Privacy Policy
Last updated: 27 May 2026
1. Data Controller
Show name operates HIMS (Home Inventory Management System, https://hinv.eu) as a personal project.
Contact: Show email
2. Data We Collect
When you create an account, we store:
- Email address — used for login and account identification
- Password — stored as an Argon2 hash (we never store plaintext passwords)
- Nickname — derived from your email, editable in settings
- Account timestamps — creation date, last login, last modification
When you use the service, we store:
- Inventory items — titles, descriptions, hierarchy, and categorization you create
- Attachments — files you upload (images, receipts, documents)
- QR/barcode values — codes you scan or assign to items
- Profile connections — associations with other users you explicitly consent to
3. Lawful Basis for Processing
- Consent (GDPR Art. 6(1)(a)) — you consent to data processing when you register an account and agree to the Terms and Conditions.
- Legitimate interest (GDPR Art. 6(1)(f)) — we process session data and CSRF tokens to protect against unauthorized access and cross-site attacks.
4. Cookies
We use only strictly necessary cookies that are exempt from consent requirements under the ePrivacy Directive (Art. 5(3)):
| Cookie | Purpose | Duration |
|---|---|---|
sessionCookie |
Authenticates your session. HttpOnly, Secure, SameSite=Lax. | 7 days |
fastapi-csrf-token |
Prevents cross-site request forgery attacks. HttpOnly, Secure, SameSite=Lax. | Session |
We do not use any analytics, tracking, advertising, or third-party cookies. All resources (CSS, JavaScript, fonts) are served from our own server — no external CDNs or services are loaded.
5. Data Sharing
We do not share, sell, or transfer your personal data to any third parties. Your data stays on our server.
6. Data Storage & Security
- Server located in Norway (EEA) — no international data transfers
- Passwords hashed with Argon2
- All connections encrypted via HTTPS/TLS
- Session cookies are HttpOnly, Secure, and SameSite=Lax
- CSRF protection on all state-changing operations
7. Data Retention
Your data is retained until you choose to delete your account. We do not keep backups of deleted accounts. Server access logs (which may contain IP addresses) are retained for a maximum of 30 days for security purposes, then permanently deleted.
8. Your Rights (GDPR)
You have the following rights regarding your personal data:
- Right of access (Art. 15) — view your data in your profile
- Right to rectification (Art. 16) — edit your profile in account settings
- Right to erasure (Art. 17) — permanently delete your account and all associated data via account settings
- Right to data portability (Art. 20) — export all your data in machine-readable JSON format via account settings
- Right to withdraw consent — delete your account at any time; no reason required
- Right to lodge a complaint — you may file a complaint with the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no
All self-service rights are accessible from your Account Settings page once logged in.
9. Children
This service is not directed at children under 16. We do not knowingly collect data from children under 16.
10. Changes to This Policy
We may update this policy. The "last updated" date at the top reflects the latest revision. Continued use of the service after changes constitutes acceptance.