How to change personal data consents
Click here to change your consents
How to change the cookie consents
Click here to change the cookie consents
Third-party Services
Click here to disable all third-party services
Privacy Policy
A. Introduction
Thank you for visiting HRDLOG.net.
HRDLOG.net is an amateur radio website operated by Claudio IW1QLH (hereinafter “the controller”). The website may generally be accessed without the provision of personal data. Certain features - including, but not limited to, the maintenance of a personal logbook and access to member-restricted content - require registration and, consequently, the processing of personal data.
Within the scope of our data protection responsibilities, the entry into force of the EU/UK General Data Protection Regulation (Regulation (EU/UK) 2016/679; hereinafter: “GDPR”) to ensure the protection of personal data of the data subject (we also refer to you as the data subject as “customer”, “user”, “you”, or “data subject”).
This privacy policy describes what personal data is collected by HRDLOG.net, for what purposes, on what legal basis, and what rights users have under the General Data Protection Regulation (GDPR). It also documents the cookies and third-party services used on the website.
Technical and organisational measures have been implemented to protect personal data processed through this website. However, Internet-based data transmissions may in principle have security gaps, so absolute protection cannot be guaranteed. For sensitive communications, users may contact the controller directly by email.
In the context of the ongoing development of data protection law and technological or organisational changes, our Privacy Policy is regularly reviewed to determine whether it needs to be adapted or supplemented. You will be informed of any changes.
This Privacy Policy was last updated in June 2026.
B. General
1. Definitions
This privacy policy uses the following terms as defined in the GDPR:
- Personal data (Art. 4(1) GDPR): any information relating to an identified or identifiable natural person, including name, callsign, IP address, location data, and online identifiers.
- Processing (Art. 4(2) GDPR): any operation performed on personal data, whether or not by automated means, including collection, storage, use, disclosure, and erasure.
- Controller (Art. 4(7) GDPR): the entity that determines the purposes and means of processing.
- Processor (Art. 4(8) GDPR): an entity that processes personal data on behalf of the controller.
- Consent (Art. 4(11) GDPR): a freely given, specific, informed, and unambiguous indication of agreement to processing, expressed by a statement or clear affirmative action.
2. Controller and Contact
a. Controller
The controller within the meaning of Article 4(7) GDPR is:
Claudio Cordeglio
IW1QLH
Enquiries and requests relating to data protection - including subject access requests, rectification requests, erasure requests, and objections - may be directed to:
privacy@iw1qlh.net
b. UK Representative
In accordance with Article 27 UK GDPR, the controller has designated a representative in the United Kingdom:
Rickert Services Ltd UK
IW1QLH
PO Box 1487
Peterborough
PE1 9XX
United Kingdom
art-27-rep-iw1qlh@rickert-services.uk
3. Legal Basis for Processing
In general, we only process data if we have a legal basis for doing so. We will discuss the specific legal bases in more detail for each processing operation. In general, however, the following applies:
- Article 6(1)(a) GDPR (consent): where the data subject has given freely given, specific, informed, and unambiguous consent. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal.
- Article 6(1)(b) GDPR (performance of a contract): where processing is necessary for the performance of a contract to which the data subject is party, or to take steps at their request prior to entering into a contract.
- Article 6(1)(c) GDPR (legal obligation): where processing is necessary to comply with a legal obligation to which the controller is subject.
- Article 6(1)(f) GDPR (legitimate interests): where processing is necessary for the purposes of the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Where the controller relies on Article 6(1)(f) GDPR, the relevant legitimate interests are identified in the description of each processing operation.
Where cookies or similar technologies are used to store information on or access information from the user’s terminal equipment, the applicable standard under Article 5(3) of the ePrivacy Directive and its national implementing legislation (including, for Germany, section 25 TDDDG) also applies. Cookies requiring consent are set only after the user has given prior consent through the cookie consent banner.
4. Your Rights
Under the GDPR, you have various rights regarding the processing of your personal data. To exercise your rights, you must send a request either by email or by post to the addresses given above.
- a) Right of access (Art. 15 GDPR)
You have the right to request information about whether and which of your personal data are being processed.
- b) Right to Rectification (Art. 16 GDPR)
You have the right to request the immediate rectification of inaccurate or incomplete personal data.
- c) Right to erasure (Art. 17 GDPR)
You may request the erasure of your personal data, provided that the legal requirements for this are met.
- d) Right to restriction of processing (Art. 18 GDPR)
You have the right to request the restriction of the processing of your personal data if one of the legal requirements is met.
- e) Right to Data Portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format.
