Privacy Policy
Updated: 4 мая 2026 / May 4, 2026
This policy describes how Kweri ("we", "us") processes personal data of users
of the service kw.dniser.de.
Compliant with GDPR (EU Regulation 2016/679) and BDSG (German Federal Data Protection Act).
1. Data Controller
Contact for personal data processing matters:
[NAME]
[ADDRESS]
Email: [EMAIL]
2. What data we collect
2.1. Upon registration
- Email address — for authentication, verification, and password recovery
- Password — stored as bcrypt hash, we never see the original
- Nickname (optional) — public identifier
- Registration & last login dates — for security and statistics
2.2. Technical data
- IP address — recorded in nginx web server logs (retention: 30 days)
- User-Agent (browser type) — same logs
- Session cookie — authentication token, HttpOnly + Secure (until browser closes)
2.3. User content
- Keywords — added by you for analysis
- Project names, clusters, notes
- Site domain you are analyzing
- XMLRiver API keys — entered by you (stored in project files)
- Colleague emails — if you share a project
3. Purposes and legal bases
| Purpose |
Legal basis (GDPR) |
| Service delivery (contract performance) |
Art. 6(1)(b) |
| Email verification, password recovery |
Art. 6(1)(b) |
| Abuse protection (rate-limit, fraud) |
Art. 6(1)(f) — legitimate interest |
| Marketing emails |
Art. 6(1)(a) — consent (if you opted in) |
4. With whom we share data
We use the following data processors:
-
OVH SAS (France) — server hosting. Data stored in Europe.
DPA agreement signed per Art. 28 GDPR.
-
XMLRiver — SERP API provider. When you run position collection,
your keywords are sent to them to retrieve Google/Yandex SERP data.
More info: xmlriver.com.
-
Gmail/SMTP — sending verification and system emails.
-
Google Fonts — fonts loaded from CDN.
On first page load your IP is transmitted to Google.
(planned migration to self-hosted fonts)
We do not sell or share your personal data with third parties
for advertising or marketing purposes.
5. Retention periods
- Account: until you delete it
- Web server logs: 30 days
- Keyword position history: while project exists
- Sent emails (via our SMTP): 90 days
6. Your rights (GDPR)
Under Articles 15-22 GDPR, you have the right to:
- Art. 15 — access: request a copy of your data
- Art. 16 — rectification: correct inaccurate data (via profile)
- Art. 17 — erasure ("right to be forgotten"): delete account and all data
- Art. 18 — restrict processing
- Art. 20 — data portability: export in machine-readable format (CSV/JSON)
- Art. 21 — object to processing
- Art. 77 — file complaint with supervisory authority (for DE: BfDI)
To exercise these rights, contact us at [EMAIL].
You can also delete your account directly via profile settings.
7. Cookies
We only use necessary (functional) cookies:
kweri_session — authentication token, HttpOnly + Secure, until browser closes
Per Art. 6(1)(f) GDPR, consent for functional cookies is not required.
See Cookies page for details.
8. Security
- HTTPS-only (TLS 1.2+) for all traffic
- Passwords hashed with bcrypt
- Cookies HttpOnly + Secure + SameSite=Lax
- Regular data backups
- Rate-limiting for brute-force protection
9. Policy changes
We may update this policy. You will be notified of material changes via email
or in-app banner. The last update date is at the top.
10. Contact
Privacy questions: [EMAIL]