Privacy policy of wierk
This policy explains how wierk handles personal data when you use our websites and services or otherwise interact with us. It outlines what information we collect, why we collect it, how long we retain it, and the rights you have under applicable data protection laws.
1. Controller
wierk S.à r.l.
8, Beforterstrooss
L-9365 Eppeldorf
Luxembourg
Email: contact@wierk.lu
Website: https://wierk.lu
RCS Luxembourg: B244365
EU VAT: LU32140425
wierk S.à r.l. (“wierk”, “we”, “us”, or “our”) is the Controller within the meaning of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) for the processing of personal data described in this Privacy Policy, unless otherwise stated.
If you have any questions regarding this Privacy Policy or the processing of your personal data, you may contact us using the details above.
2. Scope
This Privacy Policy applies to personal data processed by wierk in its capacity as a Data Controller in connection with:
- Our company website (wierk.lu);
- Our products and services, including but not limited to dmarced, cryptii, and ciphereditor;
- Customer, contractual, and billing relationships;
- Communications with us (including email and support requests);
- Website usage and security monitoring.
This Privacy Policy explains how and why we process personal data where we determine the purposes and means of such processing.
Where customers use our SaaS products to process personal data on their behalf, wierk acts as a Data Processor. In those cases, we process personal data solely on behalf of the respective customer and in accordance with the applicable Data Processing Agreement (“DPA”) and the customer’s documented instructions.
Such processing is not governed by this Privacy Policy but by the relevant DPA.
3. Categories of personal data we process
We process personal data depending on the context in which you interact with us. This may include the following categories of personal data:
Account and identification data
- Name or display name
- Email address
- Account identifiers
- Authentication data (e.g., login credentials in encrypted form)
- Account preferences and settings
Contractual and billing data
- Billing contact details
- Company name and address
- VAT number (where applicable)
- Subscription details
- Payment status information
We do not store full payment card details. Payment processing is handled by specialized payment service providers.
Communication data
- Information contained in emails, support requests, or other correspondence
- Records of communication relating to contractual or support matters
Usage and technical data
- IP address
- Session cookies used to maintain authenticated user sessions
- Browser type and version
- Operating system and device information
- Referrer information
- Date and time of access
- Pages accessed
We use strictly necessary HTTP-only session cookies to maintain secure login sessions. These cookies are essential for the operation of authenticated services and therefore do not require user consent.
Security and log data
- Server and application logs
- Error and diagnostic metadata
- Security-related event logs
- Abuse-prevention logs (e.g., in case of suspicious or malicious activity)
Such data is processed for the purpose of ensuring the security, integrity, and reliability of our services.
4. Purposes and legal bases of processing
We process personal data only where a valid legal basis under the GDPR applies. Depending on the context, processing may be based on one or more of the following legal grounds.
Performance of a contract - Art. 6(1)(b) GDPR
We process personal data where necessary to:
- Create and manage user accounts;
- Provide access to our products and services;
- Administer subscriptions and billing;
- Respond to support requests;
- Fulfil contractual obligations.
Without such processing, we would not be able to provide the requested services.
Where personal data is required to enter into or perform a contract, failure to provide such data may result in our inability to provide the requested services.
Compliance with legal obligations - Art. 6(1)(c) GDPR
We process personal data where necessary to comply with legal obligations, including:
- Commercial and tax law retention obligations;
- Accounting requirements;
- Regulatory obligations;
- Lawful requests from public authorities.
Legitimate interests - Art. 6(1)(f) GDPR
We process personal data where necessary for our legitimate interests, provided that such interests are not overridden by your fundamental rights and freedoms. This includes:
- Ensuring the security and integrity of our systems;
- Preventing fraud, abuse, and unauthorized access;
- Maintaining and improving our services;
- Operating privacy-friendly website analytics;
- Investigating technical errors and performance issues;
- Responding to inquiries submitted via publicly accessible tools;
- Defending legal claims.
We carefully balance our legitimate interests against your rights and implement appropriate safeguards.
