
  • The topics you track and the briefs we generate for you, together with the public sources cited in them
  • Payment and billing data when you purchase a paid subscription (processed by Stripe; we do not store full payment details)
  • Technical connection data and necessary server logs

To produce a brief, we collect publicly available posts and articles (e.g. from Reddit, Hacker News, X, YouTube, TikTok, Perplexity, and more) relating to your topic and use an AI service provider to synthesize them into the brief.

Purposes of processing

  • Generating and delivering the research briefs you request, by email
  • Providing your account, your tracked topics, and your dashboard
  • Handling paid subscriptions and billing
  • Technical provision, stability, and security of the application
  • Handling contact requests and communicating with users

Legal bases

  • Art. 6(1)(b) GDPR, insofar as processing is necessary to perform the user agreement (account, tracked topics, brief generation and delivery, subscription) or to take pre-contractual steps (e.g. your first free brief)
  • Art. 6(1)(f) GDPR for the secure and efficient operation of the website and its technical provision
  • Art. 6(1)(a) GDPR, insofar as you have given consent (e.g. optional analytics)
  • Art. 6(1)(c) GDPR, insofar as legal obligations must be fulfilled (in particular commercial and tax retention duties)

Recipients and service providers

  • Vercel for hosting and technical delivery, and — only with your consent — Vercel Web Analytics
  • Supabase for authentication and database (accounts, topics, briefs)
  • Railway for the background worker that runs the research and assembles your briefs
  • Anthropic for AI-assisted synthesis of the briefs
  • Resend for sending the brief and account emails
  • Stripe for payment processing and subscription management

These service providers process data only to the extent necessary to provide and perform the respective functions.

Cookies and technically necessary technologies

We do not use marketing cookies.

Technically necessary cookies and comparable storage are used where required for operation, security, login, dashboard features, or sessions you explicitly request (e.g. the session cookie after signing in). No consent is required for these.

Optional analytics via Vercel Web Analytics are only loaded after you consent. You can change or withdraw your consent at any time via the cookie settings in the footer.

Retention

Account data, tracked topics, and generated briefs are stored for as long as your account exists and are removed when the account is deleted.

Where you request a brief without an account, the email address and topic are processed to generate and deliver that brief and to let you continue with the service.

Technical log data may be processed for a short period where necessary to ensure security, error analysis, and operation. Where statutory retention obligations exist (for example for invoice data), storage is limited to the extent required.

Third-country transfers

When Vercel, Supabase, Railway, Anthropic, Resend, and Stripe are used, processing in the USA cannot be ruled out. Such transfers only take place on the basis of suitable safeguards, in particular standard contractual clauses and supplementary protective measures where required.

Your rights

  • Right of access to the personal data processed about you
  • Right to rectification of inaccurate or incomplete data
  • Right to erasure pursuant to Art. 17 GDPR
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent you have given, with effect for the future
  • Right not to be subject to a decision based solely on automated processing, where the legal requirements are met

Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR.

Contact for privacy requests

For access, erasure, or any other privacy request, you can write to us directly at any time: mrcl@mrclhnz.com.