pRIVACY pOLICY
Last updated: 15 March 2026
1. cONTROLLER (GDPR aRT. 13(1)(a))
[aRTS] — operated by [TO BE FILLED: Legal Name], [TO BE FILLED: Street Address], [TO BE FILLED: City, Postal Code], Germany.
Email: arts4berlin@outlook.com
See also our Impressum for full legal contact details.
2. dATA wE cOLLECT
We collect data only when you take an explicit action (sign in, submit a form, make a purchase). No advertising cookies, third-party tracking scripts, or analytics are used. Data is stored both on your device (browser localStorage) and on our server (encrypted SQLite database on a Hetzner VPS in Helsinki, Finland — EU jurisdiction).
3. pROCESSING aCTIVITIES & lEGAL bASIS
Authentication (OAuth / Email+Password)
Data: anonymised user identifier ("sub" claim), email address, display name. We do not receive or store passwords for OAuth logins. Email+password credentials are hashed with bcrypt.
Legal basis: Contract performance — GDPR Art. 6(1)(b).
Retention: Until account deletion.
Session tokens
Data: cryptographic session token stored in your browser's localStorage (or sessionStorage in Stealth Mode). Server stores a SHA-256 hash of the token.
Legal basis: Contract performance — Art. 6(1)(b).
Retention: 7 days (sliding window), or until logout/account deletion.
IP logging
Data: encrypted IP address, login provider, membership tier, timestamp, encrypted user-agent. IP is encrypted at rest using AES-GCM; only a truncated hash is used for analytics.
Legal basis: Legitimate interest — security and abuse prevention — Art. 6(1)(f).
Retention: 90 days maximum.
User profile & preferences
Data: alias, membership tier, join date, XP points, display settings. PII fields (email, name, OAuth sub) are encrypted at rest with AES-GCM.
Legal basis: Contract performance — Art. 6(1)(b).
Retention: Until account deletion.
Favourites
Data: piece IDs you have favourited, stored server-side. Client-side favourites are additionally encrypted with AES-GCM using keys derived from your OAuth identifier.
Legal basis: Contract performance — Art. 6(1)(b).
Retention: Until account deletion.
Feedback
Data: star rating, text (encrypted at rest), page context.
Legal basis: Consent — Art. 6(1)(a). You may withdraw consent at any time.
Retention: Until account deletion or consent withdrawal.
Newsletter
Data: email address (encrypted at rest), name, subscription source.
Legal basis: Consent — Art. 6(1)(a).
Retention: Until unsubscribe or account deletion.
Payments & transactions (Stripe)
Data: payment card details are collected and processed exclusively by Stripe. [aRTS] never stores, accesses, or retains card data. We store: transaction ID, amount, commission, Stripe session ID — no payment card details.
Legal basis: Contract performance — Art. 6(1)(b); Legal obligation for tax record retention — Art. 6(1)(c).
Retention: Transaction records are retained in pseudonymised form for 10 years per German tax law (AO §147, UStG §14b).
Algorithm & recommendations
Data: behavioural signals (views, favourites, purchases), recommendation cache, click-through tracking.
Legal basis: Legitimate interest — personalised experience — Art. 6(1)(f). You may object at any time (see rights below).
Retention: Impressions are purged after 180 days. Recommendation cache is regenerated periodically. All data deleted on account deletion.
Content moderation (AI-assisted)
Data: listing metadata, moderation verdicts, AI confidence scores. Content is evaluated by automated models (HuggingFace classifiers + Claude) for safety compliance.
Legal basis: Legitimate interest — platform safety — Art. 6(1)(f).
Retention: Moderation logs are retained (anonymised on account deletion) for audit purposes. You have the right to request human review of any automated decision (Art. 22).
Form submissions (Formspree)
Data: inquiry content, reports, art submissions. Data is transmitted to Formspree servers.
Legal basis: Consent — Art. 6(1)(a).
Retention: Subject to Formspree's Privacy Policy.
4. dEVICE sTORAGE (TTDSG §25)
We use your browser's localStorage (and sessionStorage in Stealth Mode) instead of cookies. Under the German Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG) §25, accessing storage on your device requires consent unless strictly necessary.
Strictly necessary (no consent required): session token, theme preference, CAPTCHA verification state, stealth mode flag.
Consent-based: feedback data, apparel voucher, view preferences (grid/list), streak data, XP tracking, bot settings, GDPR consent record. These are only stored after you provide consent via our storage consent banner. You may withdraw consent at any time through your iD dashboard or by clearing browser storage.
No advertising cookies are used. No document.cookie is set at any point.
5. rECIPIENTS & tHIRD pARTIES
Your data may be shared with the following service providers (data processors under GDPR Art. 28):
Stripe (Stripe, Inc. — US/EU) — payment processing. Subject to Stripe's Privacy Policy.
Cloudflare (Cloudflare, Inc. — US/EU) — CDN, DDoS protection, DNS. Processes IP addresses and request metadata. Subject to Cloudflare's Privacy Policy.
Hetzner (Hetzner Online GmbH — Germany) — VPS hosting. Data is stored on servers in Helsinki, Finland (EU). Subject to Hetzner's Privacy Policy.
Formspree (Formspree, Inc. — US) — form submissions. Subject to Formspree's Privacy Policy.
Google (Google LLC — US) — OAuth authentication. Subject to Google's Privacy Policy.
Apple (Apple Inc. — US) — Sign In with Apple. Subject to Apple's Privacy Policy.
Resend (Resend, Inc. — US) — transactional emails (password resets, notifications). Subject to Resend's Privacy Policy.
6. iNTERNATIONAL dATA tRANSFERS
Some of our service providers (Stripe, Cloudflare, Google, Apple, Formspree, Resend) may process data in the United States. These transfers are safeguarded by the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses (SCCs) pursuant to GDPR Art. 46(2)(c). Our primary database is hosted within the EU (Hetzner, Helsinki, Finland).
7. eNCRYPTION & sECURITY
All personal data stored on our server is encrypted at rest using AES-GCM with a server-side encryption key. IP addresses and user-agents are encrypted before storage. Email addresses, names, and OAuth identifiers are encrypted at the field level. Client-side favourites are additionally encrypted with keys derived from your OAuth identifier. All connections use TLS 1.2+ (enforced by Cloudflare and Caddy). The server is protected by UFW firewall, fail2ban, and Cloudflare-only IP whitelisting.
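The field-level AES-GCM encryption with a server-side key and the SHA-256 session-token hashing described in this section (and under "Session tokens" above), shown as an added Go example that is not the site's own code; the constructed demo key, the use of the column name as associated data, and the function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

var serverKey = []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key (AES-256); load from a secret store in production
var fieldAEAD = mustGCM(serverKey)                         // built once at start-up from the server-side key

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a bad key length
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// EncryptField seals one PII field (email, name, IP, user-agent). The column
// name is the associated data, so a ciphertext copied into another column
// fails to open; a fresh random nonce is prefixed to every stored value.
func EncryptField(plaintext []byte, column string) ([]byte, error) {
	nonce := make([]byte, fieldAEAD.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return fieldAEAD.Seal(nonce, nonce, plaintext, []byte(column)), nil
}

// DecryptField rejects a wrong key, tampered bytes or a different column name.
func DecryptField(sealed []byte, column string) ([]byte, error) {
	n := fieldAEAD.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed value too short")
	}
	return fieldAEAD.Open(nil, sealed[:n], sealed[n:], []byte(column))
}

// TokenHash is what the server stores for a session token: SHA-256 of the raw token.
func TokenHash(token []byte) string {
	sum := sha256.Sum256(token)
	return hex.EncodeToString(sum[:])
}

func main() {}
```

Because only the hash is stored, a copy of the database cannot be replayed as a live session; the lookup hashes the presented token and compares against the stored value.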
8. yOUR rIGHTS (GDPR aRT. 15–22)
Under the General Data Protection Regulation, you have the following rights:
Right of access (Art. 15) — request a copy of all personal data we hold about you.
Right to rectification (Art. 16) — correct inaccurate personal data.
Right to erasure (Art. 17) — request deletion of your personal data. You can delete your account immediately via the iD dashboard (dELETE aCCOUNT button). This deletes all personal data from our server and your device immediately. Transaction records are retained in pseudonymised form for 10 years per German tax law (AO §147). A non-reversible tombstone hash is retained for 3 years for fraud prevention.
Right to restriction (Art. 18) — restrict processing of your data in certain circumstances.
Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
Right to object (Art. 21) — object to processing based on legitimate interest (e.g., algorithm recommendations, IP logging).
Right regarding automated decisions (Art. 22) — our content moderation uses AI-assisted decision-making. You may request human review of any automated moderation decision.
Withdrawal of consent (Art. 7(3)) — where processing is based on consent (feedback, newsletter), you may withdraw consent at any time without affecting the lawfulness of prior processing.
Deletion timeline: requests are fulfilled within 30 days (GDPR Art. 12(3)). Self-service deletion via the iD dashboard is immediate. Backup propagation completes within 30 days.
9. sUPERVISORY aUTHORITY
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for Berlin is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin
www.datenschutz-berlin.de
10. dATA rETENTION sUMMARY
Session tokens: 7 days (sliding) or until logout.
IP logs: 90 days maximum.
User profile, favourites, settings, feedback, redemptions: until account deletion.
Impressions (behavioural data): 180 days.
Newsletter subscription: until unsubscribe.
Transaction/sales records: 10 years (AO §147, UStG §14b) — pseudonymised after account deletion.
Tombstone hash (post-deletion): 3 years (Art. 6(1)(f) — fraud prevention).
Moderation audit logs: indefinite (anonymised on account deletion).
11. cONTACT
Privacy concerns, data access requests, and erasure requests can be raised through the TaLK page or by emailing arts4berlin@outlook.com.