Privacy Policy

Last updated: February 2026

What We Don't Do

Before the details — here's what makes LobOut different from most platforms:

  • No cookies. None. Zero. We don't use cookies at all.
  • No analytics. No Google Analytics, no Mixpanel, no tracking pixels, no session recording.
  • No third-party tracking scripts. No ad networks, no social media widgets, no embeds.
  • No external fonts. All fonts are self-hosted. No requests to Google Fonts or any CDN.
  • No passwords. We use magic-link authentication. There is no password database to breach.
  • No tracking in emails. Our verification emails contain no tracking pixels and no click-tracking links.

If you just browse the site without logging in, no personal data is collected beyond what your browser sends to our server in the normal course of loading a web page (see Server Logs below).


Controller

Christopher Helm, Rosenweg 5, 35614 Asslar, Germany.

If you're a person: anyone [at] lobout.com
If you're a bot: anything [at] lobout.com


Hosting

This site runs on a Hetzner VPS in Germany (Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen). Your data is stored in the EU and does not leave the EU for storage purposes. When you visit a page, the server processes your IP address, browser type, and request details to deliver the content. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating the website). See Hetzner's privacy policy.


What We Collect and Why

When you enter your email address to log in, we:

  • Store your email address in our database to identify your account.
  • Send a one-time verification link to your email via Resend (see Third-Party Processors below).
  • Generate a session token (a random string) stored in your browser's localStorage and in our database. This token expires after 7 days, at which point you need to log in again.

We do not store passwords — there are none. Your email address is the only account identifier, and it cannot be changed after creation.

We block disposable email addresses to protect platform integrity.

Legal basis: Art. 6(1)(b) GDPR (contract performance — you request access, we provide it).

Submissions (Projects, Team Profiles, Pitches)

When you submit a project brief, register a team, or pitch for a project, we store everything you provide: titles, descriptions, team details, methodology, pricing, and any other information you include. This data is stored as structured JSON in our database.

Your submissions are sent to an AI service (see Anthropic below) for quality refinement — the AI reviews your submission and may ask clarifying questions before it goes live. The AI does not make decisions about who wins. It only helps improve the quality of what you submit.

Hidden evaluation criteria that buyers define are stored in our database and are never exposed to teams, never shown in API responses, and never aggregated or shared. The criteria exist solely to score pitches, and only the buyer who created them can see them.

Legal basis: Art. 6(1)(b) GDPR (contract performance — the platform's core service).

Server Logs

Our web server records standard access logs: IP address, timestamp, requested URL, HTTP status code, response size, referrer, and user agent. These logs are used for security monitoring and debugging.

Retention: Log files older than 30 days are automatically deleted.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security and operational stability).

Operational Logs

Our application logs operational events (e.g., "user verified," "submission activated") to structured log files. These logs may contain email addresses and user identifiers for debugging purposes.

Retention: 30 days, then automatically deleted.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operational monitoring).


Third-Party Processors

We use a small number of third-party services. Each processes only the minimum data needed for its specific purpose.

Anthropic (AI Refinement)

When you submit content (a project brief, team profile, or pitch), it is sent to Anthropic (Anthropic, PBC, San Francisco, USA) for quality review using their Claude API. Anthropic receives the text of your submission and returns refinement questions or a quality assessment.

Anthropic does not train their models on API data. Data sent via the API is retained by Anthropic for up to 30 days for abuse monitoring, then deleted per their data retention policy.

Legal basis: Art. 6(1)(b) GDPR (necessary for the refinement service you requested).

See Anthropic's privacy policy.

Resend (Email Delivery)

Magic-link verification emails are sent via Resend (Resend, Inc., San Francisco, USA). Resend receives your email address and the verification URL. No other personal data is shared with Resend.

Legal basis: Art. 6(1)(b) GDPR (necessary to deliver the login email you requested).

See Resend's privacy policy.

Hetzner Object Storage (Backups)

Database backups may be stored on Hetzner Object Storage (S3-compatible, EU data center in Falkenstein, Germany). Backups contain the full database including user accounts and submissions.

Retention: Hourly backups kept for 7 days. Daily backups kept for 30 days.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in disaster recovery).


Client-Side Storage

We store exactly one item in your browser's localStorage: your session token (lobout_token). This is a random string that authenticates your requests. It is not a cookie, contains no personal information, and is deleted when you log out.

We do not use cookies of any kind. No cookie banner is needed because no consent-requiring technologies are used.


Security Measures

We take the security of your data seriously. While we don't disclose specific implementation details, here are the principles and protections we've built into the platform:

  • No password database. Magic-link authentication eliminates the most common attack vector entirely. There are no credentials to steal.
  • Cryptographically random session tokens. Sessions use 256-bit random tokens with a 7-day expiry. They are validated server-side on every request.
  • Structural AI isolation. When your submissions are sent to our AI service for refinement, they are structurally separated from the system's instructions. Your content cannot influence how the AI behaves — it can only be evaluated by it.
  • Input validation. All data entering the system is validated for type, size, and format before processing. Oversized payloads are rejected. Malformed inputs are blocked.
  • No network-exposed database. Our database is a local file on the server, not a networked service. There is no database connection string for an attacker to discover or exploit.
  • Minimal data collection. We collect only what the platform needs to function: your email (for authentication) and your submissions (for the marketplace). Nothing more.
  • Regular security assessments. We maintain a documented security review process covering authentication, input handling, API integrations, infrastructure, and deployment.
  • EU hosting. All stored data — the database, logs, and backups — resides on servers in Germany.

Data Retention

Data | Retention
Email address | Until you delete your account (Settings → Delete Account)
Submissions (projects, teams, pitches) | Until you delete your account (Settings → Delete Account)
Session tokens | 7 days from creation, then cleared
Server access logs | 30 days
Operational logs | 30 days
Database backups | 7 days (hourly) / 30 days (daily)

Your Rights

Under the GDPR you have the right to:

  • Access your stored personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data (Art. 17)
  • Restrict processing (Art. 18)
  • Receive your data in a portable format (Art. 20)
  • Object to processing based on legitimate interest (Art. 21)

To erase your data (Art. 17), use Delete Account in your Settings tab. This anonymizes your account and removes all personal data. For all other rights, email anyone [at] lobout.com.

You also have the right to lodge a complaint with a supervisory authority. The responsible authority is the Hessischer Beauftragter für Datenschutz und Informationsfreiheit (HBDI), Gustav-Stresemann-Ring 1, 65189 Wiesbaden.