# Privacy Policy

**Last updated:** January 2026

## 1. Data Controller

Responsible under the General Data Protection Regulation (GDPR):

**Sören Eberhardt-Biermann**
Schweriner Str. 15
19306 Neustadt-Glewe
Germany

Email: info@fotospiel.app
Website: [/en/](/en/)

---

## 2. General Information

We process personal data in compliance with the GDPR and the German Federal Data Protection Act (BDSG). Use of the Fotospiel App requires only the personal data necessary to host and participate in photo events.

---

## 3. Types of Data Processed

- Organizer data: name, email address, payment information (via Paddle), event details (title, date, photo tasks, photos)
- Guest data: uploaded photos, display name (optional), likes/reactions
- Technical data: IP address, browser type, timestamp, device information, anonymous session identifier (session_id), and checkout/coupon abuse signals (e.g., device/browser characteristics, coupon/transaction metadata)
- Communication data: messages sent via contact form or email

---

## 4. Purpose and Legal Basis of Processing

| Purpose | Legal Basis | Description |
|----------|--------------|-------------|
| Providing the app and hosting events | Art. 6(1)(b) GDPR | Contract performance |
| Storing and displaying photos | Art. 6(1)(b) GDPR | Core feature of the app |
| Payment processing and invoicing | Art. 6(1)(b), (c) GDPR | Use of Paddle services |
| Fraud and abuse prevention (checkout/coupons) | Art. 6(1)(f) GDPR | Protecting against fraud, abuse, and improper coupon redemptions |
| Web analytics via Matomo | Art. 6(1)(f) GDPR | Statistical analysis to improve the app |
| Server logs and security | Art. 6(1)(f) GDPR | Ensuring system security |
| Responding to inquiries | Art. 6(1)(f) or (b) GDPR | Communication with users |

---

## 5. Hosting and Data Processing

Our servers are operated by **Hetzner Online GmbH**, Industriestr. 25, 91710 Gunzenhausen, Germany. A data processing agreement pursuant to Art. 28 GDPR is in place. All processing takes place within the EU.

---

## 6. Payment Processing

Payments are handled by **Paddle.com Market Ltd.** We do not store payment or credit card data.

During checkout and coupon redemption, we process technical signals (e.g., IP address, device/browser characteristics, timestamps) for fraud and abuse prevention. This data may be shared with Paddle.

Legal basis: Art. 6(1)(b) and (c) GDPR.

Privacy policies:

- Paddle: https://www.paddle.com/legal/privacy

---

## 7. Web Analytics with Matomo

We use **Matomo** (self-hosted) for anonymous usage analysis. No data is shared with third parties. IP addresses are anonymized.

In the guest areas of the app, an anonymous session identifier (**session_id**) is used and stored in a technically necessary cookie or in the browser’s local storage to associate uploads, likes, and tasks with a device or session. This identifier does not contain clear data such as names or email addresses and becomes invalid at the latest when the event or gallery storage period ends.

Only technically necessary cookies are used.

Legal basis: Art. 6(1)(f) GDPR.

---

## 8. Cookies

Only technically necessary cookies are used.

Legal basis: Art. 6(1)(f) GDPR. No consent is required.

---

## 9. Data Retention Periods

| Data Type | Retention Period | Reason |
|------------|------------------|--------|
| Photos | Deleted within 30 days after the booked storage period ends | Automatic deletion |
| User accounts (hosts) | Deleted after 24 months of inactivity | Contract completed |
| Payment data | 10 years | Legal retention obligations |
| Server logs | 7 days | IT security |
| Contact messages | Max. 6 months | After processing completed |

---

## 10. Data Disclosure

Data is only shared with:

- Payment providers (Paddle)
- Hosting provider (Hetzner)
- Public authorities when legally required

No data is transferred outside the EU.

---

## 11. Data Subject Rights

You have the following rights under GDPR:

- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)

Requests may be sent to: info@fotospiel.app

---

## 12. Withdrawal of Consent

If processing is based on consent, you may withdraw it at any time with future effect.

---

## 13. Data Security

We apply appropriate technical and organizational measures to secure your data, including encryption, access controls, and backups.

---

## 14. Changes to this Privacy Policy

We may update this Privacy Policy to reflect legal or functional changes. The current version is always available at [/en/privacy](/en/privacy).