Legal Information

Privacy Policy

Last updated: March 15, 2026 · GDPR compliant

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) is the operator of this WipeMe instance. For any data protection enquiries, please contact the operator. The operator's contact details can be found in the Legal Notice of this instance.

A data protection officer is not required under Art. 37 GDPR, as no large-scale systematic processing of personal data takes place.

2. Overview of Data Processing

WipeMe is a privacy-first zero-knowledge tool. This means:

  • There is no database and no server-side data storage.
  • No user accounts are created.
  • All user data is stored exclusively in your browser (localStorage).
  • The server processes personal data only transiently in RAM — never persistently.

The following sections describe each processing activity in detail.

3. Hosting

This instance is operated by its operator on a hosting platform of their choosing. When you access the website, the hosting provider automatically processes the following data in server access logs as a data processor in connection with operating the infrastructure:

  • IP address of the requesting device
  • Date and time of the request (timestamp)
  • Requested URL and HTTP method
  • HTTP status code
  • User agent (browser and operating system identifier)
  • Volume of data transferred

Legal basis: Art. 6(1)(f) GDPR (legitimate interest). The legitimate interest lies in providing a secure and stable service and in detecting and preventing misuse.

Retention period: The retention period for server access logs depends on the hosting provider's configuration. Typically, this data is automatically deleted after 7–14 days.

Operators of this instance: please add the details of your specific hosting provider here (name, registered address, privacy policy, any third-country transfer if applicable) as well as the specific retention period for server access logs.

4. Local Data Storage (localStorage)

WipeMe uses the browser's localStorage to store the following data locally on your device:

  • AES-256-GCM encrypted email credentials (IMAP/SMTP)
  • UI language preference (DE/EN)
  • Services found during the inbox scan (metadata only: sender, subject, date)
  • Status of sent deletion requests

Legal basis: The storage is technically necessary to provide the service. No cookie consent banner is required because no cookies are used.

Deletion: You can remove all locally stored data at any time through the application settings or by clearing your browser data. The data only leaves your device as described in Section 5.

No third-party disclosure: Data stored in localStorage is not transferred to any third party and is accessible only to the browser you are using.

5. Processing of Email Credentials

To use WipeMe you enter your email address and an app password (IMAP/SMTP). These credentials are processed as follows:

1

Client-side encryption

Your credentials are encrypted in the browser using AES-256-GCM. The encryption key is generated automatically and stored locally in the browser. The encrypted payload is saved in localStorage.

2

Transmission to the server

For the IMAP scan and SMTP sending, the credentials are decrypted client-side and transmitted to the WipeMe server over an HTTPS/TLS-encrypted connection.

3

Server-side processing

The server processes your credentials exclusively in RAM. They are never written to disk, a database, or log files. Once the operation (scan or email sending) completes, the credentials are discarded immediately.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures — the processing is technically necessary to provide the service), or, where no contractual relationship exists, Art. 6(1)(a) GDPR (consent through active use of the service).

6. Processing of Email Content

WipeMe accesses your inbox via IMAP to identify registration confirmation emails. The following rules apply:

  • Only email metadata is processed: sender address, subject line, and date.
  • Email bodies are never read, transmitted, or processed.
  • Metadata is returned by the server to your browser and stored there in localStorage. The server retains no email data.
  • Metadata only leaves your browser when you actively trigger a deletion request.

Legal basis: Art. 6(1)(b) GDPR (technically necessary for the performance of the service).

7. GDPR Deletion Requests (Art. 17 GDPR)

Deletion requests are sent directly from your own SMTP mail server via your own email account. WipeMe acts solely as a technical intermediary.

  • WipeMe does not retain copies of sent deletion requests.
  • Send status is stored locally in your browser.
  • You are solely responsible for the content and accuracy of sent requests.

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

8. No External Services or Third Parties

WipeMe deliberately integrates no external services:

  • No Google Fonts — all typefaces are self-hosted; no connection to Google servers is made.
  • No tracking or analytics — no web analytics services (e.g. Google Analytics, Matomo, Plausible) are used.
  • No cookies — no cookies of any kind are set, neither technically necessary nor optional.
  • No social media plugins — no integration with Facebook, X, LinkedIn, or similar services.
  • No advertising — no ad networks, no remarketing pixels.
  • No third-party CDN sources for JavaScript or CSS — all assets are served from the instance's own server.

9. Your Rights as a Data Subject

You have the following rights under the GDPR. Because WipeMe stores no personal data server-side, many of these rights are already guaranteed by the technical architecture of the application.

Art. 15

Right of access

You have the right to obtain information about the personal data stored about you. Because no server-side storage takes place, you can view all stored data directly in your browser.

Art. 16

Right to rectification

You have the right to request the correction of inaccurate data.

Art. 17

Right to erasure

You can delete all locally stored data at any time via the app or through your browser settings. No server-side data exists.

Art. 18

Right to restriction of processing

You have the right to request a restriction on the processing of your data.

Art. 20

Right to data portability

You have the right to receive your data in a structured, commonly used, and machine-readable format. Since WipeMe stores all data exclusively in your browser's localStorage, you can view and export it at any time using your browser's developer tools.

Art. 21

Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your data.

Art. 7(3)

Right to withdraw consent

Where processing is based on consent, you have the right to withdraw it at any time without giving reasons. The lawfulness of processing carried out before the withdrawal is not affected.

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR):

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority is generally that of your habitual residence, place of work, or the place of the alleged infringement.

To exercise your rights, please contact the operator of this instance. The operator's contact details can be found in the Legal Notice. Requests will be answered within one month (Art. 12(3) GDPR).

10. SSL/TLS Encryption

This website and all API endpoints use HTTPS/TLS encryption for security and to protect the transmission of confidential content. You can identify an encrypted connection by the padlock icon in your browser's address bar. When SSL/TLS encryption is active, any data you transmit to WipeMe cannot be read by third parties.

11. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy to keep it in line with current legal requirements or to reflect changes to our services. The current version in effect at the time of your visit will apply. The date of the most recent update can be found at the top of this page.

Last updated: March 15, 2026

Back to home