- f) Right to Object (Art. 21 GDPR)
You have the right to object at any time to the processing of your personal data for reasons arising from your particular situation, provided that the processing is based on Art. 6(1)(e) or (f) GDPR.
- g) Withdrawal of Consent
If the processing of your personal data is based on consent, you have the right to withdraw this consent at any time with future effect. The lawfulness of the processing carried out prior to the withdrawal remains unaffected.
- h) Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority regarding the collection and processing of your personal data.
EU residents have the right to contact the data protection authority of any EU member state of their choice to exercise their data protection rights. An overview of all data protection authorities in the EU, along with contact details, can be found at the following link: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en
UK residents can contact the UK Information Commissioner’s Office: https://ico.org.uk/make-a-complaint/data-protection-complaints/
5. Retention Periods
In compliance with legal requirements, particularly pursuant to Art. 17 and 18 of the GDPR. Unless stated otherwise in this Privacy Policy, we delete stored data as soon as it is no longer necessary for the intended purpose. Data is retained after the intended purpose has ceased only if this is necessary for other legally permissible purposes, or if statutory retention obligations apply. In these cases, processing is restricted, i.e. the data is blocked and cannot be processed for other purposes.
Personal data is retained only for as long as necessary for the purpose for which it was collected, or as required by applicable law. The criteria used to determine retention periods are described in Section 3 above for each category of data. After the applicable period, data is routinely deleted.
HRDLOG.net maintains periodic backups of its data for operational resilience. Account and profile data is backed up daily; logbook data is backed up monthly. Data that has been deleted by the user or by the controller may therefore remain in backup copies for up to 30 days before the relevant backup is overwritten. Backup files are not accessible to third parties and are used solely for disaster recovery purposes.
6. Recipients and Third Country Transfer
HRDLOG.net uses external service providers for certain processing operations. These providers act as processors within the meaning of Article 28 GDPR and are bound by data processing agreements that restrict them to processing personal data solely on the controller’s instructions.
Where personal data is transferred to a third country (i.e. outside the EEA, or - for UK GDPR purposes - outside the UK), such transfers are carried out only in reliance on one of the following safeguards:
- An adequacy decision of the European Commission (Article 45 EU GDPR) or adequacy regulations made by the UK Secretary of State (Article 45 UK GDPR);
- Standard Contractual Clauses (SCCs) approved by the European Commission (Article 46(2)(c) EU GDPR) or, for UK transfers, an International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs approved by the ICO under section 119A(1) of the Data Protection Act 2018;
- Certification under the EU-US Data Privacy Framework (DPF) (adequacy decision of the European Commission, 10 July 2023) and/or the UK Extension to the EU-US DPF (UK-US Data Bridge, in force 12 October 2023).
The applicable transfer mechanism is identified in the description of each third-party service.
For UK residents: personal data processed on servers located in Italy and the Czech Republic (both EEA member states) is transferred on the basis of the UK Adequacy Regulations made pursuant to Article 45 UK GDPR, under which all EEA member states, including Italy, have been recognised as providing an adequate level of data protection.
7. Automated Decision-Making
HRDLOG.net does not use automated decision-making or profiling as defined in Article 22 GDPR.
8. Children
You must be at least 16 years old to use our website. We do not knowingly collect personal data from children under the age of 16 and we do not allow anyone under the age of 16 to use the website.
9. Data Security
HRDLOG.net primary objective is to ensure the confidentiality, integrity and availability of your personal information. We use technical and organisational security measures to protect the personal data we collect, particularly against accidental or intentional manipulation, loss or destruction, and against unauthorised access. We continually improve our security measures in line with technological developments.
C. Information and Processing of Your Personal Data When Using HRDLOG.NET
The table below sets out the categories of personal data processed by HRDLOG.net, together with the applicable legal basis, purpose, and retention period. Further detail on specific processing operations is provided in the sections that follow.