Consent - Art. 6(1)(a) GDPR
Where required, we process personal data based on your consent. This may include:
- Sending newsletters or marketing communications;
- Any optional features where consent is explicitly requested.
You may withdraw your consent at any time with effect for the future.
5. Service-specific processing
Different services operated by wierk involve different types of processing. The following describes service-specific processing related to the nature of each service.
dmarced
dmarced is a SaaS platform that provides domain security and email authentication monitoring.
When users create an account, we process account, contractual, and billing data as described in this Privacy Policy.
Public diagnostic tools (for example, DMARC check) may process and temporarily log user-submitted input (e.g., domain names) for the purpose of providing results, ensuring system integrity, preventing abuse, and maintaining service reliability.
Where customers use dmarced to process data on their behalf, wierk acts as a Processor. Such processing is governed by the applicable Data Processing Agreement.
cryptii & ciphereditor
cryptii and ciphereditor are client-side cryptographic and encoding tools. They are delivered as static content and do not require user accounts.
User input entered into cryptii and ciphereditor is processed locally in the user’s browser and is not transmitted to or stored by wierk, except for standard server access logs required for technical operation and security.
cryptii and ciphereditor may display contextual advertisements provided by third-party advertising partners. These advertisements are delivered without the use of tracking cookies or cross-site profiling. In this context, limited technical data (such as IP address and browser information) may be processed to deliver relevant contextual advertisements.
6. Service providers and recipients
To operate our services, we engage selected service providers who process personal data on our behalf or, where applicable, act as independent Controllers.
Infrastructure and hosting
We use cloud and content delivery providers to host and deliver our websites and services, including:
- statichost.eu, Variable Object Assignment Oy, Sweden (Hosting)
- Scaleway, Scaleway SAS, France (Hosting)
- AWS, Amazon Web Services EMEA S.à r.l., Luxembourg (Hosting)
- Vercel, Vercel, Inc., USA (Hosting, CDN)
- bunny.net, BunnyWay d.o.o., Slovenia (CDN)
These providers process technical data such as IP address and request metadata for the purpose of secure and reliable service delivery.
Monitoring and error reporting
To monitor system performance, detect errors, and ensure service reliability, we use:
- PostHog, PostHog, Inc., USA (product analytics and operational metrics)
- Sentry, Functional Software, Inc., USA (error tracking and diagnostics)
These services are primarily used in connection with the server-side operation of our services. In the case of cryptii and ciphereditor, Sentry may also be used within the client-side application to detect runtime errors and maintain service stability.
In this context, technical and diagnostic data such as system events, performance metrics, error messages, and limited identifiers necessary for debugging may be processed. We configure these services to avoid the intentional collection of user input data and to limit processing to what is necessary for operational monitoring.
For both PostHog and Sentry, we use their EU data residency offerings, under which data is primarily stored and processed within the EU.
These services are used solely for internal operational, security, and service improvement purposes.
Analytics
We use analytics providers for aggregated usage statistics, including:
- Fathom Analytics, Conva Ventures Inc., Canada
Email infrastructure
For receiving and sending emails, we use:
- Proton Business Suite, Proton AG, Switzerland (Inbox provider)
- Scaleway TEM, Scaleway SAS, France (Transactional email)
- Amazon SES, Amazon Web Services EMEA S.à r.l., Luxembourg (Inbound and transactional outbound email)
These providers process email addresses, message metadata, and message content for communication and transactional email delivery.
Automated access protection
Where CAPTCHA mechanisms are used, they are provided by:
- Friendly Captcha, Friendly Captcha GmbH, Germany
This provider processes technical data such as IP address and device-related information for automated access protection.
Billing and payment processing
For subscription billing and payment processing, we use:
- Stripe, Inc., USA
- Stripe Payments Europe, Ltd., Ireland
When you complete a payment, you are redirected to a Stripe-hosted page. Stripe processes payment data as an independent Controller in accordance with its own privacy policy. We may also use Stripe services for subscription management, invoicing, and tax calculation.
