Libroo

Privacy Policy

Last updated: 23.06.2026

This privacy policy explains how ("we", "us") processes personal data when you visit the public Libroo website at libroo.app and when you use the hosted Libroo application at app.libroo.app.

1. Controller

The controller responsible for data processing is:

Email:

We have not appointed a data protection officer because we are not legally required to do so.

2. What Services This Policy Covers

This policy covers:

  • The public Libroo website, including pages that may redirect users to the hosted Libroo application.
  • The hosted Libroo application, including account registration, login, library management, book lookup, lending features, uploads, and email notifications.
  • Related technical infrastructure used to operate these services.

This policy does not cover independently operated third-party websites that may be linked from our website or application.

3. General Hosting and Technical Access Data

When you visit the website or use the hosted application, technical data is processed to deliver the service securely and reliably. This may include:

  • IP address.
  • Date and time of access.
  • Requested URL or resource.
  • Referrer URL.
  • Browser type and version.
  • Operating system.
  • Device and network information.
  • HTTP status codes and error information.
  • Security and abuse-prevention events.

We process this data to provide the website and application, maintain security, detect abuse, troubleshoot errors, and ensure reliable operation.

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interests are secure, reliable, and technically functional operation of the website and application. Where processing is required to provide a requested service, the legal basis may also be Art. 6(1)(b) GDPR.

4. Hosting Provider: Cloudflare

The hosted service is operated using Cloudflare infrastructure, including Cloudflare Workers, Cloudflare D1, and Cloudflare R2.

Provider:

Cloudflare, Inc. 101 Townsend Street San Francisco, CA 94107 United States

Cloudflare acts as our hosting and infrastructure provider and may process personal data stored within the application insofar as this is technically necessary to provide hosting, database, storage, security, and content delivery services.

Because Cloudflare is headquartered in the United States, personal data may be transferred to countries outside the European Economic Area. Where required, we rely on appropriate safeguards such as adequacy decisions, participation in the EU-U.S. Data Privacy Framework where applicable, EU Standard Contractual Clauses, or other safeguards recognized under GDPR.

Legal basis for our use of Cloudflare: Art. 6(1)(f) GDPR and, where required to provide the hosted application, Art. 6(1)(b) GDPR. Cloudflare acts as a processor where it processes personal data on our behalf.

5. Accounts and Authentication

When you create or use a Libroo account, we process data needed for authentication and account management, such as:

  • Email address.
  • Name or display name, if provided.
  • Password authentication data. We do not store plain-text passwords.
  • Session data.
  • Account role, permissions, and admin status.
  • Registration date and account status.
  • Email verification status.
  • Password reset and security-notification metadata.

We process this data to create and manage your account, authenticate you, protect your account, provide access to the application, and operate administrative functions.

Legal basis: Art. 6(1)(b) GDPR for account and service provision. Art. 6(1)(f) GDPR for security, abuse prevention, and administrative integrity.

6. Library and Lending Data

When you use the hosted Libroo application, you may enter and manage library-related data. This may include:

  • Books in your library.
  • Authors, titles, ISBNs, tags, notes, ratings, reading status, and shelf or location information.
  • Lending records, including borrower names or contact details if you enter them.
  • Import and export data.
  • Administrative audit data where relevant.

You decide what information you enter. Please avoid entering sensitive personal data unless it is necessary for your own use of the service.

Users are responsible for ensuring that they have an appropriate legal basis for entering personal data relating to third parties into the application, such as borrower names or contact details.

We process this data to provide the library management and lending features of the application.

Legal basis: Art. 6(1)(b) GDPR for providing the application. Art. 6(1)(f) GDPR for maintaining the integrity, security, and auditability of the hosted service.

7. Uploaded Files and Book Covers

If you upload files, images, or book covers, we process and store those files to provide the application features. Uploaded images may be converted or optimized before storage.

Files are stored using Cloudflare R2. Uploaded content may contain personal data if you include it in the file or image.

Legal basis: Art. 6(1)(b) GDPR for providing upload and display functionality. Art. 6(1)(f) GDPR for storage security, optimization, and service reliability.

8. Book Lookup Through Open Library

The application allows book lookup using ISBNs or other book identifiers through Open Library.

Provider:

Open Library / Internet Archive 300 Funston Avenue San Francisco, CA 94118 United States

When you use book lookup, the search query, ISBN, title, or similar lookup data may be transmitted to Open Library so that matching book information can be retrieved. Book lookup requests generally do not contain personal data. However, the request may be associated with your account or use of the application.

Legal basis: Art. 6(1)(b) GDPR, because the lookup is requested as part of the application feature. Where applicable, Art. 6(1)(f) GDPR also applies; our legitimate interest is providing convenient book metadata lookup.

9. Email Delivery

The hosted application sends transactional emails, such as verification emails, password reset emails, invite emails, account security notifications, and administrative notices.

Email processing may include:

  • Recipient email address.
  • Email subject and body.
  • Delivery status.
  • Technical metadata needed for delivery and troubleshooting.

