Last updated: 2026-03-25.
This policy describes what data abrenunt.io collects, why, and how long it is kept. The data controller is the site operator, reachable via the contact form on the About page.
Every HTTP request to the abrenunt.io website is recorded in a server access log. Each entry contains: your IP address, the requested URL, the date and time, your browser or client name (user-agent), and the HTTP response code.
Lawful basis: Legitimate interest (Art. 6(1)(f) GDPR) — these logs are necessary for security monitoring, diagnosing errors, and enforcing rate limits that protect the service from abuse.
Retention: 30 days, then automatically deleted.
When your AI assistant uses the MCP tools (searching, reading documents, listing the catalog), a log entry is written recording which tool was called, which document or filters were requested, and the timestamp. Search query text is not logged. IP addresses are not recorded in MCP logs; they appear only in the separate web server access logs (see above), which are subject to the same 30-day deletion schedule.
Lawful basis: Legitimate interest — operational monitoring and debugging.
Retention: 14 days, then automatically deleted.
In addition to the log file, each tool call is sent as an anonymised event to the self-hosted analytics system (described under Analytics below). This records the tool name, any document or filter requested, and the approximate geographic region derived from your IP address. The IP address itself is not stored — the analytics system derives the same daily anonymised hash described in the Analytics section. This additional tracking uses the same lawful basis (legitimate interest) and the same data-minimisation principles as the log file.
This site uses a self-hosted, open-source analytics tool. It collects page views, referrer URLs, and browser information (language, screen size, user-agent). It does not use cookies, does not track you across sites, and does not store your raw IP address — it derives a daily anonymised session hash that cannot be reversed to identify you.
Lawful basis: Legitimate interest — understanding how the site is used in order to improve it. Because no cookies are set and no persistent identifier is stored, this processing does not require consent under the ePrivacy Directive.
All analytics data stays on our server and is never shared with third parties. MCP tool calls are also tracked as events in this system (see MCP server usage logs above).
The contact form on the About page is powered by Formspree (Formspree, Inc., USA). When you submit the form, your message and any email address you provide are transmitted to Formspree's servers and forwarded to us by email.
Lawful basis: Your explicit consent, given by choosing to submit the form. You are free not to provide an email address — the message field is the only required input.
Formspree acts as a data processor on our behalf under a Data Processing Agreement. Their privacy policy is available at formspree.io/legal/privacy-policy. As a US-based service, Formspree participates in the EU–US Data Privacy Framework.
We retain your message for as long as needed to respond and for a reasonable period thereafter; we will delete it on request.
We do not sell, share, or disclose personal data to any third party except Formspree (for contact form submissions, as described above) and as required by law.
Under GDPR you have the right to:
To exercise any of these rights, contact us via the form on the About page. We will respond within 30 days.
Note: server access logs and MCP usage logs are not linked to any identity and are automatically deleted on the schedule above. If you wish to exercise erasure rights over these logs, please include the approximate date and time of your use so we can locate the relevant entries before they are automatically purged.