1. Who is responsible
MeshHold is a personal open-source project, operated as a private project by Iurii Iakovlev, a natural person resident in Novi Sad, Serbia. There is no corporate entity behind this site at the time of writing.
Under GDPR Article 4(7), the data controller is therefore the individual operator listed above. Contact for all data-protection matters: info@meshhold.com. No formal Data Protection Officer is appointed β our processing scale does not require one under Article 37 GDPR, and the contact email routes directly to the operator.
2. What data we process
When you visit the public site
- Your IP address (kept in webserver access logs).
- Your browser's User-Agent string.
- The URL you requested, the timestamp, and the HTTP status returned.
- Your language preference (set via the language switcher) β stored in a cookie so the site remembers it.
When you register an account on the forum
- Your email address β required for account verification and password reset.
- Your chosen username β displayed publicly with your posts.
- A salted hash of your password β we never see the plain password.
- The date you accepted the Privacy Policy and Terms of Service, and the version you accepted (audit log of consent).
- Optionally: a short bio and an avatar URL, if you choose to add them.
When you use the forum
- The content you post (threads, replies, edits).
- Likes you give or receive.
- Notifications addressed to you (replies, mentions).
- Your trust level, post count, last-seen timestamp β derived from your activity.
- If you upload files as attachments: the file content and filename.
What we explicitly do NOT collect
- No third-party analytics (no Google Analytics, no Facebook Pixel, no Hotjar, etc.).
- No advertising trackers. We do not run ads.
- No fingerprinting beyond standard server logs.
- No tracking cookies. The cookies we do use are listed on the Cookies page.
3. Why we process it (legal bases)
| Purpose | Legal basis (GDPR Article 6) |
|---|---|
| Providing the forum service to you | 6(1)(b) β performance of a contract you entered into by registering |
| Sending account-related email (verification, password reset, reply notifications) | 6(1)(b) β performance of a contract |
| Keeping webserver access logs for security and abuse investigation | 6(1)(f) β legitimate interest in service integrity |
| Storing your consent decisions (audit log) | 6(1)(c) β compliance with our own GDPR obligation to demonstrate consent |
| Optional bio / avatar fields you choose to fill in | 6(1)(a) β your consent (you can blank them at any time) |
4. How long we keep it
| Data | Retention |
|---|---|
| Account profile + posts | For the lifetime of your account. You can request deletion at any time (see your rights below). |
| Webserver access logs | 30 days, then rotated and discarded. |
| Consent records | For the lifetime of your account (the IP and User-Agent on the record are scrubbed after 90 days; the consent decision itself remains for legal-proof purposes). |
| Account marked for deletion | Soft-deleted immediately; hard-deleted 30 days later. During the grace period you can log back in to cancel the deletion. |
| Database backups | Encrypted, rotated weekly, kept for 28 days, then destroyed. A deleted account disappears from backups within the rotation window. |
5. Who else sees it (processors)
We use the following third-party processors. Each is bound by a data-processing agreement (DPA) under GDPR Article 28.
- netcup GmbH β Emmy-Noether-Str. 10, 76131 Karlsruhe, Germany. Hosting infrastructure (server, storage, network) located within the European Union. They do not access your data; they provide the hardware. Data Processing Agreement signed under GDPR Article 28.
We do NOT share your data with advertisers, analytics providers, or any third party for marketing. If we ever add a processor (e.g., a transactional-email service), we will update this list before doing so.
6. International transfers
All processing currently takes place inside the European Union β specifically, on netcup GmbH infrastructure in Germany. The data controller (the operator) is resident in Serbia; under GDPR this is treated as processing within the EU/EEA framework via the adequacy decisions and Standard Contractual Clauses where applicable. If processing ever moves to a third country without an adequacy decision, we will rely on Article 46(2)(c) GDPR Standard Contractual Clauses and update this policy.
7. Your rights
As a data subject under GDPR, you have the following rights:
- Access (Art. 15) β see what data we hold on you. The Your data page in your account shows it directly.
- Portability (Art. 20) β download a machine-readable export of your data. Available at Export your data.
- Rectification (Art. 16) β correct inaccurate data. Edit your profile from the forum settings; for data you cannot edit yourself, email us.
- Erasure (Art. 17) β delete your account and associated data. Use Delete your account or email us.
- Restriction (Art. 18) β ask us to suspend processing of your data while a dispute is resolved.
- Objection (Art. 21) β object to processing based on legitimate interest (item 6(1)(f) in the table above).
- Withdraw consent (Art. 7(3)) β for processing based on consent (item 6(1)(a)), without affecting prior processing's lawfulness.
For any of these requests, email info@meshhold.com. We respond within 30 days (extendable by 60 days for complex requests, with notice).
8. Cookies and similar
We use only strictly-necessary cookies (session, CSRF, language preference). No analytics, no advertising, no third-party cookies. Full list: Cookie Policy.
9. Security
Technical and organisational measures (TOMs) in place:
- HTTPS-only (HSTS, modern TLS).
- Passwords stored as PBKDF2 hashes (Django default), never plaintext.
- CSRF tokens on every state-changing form.
- Database backups encrypted at rest.
- Access to production infrastructure restricted to operators with multi-factor authentication.
- Security updates applied promptly; we follow CVE feeds for Django and Python.
If you discover a security issue, please email info@meshhold.com before disclosing publicly. We commit to acknowledge within 72 hours.
10. Changes to this policy
The current version is 2026-05-24. When we change anything material, we bump the version, update the effective date at the top, and notify registered users by email. The next time you log in, you will be asked to acknowledge the new version before continuing.
11. Complaints
You always have the right to lodge a complaint with a supervisory authority (GDPR Art. 77). Our lead supervisory authority is Commissioner for Information of Public Importance and Personal Data Protection (Poverenik). EU residents may also file a complaint with their local data-protection authority.
Plain-language summary: We collect what we need to run a forum (email, username, password hash, your posts). We don't share it with advertisers. We don't use analytics trackers. You can see, export, or delete your data at any time from your account page, or by emailing info@meshhold.com.
Questions about this document? Email info@meshhold.com.