Privacy Policy
Last updated: April 2026
Translation for convenience. The legally binding version is the German Datenschutzerklärung.
1. Controller
Controller for the processing of personal data within the meaning of the GDPR:
Tobias Bulla, Franz‑Joseph‑Str. 11, 80801 Munich, Germany
Email: support@topolis.de
2. What AppSync is
AppSync is a self‑hosted authentication and synchronisation service for a small number of personal applications. It is not a public service. Registration is only possible after manual approval per application.
3. Data we process
When you visit the site
When you access the site, technical connection data is processed:
- IP address
- Browser type and version (User‑Agent)
- Date and time of access
- Page accessed
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in providing and securing the service). This data is not aggregated into profiles or shared with third parties.
When you register and sign in
For an account I process:
- Username
- Email address
- Password (only as a bcrypt hash)
- Language preference
- Email confirmation status
- Optionally: TOTP secret (encrypted) and recovery codes (hashed) for two‑factor authentication
- Timestamps of creation and modification
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract — providing the service at your request).
Security log
To protect against abuse the following are stored for a limited time:
- Failed sign‑in attempts per IP address (max. 24 hours)
- Security events (e.g., sign‑in, 2FA activation, password reset) with timestamp, IP address, User‑Agent, and event type (default retention: 90 days, max. 365 days)
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in service security).
Cookies
Only strictly necessary cookies are set:
- appsync_sso: session cookie after successful sign‑in (HttpOnly, SameSite=Lax, max. 7 days).
- _csrf: cross‑site request forgery protection.
- lang: stores the chosen language (max. 1 year).
No tracking, analytics, or advertising cookies are used. Consent under § 25 TTDSG is therefore not required.
4. Recipients and processors
Personal data is not shared with third parties. The service runs on a server operated by me. Emails are sent via the server's local mail system. No data is transferred to third countries.
5. Retention
| Data | Retention |
|---|---|
| Account data (username, email, password hash, 2FA) | until account deletion |
| Sessions | max. 7 days |
| Email tokens (confirmation, password reset) | max. 24 hours |
| Refresh tokens | max. 30 days |
| Failed sign‑in attempts | max. 24 hours |
| Security events | 90 days (configurable up to 365) |
6. Your rights
Under the GDPR you have the right to:
- Access (Art. 15) — available in your profile as a data export (JSON).
- Rectification (Art. 16) — editable in your profile.
- Erasure (Art. 17) — available in your profile as "Delete account"; permanently removes all personal data.
- Restriction of processing (Art. 18)
- Object to processing (Art. 21)
- Data portability (Art. 20) — see data export above.
- Lodge a complaint with a supervisory authority (Art. 77) — competent authority is the Bavarian State Office for Data Protection Supervision (BayLDA), https://www.lda.bayern.de.
Requests: support@topolis.de
7. Minimum age
Use of the service is restricted to persons aged 16 or older (Art. 8 GDPR, § 8 BDSG).
8. Changes
This policy may be updated when the scope of the service changes. The current version is always available on this page.