
Privacy Policy

Effective: April 4, 2026

1. Overview

goodgoodbad.com ("we", "us", "the Site") takes your privacy seriously. This Privacy Policy explains what data we collect, how we process it, and your rights under the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

Andreas Zettl
Chausseestraße 41c
10115 Berlin
Germany
Email: hello@goodgoodbad.com

3. Data We Collect

3.1 Review Submissions

When you submit a review, we collect the review text (two positive points and one negative point). Reviews are anonymous — we do not require an account, email address, or name.

3.2 IP Address (Hashed)

To prevent abuse and enforce rate limits (one review per tool per 48 hours), we store a one-way cryptographic hash (SHA-256) of your IP address combined with a secret salt. This means:

  • Your raw IP address is never stored in our database.
  • The hash cannot be reversed to recover your IP address.
  • The hash is used solely for rate-limiting purposes.

3.3 Tool Suggestions

When you suggest a tool, we collect the tool name, website URL, and selected categories. This data is sent via email notification only and is not stored in a database.

3.4 Analytics (Plausible)

We use Plausible Analytics to understand how visitors use the Site. Plausible is a privacy-friendly analytics service that:

  • Does not use cookies or set any persistent identifiers.
  • Does not collect or store personal data such as IP addresses or device fingerprints.
  • Collects only aggregate, anonymous data: page views, referrer URLs, browser/OS type, and country-level location derived from a transient IP lookup that is never stored.
  • Is fully GDPR compliant and does not require a cookie consent banner.
  • Is incorporated in the EU and processes data in accordance with GDPR.

You can review Plausible's data policy at plausible.io/data-policy.

3.5 Server Logs

Our web server may automatically collect standard access logs including your IP address, browser user agent, referring URL, and the pages you visit. These logs are used for security monitoring and debugging and are retained for a maximum of 30 days before automatic deletion.

4. Data We Do NOT Collect

  • We do not use cookies for tracking or analytics.
  • We do not use invasive analytics (no Google Analytics, no Meta Pixel, etc.) — we use Plausible, which collects only anonymous aggregate data (see §3.4).
  • We do not require user accounts or collect email addresses (except via voluntary tool suggestions).
  • We do not serve personalized advertisements.
  • We do not use fingerprinting techniques.

5. Local Storage

We use your browser's localStorage to remember which tools you have recently reviewed or skipped. This data:

  • Stays entirely on your device and is never transmitted to our servers.
  • Expires automatically after 48 hours.
  • Can be cleared at any time through your browser settings.

6. Legal Basis for Processing (GDPR Art. 6)

| Data | Legal Basis |
|---|---|
| Review text | Legitimate interest (Art. 6(1)(f)) — operating the review platform |
| Hashed IP | Legitimate interest (Art. 6(1)(f)) — abuse prevention and rate limiting |
| Plausible analytics | Legitimate interest (Art. 6(1)(f)) — anonymous aggregate usage statistics; no personal data processed |
| Server logs | Legitimate interest (Art. 6(1)(f)) — security and infrastructure stability |
| Tool suggestions | Consent (Art. 6(1)(a)) — voluntarily submitted by the user |

7. Data Sharing

We do not sell, rent, or share your personal data with third parties. Data may only be disclosed if required by law or to protect the rights and safety of the Site and its users.

8. Data Retention

  • Reviews and hashed IPs: Retained indefinitely as part of the public review archive. The hashed IP cannot identify you.
  • Plausible analytics: Aggregate, anonymised statistics retained per Plausible's own 5-year rolling retention policy. No personal data is stored by Plausible.
  • Server logs: Automatically deleted after 30 days.
  • localStorage data: Auto-expires after 48 hours on your device.

9. Your Rights (GDPR)

Under the GDPR, you have the right to:

  • Access — Request information about what data we hold about you.
  • Rectification — Request correction of inaccurate data.
  • Erasure — Request deletion of your data ("right to be forgotten").
  • Restriction — Request that we restrict processing of your data.
  • Data portability — Request your data in a structured, machine-readable format.
  • Objection — Object to processing based on legitimate interest.

Since reviews are anonymous and we do not store raw IP addresses, we may be unable to identify which data belongs to you. If you can provide verification (e.g., the exact text and time of your review), we will do our best to assist.

To exercise your rights, contact us at hello@goodgoodbad.com.

10. Third-Party Services

The Site loads the jQuery JavaScript library from our own server (no external CDN). We use Plausible Analytics for anonymous, cookie-free usage statistics. The Plausible script is loaded from plausible.io. No other third-party scripts, fonts, or tracking pixels are embedded.

11. Children's Privacy

The Site is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has submitted data through our Site, please contact us and we will take steps to delete it.

12. International Transfers

Our servers are located in Germany. If you access the Site from outside this region, your data may be transferred across borders. We ensure that any transfer complies with applicable data protection laws.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. Continued use of the Site constitutes acceptance of the revised policy.

14. Contact

For privacy-related inquiries, contact us at hello@goodgoodbad.com.
