soeren/fotospiel-app
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
Files
fae5ec26fbd2033dedcdb0afed25d8e0e7f908cc
fotospiel-app/docs/content/legal/datenschutz-en.md
Codex Agent fae5ec26fb
Some checks failed
linter / quality (push) Has been cancelled
Details
tests / ci (push) Has been cancelled
Details
tests / ui (push) Has been cancelled
Details
Update legal privacy disclosures and dates
2026-01-04 11:17:04 +01:00

126 lines
4.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Privacy Policy
**Last updated:** January 2026
## 1. Data Controller
Responsible under the General Data Protection Regulation (GDPR):
**Sören Eberhardt-Biermann**
Schweriner Str. 15
19306 Neustadt-Glewe
Germany
Email: info@fotospiel.app
Website: [/en/](/en/)
---
## 2. General Information
We process personal data in compliance with the GDPR and the German Federal Data Protection Act (BDSG).
Use of the Fotospiel App requires only the personal data necessary to host and participate in photo events.
---
## 3. Types of Data Processed
- Organizer data: name, email address, payment information (via Paddle), event details (title, date, photo tasks, photos)
- Guest data: uploaded photos, display name (optional), likes/reactions
- Technical data: IP address, browser type, timestamp, device information, anonymous session identifier (session_id), and checkout/coupon abuse signals (e.g., device/browser characteristics, coupon/transaction metadata)
- Communication data: messages sent via contact form or email
---
## 4. Purpose and Legal Basis of Processing
| Purpose | Legal Basis | Description |
|----------|--------------|-------------|
| Providing the app and hosting events | Art. 6(1)(b) GDPR | Contract performance |
| Storing and displaying photos | Art. 6(1)(b) GDPR | Core feature of the app |
| Payment processing and invoicing | Art. 6(1)(b), (c) GDPR | Use of Paddle services |
| Fraud and abuse prevention (checkout/coupons) | Art. 6(1)(f) GDPR | Protecting against fraud, abuse, and improper coupon redemptions |
| Web analytics via Matomo | Art. 6(1)(f) GDPR | Statistical analysis to improve the app |
| Server logs and security | Art. 6(1)(f) GDPR | Ensuring system security |
| Responding to inquiries | Art. 6(1)(f) or (b) GDPR | Communication with users |
---
## 5. Hosting and Data Processing
Our servers are operated by **Hetzner Online GmbH**, Industriestr. 25, 91710 Gunzenhausen, Germany.
A data processing agreement pursuant to Art. 28 GDPR is in place.
All processing takes place within the EU.
---
## 6. Payment Processing
Payments are handled by **Paddle.com Market Ltd.**
We do not store payment or credit card data.
During checkout and coupon redemption, we process technical signals (e.g., IP address, device/browser characteristics, timestamps) for fraud and abuse prevention. This data may be shared with Paddle.
Legal basis: Art. 6(1)(b) and (c) GDPR.
Privacy policies:
- Paddle: https://www.paddle.com/legal/privacy
---
## 7. Web Analytics with Matomo
We use **Matomo** (self-hosted) for anonymous usage analysis.
No data is shared with third parties.
IP addresses are anonymized.
In the guest areas of the app, an anonymous session identifier (**session_id**) is used and stored in a technically necessary cookie or in the browsers local storage to associate uploads, likes, and tasks with a device or session. This identifier does not contain clear data such as names or email addresses and becomes invalid at the latest when the event or gallery storage period ends.
Only technically necessary cookies are used.
Legal basis: Art. 6(1)(f) GDPR.
---
## 8. Cookies
Only technically necessary cookies are used.
Legal basis: Art. 6(1)(f) GDPR.
No consent is required.
---
## 9. Data Retention Periods
| Data Type | Retention Period | Reason |
|------------|------------------|--------|
| Photos | Deleted within 30 days after the booked storage period ends | Automatic deletion |
| User accounts (hosts) | Deleted after 24 months of inactivity | Contract completed |
| Payment data | 10 years | Legal retention obligations |
| Server logs | 7 days | IT security |
| Contact messages | Max. 6 months | After processing completed |
---
## 10. Data Disclosure
Data is only shared with:
- Payment providers (Paddle)
- Hosting provider (Hetzner)
- Public authorities when legally required
No data is transferred outside the EU.
---
## 11. Data Subject Rights
You have the following rights under GDPR:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
Requests may be sent to: info@fotospiel.app
---
## 12. Withdrawal of Consent
If processing is based on consent, you may withdraw it at any time with future effect.
---
## 13. Data Security
We apply appropriate technical and organizational measures to secure your data, including encryption, access controls, and backups.
---
## 14. Changes to this Privacy Policy
We may update this Privacy Policy to reflect legal or functional changes.
The current version is always available at [/en/privacy](/en/privacy).
Reference in New Issue View Git Blame Copy Permalink