legal
Privacy
This statement explains, pursuant to Art. 13 GDPR, how personal data is processed when you visit codehamr.com and when you use the HamrPass service. We process as little data as possible.
1. Controller
Malte Zuch, Babendiekstraße 58c, 22587 Hamburg, Germany · [email protected]. Full provider details: see imprint.
2. What we do not do
No tracking, no analytics, no advertising or third-party cookies, no profiling, no newsletters, no social-media plug-ins. Therefore no cookie banner.
2a. Early-bird list (HamrPass launch)
On the home page you can voluntarily leave an email address to receive a one-off notification when HamrPass launches. We store: the submitted email address, the timestamp, a technical source identifier ("landing"/"hamrpass-card"), an optional self-reported hardware preference (Apple Silicon, GPU, or cloud), a hashed IP value, and a truncated user agent for abuse prevention (no plain-text IP). Legal basis: Art. 6(1)(a) GDPR (consent given by submitting the form). Purpose: a single launch notification and rough hardware statistics for model selection; no newsletter, no marketing, no disclosure to third parties. Retention: until the launch notification is sent or until you withdraw consent (whichever is earlier), then deletion. Withdrawal: informally by email to [email protected].
3. Server logs (hosting)
The website is hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. A data-processing agreement under Art. 28 GDPR is in place; the servers are located in the EU.
When the website is loaded, technical data is processed automatically: IP address, date/time, requested URL, HTTP status, referrer, and user agent. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operation, security, and abuse prevention). Retention: 14 days at most, then automated deletion or anonymisation.
4. HamrPass service (LLM proxy)
When you use a HamrPass we forward the requests (prompts) submitted by the CLI to the external model aggregator OpenRouter, Inc. (2261 Market Street #4382, San Francisco, CA 94114, USA) and return its response. Prompt and response content is not stored persistently on our side. The only data we keep persistently is: the hashed pass key, the pseudonymous Polar order ID (for blocking or refund cases), the number of tokens consumed, the model identifier, and timestamps. This data is used solely to account for the remaining balance. Legal basis: Art. 6(1)(b) GDPR (performance of contract).
OpenRouter and the selected third-party model process the submitted content under their own privacy terms (openrouter.ai/privacy). Because OpenRouter is based in the United States, a transfer to a third country takes place. This transfer is based on the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) or, where the recipient is certified under the EU-U.S. Data Privacy Framework, on that basis (adequacy decision under Art. 45 GDPR). Please note that the level of data protection in the United States does not match that of the EU and that US authorities may obtain access to data processed there under certain conditions. You should therefore not include particularly sensitive, confidential, or criminally relevant personal data in prompts.
5. Payment processing (Polar)
HamrPass purchases are handled by the payment service provider Polar Software, Inc. (USA). From Polar we receive only a pseudonymous order ID needed to issue the pass key. No name, address, email, or payment data of the buyer is transmitted to or stored by us. Polar acts as an independent controller within the meaning of the GDPR for the payment process; its data processing is governed by Polar's privacy policy (polar.sh/legal/privacy).
6. Email contact
If you contact us by email, we process the information you submit solely to handle your request. Legal basis: Art. 6(1)(b) or (f) GDPR. Retention: until your request has been resolved and any subsequent statutory retention period has expired.
7. Cookies
No cookies are set on the public pages, except a small ch_lang preference cookie (only set when you explicitly use the language toggle on the legal pages; one year; no personal data). The internal admin area (/admin) sets a strictly necessary authentication cookie; that area is intended only for the operator.
8. Recipients
Hetzner Online GmbH (hosting, EU) — processor under Art. 28 GDPR. OpenRouter, Inc. (LLM inference, USA) — recipient for model inference triggered on behalf of the customer. Polar Software, Inc. (payment processing, USA) — independent controller; only a pseudonymous order ID is transmitted to us. Third-country transfers are based on the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) or, where the recipient is certified under the EU-U.S. Data Privacy Framework, on that basis (Art. 45 GDPR).
9. Your rights
You have the right at any time to request access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and to object (Art. 21 GDPR). Please send requests to [email protected]. Because we do not store buyer identity data, a pass key or the Polar order ID is required to identify the request.
10. Right to lodge a complaint
You have the right to lodge a complaint with a data-protection supervisory authority. The competent authority includes the Hamburg Commissioner for Data Protection and Freedom of Information (datenschutz-hamburg.de).
11. No automated decisions
No solely automated decision-making with legal or similarly significant effect under Art. 22 GDPR takes place. There is no profiling. Language-model outputs are tool suggestions intended for the user's own evaluation and do not constitute automated individual decisions about data subjects.
12. Status
This statement may be updated when processing changes. Last updated: May 2026.