Privacy Policy
Last updated: May 2026 · Data controller: Torgrim Nyerrød, Norway (EEA)
1. Who we are
The Fret-o-Matic Dev Blog (blog.fret-o-matic.com) is operated by Torgrim Nyerrød, resident in Norway, European Economic Area (EEA). Because the operator is an EEA resident, the General Data Protection Regulation (GDPR) applies in full to the processing of your personal data.
Contact: legal@fret-o-matic.com
2. What data we collect
When you sign in to leave comments, we receive the following data from your OAuth provider:
- Display name — shown on your comments
- Email address — used for account identification; never displayed publicly
- Profile picture URL — displayed as your comment avatar
- Provider identifier — used to uniquely identify your account across sessions
We also store the comments, votes, and emoji reactions you submit. A consent timestamp and a SHA-256 hash of your IP address (never plaintext) are recorded in an audit log for GDPR compliance purposes.
If you do not sign in, we collect no personal data. Reading the blog requires no account.
3. How we use your data
Your data is used exclusively to provide the commenting service you sign up for:
- Displaying your name and avatar on comments you post
- Authenticating you across sessions
- Associating your votes and reactions with your account
- Maintaining the GDPR audit trail required under Norwegian law
We do not sell, share, or transfer your data to third parties for marketing purposes.
4. Lawful basis for processing
Contract (GDPR Article 6(1)(b)): Processing your name, email, and avatar is necessary to provide the commenting service you have chosen to use by signing in.
Legitimate interest (GDPR Article 6(1)(f)): Session cookies are used to maintain your authenticated state across page loads. These are strictly functional and do not require a consent banner under GDPR Recital 47.
We do not use analytics, advertising, or tracking pixels. No consent banner is required at this time.
5. Cookies
We set one session cookie (next-auth.session-token) when you sign in. This cookie expires with your session or at the configured token expiry. It is an HttpOnly, Secure (in production), SameSite=Lax cookie used solely to maintain your authenticated session.
No third-party tracking, advertising, or analytics cookies are set.
See our Cookie Policy for full details.
6. Data retention
Your account data is retained until you request deletion or your account has been inactive for 2 years, whichever comes first.
Comments you delete are soft-deleted: the comment body is replaced with "[comment removed]" and your user ID is removed. The comment thread structure is preserved for other readers. On account deletion, all your comments are anonymised in this way.
7. Your rights under GDPR
As an EEA data subject, you have the following rights:
- Right of access (Art. 15): Download all data we hold about you via "Download My Data" in your profile panel.
- Right to erasure (Art. 17): Delete your account via "Delete My Account" in your profile panel. This is processed immediately.
- Right to rectification (Art. 16): Contact us at legal@fret-o-matic.com to correct inaccurate data.
- Right to data portability (Art. 20): Your data export is provided as a machine-readable JSON file.
- Right to object (Art. 21): You may object to processing by deleting your account or contacting us.
8. Supervisory authority
If you believe we have processed your data unlawfully, you have the right to lodge a complaint with the Norwegian data protection supervisory authority:
Datatilsynet
Postboks 458 Sentrum, 0105 Oslo, Norway
datatilsynet.no
9. Contact
For any privacy-related enquiries, data subject requests, or to exercise your rights, contact us at: legal@fret-o-matic.com