| Category | Data | Consent | Legal basis | Purpose | Retention |
| Account data |
Callsign, password (stored as a one-way hash; plain-text is never stored or recoverable), country, language preference, registration date |
No |
Art. 6(1)(b) GDPR - processing necessary for the performance of a contract (provision of the logbook service). |
User authentication and account management. |
For the duration of the account. Upon account deletion, data is removed within 1 day. |
| IP address at registration |
IP address recorded at the time of account creation. |
No |
Art. 6(1)(f) GDPR - legitimate interest of the controller in preventing abuse, fraud, and unauthorised account creation. |
Security and abuse prevention. Not combined with other personal data for profiling purposes. |
Up to 12 months from registration. |
| Email address |
Email address provided at registration or subsequently, provided voluntarily. |
Yes |
Art. 6(1)(a) GDPR - consent. |
Account notifications, QSL confirmations, service communications. |
For the duration of the account, or until consent is withdrawn. Withdrawal does not affect lawfulness of prior processing. |
| Name and surname |
First name and last name, provided voluntarily. |
Yes |
Art. 6(1)(a) GDPR - consent. |
Personalisation of the user profile and QSL card information. |
For the duration of the account, or until consent is withdrawn. Withdrawal does not affect lawfulness of prior processing. |
| Postal address |
Street address, city, country, postal code. |
Yes |
Art. 6(1)(a) GDPR - consent. |
Paper QSL card exchange. |
For the duration of the account, or until consent is withdrawn. Withdrawal does not affect lawfulness of prior processing. |
| User profile image |
Image uploaded by the user. |
Yes |
Art. 6(1)(a) GDPR - consent. |
Display on the user’s public logbook profile. |
For the duration of the account, or until consent is withdrawn. Withdrawal does not affect lawfulness of prior processing. |
| Equipment and diploma photographs |
Photographs of amateur radio equipment, antenna installations, diplomas, and similar images uploaded voluntarily by the user. Upload is entirely optional and does not affect core logbook functionality. |
Yes |
Art. 6(1)(a) GDPR - consent. |
Display on the user’s public profile. Users may optionally generate an embed code (iframe) to publish their photo gallery on an external website of their choice (e.g. a personal site or club website). This is an explicit, opt-in action initiated by the account holder. |
Until the user deletes the individual photographs or the account. Withdrawal does not affect lawfulness of prior processing. |
| PayPal email address (QSL card owner) |
Email address associated with the user’s PayPal account, stored only if the OQRS PayPal payment feature is explicitly activated by the user. |
Yes |
Art. 6(1)(a) GDPR - consent. |
Enabling PayPal payments within the OQRS service. When a requester opts to pay via PayPal, HRDLOG.net redirects to the PayPal payment page, where the owner’s PayPal email address is visible to the requester. The payment is settled directly between the requester and the owner; HRDLOG.net receives payment status confirmation from PayPal but does not handle the funds. |
For the duration of the account, or until consent is withdrawn. Withdrawal does not affect lawfulness of prior processing. |
| OQRS request data (QSL card requesters) |
Name, postal address, and, optionally, email address of the person submitting a QSL card request via the OQRS. The requester may or may not be a registered HRDLOG.net user. |
No |
Art. 6(1)(b) GDPR - processing necessary to take steps at the request of the data subject prior to or in connection with a service arrangement (dispatch of the requested QSL card). |
Transmitting the requester’s details to the HRDLOG.net user who owns the requested callsign, so that the QSL card can be prepared and dispatched. |
Retained for as long as necessary to process the QSL request and deleted thereafter. |
| Logbook data (QSO records) - own operating data (registered user) |
Callsign of correspondent, frequency, band, mode, date and time of contact, signal reports (RST), grid locator, DXCC entity, operator comments, and any other fields entered by the user. |
No |
Art. 6(1)(b) GDPR - processing necessary for the performance of a contract. |
Core logbook service; logbook storage, generation of statistics and awards tracking. |
For the duration of the account. Users may delete individual QSO records or their entire logbook at any time. |
| Logbook data (Public display) |
Yes |
Art. 6(1)(a) GDPR - consent, for any public display or aggregation of logbook data beyond the user’s private account. |
Propagation of aggregated public data (e.g. most-wanted DXCC lists) where the user has enabled logbook sharing. |
| Logbook data (QSO records) - correspondent callsigns appearing in registered users’ logbooks (see Note on Correspondent Callsigns below) |
Callsign of the correspondent station; frequency, band, mode, date and time of contact, signal reports (RST), grid locator, DXCC entity, as entered by the logging user. |
No |
Art. 6(1)(f) GDPR - legitimate interests. The legitimate interests pursued are: the provision of an accurate and verifiable logbook service integral to amateur radio award verification and QSL confirmation; and the enablement of QSO record-keeping, which is inherent to and inseparable from amateur radio operating as a licensed activity. |
Recording of correspondent callsigns as required for QSO verification, award credit, and QSL card exchange. Correspondent callsigns may appear in aggregated statistics (e.g. most-wanted DXCC entity lists) where the logging user has enabled logbook sharing. |
