Effective date: July 1, 2026
This Privacy Policy explains how Made on Sol("MadeOnSol", "we", "us") collects, uses, and protects your personal data when you use madeonsol.com and our paid API (together, "the Service"). We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and Belgian data-protection law.
Data Controller
The controller responsible for your personal data is:
- MadeOnSol — sole proprietorship (eenmanszaak) of Stijn Poortmans
- Mgr. Raeymaekersstraat 37, 2235 Hulshout, Belgium
- Enterprise number (KBO/BCE): 1039.535.538
- Email: [email protected]
Data We Collect
We collect the minimum data needed to provide the Service:
- Analytics: We use Umami, self-hosted on our own infrastructure, for privacy-friendly analytics. It does not use tracking cookies and does not share data with third parties.
- Email: If you subscribe to our newsletter, we store your email address.
- Reviews: If you submit a review, we store the review content and optional display name.
- Authentication: If you create an account, we store your email and authentication data via Supabase Auth, which sets an essential session cookie to keep you logged in.
- Affiliate click tracking: When you click a partner link via
/go/[tool] we log the click for attribution: the tool slug, source page, country (from Cloudflare), user-agent, and the UTM parameters present. For this affiliate tracking your IP address is never stored in raw form — we keep only an HMAC-SHA256 hash of IP + daily salt, which rotates every 24 hours so the hash can't be linked back to you across days. No tracking cookies, no PII. - Server & security logs: To operate the Service securely and prevent abuse and fraud, our servers log technical request data — including your IP address and user-agent — for paid-API requests and for messages sent through the contact form. These security logs are kept for a limited period (around 90 days) and are not used to track or profile you.
- API & subscription data: If you use the paid API or buy a subscription, we store API keys (as hashed values), request logs (endpoint, timestamp, tier), webhook endpoint URLs, WebSocket session tokens, on-chain payment transaction signatures and wallet addresses, card-payment records via our payment processor, subscription records, invoicing details, and affiliate referral codes. This data is used to operate and authenticate the Service and to meet our legal accounting obligations.
How We Use Data & Legal Bases
Under the GDPR we rely on the following legal bases (Art. 6):
- Performance of a contract (Art. 6(1)(b)): to create and manage your account, operate and authenticate the API, process subscriptions, and provide support.
- Consent (Art. 6(1)(a)): to send the newsletter (only if you opt in). You can withdraw consent at any time.
- Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent abuse and fraud, moderate user submissions, and understand aggregate usage to improve the Service.
- Legal obligation (Art. 6(1)(c)): to keep invoices and accounting records as required by Belgian law.
How Long We Keep Data
- Account & API data: for as long as your account is active, then deleted or anonymised within a reasonable period after closure.
- Newsletter email: until you unsubscribe.
- Invoices & accounting records: 7 years, as required by Belgian law.
- Server & security logs (raw IP, user-agent): around 90 days.
- Affiliate click hashes & analytics: retained in aggregate; the daily IP hash salt rotates every 24 hours.
Third-Party Processors
- Supabase: Database and authentication, self-hosted by us on Hetzner hardware in the EU.
- Umami: Privacy-friendly web analytics, self-hosted by us (no cookies).
- Resend: Transactional email delivery (account and confirmation emails).
- Brevo: Bulk/newsletter email delivery.
- Stripe: Card payment processing for subscriptions.
- Cloudflare: CDN, DDoS protection, and Turnstile anti-abuse — processes IP addresses and request metadata as traffic passes through their network.
- Hetzner: Infrastructure hosting — our server data is physically hosted on Hetzner hardware in EU data centers.
International Transfers
Our infrastructure and databases are hosted in the EU. Some processors (Resend, Stripe, Cloudflare) are established in the United States and may process limited personal data outside the European Economic Area. Where this happens, transfers are protected by appropriate safeguards under the GDPR, such as the European Commission's Standard Contractual Clauses.
Cookies
We do not use advertising or cross-site tracking cookies, and our Umami analytics is cookieless. We use only:
- Essential cookies needed for the Service to function — a session cookie for logged-in accounts (Supabase Auth), security cookies from Cloudflare/Turnstile, and cookies set by Stripe during checkout.
- One functional referral cookie (
mso_ref): set only if you arrive via a referral link (a ?ref=URL you yourself clicked). It is first-party, stores only the referrer's username for up to 30 days so we can credit them if you sign up, and is not used for advertising or to track your browsing across other sites.
Your Rights
Under the GDPR you have the following rights regarding your personal data:
- Right to access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data.
- Right to restrict processing: Request that we limit how we use your data in certain circumstances.
- Right to data portability: Request your data in a portable, machine-readable format.
- Right to object: Object to processing based on our legitimate interests.
- Right to withdraw consent: Withdraw any consent you have given, at any time, without affecting prior lawful processing.
To exercise any of these rights, contact us at [email protected]. You can unsubscribe from emails at any time using the link in any email we send.
If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données), Drukpersstraat 35, 1000 Brussels, Belgium — [email protected] — www.gegevensbeschermingsautoriteit.be.
Changes to This Policy
We may update this Privacy Policy from time to time. The effective date above reflects the latest version.