Theriodex – Privacy Policy

Last updated: 28 August 2025

1. Controller

• Hexaitos, henceforth referred to as simply “operator”, based in Germany
• Contact: privacy@btlr.sh

2. What we collect

Only basic server logs are collected automatically. These may include:

• IP address, timestamp, request method and path, HTTP status, response size, User‑Agent, and referrer.
• Internal application events needed for operation or debugging (for example: which Pokémon ID was requested, request processing messages, error messages).
• We do not collect user accounts, profiles, or behavioural tracking data for advertising. No analytics or third‑party trackers are used.

Examples of collected logs

Below you will find some (partially redacted for privacy) examples of log files.

Sinatra server logs

This web application runs on Sinatra, a Ruby-based domain-specific language and web application library. Sinatra itself is unable to see the IP from which the request was made. Note below that all requests appear to be originating from 10.5.0.1. The operator is unable to infer the actual origin of the request – only the reverse proxy running on OpenBSD (described below) saves such information. The Sinatra logs are kept for 30 days.

Aug 28 09:15:24 theriodex ruby[1043]: I, [2025-08-28T09:15:24.417548 #1043] INFO -- : cache: [HEAD /] miss


Aug 28 09:15:24 theriodex ruby[1043]: 10.5.0.1 - - [28/Aug/2025:09:15:24 +0000] "GET / HTTP/1.0" 200 5755 0.0048


Aug 28 09:15:24 theriodex ruby[1043]: (28.08-2025 09:15) - The following Pokémon was selected: 548.


Aug 28 09:15:24 theriodex ruby[1043]: The following data was returned: {types: [[12]], flavour_text: "The leaves on its head are very bitter. Eating one of these leaves is known to refresh a tired body.", species_name: "Bulb Pokémon", evolutions: ["petilil", "lilligant"], evolutions_formatted: {"petilil" => "Petilil", "lilligant" => "Lilligant"}, name: "Petilil", abilities: [["Chlorophyll", 0, 1, 34, "chlorophyll"], ["Own Tempo", 0, 2, 20, "own-tempo"], ["Leaf Guard", 1, 3, 102, "leaf-guard"]], weight: 66.0, height: 5.0, stats: {hp: 45, atk: 35, def: 50, spatk: 70, spdef: 50, speed: 30}, sprite: "/sprites/pokemon/548.png", sprite_back: "/sprites/pokemon/back/548.png", front_shiny: "/sprites/pokemon/shiny/548.png", back_shiny: "/sprites/pokemon/back/shiny/548.png", front_female: nil, back_female: nil, front_shiny_female: nil, back_shiny_female: nil, animated_front: "/sprites/pokemon/versions/generation-v/black-white/animated/548.gif", animated_back: "/sprites/pokemon/versions/generation-v/black-white/animated/back/548.gif", animated_front_shiny: "/sprites/pokemon/versions/generation-v/black-white/animated/shiny/548.gif", animated_back_shiny: nil}


Aug 28 09:15:24 theriodex ruby[1043]: I, [2025-08-28T09:15:24.421210 #1043] INFO -- : cache: [HEAD /] miss


Aug 28 09:15:24 theriodex ruby[1043]: 10.5.0.1 - - [28/Aug/2025:09:15:24 +0000] "GET / HTTP/1.0" 200 5425 0.0032

Reverse proxy (relayd on OpenBSD) logs

Below an example of a log from relayd, the reverse proxy employed in this web application. These logs are kept for 24 hours. They show the IP address from which the request was made – i.e. the IP address of the user – as well as time, user agent, operating system and requested resources.

Aug 28 11:09:57 osprey relayd[56008]: relay https_relay_v6, session 420 (1 active), 0, 2a02:908:[redacted] -> :5678, done, [btlr.sh/] [Host: btlr.sh] [User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0] GET -> 10.5.0.16:5678 {content-type: text/html;charset=utf-8} {Content-Length: 5583}; [btlr.sh/sprites/pokemon/439.png]

3. Why we collect it (purposes) and legal basis

Purposes:

• Operation and maintenance of the service (ensure availability, debugging, caching).
• Security and abuse prevention (detect and respond to attacks or misuse).
• Performance monitoring and troubleshooting.

Legal basis:

Legitimate interest (Art. 6(1)(f) GDPR) in operating a secure, reliable service. Server logs are useful for debugging purposes and mitigating potential attacks. To ensure maximum user privacy, the logs which store the user’s IP address are stored for only 24 hours (the logs of the reverse proxy) whereas the logs of the Sinatra server itself are stored for 30 days. These logs, however, cannot be used to identify the actual origin of the request, as Sinatra sees all requests as originating from 10.5.0.1, the IP of the relayd load balancer.

4. Where data is stored

• All server processing and storage take place in the European Union.
• Hosting locations include the operator’s own server running at home (Germany) as well as a VPS operated by OpenBSD Amsterdam and a small cloud instance provided by Scaleway in their WAW 2 Availability Zone (Warsaw).
• Email services are provided by mailbox.org and the DNS is hosted at deSEC.
• DPAs can be provided upon request.

5. Retention

• Relayd logs are retained for 1 day (24 hours).
• Sinatra logs are retained for 30 days (as they do not have any personally identifiably information in them).
• In case of an ongoing security investigation or legal obligation, relevant logs may be kept for longer as necessary.

6. Recipients and disclosures

• Logs are accessible only to the operator.
• We do not share logs with advertising or analytics companies. We may be required to disclose data to comply with legal obligations or official requests.

7. Security

Reasonable technical and organisational measures are in place to ensure this site’s safety. Despite this, no internet service is 100% secure. If you believe to have found a security issue with this application, we kindly ask you to contact us swiftly with details so that it can be handled promptly. The source code of this application is freely available either on Codeberg or the operator’s own Forgejo instance.

8. Your rights

You have the right to:

• Access the personal data we hold about you.
• Request rectification, erasure, restriction of processing, or object to processing.
• Request portability of any personal data we have that you provided.
• Lodge a complaint with your national supervisory authority.

To exercise these rights, contact the operator at privacy@btlr.sh. For deletion requests related to specific log entries, provide the date/time and other identifying details to help locate the records.

9. Changes to this policy

This policy may be updated. The “Last updated” date above will indicate the current version.