Public display of the registered user’s operating activity; generation of community-level amateur radio statistics and propagation data; most-wanted DXCC entity lists and equivalent aggregated outputs. |
| Award and activity data |
DXCC, SOTA, POTA, and other award progress and confirmations derived from logbook entries. |
No |
Art. 6(1)(b) GDPR - processing necessary for the performance of a contract. |
Award progress tracking and confirmation. |
For the duration of the account. |
| Real-time upload data |
QSO data transmitted via the HRDLOG.net API from desktop logging software (e.g. Ham Radio Deluxe, Log4OM, and others). |
No |
Art. 6(1)(b) GDPR - processing necessary for the performance of a contract. |
Real-time logbook updates. |
Stored as part of the logbook; same retention as logbook data. |
| DX Cluster spot data |
Spots submitted by registered users via the DX Cluster feature, including: callsign of the spotted station (DXer), spotter callsign, frequency, date and time of submission, and comment. |
No |
Art. 6(1)(b) GDPR - processing necessary for the performance of a contract (provision of the DX Cluster service). |
Real-time display of DX activity to registered users. Spot data is visible to other HRDLOG.net users as part of the DX Cluster feed. |
Up to 12 months from submission; older records are routinely deleted. |
| Server log data |
IP address, browser type and version, operating system, referring URL, pages visited, date and time of access. |
No |
Art. 6(1)(f) GDPR - legitimate interests of the controller (security, abuse prevention, error diagnosis). |
Website security, detection of attacks, error diagnosis. This data is not used to draw conclusions about individual users and is not combined with other personal data. |
Web server technical logs (which contain IP addresses) are retained for a maximum of 30 days for security purposes, troubleshooting, and abuse prevention. Application-level operational logs (authentication events, errors, security events) are retained for 12 months. GDPR consent audit logs (recording each user’s consent and withdrawal events, including timestamp, IP address, and user agent) are retained indefinitely, as they constitute the legal record of lawful processing basis. |
| Third-party service credentials (LoTW, eQSL, and similar) |
Usernames and passwords for third-party amateur radio online services (such as Logbook of The World - LoTW, eQSL, QRZ.com, and similar), provided voluntarily by the user to enable automatic log confirmation and data exchange. These credentials are stored in encrypted form using reversible encryption. |
Yes |
Art. 6(1)(a) GDPR - consent. |
Automated submission of QSO confirmations and data exchange with third-party amateur radio platforms. |
Until the user removes the credentials or deletes their account. Users may delete stored third-party credentials at any time via account settings. |
| Contact data |
Email address and any personal data included in a message sent via the contact form. |
No |
Art. 6(1)(f) GDPR - legitimate interest in responding to user enquiries; Art. 6(1)(b) where the enquiry relates to the contracted service. |
Responding to user enquiries and support requests. |
Retained only for as long as necessary to resolve the enquiry. |
1. Note on Correspondent Callsigns
QSO records entered by registered users include the callsign of the contacted station. A callsign is a unique identifier assigned by the national telecommunications authority and publicly broadcast over amateur radio frequencies by the holder, as required by the ITU Radio Regulations and national licensing conditions. The callsign is therefore not passively collected by HRDLOG.net but is broadcast by the holder themselves as a mandatory identification requirement.
Correspondents whose callsigns appear in logbook records maintained on HRDLOG.net have not necessarily registered with the service and have not provided consent for this specific processing.
The legal basis for this processing is Art. 6(1)(f) GDPR - legitimate interests of the controller. The legitimate interests pursued are: the provision of an accurate and verifiable logbook service integral to amateur radio award verification and QSL confirmation; and the enablement of QSO record-keeping, which is inherent to and inseparable from amateur radio operating as a licensed activity. Every active amateur radio operator can reasonably anticipate, within the meaning of Recital 47 GDPR, that their callsign will be recorded in the logbooks of stations with whom they have made contact. Processing is limited to what is strictly necessary for the logbook and award functions; no profiling is carried out.
Where personal data are not collected directly from the data subject, Art. 14 GDPR requires the controller to provide certain information. In the present case, individual notification of each correspondent whose callsign appears in a logbook record is not feasible and would constitute a disproportionate effort within the meaning of Art. 14(5)(b) GDPR, for the following reasons: the controller does not hold contact details for correspondents who are not registered users; callsign entries are created by registered users, not directly by the controller; and the number of correspondents across all logbook records makes individual notification practically impossible.
The notification obligation under Art. 14 GDPR is satisfied through this publicly accessible privacy policy, as individual notification of each correspondent would be impossible and constitute a disproportionate effort (Art. 14(5)(b) GDPR).
Any amateur radio operator who wishes to request removal of their callsign from QSO records on HRDLOG.net may contact the controller.
