Privacy Policy

The controller responsible for processing your personal data is:

David Plank
Fiedelau 8, 4203 Altenberg bei Linz, Austria
Email: contact@targetvault.org

Full provider details are in the Imprint. We have not appointed a Data Protection Officer because we are not required to under Art. 37 GDPR.

TargetVault is a website for adults who lawfully practise with firearms. It is not directed at children. The service itself requires you to be at least 18 (see the Terms of Use). For purely digital consent under § 4 Abs 4 DSG the minimum age would be 14, but because of the firearms context we accept no accounts from minors.

• Account credentials: email address and password. The password is handled by our authentication processor; we never see the plain‑text password — only a salted hash is stored on our behalf.
• Profile: a row in our profiles table containing your user id, email and creation timestamp.
• Roles: a row in our user_roles table (default role: user) used for access control.
• Download history: rows in our downloads table (user id, target id, timestamp). Used to show your personal library and to compute per‑target download counters.
• Cookie / consent choice: kept in your browser's local storage. It does not leave your device.
• Server and access logs at the hosting layer: IP address, request timestamp, user agent, requested URL, response status. Used to keep the service running and to prevent abuse.
• Aggregated analytics (only with your consent): page views, referrer, anonymised IP and user agent, processed by Lovable Analytics (built into the hosting platform).
• Email correspondence: anything you send us by email.

We do not use advertising trackers, we do not build cross‑site profiles, we make no automated decisions in the sense of Art. 22 GDPR, and we do not sell your data.

• Account, profile, roles and download history: Art. 6(1)(b) GDPR — performance of the user contract.
• Server logs, abuse prevention and security: Art. 6(1)(f) GDPR — legitimate interest in a working, secure service.
• Analytics: Art. 6(1)(a) GDPR (your explicit consent via the cookie banner), and § 165 Abs 3 TKG 2021 for the storage of and access to the related data on your device.
• Strictly necessary cookies / local storage entries (auth session, consent choice): § 165 Abs 3 Z 2 TKG 2021 — no consent required because the site cannot work without them.
• Optional contact by email: Art. 6(1)(a) GDPR (your consent) and/or 6(1)(b) GDPR if your message concerns the contract.

The site, database, authentication and file storage run on infrastructure provided by Lovable (Lovable GmbH) and its subprocessor Supabase, Inc. (managed Postgres, auth and storage; EU region). Both act as our processors under Art. 28 GDPR; data processing agreements are in place.

Preview images are served through a public proxy endpoint that streams files from a private storage bucket. The proxy does not transmit personal data.

We do not transfer personal data outside the EU/EEA without an Art. 46 GDPR safeguard (e.g. EU Standard Contractual Clauses).

We distinguish two categories:

• Strictly necessary — your Supabase authentication session token (in local storage) and the entry that remembers your cookie choice. Legal basis: § 165 Abs 3 Z 2 TKG 2021 + Art. 6(1)(f) GDPR. No consent required.
• Analytics (optional) — aggregated page‑view statistics, only active if you accept analytics in the banner. Legal basis: § 165 Abs 3 TKG 2021 + Art. 6(1)(a) GDPR. Default: off.

No advertising cookies, no third‑party trackers, no cross‑site profiling.

• Account, profile, role and download‑history rows: kept until you delete your account.
• Server / access logs: held by the hosting provider for up to 30 days, then deleted or anonymised.
• Aggregated analytics: up to 12 months.
• Email correspondence: as long as needed to handle your matter; in any case no longer than the general civil limitation period (3 years, § 1486 ABGB) where relevant.
• Cookie / consent choice: stored on your device until you clear it or change your selection.

Under the GDPR you have the right to:

• access your data (Art. 15)
• have inaccurate data corrected (Art. 16)
• have your data erased (Art. 17)
• restrict processing (Art. 18)
• data portability (Art. 20)
• object to processing based on legitimate interest (Art. 21)
• withdraw consent at any time, without affecting the lawfulness of processing before the withdrawal (Art. 7(3))

To exercise any of these rights, contact us at contact@targetvault.org.

You also have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde, Barichgasse 40‑42, 1030 Wien, dsb.gv.at).

You can delete your account yourself in Account Settings. Deletion removes your profile row, your role assignment and your download history, and revokes the authentication user with our auth processor. The cookie / consent choice in your browser's local storage stays on your device until you clear it.

The service is not intended for users under 18 (lawful firearms handling is a prerequisite). If a child has nevertheless created an account, please contact us and we will delete it.

We use TLS for all traffic, our auth processor stores only salted password hashes, user‑data tables are protected by row‑level security policies, and administrative actions go through audited server functions using a service‑role key that is never exposed to the browser.

We may update this policy as the service evolves. The current version is always published on this page and dated above.

You can change or withdraw your analytics consent at any time. Opening the cookie settings is as easy as giving consent in the first place.