Privacy Policy
Last updated: 17 July 2026
Scope
This policy applies to kltr.fyi and the city pages hosted on that domain, including the Hamburg newsletter signup. KLTR runs a separate mailing list for each city. The Berlin site at kltr.berlin has its own privacy policy.
Controller
Y2Pray Industries, Michael Bracklo
Linienstraße 147
10115 Berlin
Germany
Email: hey@kltr.berlin
Website Delivery and Security
When you visit the site, our hosting provider processes the information needed to deliver the requested page and keep the service secure. This may include your IP address, the requested URL, date and time, browser and device information, referrer, response status, and request identifiers.
Our signup endpoint also creates limited diagnostic logs for accepted and rejected requests. Depending on the event, these logs may include the hostname, origin, browser user agent, requested city, verification result, and IP address. Email addresses are not intentionally written to application logs.
We process this information under Article 6(1)(f) GDPR. Our legitimate interests are providing a reliable website, preventing abuse, diagnosing failures, and protecting the signup service.
Newsletter Signups
When you join a city newsletter, we process:
- Your email address
- The city mailing list you selected
- Signup time, domain, and source
- Consent, delivery, unsubscribe, and preference information
- Technical verification data used to prevent automated signups
We use this data to send the newsletter you selected, manage city-level preferences, handle bounces and unsubscribes, and document your request. The legal basis for sending newsletters is your consent under Article 6(1)(a) GDPR. You can withdraw that consent at any time through the unsubscribe or preference link in an email, or by contacting us. Withdrawal does not affect processing that took place before it.
An email address and city selection are required to join a newsletter. If you do not provide them, we cannot add you to the list. A contact may join more than one city list, and leaving one city list does not automatically remove them from another.
Cloudflare Turnstile
The signup form uses Cloudflare Turnstile to distinguish people from automated traffic. Turnstile evaluates technical signals such as your IP address, TLS fingerprint, browser user agent, sitekey, and the page origin. Our server sends the resulting token and your IP address to Cloudflare for validation.
We use Turnstile under Article 6(1)(f) GDPR based on our legitimate interest in preventing spam and protecting the signup service. Cloudflare acts as our processor when it provides the verification service and also processes limited signals under its own responsibility to improve bot detection. See Cloudflare's Turnstile Privacy Addendum.
Website Analytics
We use Plausible Analytics to understand aggregate website usage. Plausible does not use cookies or persistent identifiers and does not track visitors across sites or days. It records the requested page, referrer, campaign parameters, browser, operating system, device type, and approximate location. The full IP address and browser user agent are used briefly to create a daily measurement and are not stored.
We process these statistics under Article 6(1)(f) GDPR. Our legitimate interest is understanding which pages and city information are useful so we can maintain and improve the service. Plausible processes and stores visitor analytics within the European Union. See Plausible's data policy.
Contacting Us
If you contact us, we process your contact details, message, and any information you choose to provide so we can respond. The legal basis is Article 6(1)(b) GDPR when your message concerns a contract or steps before entering one, and otherwise Article 6(1)(f) GDPR based on our legitimate interest in answering enquiries.
Service Providers and Recipients
We share data only where needed to operate KLTR or where the law requires it. Our main service providers are:
- Loops / Astrodon Corporation: stores email addresses, city mailing-list membership, message delivery, and preference information; sends the newsletters on our behalf
- Cloudflare, Inc.: provides Turnstile signup verification and bot protection
- Plausible Insights OÜ: provides aggregate, cookie-free website analytics
- Vercel, Inc.: hosts the website and signup endpoint and processes request and runtime logs
These providers may use subprocessors under their own data-processing terms. We do not sell or rent personal data.
International Transfers
Loops, Cloudflare, and Vercel are based in the United States and may process data there or in other countries outside the European Economic Area. Where required, transfers are covered by an adequacy decision such as the EU-US Data Privacy Framework, the European Commission's Standard Contractual Clauses, or another lawful safeguard. Where a provider processes personal data on our behalf, its applicable data-processing terms apply.
Plausible states that website visitor analytics are processed and stored in the European Union and do not leave the EU.
Retention
- Active subscriptions: We keep your contact and city membership while you remain subscribed.
- After unsubscribing: We may keep the minimum suppression, preference, and consent record needed to respect your opt-out and demonstrate compliance for up to three years after the last relevant event. We then delete or anonymize it unless a longer period is legally required. If you remain subscribed to another city, the shared contact record stays active for that list.
- Technical and security logs: Under the hosting provider's standard plan settings, runtime logs are retained for a plan-dependent period of no longer than 30 days. A specific record may be kept longer where needed to investigate an incident or establish, exercise, or defend a legal claim.
- Analytics: Plausible does not store raw IP addresses or full user agents. Aggregate analytics remain in our account until they are deleted or no longer needed.
- Messages: We normally retain enquiries for up to three years after they are resolved, unless a shorter or longer period is appropriate for the request or a legal obligation.
Provider backups and legally required records may take additional time to expire under the provider's documented retention process.
Your Rights
Subject to the conditions in data-protection law, you may ask us to:
- Give you access to your personal data (Article 15 GDPR)
- Correct inaccurate data (Article 16 GDPR)
- Delete your data (Article 17 GDPR)
- Restrict processing (Article 18 GDPR)
- Provide data you supplied in a portable format (Article 20 GDPR)
- Stop processing based on legitimate interests (Article 21 GDPR)
You may withdraw consent at any time and may lodge a complaint with a data-protection authority. Contact hey@kltr.berlin to exercise your rights. We may need to confirm your identity before responding.
Automated Checks
Turnstile automatically assesses whether a signup appears to come from a person or a bot. A failed check can block the signup request. We do not use automated decision-making that produces legal or similarly significant effects under Article 22 GDPR.
Security
We use appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or disclosure. No online service can guarantee absolute security.
Children
KLTR is not directed to children under 16, and we do not knowingly collect their personal data. If you believe a child has subscribed, contact us so we can remove the information.
Changes to This Policy
We may update this policy when our services, providers, or legal obligations change. We will publish the revised version here and update the date above. If a change materially affects newsletter subscribers, we will also provide notice by email where appropriate.
Questions and Complaints
For privacy questions or requests, contact hey@kltr.berlin.
You may also complain to the supervisory authority responsible for us:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59–61
10555 Berlin
Germany
Email: mailbox@datenschutz-berlin.de
Complaint information and form
You may instead contact a supervisory authority in the EU country where you live or work, or where you believe a data-protection infringement occurred.