Requests will be evaluated in accordance with Art. 17 GDPR, taking into account the legitimate interests of the registered users who entered the records. Where erasure would conflict with the rights of registered users who entered the records in good faith, this will be weighed and communicated to the requestor with reasons.
All requests will be responded to within one calendar month in accordance with Art. 12(3) GDPR.
2. Server Log Files
When you visit HRDLOG.net, certain information is automatically stored in so-called server logs. This information helps us to improve our website and ensure that it operates smoothly.
The data collected includes:
- Technical data (date and time you accessed one of our websites; your browser type and settings; your operating system; the pages you visited and the duration of your visit, as well as the amount of data transferred and the access status, e.g. for downloads, success messages or error messages)
- IP address. This is done to enable you to use the websites you have accessed and to improve our website. We only store your IP address for the duration of your visit so that you can access and use the website for information purposes. Any further evaluation will only take place in accordance with the following provisions and based on your consent.
The processing of the aforementioned data is mandatory in accordance with Article 6 (1) (f) GDPR for the correct display of our website and to ensure stability and security for the performance of the website.
For the operation of this website, we commission a hosting provider to process meta and communication data of our website users on our behalf and based on our legitimate interests in the efficient and secure provision of this website in accordance with Article 6 (1) (f), Article 28 GDPR. A data processing agreement has been concluded.
3. Contact Form
When a user submits a contact form enquiry, the data provided (name, email address, subject, and message) is processed solely for the purpose of responding to the enquiry. The legal basis is Article 6(1)(f) GDPR where the enquiry is informational, or Article 6(1)(b) GDPR where it relates to a contracted service. You provide further information voluntarily, i.e. on the basis of your consent Article 6 (1) (a), Article 7 GDPR. Data is retained only for as long as necessary to resolve the enquiry.
4. Surveys
HRDLOG.net occasionally conducts voluntary surveys to collect feedback from users with the aim of improving the service. Surveys are implemented directly on the HRDLOG.net platform without the use of third-party survey tools; all responses are processed and stored exclusively on HRDLOG.net’s own infrastructure, operated by Aruba S.p.A. as processor under Article 28 GDPR. No survey data is transmitted to external services.
Participation is entirely voluntary. Users are under no obligation to participate, and declining to do so has no effect on access to any feature of the service.
Surveys are directed at registered donors. Data collected: callsign, free-text responses, rating scores.
The processing of personal data submitted in connection with a survey is carried out on the basis of Article 6(1)(a) GDPR - your consent, given by voluntarily completing and submitting the survey form. You may withdraw your consent at any time by contacting the controller; however, withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
Survey responses are used solely for the purpose of analysing user feedback and improving the HRDLOG.net service. Responses are not shared with third parties, used for commercial purposes, or linked to logbook or operating data.
Individual survey responses are retained for a period of 1 year, after which they are deleted or irreversibly anonymised. Aggregated, non-identifiable analytical outputs may be retained as long as necessary.
5. Third Party Single Sign-On Service
HRDLOG.net allows users to log in using a Google account instead of registering directly. When this option is used, the user is redirected to Google’s authentication page; HRDLOG.net receives from Google only the user’s name and email address, which are used solely to identify and assign the user in the system. HRDLOG.net does not receive the user’s Google password. The legal basis is Article 6(1)(a) GDPR - consent.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Further information: https://www.google.com/policies/privacy/partners/
6. Security of Credentials in Third-Party Software
HRDLOG.net supports real-time log uploads from desktop amateur radio logging software (including Ham Radio Deluxe, Log4OM, and similar applications). To enable this, users enter their HRDLOG.net username and a dedicated upload code - not their account password - into the configuration of the relevant software.
The upload code is an application-specific token generated exclusively for the upload function. If compromised, it can be regenerated at any time from the account settings page without affecting the account password or any other account data.
In accordance with Article 32 GDPR, users are advised to:
- treat the upload code as a sensitive credential and not share it or include it in publicly accessible files;
- restrict access to logging software configuration files to the current OS user account where possible;
- take particular care when sharing a computer with others;
- refer to the documentation of the logging software for guidance on protecting stored credentials at the application level.
HRDLOG.net has no control over how third-party software stores credentials on the user’s device. In the event of a suspected compromise, users should regenerate their upload code immediately and change their account password if they believe it may also have been exposed.
7. Registration for an Account
Users may register on HRDLOG.net by providing personal data. Mandatory data required for registration: callsign and password. Optional data which the user may choose to provide in their account profile: email address, name and surname, postal address, profile image, equipment and diploma photographs and third-party service credentials (such as LoTW and eQSL login details).
