← Back to Goha

Privacy Policy

Last updated: 2026-07-11

Who is responsible

The controller responsible for data processing on this site ("Goha", "we") is the person named in the Impressum. Contact details for privacy requests are listed there.

No account — how we identify you

Goha has no login. When you first open the site, your browser generates a random identifier (a "clientId") that is stored in your browser's local storage and sent with your requests so we can show and manage your keys. Anyone using that browser can see and manage the keys tied to that identifier; clearing your site data removes it.

What data we process, and why

We process the following, on the legal basis of Art. 6(1)(b) GDPR (performing the service you request) and Art. 6(1)(f) GDPR (our legitimate interest in security and abuse prevention):

  • Your clientId and the keys tied to it (creation time, expiry time, optional label).
  • A hardware identifier (HWID) that the script sends the first time a key is used, so the key can be locked to that device.
  • IP addresses and request metadata, logged for rate limiting, abuse prevention, and security, and recorded on activity events (e.g. key created, key validated). We do not use this for profiling or advertising.
  • An admin session cookie — only ever set for the site operator, not for normal visitors.

Cookies and local storage

We use your browser's local storage for the clientId and your key list, and a strictly-necessary cookie during ad-gate verification. These are required for the service to function. The operator's admin panel uses a session cookie. We do not set advertising or analytics cookies ourselves.

Third-party ad providers set their own cookies. See the next section — where the law requires consent for those, it is obtained before you are forwarded to them.

Ad providers (Linkvertise / work.ink)

Creating or extending a key is monetized through an ad-link step. You choose the provider — Linkvertise or work.ink— and are forwarded to their page. Once there, that provider's own privacy policy governs what they collect (which typically includes device data and advertising cookies). We only receive a confirmation that you completed their flow; we do not receive your activity on their pages.

Hosting and processors (incl. transfers outside the EU)

Our application runs on Render (hosting) and our database is Neon(PostgreSQL). Both act as processors on our behalf and may process data on servers located in the United States. Such transfers are safeguarded by the EU Standard Contractual Clauses / the providers' data-processing terms.

How long we keep data

Keys are kept until they expire or you delete them. Expired keys are dropped from active queries. Activity events are retained for up to about 90 days and then automatically deleted. Server logs are kept only as long as needed for security.

Your rights

Under the GDPR you have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and to object (Art. 21). You may also lodge a complaint with a supervisory authority. To exercise any of these, contact us via the Impressum. Because keys are not tied to a real identity, we may need the clientId or key in question to locate your data.

Children

This service is not directed at children. If you are under the age of digital consent in your country, please do not use it without the involvement of a parent or guardian.

Data removal

Deleting a key removes it from our database. Clearing your browser's site data removes your local identifier. For anything further, contact the address in the Impressum.