The Elephant Observatory
Privacy Policy
Effective: March 2026 · Version 1.0
Plain English. No dark patterns. This is exactly what we collect, why we collect it, and what we promise never to do with it.
Who We Are
The Elephant Observatory (TEO) is an independent project operated by a sole proprietor based in Austria. The data controller responsible for your personal data is:
See the Impressum for full legal name and address.
Contact: [YOUR EMAIL ADDRESS]
What We Collect and Why
We collect only what is necessary to provide the service. Here is every category of data we process, who handles it, and why:
Account data
Supabase
Your email address and hashed password are stored to authenticate you and provide your personal Observatory: Grimoire, saved nodes, tier access, and preferences.
Legal basis: Contract performance — Art. 6(1)(b) GDPR
Authentication session
Supabase (first-party)
A session token is stored in your browser to keep you signed in. This is a strictly necessary, first-party token — not a tracking cookie.
Legal basis: Strictly necessary — exempt from consent under ePrivacy rules
Subscription & payment data
Lemon Squeezy
Lemon Squeezy is our Merchant of Record. They handle all payment processing. TEO receives only confirmation of your subscription tier — never your card details.
Legal basis: Contract performance (Art. 6(1)(b)) + Legal obligation for tax records (Art. 6(1)(c))
Analytics
Vercel Web Analytics
We use Vercel's built-in analytics to understand how the platform is used (page views, visitor counts). It is privacy-focused by design: no cookies, anonymised visitor data, no cross-site tracking.
Legal basis: Legitimate interest — Art. 6(1)(f) GDPR
Email communications
Resend
Transactional emails (account alerts, subscription notices) are sent via Resend. Newsletter and Daily Illumination emails are sent only if you explicitly opt in on your profile page.
Legal basis: Contract performance for transactional email (Art. 6(1)(b)); Consent for newsletters (Art. 6(1)(a))
What We Do Not Do
We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes. Full stop.
We do not use tracking cookies. We do not build advertising profiles. We do not participate in data broking. We do not integrate any third-party advertising or behavioural tracking scripts.
We despise surveillance capitalism. TEO will never be built on it.
International Transfers
The third-party services we use — Supabase, Vercel, Resend, and Lemon Squeezy — are based in the United States. Your data may therefore be processed outside the European Economic Area (EEA).
Each of these providers operates under Standard Contractual Clauses (SCCs) or equivalent data transfer mechanisms approved by the European Commission, ensuring your data receives an adequate level of protection.
Data Retention
We keep your account data for as long as your account remains active. If you delete your account, your personal data is removed from our systems within 30 days. Anonymised, aggregated analytics data may be retained indefinitely.
Payment and subscription records are retained for as long as required by Austrian and EU tax law (currently 7 years).
Your Rights
Under GDPR, you have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate data.
- Erasure: Request that we delete your data (the right to be forgotten).
- Portability: Receive your data in a structured, machine-readable format.
- Restriction: Ask us to restrict how we process your data.
- Objection: Object to processing based on legitimate interest.
To exercise any of these rights, contact us through Hermes. We will respond within 30 days.
You also have the right to lodge a complaint with the Austrian data protection authority: Datenschutzbehörde (dsb.gv.at).
Third-Party Embeds
Some knowledge nodes include an embedded YouTube video. These embeds are loaded via YouTube's privacy-enhanced mode (youtube-nocookie.com), which does not set cookies until you actively play the video.
If you choose to play an embedded video, YouTube's own privacy policy applies to that interaction. We have no control over what YouTube collects once you engage with their player.
Changes to This Policy
If we make material changes to this policy, we will update the effective date at the top of this page. We will not retroactively weaken privacy protections without explicit notice.