The processing of mandatory registration data (callsign and password) is carried out on the basis of Article 6 (1) (b) GDPR, as it is necessary for the performance of the contract for the provision of the logbook service entered into upon registration.
The processing of optional media content (email address, profile image, equipment and diploma photographs) is carried out on the basis of Article 6 (1) (a) GDPR (consent), given by the user by voluntarily uploading such content. Users may withdraw this consent at any time by deleting the relevant content through their account settings, without affecting the lawfulness of processing prior to withdrawal.
Passwords are stored exclusively in irreversibly hashed form using industry-standard cryptographic algorithms; the controller does not have access to passwords in plain text.
The IP address and timestamp of registration are also stored to prevent misuse of the service and to enable investigation of any offences if necessary. This processing is carried out on the basis of Article 6(1)(f) GDPR. The legitimate interests pursued by the controller are the prevention of abusive or fraudulent registrations and the ability to provide evidence to competent law enforcement authorities in the event of a cyber-offence. This data is retained for up to 12 months.
Third-party service credentials (LoTW, eQSL, and similar) are stored in reversibly encrypted form and used solely for the purpose of connecting to the relevant third-party services on the user’s behalf. They are not disclosed to any third party and are deleted upon deactivation of the relevant synchronisation setting or account closure.
8. Chat
HRDLOG.net provides a chat function exclusively available to registered users. The chat allows users to exchange text messages and file attachments within the platform.
Data processed: When using the chat function, HRDLOG.net processes the following personal data: the user’s callsign (as sender identifier), the content of messages sent and the date and time of each message. Chat messages are accessible only to registered users of HRDLOG.net and are not visible to the public.
Legal basis: The processing of personal data in connection with the chat function is carried out on the basis of Article 6(1)(a) GDPR - your consent. Consent may be withdrawn at any time by reverting to the private setting.
Chat messages and associated attachments are retained for 1 year after which they are deleted. Users may delete their own messages at any time.
The Chat data is processed exclusively on HRDLOG.net’s infrastructure, operated by Aruba S.p.A. as processor under Article 28 GDPR. Chat content is not shared with third parties.
9. Your Logbook Data and Visibility
QSO records you upload to HRDLOG.net are stored on servers located in the European Union (Italy and the Czech Republic), operated by Aruba S.p.A. For users based in the United Kingdom, the transfer of personal data to Italy or the Czech Republic is covered by the UK Adequacy Regulations.
Access to a user’s logbook is controlled by the visibility settings chosen in the account:
- Private: QSOs are visible only to the account holder. Processing basis: Article 6(1)(b) GDPR.
- Public: the logbook is visible to anyone, however the following data can be hidden: QSO Start time, QSL status, QSO Comment. Processing basis: Article 6(1)(a) GDPR - the user’s consent, given by affirmatively selecting the public setting. Consent may be withdrawn at any time by reverting to the private setting. Where public logbook entries contain correspondent callsigns, those callsigns are processed on the basis of Article 6(1)(f) GDPR (see Section C.1).
- Embedded script: the user may generate a script to publish their logbook on an external website. This is an opt-in action and is carried out on the basis of Article 6(1)(a) GDPR. Once data is published via the embedded script, HRDLOG.net has no control over its processing on the external website. The user becomes independently responsible, as a data controller within the meaning of Article 4(7) GDPR, for personal data processed through the embedded logbook on their own website.
Regardless of visibility settings, logbook data is used in aggregate to generate statistics such as most-wanted DXCC lists. Where these outputs contain no individual callsigns or identifiable information, they do not constitute personal data within the meaning of Article 4(1) GDPR. Where correspondent callsigns appear in aggregated outputs, Article 6(1)(f) GDPR applies.
D. Cookies and Similar Technologies
Cookies are small text files placed on the user’s device by a website and retrieved on subsequent visits. They cannot execute programs or transmit malicious code. Cookies may, however, contain identifiers that constitute personal data within the meaning of Article 4(1) GDPR where they can be linked to an identifiable individual.
HRDLOG.net uses four categories of cookies. Necessary cookies are placed without prior consent as they are technically required for the operation of the service. Preferences, Statistics and Marketing cookies are placed only upon prior, freely given consent through the cookie consent banner.
1. Consent Manager
Our website uses a proprietary consent management technology developed directly by us to obtain your consent to the storage of certain cookies on your device or for the use of certain technologies and to document them in a data protection compliant manner. This technology is managed internally and does not transfer your consent data to third-party providers.
The cookie consent is used to obtain the legally required consent for the use of cookies. The legal basis for this is Article 6 (1) (c) GDPR.
