Privacy Policy
This Privacy Policy informs you about the type, scope, and purpose of the processing of personal data (hereinafter "Data") within our online service tender-narratives.club (the "Service") in accordance with the General Data Protection Regulation (GDPR).
1. Data Controller
- Sören Sandbothe
- mail@tender-narratives.club
2. Types of Data Processed
- Inventory Data: Display name (username), email address, password (stored exclusively as a hash).
- Content Data: Texts and titles you create in "Plays" and "Figures", uploaded media files (e.g., images, audio, video).
- Contact Data: Email address (for notifications).
- Metadata/Usage Data: Your internal User ID (linked to your content as "Owner" or "Creator").
- Technical Data (Server Log Files): IP address, date and time of the request, browser type and version, operating system, referrer URL (the previously visited page).
- Technical Data (Application): IP address (temporarily for security functions like rate-limiting).
3. Purpose of Processing
- Provision of the Service: Providing core functions such as registration, login, creation, and storage of content (Plays, Figures).
- Performance of Contract: Fulfilling our obligations under the Terms of Service.
- Communication: Sending transactional emails (e.g., password reset) and optional email notifications about new contributions (if activated by you).
- Security Measures: Ensuring the stability and security of the Service, e.g., through server log files and IP-based rate-limiting to defend against abuse and brute-force attacks.
4. Legal Bases
The processing of your data is based on the following legal bases of the GDPR:
- Art. 6(1)(a) GDPR (Consent): For the registration process, during which you actively consent to this Privacy Policy and the Terms of Service. You also consent to receiving email notifications (which can be disabled at any time).
- Art. 6(1)(b) GDPR (Performance of Contract): This is the primary legal basis for operating the Service. The processing of your inventory data (email, password hash, User ID) and content data is necessary to enable your use of the Service according to the Terms of Service (i.e., to "perform the contract").
- Art. 6(1)(f) GDPR (Legitimate Interest): Our legitimate interest in ensuring the technical security, stability, and integrity of our Service justifies the storage of server log files and the temporary use of IP addresses for rate-limiting.
5. Data Collection in Detail
5.1. Hosting and Server Log Files
Our hosting provider collects data (server log files) for every access to the server. This includes the IP address, time, browser type, operating system, and referrer URL. This data is not merged with other data sources and serves exclusively to ensure trouble-free operation and to defend against threats. The legal basis is our legitimate interest (Art. 6(1)(f) GDPR). The logs are typically deleted after 7 to 14 days.
5.2. Registration and User Account
Registration is required to use the Service. We collect your display name, email address, and a password, which we store exclusively as a "hash" (a non-reversible checksum). This data is necessary for the performance of the user contract (Art. 6(1)(b) GDPR).
5.3. Cookies (Session Cookies)
This Service uses technically necessary cookies (so-called "session cookies"). Cookies are small text files stored on your device.
Our session cookie (e.g., kirby_session) is essential for the function of the Service. It stores your login information (to keep you logged in) and remembers if you have entered a Play password. This cookie does not store any personal or tracking information and is deleted when you close your browser.
As this cookie is technically necessary to provide the core functions you request (login, access), the legal basis is Art. 6(1)(b) GDPR (Performance of Contract) or Art. 6(1)(f) GDPR (Legitimate Interest in providing the function).
We do not use tracking cookies, analytics services (like Google Analytics), or any third-party services that process data for advertising purposes.
5.4. Email Notifications
When you contribute content to a Play, you may receive email notifications about new activities in that Play. This function is part of the Service (Art. 6(1)(b) GDPR). You can disable the receipt of these notifications at any time in your profile settings (withdrawal of your consent).
6. Data Retention and Deletion
We store your data only for as long as is necessary to fulfill the purposes for which it was collected or as required by law.
- Account Data and Content Data: Are stored as long as your user account is active. If you delete your user account, your inventory data and all "Plays" (as Owner) and "Figures" (as Creator) created by you will be permanently deleted.
- Server Log Files: Are automatically deleted by the hosting provider after a short period (see 5.1).
7. Your Rights as a Data Subject
You have the following rights regarding your personal data at any time:
- Right of Access (Art. 15 GDPR): You have the right to request confirmation as to whether data concerning you is being processed, and to information about this data.
- Right to Rectification (Art. 16 GDPR): You have the right to request the completion or correction of incorrect data concerning you. You can change your core data (e.g., display name, password) directly in your profile settings.
- Right to Erasure (Art. 17 GDPR): You have the right to request that data concerning you be deleted immediately. You can do this yourself by deleting your account.
- Right to Restriction of Processing (Art. 18 GDPR): You have the right to request a restriction on the processing of your data.
- Right to Withdraw Consent (Art. 7(3) GDPR): You have the right to withdraw any consent you have given (e.g., for email notifications) at any time with future effect.
- Right to Object (Art. 21 GDPR): You may object at any time to the future processing of your data that is based on a legitimate interest (Art. 6(1)(f) GDPR).
- Right to Data Portability (Art. 20 GDPR): You have the right to receive data concerning you, which you have provided to us, in a common and machine-readable format.
8. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data infringes the GDPR (Art. 77 GDPR).