Privacy Policy

As of: March 2026 · Applies to startiq.app

This privacy policy applies to the use of startiq.app and is governed by the Swiss Federal Act on Data Protection (FADP, in force since 1 September 2023) and, supplementarily, by the EU General Data Protection Regulation (GDPR).

1. Responsible Person

The person responsible for data processing on this website is:

Elias Felder
Reichensteinerstrasse 15
4153 Reinach BL
Switzerland
E-Mail: eliasfelder07@gmail.com

2. Data We Collect

2.1 During Registration

When creating an account, we collect the following data:

  • Display name (freely chosen)
  • E-mail address
  • Password (stored exclusively as a bcrypt hash, never in plain text)

2.2 When Signing in via Google (OAuth)

When you sign in with your Google account or link it afterwards, we receive from Google:

  • Google account ID (internal identifier)
  • Name and e-mail address of your Google account
  • Profile picture URL (optional)
  • OAuth access token and refresh token (for Google Calendar)

2.3 Security and Authentication Data

To secure your account, we additionally store:

  • Email verification codes (as SHA-256 hash, temporary)
  • Two-factor authentication (2FA): either temporary email codes (SHA-256 hash) or a TOTP secret (Base32-encoded) for authenticator apps
  • Login log: IP address, browser/device (user agent) and time of each login (max. 50 entries per user)
  • Remember-me token (as SHA-256 hash) for persistent login
  • Rate-limiting data (IP address/email and attempt counter, temporary)

2.4 Content Created by You

As part of using the start page, we store:

  • Saved links and categories
  • Notes
  • Personal settings (theme, activated widgets, timezone, etc.)

2.5 Technical Data

When accessing our website, technical data is automatically stored in the server log: IP address, date and time of access, page accessed, HTTP status code and browser used (user agent). This data is used exclusively for security and error diagnosis and is deleted after a maximum of 7 days.

3. Purpose of Data Processing

We process your data exclusively for the following purposes:

  • Provision and operation of the personalised start page
  • Authentication and account management (incl. email verification, password reset, 2FA)
  • Sending transactional emails (verification codes, security notifications, calendar reminders)
  • Retrieval of your Google Calendar events and optional email reminders (only if activated)
  • Login logging for security overview
  • Technical security and error diagnosis

We do not sell your data or pass it on to third parties for advertising purposes.

4. Legal Basis

4.1 Under Swiss FADP

Data processing is carried out in accordance with the Swiss Federal Act on Data Protection (FADP). Where consent is required (e.g. for linking with Google and accessing Google Calendar), it is explicitly obtained.

4.2 Under EU GDPR

Where the GDPR is applicable, we base data processing on the following legal grounds:

  • Performance of a contract (Art. 6(1)(b) GDPR): Creation and management of your account, authentication, provision of the personalised start page, sending transactional emails.
  • Consent (Art. 6(1)(a) GDPR): Linking with Google OAuth, accessing Google Calendar, use of the weather widget (IP geolocation).
  • Legitimate interest (Art. 6(1)(f) GDPR): Login logging, rate limiting, server logs, and technical security measures to protect our service and users.

5. Disclosure to Third Parties

5.1 Google LLC

If you sign in with Google or use Google Calendar, data is transmitted to Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). The Google Privacy Policy applies to this data transfer. Google processes data in the USA, among other places; Google is certified under the EU-US and Swiss-US Data Privacy Framework.

5.2 Resend (Email Delivery)

For sending transactional emails (verification codes, security notifications, calendar reminders), we use the service Resend (Resend, Inc., USA). Your email address and email content are transmitted to Resend's servers. No marketing emails are sent. For more information, see the Resend Privacy Policy.

5.3 Google Fonts

This website loads fonts from Google Fonts (Google LLC). Your IP address is transmitted to Google in the process. For more information, see the Google Privacy Policy.

5.4 jsDelivr CDN

For displaying QR codes (during authenticator app setup), a JavaScript library is loaded via the Content Delivery Network jsDelivr (Prospect One, Poland). Your IP address is transmitted to jsDelivr. For more information, see the jsDelivr Privacy Policy.

5.5 Weather Widget (IP Geolocation & Open-Meteo)

IP geolocation only occurs when you actively use the weather widget. Only in this case is your IP address transmitted to the following services to determine latitude, longitude, and city name:

  • ip-api.com: Free geolocation service. No personal data beyond the IP address is stored.
  • ipapi.co: Alternative geolocation service.
  • geolocation-db.com: Alternative geolocation service.

The determined coordinates (without the IP address) are then sent to Open-Meteo.com (weather database by Open-Meteo GmbH, Germany) to retrieve the current weather data. No personal data is transmitted to Open-Meteo.

5.6 Hosting

The website is hosted by MC-HOST24 (Germany). The hosting provider processes technical access data (IP address, timestamp, page accessed, HTTP status code, user agent) in server logs as part of operations. This data is used exclusively to ensure operations and for error diagnosis.

5.7 Data Processing Agreements

Where required, we have concluded data processing agreements (DPAs) with our external service providers (in particular the hosting provider and Resend) or rely on their standard data protection agreements to ensure the protection of your data.

5.8 Browser Extension

Our browser extension "StartIQ – Smart Browser Companion" communicates with the same servers and processes the same data as the web app. The extension only stores user preferences locally (e.g. whether the new tab redirect is active, notification and right-click menu preferences). Page titles and URLs are only saved when the user actively triggers it (e.g. by clicking "Save page" or using the right-click menu). The extension does not read browsing data or history and does not perform any tracking.

6. Cookies and Sessions

This website uses only technically necessary cookies:

  • Session cookie: Maintains your login session. Deleted when the browser is closed.
  • Remember-me cookie: Only set if you activate "Stay logged in" during login. Contains a random token (stored as SHA-256 hash in the database) and expires after 30 days.
  • Language cookie (lang): Stores your selected language. Contains no personal data.

No tracking or advertising cookies are used.

7. Data Security

We implement technical and organisational security measures to protect your data:

  • Transmission exclusively via HTTPS (TLS encryption)
  • Passwords are hashed with bcrypt and never stored in plain text
  • Verification codes and tokens are stored as SHA-256 hashes
  • Optional two-factor authentication (via email code or authenticator app/TOTP)
  • Rate limiting to protect against brute-force attacks
  • Session cookies with HttpOnly flag (no JavaScript access)
  • OAuth flows secured with CSRF state token
  • Strict data isolation: each user can only access their own data

8. Retention Period

Your data is stored as long as your account is active. After deletion of your account, all personal data (account, links, notes, settings, OAuth tokens) is immediately and completely deleted. Server logs are deleted after a maximum of 7 days.

9. Your Rights

Under FADP and GDPR, you have the following rights:

  • Access: You can request information about the data stored about you at any time.
  • Rectification: You can request the correction of incorrect data.
  • Erasure: You can request the deletion of your data.
  • Restriction: You can request the restriction of processing.
  • Data portability: You can receive your data in a structured format.
  • Withdrawal: You can withdraw a given consent at any time (e.g. unlink Google).
  • Complaint: You have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC).

To exercise your rights, please contact us by e-mail: eliasfelder07@gmail.com

10. Minimum Age

Our service is not specifically directed at persons under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will delete it without delay.

11. Changes to This Privacy Policy

We reserve the right to adapt this privacy policy as necessary. The current version is available on this page. In the event of significant changes, registered users will be informed.

© 2026 Elias Felder