What we collect and why.

2. What data we collect

• Account & profile. Email (mandatory, used as your login identifier), handle, optional bio, avatar image, and the platform handles you publicly attach to your profile.
• Content you publish. Posts (title, body, optional external URL, optional image), each cryptographically signed with a key pair that lives on our server.
• Authentication tokens. Short-lived magic-link tokens stored in our database, plus a signed HMAC session cookie in your browser once you sign in.
• Google OAuth identifier. If you sign in with Google we receive your Google account email and a stable subject identifier. We do not store passwords because we do not use them.
• Payment metadata. If you subscribe, our payment processor (see §5) returns a customer and subscription identifier and the status of your subscription. We never see your full card number, CVC or bank credentials.
• Anti-abuse signals. Your IP address and request timestamps are temporarily held in a rate-limit cache to block spam and brute-force attempts. The cache expires automatically.
• Server logs. Standard web-server access logs (IP, user-agent, path, status code) are kept on the server for operational debugging. They are not shared with third parties.

We do not collect special-category data (Article 9 GDPR). We do not ask for your real name, government ID, phone number or financial credentials.

3. Why we collect it (legal bases)

• Contract (Art. 6(1)(b)). To create your account, run the verification flow, sign your posts, process your subscription and provide the service you signed up for.
• Legitimate interest (Art. 6(1)(f)). To detect abuse, prevent fraud and keep the platform online. Examples: rate-limit cache, anti-spam middleware, server logs.
• Legal obligation (Art. 6(1)(c)). To retain records required by tax or accounting law if a transaction occurred between us.
• Consent (Art. 6(1)(a)). For any non-essential storage in your browser (Functional / Analytics / Marketing categories — see §7). Necessary cookies do not rely on consent.

4. How long we keep it

• Account & posts: until you delete your account or ask us to. Deleting your account removes your profile, posts, platform links and verification records.
• Magic-link tokens: expire within minutes of issue and are deleted from the database on use.
• Session cookies: up to 30 days from sign-in, or until you log out.
• Anti-abuse cache: entries expire automatically within 24 hours.
• Server & cron logs: rotated weekly, kept for at most 4 weeks.
• Database backups: kept for 30 days for disaster recovery, then permanently destroyed.
• Payment records: retained for as long as required by German tax law (currently up to 10 years) after the transaction.

5. Who else processes your data

We share the minimum amount of data needed with the following processors:

• Resend (USA, via EU Standard Contractual Clauses) — sends transactional emails (magic link, verification updates). Receives your email address and the contents of the email.
• Google LLC (USA, EU SCC) — only if you sign in with Google. Provides your account email and a stable subject identifier to us.
• Stripe(USA, EU SCC) — handles payments. Receives your billing details directly from you; we receive only the customer ID, subscription ID and status. Stripe's own privacy notice applies to the data you submit to them.
• Our hosting provider — a virtual private server located in Germany. They store the encrypted disk image of the server.

We do not sell, rent or trade your personal data. We do not use advertising trackers.

6. Your rights

Under GDPR you have the right to:

• • Access the personal data we hold about you (Art. 15).
• • Have inaccurate data corrected (Art. 16).
• • Have your data erased (Art. 17).
• • Restrict or object to processing (Art. 18 & 21).
• • Receive your data in a portable format (Art. 20).
• • Withdraw consent at any time (Art. 7).
• • Lodge a complaint with your local supervisory authority. In Germany the competent authority is the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI).

7. How to exercise your rights (DSAR procedure)

Send an email to hello@realwall.live with the subject line starting with DSAR: followed by the type of request (for example DSAR: access, DSAR: deletion, or DSAR: export). Send the email from the address registered to your account so we can verify identity. If you are not logged in or do not have an account, include enough information for us to locate the data you are asking about.

We will acknowledge your request within 7 days and complete it within 30 days (Art. 12(3) GDPR). Complex requests can be extended by up to 60 additional days; we will tell you if that applies. The procedure is free; we may charge a reasonable fee only for clearly unfounded or excessive repeat requests.

8. Cookies and local storage

We do not use third-party advertising trackers. The items below are everything we read or write in your browser. You can change your consent at any time using the Manage cookie preferences link.

9. International transfers

Our servers and database are located in Germany. Some processors listed in §5 (Resend, Google, Stripe) are based in the United States. Transfers to those processors are covered by the European Commission's Standard Contractual Clauses (SCCs) plus any additional safeguards required by Schrems II.

10. Children

RealWall.live is not directed at children. You must be at least 18 years old to create a creator account. The adult-content section requires explicit confirmation that you are 18 or older.

11. Changes to this policy

If we make material changes we will notify registered users by email and update the “Last updated” date at the top of this page. Continued use of the service after the change indicates acceptance of the new policy. The full previous version remains available on request.

Related: Terms of Use · Content Policy