Update legal privacy disclosures and dates

.beads/issues.jsonl

@@ -61,7 +61,7 @@
 {"id":"fotospiel-app-gsv","title":"Localized SEO: validate hreflang via Search Console/Lighthouse","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T16:02:36.4821072+01:00","created_by":"soeren","updated_at":"2026-01-01T16:02:36.4821072+01:00"}
 {"id":"fotospiel-app-hbt","title":"Moderation queue for guest content","description":"Queue for flagged guest content (photos, feedback). Bulk actions to hide/delete/resolve with audit.","notes":"Land the plane: tests run (FilamentPanelNavigationTest, PhotoModerationQueueTest, TenantFeedbackModerationQueueTest, TenantLifecycle*), migrations added for photo + feedback moderation, no follow-up blockers.","status":"closed","priority":1,"issue_type":"feature","created_at":"2026-01-01T14:18:37.777772819+01:00","updated_at":"2026-01-02T17:33:22.599440896+01:00","closed_at":"2026-01-02T17:33:22.599440896+01:00","close_reason":"Closed"}
 {"id":"fotospiel-app-ihd","title":"Superadmin control surface spec and access matrix","description":"Define the minimal superadmin control surface, permissions, and mapping to tenant/guest responsibilities. Document scope and non-goals.","notes":"Added superadmin control surface + access matrix to docs/ops/operations-manual.md (Section 1.1), including non-goals and role scope.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T14:18:10.789147344+01:00","updated_at":"2026-01-02T17:33:57.71777777+01:00","closed_at":"2026-01-02T17:33:57.71777777+01:00","close_reason":"Closed"}
-{"id":"fotospiel-app-iqd","title":"Legal: disclose checkout/coupon fraud IP/device signals","description":"Update Legal Pages (privacy policy) to disclose IP/device capture for coupon fraud signals and retention window.","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-02T23:33:44.532864199+01:00","created_by":"soeren","updated_at":"2026-01-02T23:33:44.532864199+01:00"}
+{"id":"fotospiel-app-iqd","title":"Legal: disclose checkout/coupon fraud IP/device signals","description":"Update Legal Pages (privacy policy) to disclose IP/device capture for coupon fraud signals and retention window.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-02T23:33:44.532864199+01:00","created_by":"soeren","updated_at":"2026-01-04T11:15:55.947463643+01:00","closed_at":"2026-01-04T11:15:55.947463643+01:00","close_reason":"Closed"}
 {"id":"fotospiel-app-iyc","title":"Superadmin audit log for admin actions","description":"Audit trail for superadmin actions without PII payloads.","status":"closed","priority":2,"issue_type":"feature","created_at":"2026-01-01T14:20:19.043695952+01:00","updated_at":"2026-01-02T11:57:23.328889123+01:00","closed_at":"2026-01-02T11:57:23.328889123+01:00","close_reason":"Closed"}
 {"id":"fotospiel-app-iyh","title":"Security review follow-ups: signed URL TTLs, guest asset throttles, CORS allowlist, logging hygiene","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T16:05:42.642109576+01:00","created_by":"soeren","updated_at":"2026-01-01T16:05:42.642109576+01:00"}
 {"id":"fotospiel-app-jk4","title":"Checkout refactor: CheckoutController + marketing route alignment","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:06:21.088319132+01:00","created_by":"soeren","updated_at":"2026-01-01T16:06:26.663419594+01:00","closed_at":"2026-01-01T16:06:26.663419594+01:00","close_reason":"Completed in codebase (verified)"}

docs/content/legal/agb-de.md

@@ -1,6 +1,6 @@
 # Allgemeine Geschäftsbedingungen (AGB) für „Die Fotospiel App“
 
-**Stand:** Oktober 2025
+**Stand:** Januar 2026
 
 **Anbieter:**  
 Sören Eberhardt-Biermann  

docs/content/legal/agb-en.md

@@ -1,6 +1,6 @@
 # Terms and Conditions (T&C) for "The Fotospiel App"
 
-**Last updated:** October 2025
+**Last updated:** January 2026
 
 **Provider:**  
 Sören Eberhardt-Biermann  

docs/content/legal/datenschutz-de.md

@@ -1,5 +1,5 @@
 # Datenschutzerklärung
-**Stand:** Oktober 2025
+**Stand:** Januar 2026
 
 ## 1. Verantwortlicher
 Verantwortlich für die Datenverarbeitung im Sinne der Datenschutz-Grundverordnung (DSGVO):
@@ -23,7 +23,7 @@ Die Nutzung der Fotospiel App ist grundsätzlich nur mit den personenbezogenen D
 ## 3. Arten der verarbeiteten Daten
 - Veranstalterdaten: Name, E-Mail-Adresse, Zahlungsinformationen (über Paddle), Eventdaten (Titel, Datum, Aufgaben, Bilder)
 - Nutzerdaten (Gäste): hochgeladene Fotos, Anzeigename (frei wählbar), Reaktionen/Likes
-- Technische Daten: IP-Adresse, Browsertyp, Zeitstempel, Geräteinformationen, anonyme Sitzungskennung (session_id)
+- Technische Daten: IP-Adresse, Browsertyp, Zeitstempel, Geräteinformationen, anonyme Sitzungskennung (session_id) sowie Checkout-/Coupon-Missbrauchssignale (z. B. Geräte-/Browsermerkmale, Coupon-/Transaktionsmetadaten)
 - Kommunikationsdaten: Inhalte von Kontaktanfragen über das Formular oder per E-Mail
 