Advertising
cryptii and ciphereditor may display contextual advertisements provided by:
- EthicalAds, Read the Docs, Inc., USA
In this context, limited technical data such as IP address and browser information may be processed for the purpose of delivering advertisements.
Professional advisors
We may share personal data with professional advisors, including tax advisors, accountants, auditors, and legal counsel, where necessary for compliance with legal obligations, accounting requirements, or the establishment, exercise, or defense of legal claims.
Such recipients process personal data in accordance with applicable professional and legal confidentiality obligations.
Public authorities
We share data with public authorities to comply with legal obligations (including those imposed by virtue of applicable commercial, tax and anti-money laundering laws) and any regulatory obligations, and to respond to requests.
7. International data transfers
Personal data is primarily processed within the European Economic Area (EEA).
Some of the service providers listed above are headquartered outside the EEA, including in the United States and Canada. In such cases, personal data may be transferred to or accessed from countries outside the EEA.
Where personal data is transferred to countries that benefit from an adequacy decision of the European Commission (such as Switzerland or Canada), such transfers are based on that adequacy decision.
Where personal data is transferred to service providers located in countries without an adequacy decision, we ensure that appropriate safeguards are implemented in accordance with applicable data protection laws. Such safeguards may include the use of Standard Contractual Clauses approved by the European Commission and, where appropriate, supplementary technical and organizational measures.
8. Data retention
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy and in accordance with applicable legal requirements.
Account and contract data
If you create an account or enter into a contractual relationship with us, we retain your account and contractual data for the duration of the contractual relationship.
After termination, such data may be retained for a limited period to:
- Comply with legal retention obligations (such as commercial and tax law);
- Resolve disputes and enforce agreements;
- Maintain appropriate business records.
System logs and monitoring data
When you access our websites or services, certain technical information is automatically generated and recorded in system logs and monitoring systems. This may include IP address, request metadata, timestamps, user agent information, system events, error descriptions, and operational metrics necessary to ensure secure and reliable operation.
Such data is processed for the purposes of maintaining system integrity, detecting errors, ensuring performance and stability, and protecting our services against misuse.
System logs and monitoring data containing personal data are generally retained for no longer than ninety (90) days, unless extended retention is required for the investigation of a security incident or to comply with legal obligations.
Aggregated and anonymized monitoring data that no longer relates to an identifiable individual may be retained for longer periods for statistical, operational, and service improvement purposes.
Marketing communications
If you subscribe to marketing communications, we retain your contact information until you withdraw your consent or unsubscribe.
9. Data subject rights
If we process your personal data as a Controller, you have the following rights under applicable data protection laws:
- Right of access – You may request confirmation as to whether we process your personal data and obtain a copy of such data.
- Right to rectification – You may request correction of inaccurate or incomplete personal data.
- Right to erasure – You may request deletion of your personal data in certain circumstances, including where processing is no longer necessary or where you withdraw consent, subject to legal retention obligations.
- Right to restriction of processing – You may request restriction of processing in certain circumstances.
- Right to data portability – Where processing is based on consent or contract and carried out by automated means, you may request to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object – You may object to processing based on legitimate interests where your particular situation warrants it.
- Right to withdraw consent – Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.
We do not carry out automated decision-making or profiling that produces legal effects concerning you.
To exercise your rights, please contact us using the contact details provided above.
You have the right to lodge a complaint with a supervisory authority, including the Luxembourg Commission nationale pour la protection des données (CNPD).
10. Security
We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction.
Such measures include safeguards appropriate to the nature, scope, and context of the processing and the risks to individuals’ rights and freedoms. Access to personal data is restricted to authorized persons who require such access for legitimate business purposes and are subject to confidentiality obligations. We regularly review and update our security practices to maintain the integrity and reliability of our services.
While we take reasonable steps to protect personal data, no method of transmission over the Internet or method of electronic storage is entirely secure. Accordingly, we cannot guarantee absolute security.
11. Changes
We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or data processing practices.
The current version will always be available on our website and will indicate the date of the latest update. Where required by applicable law, we will provide additional notice of material changes.
This privacy policy was last updated on 10 March 2026.