Email provider:

Plunk, hosted service at useplunk.com Privacy policy: www.useplunk.com/privacy

Plunk is used to send transactional emails from the hosted application.

Legal basis: Art. 6(1)(b) GDPR for emails needed to provide account and application functions. Art. 6(1)(f) GDPR for security notifications and administrative messages.

10. Cookies, Local Storage, and Similar Technologies

The website and hosted application may use technically necessary cookies or similar browser storage to:

  • Keep you signed in.
  • Maintain sessions.
  • Protect against misuse.
  • Store security or application state needed for the service to work.

We do not use non-essential advertising or tracking cookies. Where analytics or similar tools require consent, they are used only after consent has been obtained.

Legal basis for technically necessary storage: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR. Where access to or storage of information on a user's device is involved, this is used only where it is strictly necessary to provide the requested service, or otherwise only with consent where required by law, in particular under § 25 TDDDG.

11. Analytics

We use a self-hosted Umami instance to collect privacy-friendly, aggregated usage statistics for the public website and hosted application. This includes information such as page views, referrers, browser type, operating system, device type, and approximate geographic region.

The Umami instance is operated by us. Umami is configured without cookies and is not used for advertising, cross-site tracking, selling user data, or creating user profiles.

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest is understanding whether the website and application work reliably and which parts are used, so we can improve the service.

12. Support and Direct Contact

If you contact us by email or another support channel, we process the information you provide, such as your email address, message content, and related technical or account information.

We use this data to respond to your request, provide support, investigate issues, and document the communication where necessary.

Infrastructure and Archiving

To receive and reply to inquiries, we use Apple iCloud Mail as email infrastructure. Incoming and outgoing email correspondence may be transmitted, stored, and processed through Apple’s mail infrastructure.

For technical data security, continuity, documentation, and system integrity, incoming and outgoing support communications may also be backed up in a secure, self-hosted local archive managed by us and accessible only to authorized personnel.

Legal basis: Art. 6(1)(b) GDPR where the communication relates to your use of the service. Art. 6(1)(f) GDPR for general communication, support quality, system security, and backup documentation. Legal obligations may be based on Art. 6(1)(c) GDPR.

13. Recipients and Processors

We may share personal data with the following categories of recipients where necessary:

  • Hosting, database, storage, and security providers.
  • Email and communications infrastructure providers.
  • Book metadata providers, if you use lookup features.
  • Technical service providers who help operate or maintain the service.
  • Legal, tax, or administrative authorities where legally required.

Processors are bound by data processing agreements where required by GDPR.

14. International Transfers

Some providers may process personal data outside the European Economic Area. Where personal data is transferred to recipients outside the EEA, we rely on appropriate safeguards such as adequacy decisions, participation in the EU-U.S. Data Privacy Framework where applicable, EU Standard Contractual Clauses, or other safeguards recognized under GDPR.

15. Retention

We retain personal data only as long as necessary for the purposes described in this policy, unless longer retention is required by law.

Typical retention periods:

  • Account data: retained until the account is deleted and thereafter only for as long as necessary to comply with legal obligations, resolve disputes, or establish, exercise, or defend legal claims.
  • Library and lending data: retained while the account or workspace exists, unless deleted earlier through application features or by request.
  • Uploaded files: retained while needed for the account or library entry they belong to.
  • Session data: retained until expiry or logout, subject to technical cleanup cycles.
  • Email and support correspondence: retained in our active mailbox as long as needed to handle the request. Copies within our local backup archive are retained for technical documentation and system integrity, and are periodically reviewed or cleared when the underlying purpose or legitimate documentation interest no longer applies.
  • Security and server logs: Technical server logs are primarily handled directly by our infrastructure platform. Cloudflare may retain platform, access, and security logs according to its standard operational retention settings and our account configuration, unless longer retention is required to investigate abuse, security incidents, or legal claims.
  • Legal and accounting records: retained for the statutory retention period where applicable.

16. Your Rights

Subject to the legal requirements, you have the following rights:

  • Right of access.
  • Right to rectification.
  • Right to erasure.
  • Right to restriction of processing.
  • Right to data portability.
  • Right to object to processing based on Art. 6(1)(f) GDPR.
  • Right to withdraw consent at any time, where processing is based on consent.
  • Right to lodge a complaint with a supervisory authority.

To exercise your rights, contact us at .

The competent supervisory authority for the controller is the Hessian Commissioner for Data Protection and Freedom of Information (HBDI).

17. Right to Object

Where we process personal data based on legitimate interests under Art. 6(1)(f) GDPR, you may object to that processing on grounds relating to your particular situation. We will stop processing the data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless the processing is needed for legal claims.

18. Automated Decision-Making

We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.

19. Obligation to Provide Data

You are not legally required to provide personal data to us. However, some data is necessary to create an account, use the hosted application, provide library features, send transactional emails, or maintain security. Without this data, the relevant service or feature may not be available.

20. Changes to This Policy

We may update this privacy policy when the service, legal requirements, or providers change. The version published on the website is the current version.