Privacy policy
Baryon Systems runs no analytics, no advertising, and no behavioural
tracking. This page describes the small amount of data that does
flow when you use this site, and the rights the EU GDPR gives
you over it.
Last updated: 28 June 2026 · v1.1
1. Who is responsible (data controller)
Tom Jankowiak, sole operator of Baryon Systems, is the data
controller within the meaning of Art. 4(7) GDPR.
See also our Imprint.
2. What we collect when you just visit
Nothing personally identifying. This site is a
collection of static HTML, CSS and JavaScript files served over
HTTPS. We do not set tracking cookies, we do not run analytics
scripts (no Google Analytics, no Plausible, no Matomo, no
Fathom), and we do not embed social-media widgets.
The web server that hosts the site keeps short-lived technical
request logs (timestamp, IP address, requested URL, user agent)
for the strict purpose of operating and protecting the service
(security, abuse prevention, troubleshooting). Legal basis:
Art. 6(1)(f) GDPR — legitimate interest in
keeping the site up and safe. These logs are not used to profile
you and are deleted on a short rolling window (typically within
14 days).
3. Third parties that load when the page renders
The interactive 3D hero on the home page loads the
Three.js rendering library from
unpkg.com,
a public JavaScript CDN operated by Cloudflare, Inc. To
deliver that file the CDN necessarily sees your IP address and
request headers. This is processed under their own policies
(see Cloudflare’s
privacy policy).
If you do not want any data to leave the EU through that CDN, you
can block third-party requests to unpkg.com in your
browser; the rest of the site will keep working without the 3D
hero.
4. What we collect when you contact us
The demo and investor forms on this site do not submit
to a server. They open your own email client with the message
pre-filled and you choose to send it. When you write to
lapizh@icloud.com we
receive whatever you put in the message — typically your
name, email address, organisation, and the reason you reached
out.
- Purpose: replying to you, scheduling a
demo, evaluating an investor introduction.
- Legal basis: Art. 6(1)(b) GDPR
(pre-contractual / contractual contact at your request) and
Art. 6(1)(a) GDPR (your consent in writing the
message).
- Retention: for as long as the conversation
is active, plus a reasonable archival period for accounting
and dispute purposes (usually no more than 24 months
after the last contact). You can request earlier deletion at
any time.
- Recipients: only the data controller. The
mailbox is hosted with Apple iCloud Mail; transit and
storage are encrypted by the provider.
5. When you create an account (preview)
During the 2026 public preview you can create a Baryon Systems account at
signup.html. The account is shared between the website
and the desktop app.
- What we store: your email address, a
bcrypt hash of your password (cost factor 11), the
account creation date, and — only if you opt in to
two‑factor authentication — your TOTP secret and
single‑use recovery codes. No phone number, no real
name, no address.
- Where it lives: a single SQLite file on a
VPS we operate in an EU data centre (Netcup,
Nürnberg). It is not replicated to any third party. No
managed database service, no Supabase, no Firebase.
- What we do not do: we do not send marketing
emails, we do not share your address with anyone, we do not
run analytics on your account activity, we do not profile
you. The only outbound email you can ever receive from us
is a direct reply to a message you sent first.
- Purpose: authenticating you to the web app
and the desktop app, and giving you a place to manage your
own workspace. Legal basis: Art. 6(1)(b) GDPR
(performance of the user agreement you accept on signup)
and Art. 6(1)(f) for security of the system.
- Retention: for as long as your account
exists. You can delete it yourself at any time from
account.html — deletion is
immediate and irreversible. We do not keep tombstones, soft
deletes, or recoverable backups of deleted accounts beyond
the rolling 14‑day encrypted server backup, which is
automatically pruned.
- Workspace data: any logs, firewall rules,
chat messages, or ledger entries you generate inside
the desktop app live on infrastructure you control
(your Linux server). They never touch our VPS.
6. Your rights under GDPR
You always have the following rights regarding your data:
- Access — ask what we hold about you
(Art. 15).
- Rectification — correct anything
inaccurate (Art. 16).
- Erasure (“right to be forgotten”) —
ask us to delete your data (Art. 17).
- Restriction of processing
(Art. 18).
- Data portability — receive your data
in a portable format (Art. 20).
- Object to processing based on legitimate
interest (Art. 21).
- Withdraw consent at any time, where
processing is based on consent (Art. 7(3)).
- Complain to a data-protection supervisory
authority in the EU member state where you live, work, or
where the alleged infringement happened
(Art. 77).
To exercise any of these rights write to
lapizh@icloud.com. We
reply within 30 days as required by Art. 12(3) GDPR.
7. No automated decision-making
We do not make decisions about you based on automated processing,
including profiling (Art. 22 GDPR).
8. International transfers
As described in section 3, the optional 3D hero loads a
file through Cloudflare, a US-headquartered company that
operates a global CDN with EU edge nodes. Cloudflare relies on
the EU–US Data Privacy Framework and on Standard
Contractual Clauses for any transfers outside the EEA.
9. Changes to this policy
If the policy changes materially, we will update the
“Last updated” date at the top of this page. For
any breaking change (new processing purpose, new recipient) we
will surface it in the cookie notice banner so you see it on
your next visit.