Privacy Policy
Last updated: April 2026
This is a courtesy translation. The German version is legally binding.
1. Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) is:
Joël Marth IT Services
Senftenauerstraße 3
80689 Munich, Germany
Email: [email protected]
Website: https://pathsweeper.com
A data protection officer is not legally required. For data protection inquiries, please contact the email address above.
2. Overview of Data Processing
PathSweeper is a browser-based application for swept path analysis. The following overview summarises the types of data processed and their purposes:
- Account data – email address, display name (upon registration)
- Usage data – project data, uploaded files (CAD, background images), feedback messages
- Communication data – email address (newsletter, password reset)
- Technical data – IP address (hashed for DWG conversion), browser type, operating system, referrer, timestamps
- Analytics data – usage interaction events (self-hosted web analytics)
3. Legal Bases
We process personal data on the following legal bases under the GDPR:
- Consent (Art. 6(1)(a) GDPR) – newsletter subscription
- Performance of contract (Art. 6(1)(b) GDPR) – registration, provision of the application, project data, transactional emails (password reset, account confirmation)
- Legitimate interest (Art. 6(1)(f) GDPR) – server log files, IT security, self-hosted web analytics for product improvement, feedback processing, abuse prevention (rate limiting)
4. Security Measures
We implement technical and organisational measures to ensure an appropriate level of protection, including:
- TLS/HTTPS encryption for all connections
- Password hashing (no plaintext storage)
- Row-level security: users can only access their own project data
- IP addresses in the public DWG converter are stored only as a daily rotating hash (SHA-256)
- Isolated microservice architecture: CAD processing runs in containers with no internet access
5. Hosting and Server Log Files
Hosting
This website is hosted on servers of Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Hetzner operates certified data centres exclusively in Germany and Finland (EU).
We have concluded a data processing agreement (DPA) with Hetzner pursuant to Art. 28 GDPR.
Server Log Files
Each time our website is accessed, the server automatically collects the following data:
- IP address of the requesting device
- Date and time of the request
- Requested URL / file name
- HTTP status code
- Amount of data transferred
- Referrer URL
- Browser type and version, operating system
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in IT security and operational stability).
Retention period: Log files are automatically deleted after 14 days.
6. Content Delivery Network (Cloudflare)
We use the CDN and DNS services of Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA.
When you visit our website, your request is routed through Cloudflare servers. The following data may be processed: IP address, HTTP headers, requested URL, and timestamps.
Cloudflare may set technically necessary cookies (e.g. __cf_bm for bot detection), which serve exclusively for security purposes.
Legal basis: Art. 6(1)(f) GDPR. For cookies: § 25(2) No. 2 TDDDG (technically necessary).
Third-country transfer: Cloudflare is certified under the EU-US Data Privacy Framework. Standard contractual clauses (SCCs) have additionally been agreed.
7. Registration and User Account
Regular Account
During registration we collect:
- Email address
- Password (stored only as a hash)
- Display name
- Optional: consent to receive email notifications (newsletter opt-in)
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
Retention: Until account deletion.
Guest Access
PathSweeper can be used without registration as a guest. In this case, auto-generated credentials are created (random email and password) that cannot be traced back to a real person. These are stored only in your browser's localStorage.
8. Project Data
When you create and save projects, we process: project name, project data (swept paths, calibration, vehicle settings, measurements), a thumbnail image, and any uploaded background image.
All project data is protected by row-level security — each user can only access their own projects.
Legal basis: Art. 6(1)(b) GDPR. Retention: Until deletion by the user.
9. CAD File Processing
Registered users can upload CAD files (DXF, DWG, 12d XML, PDF) for geometry extraction. Processing takes place exclusively on our own servers in an isolated container. No CAD files are shared with third parties. Files are automatically deleted after processing.
10. DWG-to-DXF Conversion (Public Tool)
We offer a public tool for converting DWG files to DXF format. No account is required.
- Uploaded file: Temporarily stored and automatically deleted after one hour.
- IP address: Not stored in plaintext. A SHA-256 hash with a daily rotating salt is used solely for rate limiting (max. 5 conversions per hour). The hash cannot be used for identification.
Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR.
11. Feedback
Our feedback function allows you to report bugs, request features, or send general feedback — even without registration. We process: feedback type, your message (max. 5,000 characters), email (optional), page URL, user agent, locale, and user ID (if logged in).
Legal basis: Art. 6(1)(f) GDPR. Retention: Until processed and deleted.
12. Newsletter
You can subscribe to our newsletter by providing your email address. Emails are sent via Resend (see section 13).
Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw your consent at any time via the unsubscribe link in each email or by contacting [email protected].
13. Email Delivery (Resend)
We use Resend, Inc., San Francisco, USA, for sending transactional emails (password reset, account confirmation) and newsletters. Your email address is transmitted to Resend.
Third-country transfer: Standard contractual clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
14. Google Maps Static API
PathSweeper allows loading satellite images as project backgrounds using the Google Maps Static API from Google Ireland Limited.
The API call is made exclusively server-side. No direct connection is established between your browser and Google servers. Only coordinates (latitude/longitude) and zoom level are transmitted — no personal data.
15. Web Analytics (OpenPanel – Self-Hosted)
We use the open-source analytics software OpenPanel, which runs entirely on our own servers at Hetzner in Germany. No data is shared with third parties.
Data collected includes usage events, session data, device information, and language preferences. No IP addresses are stored.
Legal basis: Art. 6(1)(f) GDPR.
16. Local Storage (localStorage / sessionStorage)
We use your browser's local storage for technically necessary purposes (authentication tokens, guest credentials, theme preference) and functional purposes (export counter, feedback status). This data remains exclusively in your browser and is not transmitted to our servers or third parties.
17. Cookies
PathSweeper does not set any cookies of its own. Authentication uses localStorage, not cookies. Cloudflare may set technically necessary cookies (e.g. __cf_bm for bot detection), which contain no personal data.
18. Data Processors
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server hosting, database, file storage | Germany |
| Cloudflare, Inc. | CDN, DNS, DDoS protection | USA (EU-US DPF, SCCs) |
| Resend, Inc. | Transactional emails, newsletter delivery | USA (SCCs) |
| Google Ireland Limited | Google Maps Static API (server-side) | Ireland (EU) |
Data processing agreements pursuant to Art. 28 GDPR have been concluded with all processors.
19. Data Transfers to Third Countries
Data may be transferred to the USA in connection with Cloudflare and Resend. These transfers are safeguarded by the EU-US Data Privacy Framework (adequacy decision of the EU Commission, Art. 45 GDPR) and/or standard contractual clauses (Art. 46(2)(c) GDPR).
20. Retention Periods
| Data Category | Retention Period |
|---|---|
| User account | Until deletion by the user |
| Project data | Until deletion by the user |
| Server log files | 14 days |
| DWG conversion files | 1 hour (automatic deletion) |
| Temporary CAD uploads | Automatically after processing |
| Feedback | Until processed and deleted |
| Newsletter data | Until consent is withdrawn |
| Analytics data (OpenPanel) | 90 days |
21. Your Rights
Under the GDPR you have the following rights. To exercise them, please contact [email protected]:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR) – your project data can be exported as JSON at any time
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7(3) GDPR)
22. Right to Lodge a Complaint
If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent authority is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
www.lda.bayern.de
23. No Automated Decision-Making
We do not use automated decision-making including profiling pursuant to Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.
24. Changes to This Privacy Policy
We reserve the right to update this privacy policy to reflect changes in the law or our services. The current version is always available on this page. Registered users will be notified of material changes by email.