Skip to content
events
Sign in DE

Privacy Policy

Last updated: March 2026

1. Data Controller

Rafael Alex
Ullsteinstraße 16
90763 Fürth
Germany

Email: events@rafaelalex.de

2. Collection and Processing of Personal Data

We collect and process personal data only to the extent necessary to provide our services.

2.1 During Registration

  • Name
  • Email address
  • Password (encrypted)

Legal basis: Art. 6 (1) lit. b GDPR (contract fulfillment).

2.2 When Using as a Guest

  • Name (voluntary)
  • Email address (required when added by organizer; used for invitation emails and reminders)
  • RSVP status
  • Star rating (1–5) submitted after the event (voluntary; shared with the organizer in a summary email)

Legal basis: Art. 6 (1) lit. b GDPR (contract fulfillment — event participation).

2.3 Social Login

When signing in via Google, Facebook, or Apple, we receive: name, email address, and profile picture URL (Apple does not provide a profile picture). We discard access tokens after authentication.

Legal basis: Art. 6 (1) lit. b GDPR (contract fulfillment). Provider privacy policies: Google, Meta/Facebook, Apple.

2.4 Push Notifications (optional)

If you enable push notifications, we store a technical subscription endpoint from your browser (not personal data — merely a random URL provided by your browser's push service) along with cryptographic keys for encrypting messages. In the native mobile app, push notifications are delivered via Firebase Cloud Messaging (FCM) (Google LLC). A device-specific token is transmitted to Firebase for this purpose. On iOS, messages are relayed through the Apple Push Notification Service (APNs) (Apple Inc.). Firebase processes data in accordance with Google's privacy policy. Apple processes data in accordance with Apple's privacy policy. We use this data exclusively to deliver push notifications. You can revoke it at any time in your notification settings. Legal basis: Art. 6 (1) lit. a GDPR (consent).

2.5 Mobile App

Our service is also available as a native iOS app. The following additional data processing applies: Contacts access: If you grant permission, the app can access your device contacts to simplify inviting guests. Contact data is used only for this purpose and is not stored on our servers. Legal basis: Art. 6 (1) lit. a GDPR (consent).

2.6 Children's Events

For events specifically created for children, organizers may collect the child's name, a parent's phone number, and a pickup time. This data is used solely for organizing the respective event and is deleted when the event is removed. Data is entered by parents or the organizer — not by children themselves. Legal basis: Art. 6 (1) lit. b GDPR (contract fulfillment).

3. Cookies

We use only technically necessary cookies:

  • Session cookie — Authentication and CSRF protection (duration: 120 minutes)
  • XSRF-TOKEN — Cross-site request forgery protection (duration: session)
  • Guest token — Recognition of guests without an account (duration: 90 days)
  • Remember me — Optional persistent login when actively selected by the user (duration: 5 years)

Since only technically necessary cookies are used, no consent is required (§ 25 (2) TDDDG).

4. Payment Processing

For paid features, we use Stripe (Stripe, Inc.) as our payment processor. Stripe is certified under the EU-US Data Privacy Framework. When you make a purchase, Stripe collects and processes your payment data (credit card details, billing address) directly. We store only a Stripe customer ID and transaction references. Stripe processes data in accordance with their privacy policy. Legal basis: Art. 6 (1) lit. b GDPR (contract fulfillment). Event organizers who sell tickets connect their own Stripe Express account via Stripe Connect. In this process, Stripe collects the organizer's personal and banking details (name, IBAN/bank account, tax identification) directly as part of the Connect onboarding. We store only a Stripe Connect account ID, not the organizer's financial data. Guest payments for tickets are processed directly through the organizer's connected Stripe account; we receive only a platform fee. In the native mobile app, subscriptions are processed through the Apple App Store. We use RevenueCat (RevenueCat, Inc., USA) to manage in-app purchases. RevenueCat is certified under the EU-US Data Privacy Framework. RevenueCat receives an anonymized app user ID and purchase receipts. Payment data is processed exclusively by the app store. Legal basis: Art. 6 (1) lit. b GDPR (contract fulfillment). More information: revenuecat.com/privacy.

