# Privacy Policy
**Last updated:** October 2025

## 1. Data Controller
Responsible under the General Data Protection Regulation (GDPR):

**Sören Eberhardt-Biermann**  
Schweriner Str. 15  
19306 Neustadt-Glewe  
Germany  

Email: info@fotospiel.app
Website: [https://fotospiel.app](https://fotospiel.app)

---

## 2. General Information
We process personal data in compliance with the GDPR and the German Federal Data Protection Act (BDSG).  
Use of the Fotospiel App requires only the personal data necessary to host and participate in photo events.

---

## 3. Types of Data Processed
- Organizer data: name, email address, payment information (via Paddle/Stripe), event details (title, date, photo tasks, photos)
- Guest data: uploaded photos, display name (optional), likes/reactions
- Technical data: IP address, browser type, timestamp, device information
- Communication data: messages sent via contact form or email

---

## 4. Purpose and Legal Basis of Processing
| Purpose | Legal Basis | Description |
|----------|--------------|-------------|
| Providing the app and hosting events | Art. 6(1)(b) GDPR | Contract performance |
| Storing and displaying photos | Art. 6(1)(b) GDPR | Core feature of the app |
| Payment processing and invoicing | Art. 6(1)(b), (c) GDPR | Use of Paddle and Stripe services |
| Web analytics via Matomo | Art. 6(1)(f) GDPR | Statistical analysis to improve the app |
| Server logs and security | Art. 6(1)(f) GDPR | Ensuring system security |
| Responding to inquiries | Art. 6(1)(f) or (b) GDPR | Communication with users |

---

## 5. Hosting and Data Processing
Our servers are operated by **Hetzner Online GmbH**, Industriestr. 25, 91710 Gunzenhausen, Germany.  
A data processing agreement pursuant to Art. 28 GDPR is in place.  
All processing takes place within the EU.

---

## 6. Payment Processing
Payments are handled by **Paddle (Europe) S.à r.l. et Cie, S.C.A.** and **Stripe Payments Europe, Ltd.**  
We do not store payment or credit card data.  
Legal basis: Art. 6(1)(b) and (c) GDPR.

Privacy policies:  
- Paddle: https://www.paypal.com/de/webapps/mpp/ua/privacy-full  
- Stripe: https://stripe.com/de/privacy

---

## 7. Web Analytics with Matomo
We use **Matomo** (self-hosted) for anonymous usage analysis.  
No data is shared with third parties.  
IP addresses are anonymized.  
Only technically necessary cookies are used.  
Legal basis: Art. 6(1)(f) GDPR.

---

## 8. Cookies
Only technically necessary cookies are used.  
Legal basis: Art. 6(1)(f) GDPR.  
No consent is required.

---

## 9. Data Retention Periods
| Data Type | Retention Period | Reason |
|------------|------------------|--------|
| Photos | Deleted within 30 days after the booked storage period ends | Automatic deletion |
| User accounts (hosts) | Deleted after 24 months of inactivity | Contract completed |
| Payment data | 10 years | Legal retention obligations |
| Server logs | 7 days | IT security |
| Contact messages | Max. 6 months | After processing completed |

---

## 10. Data Disclosure
Data is only shared with:
- Payment providers (Paddle, Stripe)
- Hosting provider (Hetzner)
- Public authorities when legally required

No data is transferred outside the EU.

---

## 11. Data Subject Rights
You have the following rights under GDPR:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)

Requests may be sent to: info@fotospiel.app

---

## 12. Withdrawal of Consent
If processing is based on consent, you may withdraw it at any time with future effect.

---

## 13. Data Security
We apply appropriate technical and organizational measures to secure your data, including encryption, access controls, and backups.

---

## 14. Changes to this Privacy Policy
We may update this Privacy Policy to reflect legal or functional changes.  
The current version is always available at [https://fotospiel.app/privacy](https://fotospiel.app/privacy).