2. Cookie Table
| Type | Name | Purpose | Duration |
| 1. Necessary | ASP.NET_SessionId | Session management | Session |
| 1. Necessary | cookieconsent | Stores cookie consent choices | 1 year |
| 1. Necessary | ThirdPartyConsent | Stores third party consent choices | 1 year |
| 2. Preferences | callsign | Remembers user callsign | 1 month |
| 2. Preferences | uiculture | Remembers language preference | 1 year |
| 2. Preferences | keep_logged | Keep user logged in | 1 month |
| 2. Preferences | cluster_band | DX Cluster: band filter | 30 days |
| 2. Preferences | cluster_callsign | DX Cluster: callsign search | 30 days |
| 2. Preferences | cluster_highlight | DX Cluster: highlight spots | 30 days |
| 2. Preferences | rbn_pinned | DX Cluster: alerts panel | 30 days |
| 2. Preferences | hrdlog_rowpage | Rows per page setting | 1 month |
| 3. Statistics | hrdlog | Records first visit | 1 year |
| 3. Statistics | _ga | Google Analytics: unique user ID | 2 years |
| 3. Statistics | _ga_xxxxxxxxx | Google Analytics GA4 session | 2 years |
| 3. Statistics | _gat | Google Analytics: throttle rate | 1 minute |
| 3. Statistics | _gid | Google Analytics: daily user ID | 24 hours |
| 4. Marketing | (see Google AdSense, AdWords and DoubleClick sections) |
Cookie table was last updated: 18 June 2026. This table reflects the cookies currently in use and will be updated when cookies are added, modified, or removed.
E. Third-Party Services
1. Security and Performance
a. Hosting
Our website utilizes hosting and cloud services provided by Aruba.it (Aruba S.p.A. - via San Clemente, 53 - 24036 Ponte San Pietro (BG)). When you visit our website, your data is processed and stored on Aruba servers. As a result, Aruba receives your IP address and information about your browser and operating system.
Aruba acts as a processor for us and we have concluded a data processing agreement in accordance with Article 28 GDPR.
Further information: GDPR il Regolamento Europeo della Privacy | Aruba.it
b. Error-Tracking
To ensure the technical stability and security of our service, we monitor it using a self-hosted instance of an error-tracking software, deployed and operated entirely within our own server infrastructure. When a system error occurs, certain technical information, such as your IP address, browser name, user-agent, and error logs, is automatically transmitted to our self-hosted server to help us identify and correct the code issue. This data is processed exclusively for error analysis and security purposes, and is never used for marketing or user behavior profiling. The information is retained only as long as necessary to resolve the technical issue and is subsequently deleted. The legal basis for this processing is Article 6 (1) (f) GDPR, based on our legitimate interests in maintaining a secure, stable and functional website.
2. Google Services
We use the Google services listed in the following table. These services are provided by Google Ireland Limited, as our processor, and the parent company Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. The transfer of personal data to the USA is based on the EU-US Data Privacy Framework certified parent company and the adequacy decision (Article 45 GDPR). For UK residents, this transfer is covered by the UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge), which came into force on 12 October 2023 and under which Google LLC is also certified.
The use of Google Services is carried out on the basis of Article 6(1)(a) GDPR. Consent may be withdrawn at any time by adjusting your cookie preferences.
| Services | Purpose | Data Processing | Privacy Settings |
| Google Visualization API |
Visually display data on our website (e.g., charts and graphs). When you view a page containing this service, your web browser automatically transfers certain data. |
Technical data:
• IP address
• specific page URL |
Deactivation via your browser software or in the consent gate. |
| Google Maps |
Display interactive maps showing the approximate geographic distribution of amateur radio contacts. |
Technical data:
• IP address
• specific page URL
• location data
• device information
• date and time of access |
Deactivation via your browser software or in the consent gate. |
| Google Analytics 4 (GOA4) |
Website analysis, optimization, reports on website activity.
Creation of statistics on “demographic characteristics” that provide information on the age, gender and interests of site visitors without individualizing them.