 ---
@@ -34,6 +34,7 @@ Die Nutzung der Fotospiel App ist grundsätzlich nur mit den personenbezogenen D
 | Bereitstellung der App und Durchführung von Veranstaltungen | Art. 6 Abs. 1 lit. b DSGVO | Nutzung der App durch Veranstalter und Gäste |
 | Speicherung und Anzeige von Fotos innerhalb des Events | Art. 6 Abs. 1 lit. b DSGVO | Durchführung der Fotospiel-Funktionalität |
 | Abrechnung und Zahlungsabwicklung | Art. 6 Abs. 1 lit. b, lit. c DSGVO | Nutzung der Dienste von Paddle |
+| Betrugs- und Missbrauchsprävention (Checkout/Coupons) | Art. 6 Abs. 1 lit. f DSGVO | Schutz vor Betrug, Missbrauch und unzulässigen Coupon-Einlösungen |
 | Webanalyse über Matomo (selbst gehostet) | Art. 6 Abs. 1 lit. f DSGVO | Statistische Auswertung zur Verbesserung der App |
 | Sicherheit, Server-Logs | Art. 6 Abs. 1 lit. f DSGVO | Sicherstellung des Betriebs, Fehleranalyse |
 | Beantwortung von Kontaktanfragen | Art. 6 Abs. 1 lit. f oder lit. b DSGVO | Kommunikation mit Nutzern und Interessenten |
@@ -51,6 +52,7 @@ Die Verarbeitung erfolgt ausschließlich innerhalb der EU.
 Die Zahlungsabwicklung erfolgt über **Paddle.com Market Ltd.**  
 Bei der Zahlung werden personenbezogene Daten an diesen Dienstleister übermittelt.  
 Wir speichern keine Zahlungs- oder Kreditkartendaten.  
+Im Rahmen von Checkout und Coupon-Einlösung verarbeiten wir technische Signale (z. B. IP-Adresse, Geräte-/Browsermerkmale, Zeitstempel) zur Betrugs- und Missbrauchsprävention. Diese Daten können an Paddle übermittelt werden.  
 Rechtsgrundlage: Art. 6 Abs. 1 lit. b und lit. c DSGVO.
 
 Datenschutzhinweise der Anbieter:  

docs/content/legal/datenschutz-en.md

@@ -1,5 +1,5 @@
 # Privacy Policy
-**Last updated:** October 2025
+**Last updated:** January 2026
 
 ## 1. Data Controller
 Responsible under the General Data Protection Regulation (GDPR):
@@ -23,7 +23,7 @@ Use of the Fotospiel App requires only the personal data necessary to host and p
 ## 3. Types of Data Processed
 - Organizer data: name, email address, payment information (via Paddle), event details (title, date, photo tasks, photos)
 - Guest data: uploaded photos, display name (optional), likes/reactions
-- Technical data: IP address, browser type, timestamp, device information, anonymous session identifier (session_id)
+- Technical data: IP address, browser type, timestamp, device information, anonymous session identifier (session_id), and checkout/coupon abuse signals (e.g., device/browser characteristics, coupon/transaction metadata)
 - Communication data: messages sent via contact form or email
 
 ---
@@ -34,6 +34,7 @@ Use of the Fotospiel App requires only the personal data necessary to host and p
 | Providing the app and hosting events | Art. 6(1)(b) GDPR | Contract performance |
 | Storing and displaying photos | Art. 6(1)(b) GDPR | Core feature of the app |
 | Payment processing and invoicing | Art. 6(1)(b), (c) GDPR | Use of Paddle services |
+| Fraud and abuse prevention (checkout/coupons) | Art. 6(1)(f) GDPR | Protecting against fraud, abuse, and improper coupon redemptions |
 | Web analytics via Matomo | Art. 6(1)(f) GDPR | Statistical analysis to improve the app |
 | Server logs and security | Art. 6(1)(f) GDPR | Ensuring system security |
 | Responding to inquiries | Art. 6(1)(f) or (b) GDPR | Communication with users |
@@ -50,6 +51,7 @@ All processing takes place within the EU.
 ## 6. Payment Processing
 Payments are handled by **Paddle.com Market Ltd.**  
 We do not store payment or credit card data.  
+During checkout and coupon redemption, we process technical signals (e.g., IP address, device/browser characteristics, timestamps) for fraud and abuse prevention. This data may be shared with Paddle.  
 Legal basis: Art. 6(1)(b) and (c) GDPR.
 
 Privacy policies:  

docs/content/legal/widerrufsbelehrung-de.md

@@ -1,6 +1,6 @@
 # Widerrufsbelehrung für „Die Fotospiel App“
 
-**Stand:** Oktober 2025
+**Stand:** Januar 2026
 
 ---
 

docs/content/legal/widerrufsbelehrung-en.md

@@ -1,6 +1,6 @@
 # Right of Withdrawal for “The Fotospiel App”
 
-**Last updated:** October 2025
+**Last updated:** January 2026
 
 ---