Privacy Policy
Information pursuant to Art. 12 et seq. GDPR (EU) and applicable German data protection rules.
1. Controller
solicus
Soner Boztas, M.Sc. Aerospace Engineering
Norderkirchenweg 62A
21129 Hamburg
Germany
Contact: support@solicus.io
Phone: +49 (0) 152 52756309 (not intended for support inquiries)
2. Data Protection Officer
No data protection officer has been appointed, unless there is a statutory obligation to do so.
3. Purposes and legal bases of processing
We process personal data only to the extent necessary to provide this license portal, to perform contracts, and to ensure secure operation.
- Art. 6(1)(b) GDPR (contract / pre-contractual measures): user account, login, license provisioning
- Art. 6(1)(f) GDPR (legitimate interests): IT security, abuse prevention, troubleshooting
- Art. 6(1)(c) GDPR (legal obligation): where statutory retention obligations apply
4. Which data we process (overview)
This portal processes in particular the following categories of data:
- Email address (for account administration and delivery of license and system emails)
- Password hash (no storage of plaintext passwords)
- License data (license keys, validity periods, product/edition assignment)
- One-time tokens for activation and password reset (time-limited, single use)
- Technical security data (e.g., IP address for rate limiting; server/error logs)
- Webhook/synchronization data related to payments (Paddle), including event data (JSON)
5. User account, login, and account administration
The portal is used with a user account. We process your email address and a password hash (passwords are not stored in plaintext).
Legal basis: Art. 6(1)(b) GDPR.
6. Activation, password reset, and security tokens
For account activation and password reset we use one-time links that contain a random token. The token is stored server-side only in a hashed/verifier form, is time-limited and is marked as used when redeemed.
Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR (security).
7. License management
To perform the contract, we process license keys, their assignment to your user account, and the respective validity periods.
Legal basis: Art. 6(1)(b) GDPR.
8. Payment processing via Paddle / webhooks
We use Paddle for payment processing. After a purchase, we receive technical events (webhooks). Event data is stored to process payments reliably (e.g., for idempotency and troubleshooting).
In certain cases, the customer's email address is retrieved via the Paddle API using a customer ID, in order to match the user account and deliver licenses.
Legal basis: Art. 6(1)(b) GDPR.
Recipients: Paddle (payment service provider). Please also refer to Paddle's privacy information.
Note: Whether and to what extent Paddle transfers data to third countries (e.g. the USA) depends on Paddle's contractual terms and privacy information.
9. Email delivery
We send transactional emails (e.g., activation link, password reset, license information) to the email address provided by you and/or provided via Paddle.
Legal basis: Art. 6(1)(b) GDPR.
10. Cookies and sessions
This portal uses a technically necessary session cookie to maintain login and the session as well as to enable CSRF protection. No marketing or tracking cookies are set by this application.
Legal basis: Art. 6(1)(b) GDPR (service provision) and Art. 6(1)(f) GDPR (security).
11. Server logs, error logs, and rate limiting
To ensure security and stability, we process technical data, in particular IP addresses (e.g., for rate limiting against abuse) and server/error logs. Depending on the situation, logs may also contain identifiers such as event IDs, customer IDs, or email addresses.
Legal basis: Art. 6(1)(f) GDPR.
12. Storage period
We store personal data only as long as necessary for the purposes stated above. In particular:
- Account and license data: for the duration of the contractual relationship and/or until deletion, plus statutory retention periods where applicable
- Activation/reset tokens: until used or expired, then deleted as part of regular cleanup
- Rate-limiting data / IP-based counters: only short-term for security purposes
- Webhook/event data: as required for traceability and troubleshooting, then deleted or archived in accordance with the deletion concept
13. Recipients / processors
Where necessary, we share personal data with the following categories of recipients:
- Hosting/server provider (processor, where applicable)
- Email service/server provider (processor, where applicable)
- Paddle as payment service provider (typically an independent controller for payment data)
14. Your rights
You have the following rights in particular, subject to the statutory requirements:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR)
You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
15. Automated decision-making / profiling
Automated decision-making, including profiling, does not take place.
16. Data security
We implement appropriate technical and organizational measures to protect your data (including password hashing, time-limited tokens, CSRF protection, and webhook signature verification).
Last updated: 2025-12-27