With a UserID, improvement of the individual user experience across devices. |
Device information
JavaScript and pixels (reading of information on the end device)
Cookies (storage of information on end device)
Network information
• Abbreviated IP address (no clear assignment possible)
• Approximate location (country and city)
Technical data
• Browser and version
• Internet service provider
• Type of device
• Screen resolution
User behavior
• Pages visited
• Clicks and scrolling behavior
• Session duration
• Bounce rate (leaving without interacting)
Traffic sources
• Referring website
• Advertising material used
Interactions
• Added to favorites
• Social Media Shares
• External link clicks
Analyze user behavior across devices and create database models (e.g. conversation) |
Deactivated advertising function
Deactivated personalised advertising
Deactivated data sharing (in particular Google products and services, benchmarking, technical support, account specialist)
Storage period of cookies with randomly generated user ID for recognition in the web browser for 24 months since the last website visit
Deactivation via https://support.google.com/ads/answer/2662922 |
| Google DoubleClick |
Personalized advertising. |
Cookies (storage of information on end device)
User behavior of website visits including third-party providers:
• Search behavior
• Visited websites
• Clicks/click path
• Duration of visit |
Deactivation via your browser software or in the cookie banner. |
| Google Ads/Conversion Tracking |
Statistical evaluation of the success of advertising campaigns to adapt more efficient advertising campaigns. |
Cookies (storage of information on end device)
Encrypted user data e.g.:
• Name
• Date of birth
• Email
• Address
• Telephone number
• Customer-specific identifiers
• IP address
User behavior:
• Search behavior
• Visited websites
• Clicks/click path
• Duration of visit |
Deactivation via browser software or in the cookie banner. |
| Google AdSense |
Placement of ads to collect information about the use of this and other websites to improve the measurement of advertising campaigns. |
Cookies (storage of information on end device)
Technical data:
• IP address
• Browser type
• Operating system
• Device ID
User behavior:
• Search behavior
• Visited websites
• Clicks/click path
• Duration of visit |
Deactivation via browser software or in the cookie banner. |
For more information about the general data protection overview of all Google services, please visit https://policies.google.com/privacy and about the technologies used, please visit https://policies.google.com/technologies.
For more information about Google Analytics 4, please refer to the terms of service at https://support.google.com/analytics/answer/7318509?hl=en and at https://support.google.com/analytics/answer/12017362?hl=en.
3. ArcGIS Online (Esri)
HRDLOG.net uses ArcGIS Online, a mapping platform provided by Environmental Systems Research Institute, Inc. (Esri), 380 New York Street, Redlands, CA 92373, United States, to provide map background tiles for a locator widget displaying the approximate station location of the user.
When a page containing the ArcGIS locator widget is loaded, your browser requests map tile images from Esri’s servers. In the course of this request, Esri receives your IP address, the map area and zoom level requested, and technical browser information necessary to deliver the map tiles. No callsigns, account data, or other user identifiers are transmitted to Esri.
The use of ArcGIS Online is carried out on the basis of your consent Article 6 (1) (a) GDPR.
The use of ArcGIS Online involves the transfer of personal data to Esri in the United States. Esri is certified under the EU-US Data Privacy Framework and acts as a qualified entity, accepting responsibility for onward transfers to sub-processors. Esri additionally commits to EU Standard Contractual Clauses and the UK Addendum for transfers processed on behalf of its customers. For EEA users, the transfer is covered by the adequacy decision of the European Commission of 10 July 2023. For UK residents, the transfer is covered by the UK-US Data Bridge.
Further information: https://www.esri.com/en-us/privacy/overview
5. PayPal
HRDLOG.net uses PayPal in two contexts. PayPal is an online payment service operated by PayPal (Europe) S.à.r.l. et Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg. If you use PayPal, you will be redirected directly to PayPal.
Donations: registered users may make a voluntary donation to support HRDLOG.net via PayPal. When doing so, the user’s callsign is transmitted to PayPal as a payment reference.
OQRS payments: when a QSL card requester chooses to pay via the OQRS, HRDLOG.net redirects to the PayPal payment page of the QSL card owner. The owner’s PayPal email address is visible on that page. The payment is settled directly between the requester and the owner. HRDLOG.net receives confirmation of payment status from PayPal but does not handle the funds.
The transfer of personal data to PayPal described above is carried out on the basis of Article 6(1)(b) GDPR (processing necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract) and/or Article 6(1)(f) GDPR (legitimate interests of HRDLOG.net and its users in the processing of payments), as applicable to the context of each transaction.
Personal data transmitted to PayPal may be transferred outside the European Economic Area, including to the United States. Such transfers are carried out in accordance with applicable data protection laws, including the EU Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum.
Further information: https://www.paypal.com/en/webapps/mpp/ua/privacy-full
Contents of this site
The contents of this site are not of a "newspaper" nature and do not represent an "editorial product" ex Law 62/2001, and therefore are not subject to application of Law 106/2004 and the implementation order through Presidential Decree 252/2006 regarding legal deposit.
This site is not a newspaper because it is updated without any periodicity.
