Skip to main content
Sovereign Workspace Try the demo

Privacy

Last updated: [TODO — set on first deploy]

This page documents the personal data this website collects and why. It is intentionally short — the site sets no cookies, uses no third-party trackers, and does not embed content from surveillance-economy platforms.

Who we are

The data controller for this website is the organisation listed on the Impressum page.

What data we collect on this website

Server access logs. Our web server (nginx) records each request in a log line containing IP address, timestamp, HTTP method, URL path, response status, byte count, user agent, and referer. Logs are stored on the same server the site runs on and are automatically deleted after seven days. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating a secure public website and protecting it from abuse).

Analytics. We use Plausible, a cookieless, EU-hosted analytics service. Plausible does not set cookies, does not track individuals across sites, and does not collect personal data as defined by the GDPR. Metrics are aggregated — page views, referrer, browser, country at country-level resolution. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in understanding aggregate site usage).

Email contact. If you email hello@sovereignworkspace.org, we receive your email address and the content of your message. We retain correspondence only as long as needed to handle your request and any follow-up. Legal basis: Art. 6(1)(b) GDPR (pre-contractual communication) or Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries).

What this website does NOT do

  • The site sets no cookies, so you won't see a cookie banner.
  • We don't embed Google Analytics, Facebook Pixel, Hotjar, HubSpot, or Intercom.
  • There are no YouTube, Twitter, or LinkedIn embeds — those load tracking scripts even when you don't interact with them.
  • Fonts are self-served through Bunny Fonts (EU) rather than Google Fonts.
  • We don't fingerprint visitors, store device identifiers, or correlate behaviour across sites.

Your rights under the GDPR

You have the right to request access, rectification, erasure, restriction of processing, and portability of any personal data we hold about you. You also have the right to object to processing based on legitimate interest, and the right to lodge a complaint with your national data protection authority.

Requests go to hello@sovereignworkspace.org. We reply in plain language within 30 days.

Third-party services we rely on

  • Hetzner Online GmbH — hosting in Germany. Data processing agreement in place.
  • Bunny.net (BunnyWay d.o.o.) — EU-hosted font CDN. Serves the Fraunces and IBM Plex Sans typefaces. Data processing agreement available from Bunny.
  • Plausible Analytics B.V. — EU-hosted, cookieless analytics. Data processing agreement in place.

Product vs. website — a note

This policy covers only the marketing website at sovereignworkspace.org. The Sovereign Workspace product handles user data under a separate model that depends on which deployment mode you pick:

  • Self-hostedyou are the data controller and the processor. We don't see your data, don't have access to it, and don't receive telemetry from your deployment.
  • Sovereign Cloud (managed, EU-only data residency, planned 2026) — you remain the data controller; we act as your data processor under a standard DPA.

See the Security page for the full model.