Last updated 15 July 2026
Katharsa runs a waitlist. That's the only personal data we handle right now, and this page explains all of it. No analytics, no advertising pixels, no third-party trackers, no data sold or shared for marketing. If that changes, this page changes first.
The data controller is [ENTITY NAME], [REGISTERED ADDRESS], [COMPANY NUMBER].
You can reach us at ops@katharsa.com for anything on this page.
| Data | Why |
|---|---|
| Email address | To write to you once, when Katharsa opens. |
| Your consent, the exact wording you agreed to, and the time you agreed | The GDPR requires us to be able to demonstrate that you consented. Storing the wording is how we prove what you actually agreed to. |
| A truncated IP address (last octet removed, e.g. 203.0.113.0) | Part of the same consent record. Truncated so it can't identify your device. |
| Country (from your connection) | To plan where to launch. Country-level only — not a location. |
| Browser user-agent | Abuse detection. |
| A hashed IP address, kept separately | Rate limiting, so nobody can flood the form. Hashed with a secret key and never stored in the clear. |
That's the complete list. We don't ask for your name, and we'd rather not know it.
Your consent — Article 6(1)(a) GDPR. You gave it by ticking the box. That's the only basis we rely on, which means if you withdraw it, we stop.
Every email we send carries an unsubscribe link, and using it deletes your record — we don't keep a suppression list of people who left. You can also just write to ops@katharsa.com and ask. Withdrawing is as easy as consenting was, which is the standard the GDPR sets and one that a lot of services quietly fail.
Cloudflare, Inc. hosts this site and the database. They're our processor, under their standard data processing addendum, and they don't get to use your data for anything of their own. Data may be processed outside the EEA; Cloudflare relies on Standard Contractual Clauses for those transfers.
Migadu-Mail GmbH (Switzerland) handles email sent to and from our addresses. Switzerland has an EU adequacy decision, so no additional transfer safeguards are needed.
Nobody else. We don't use an email marketing platform — the list lives in our own database, which is a deliberate choice and the reason this section is short.
One, and it isn't a tracker: katharsa_age_ok, set only if you confirm you're 18 or over, so the age gate doesn't ask again for 30 days. It holds the value 1. No advertising or analytics cookies exist on this site.
Under the GDPR you can ask us to show you your data, correct it, delete it, hand it to you in a portable format, restrict what we do with it, or object to it. Write to ops@katharsa.com and we'll respond within 30 days. There's no charge.
If we get it wrong, you can complain to the Romanian supervisory authority, ANSPDCP — dataprotection.ro — or to the authority where you live.
The site is served over HTTPS. Email addresses are indexed by a SHA-256 hash rather than in plaintext. IP addresses are truncated before storage. Rate-limit records store hashed addresses only. Access to the database is restricted to the operator.
None of that makes a breach impossible. If one happens and it puts you at risk, we'll tell you and the supervisory authority, as the GDPR requires.
Katharsa is for adults. This site is not directed at anyone under 18 and we don't knowingly collect data from minors. If you believe a minor has given us their details, write to ops@katharsa.com and we'll delete the record.
If we change how we handle your data, this page gets updated and the date at the top changes. If the change is significant, we'll email you before it takes effect rather than after.