5. Email Delivery (Resend)

For sending emails (invitations, reminders, notifications, password reset), we use Resend (Resend, Inc., USA). Your email address, name, and message content are transmitted to Resend. Resend is certified under the EU-US Data Privacy Framework. A data processing agreement (DPA) pursuant to Art. 28 GDPR is in place. Legal basis: Art. 6 (1) lit. b GDPR (contract fulfillment) or Art. 6 (1) lit. f GDPR (legitimate interest in delivering notifications). More information: resend.com/legal/privacy-policy

6. Data Sharing and Processing

We share personal data with third parties only when necessary to provide our services. The following processors are used: email delivery (Resend), payment processing (Stripe), in-app purchase management (RevenueCat), push notifications (Firebase Cloud Messaging, Apple Push Notification Service), error monitoring (Sentry). Data processing agreements pursuant to Art. 28 GDPR are in place with all processors. For US-based service providers (Stripe, Resend, Sentry, Google/Firebase, RevenueCat), an adequate level of data protection is ensured through certification under the EU-US Data Privacy Framework and/or Standard Contractual Clauses (SCCs).

7. Data Deletion and Retention Periods

Registered users can delete their account and all associated data at any time in the account settings. Upon account deletion, personal data is immediately anonymized or deleted. The user's events are retained for 90 days (soft delete) and then permanently removed.

Retention periods at a glance:

  • Event data: 90 days after deletion, then permanent removal
  • Guest data: anonymized upon account deletion (name and email removed)
  • Payment data: 10 years (statutory retention obligation under German tax law)
  • Server log files: 14 days
  • Error logs (Sentry): 90 days

8. Your Rights

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) — You may request information about the data we process.
  • Right to rectification (Art. 16 GDPR) — You may request correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR) — You may request deletion of your data, unless statutory retention obligations apply.
  • Right to restriction (Art. 18 GDPR) — You may request restriction of processing.
  • Right to data portability (Art. 20 GDPR) — You may request your data in a machine-readable format. This is available in your account settings under "Data Export".
  • Right to object (Art. 21 GDPR) — You may object to processing based on Art. 6 (1) lit. f (legitimate interest) at any time.
  • Right to withdraw consent (Art. 7 (3) GDPR) — You may withdraw any given consent (e.g., push notifications, contacts access) at any time. The lawfulness of processing prior to withdrawal remains unaffected.
  • Right to lodge a complaint (Art. 77 GDPR) — You have the right to lodge a complaint with a supervisory authority. Competent authority: Bavarian Data Protection Authority (BayLDA), Promenade 18, 91522 Ansbach, Germany, www.lda.bayern.de.

To exercise your rights, contact us at events@rafaelalex.de.

9. Automated Decision-Making

We do not use automated decision-making including profiling within the meaning of Art. 22 GDPR.

10. Web Analytics (Rybbit Analytics)

This application uses Rybbit Analytics, a privacy-friendly web analytics service, hosted on servers in Germany (instance operated by maki-it.de). Rybbit is completely cookieless and GDPR-compliant. No personal data is collected and no cookies are set. The analysis is fully anonymized without tracking individual users.

According to § 25 TDDDG (Telecommunications Digital Services Data Protection Act), no consent is required for this type of analysis.

Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in analyzing user behavior to optimize the application). More information: rybbit.io

11. Server Log Files

The hosting provider automatically collects information in server log files that your browser transmits with each page request: IP address, requested URL, date and time of access, HTTP status code, data volume transferred, referrer URL, browser type, and operating system. This data is used exclusively to ensure smooth operation and detect abuse. It is not merged with other data sources. Log files are automatically deleted after 14 days. Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in operational security).

12. Error Monitoring (Sentry)

This application uses Sentry (Functional Software, Inc., USA) to detect and analyze technical errors. Sentry is certified under the EU-US Data Privacy Framework. When an application error occurs, technical data such as error messages, stack traces, and the requested URL are transmitted. Personal data (IP addresses, passwords, tokens, email addresses, names) is automatically stripped before transmission. Data is processed on EU servers (Frankfurt). Error logs are deleted after 90 days. A data processing agreement (DPA) pursuant to Art. 28 GDPR is in place. Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in operational stability and error resolution). More information: sentry.io/privacy

13. Location Search (OpenStreetMap)

For location search, this application uses the Nominatim API provided by the OpenStreetMap Foundation (OSMF, United Kingdom — EU adequacy decision in place). When you search for a location, the search query is transmitted directly from your browser to Nominatim. Due to the nature of the request, your IP address is also transmitted to OSMF servers. Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in providing location search). More information: osmfoundation.org/wiki/Privacy_Policy

14. Hosting

This website is hosted by Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) on servers in the EU. A data processing agreement (DPA) pursuant to Art. 28 GDPR is in place. Data transmission is encrypted via HTTPS. Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in reliable service delivery).