VereinPlan
VereinPlan

Rechtliches

Privacy Policy

We take the protection of your personal data very seriously. This privacy policy informs you about the nature, scope, and purpose of the processing of personal data within our platform VereinPlan.

1. Controller

VereinPlan - Tim Burkert
c/o Online-Impressum #7370
Europaring 90
53757 Sankt Augustin
E-Mail: vereinplan@mail.online-impressum.de

2. Data Protection Officer

No data protection officer has been appointed. For data protection inquiries, please contact the controller directly:
Tim Burkert
E-Mail: vereinplan@mail.online-impressum.de

3. Overview of Processing

The following categories of personal data are processed when using VereinPlan:

  • Identity data: Name, email address, club membership
  • Contact data: Email address
  • Usage data: Login timestamps, session data, IP address, user agent
  • Content data: Calendar entries, organization data, uploaded media, event information
  • Device data: Push notification token, device type (when using the mobile app)

4. Legal Bases for Processing

The processing of personal data is based on the following legal bases of the GDPR:

  • Art. 6(1)(a) GDPR (Consent): For social login (Google, Apple), push notifications, and AI-powered features.
  • Art. 6(1)(b) GDPR (Performance of contract): For providing the platform, registration, login, session management, email sending, and club management.
  • Art. 6(1)(f) GDPR (Legitimate interest): For technical security measures, error diagnosis, and storing IP address and user agent to secure session management.

5. Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements and the state of the art to ensure a level of protection appropriate to the risk. These include in particular:

  • Encrypted transmission of all data via TLS/HTTPS
  • Encrypted session management via AES encryption (key derived via Argon2id)
  • Password hashing with bcrypt
  • HTTP-Only, Secure, and SameSite cookies
  • Role-based access control (Admin, Organizer, Member) at club level

6. Registration, Login, and Session Management

During registration, your name and email address are collected. The password is stored exclusively as a bcrypt hash. We also offer passwordless login via Passkeys (WebAuthn/FIDO2) — cryptographic keys are generated locally on your device and no biometric data is transmitted to us.

With each login, a session is created and stored in our database. The following data is recorded: session ID, user ID, IP address, user agent, creation time, and expiration date. Sessions are valid for 30 days by default and are extended with each authenticated request. You can revoke individual sessions or all sessions at any time.

Web App: The session is stored in an encrypted HTTP-Only cookie (vereinplan_session) with Secure and SameSite=Lax attributes.

Mobile App: The encrypted session token is stored locally on the device (iOS Keychain / Android EncryptedSharedPreferences) and transmitted as a Bearer token.

Legal basis: Art. 6(1)(b) GDPR (Performance of contract).

7. Social Login (Google and Apple)

You can optionally sign in via your Google or Apple account. The following data is transmitted from the respective provider to us:

  • Google OAuth 2.0: Email address, name, Google user ID. Provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. Privacy policy: https://policies.google.com/privacy. Google is certified under the EU-US Data Privacy Framework.
  • Apple Sign-In: Email address, name (only on first login), Apple user ID. Provider: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA. Privacy policy: https://www.apple.com/legal/privacy/. Data transfer is based on EU Standard Contractual Clauses (SCC).

The use of social login is voluntary. On first login, a user account is created or — if the email address already exists — linked to an existing account.

Legal basis: Art. 6(1)(a) GDPR (Consent through active use of the social login button).

8. Push Notifications

When using the mobile app, you can enable push notifications. A device-specific token is generated and stored in our database. Delivery is handled via:

  • Apple Push Notification service (APNs): For iOS devices. The device token and notification content are transmitted. Provider: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA.
  • Firebase Cloud Messaging (FCM): For Android devices. The device token and notification content are transmitted. Provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (Google is certified under the EU-US Data Privacy Framework).

Push notifications can be disabled at any time in the device settings. The stored token will be deleted.

Legal basis: Art. 6(1)(a) GDPR (Consent through enabling push notifications).

9. Email Sending

For sending transactional emails (e.g., email confirmations, invitations, notifications), we use the service Lettermint. Your email address and the email content are transmitted to Lettermint. Processing takes place on servers within the European Union.

Provider: Lettermint (lettermint.co). A data processing agreement (DPA) pursuant to Art. 28 GDPR has been concluded with Lettermint.

Legal basis: Art. 6(1)(b) GDPR (Performance of contract — emails are necessary for using the platform).

10. AI-Powered Features

VereinPlan uses AI models for the following features:

  • Planning assistant: An AI-powered chat assistant helps create events and shift schedules. The club name and user-entered messages and event data are transmitted to the AI provider. No personal data such as names or email addresses of users is sent to the AI provider.
  • Position analysis: To create skill profiles for positions, position titles and event descriptions are analyzed. No member data is transmitted.
  • Onboarding assistant: When setting up a new club, the public club website can be analyzed to automatically recognize structures. Only publicly accessible content from the specified website is processed.

AI processing is handled via the API of Mistral AI (mistral.ai). Provider: Mistral AI, 15 rue des Halles, 75001 Paris, France. Mistral AI is a European company based in France. Data processing takes place exclusively on servers within the European Union. No third-country transfer takes place.

Legal basis: Art. 6(1)(a) GDPR (Consent through active use of AI features).

11. Chat Messages

VereinPlan provides a chat feature that allows club members to communicate with each other. The following data is processed:

  • Message content: Sent text messages are stored persistently in the database. Deleted messages are cleared of content (soft-delete); the record is retained to maintain conversation structure.
  • Sender information: Each message is linked to the sending member (name, profile picture).
  • Timestamps: Creation time and, where applicable, edit time if a message is subsequently modified.
  • Attachments: Uploaded files and images are stored as media objects (see section 12).
  • Reactions: Emoji reactions to messages are stored and associated with the reacting member.

Messages are visible only to members of the respective channel (global club channel, group channel, or direct channel). Access is secured via role-based access control.

Legal basis: Art. 6(1)(b) GDPR (Performance of contract — providing the communication feature).

12. Media Storage

Uploaded media (e.g., club logos, profile pictures, event images) are stored in an S3-compatible object store provided by Hetzner Object Storage. Storage takes place on servers in Germany (Falkenstein, EU). No third-country transfer takes place.

Legal basis: Art. 6(1)(b) GDPR (Performance of contract).

13. Hosting and Infrastructure

VereinPlan is hosted on Hetzner Cloud (hetzner.com). All infrastructure components — application server, PostgreSQL database, Redis (task queue), and object storage — are operated on servers in Germany (Falkenstein, EU). No data transfer to third countries takes place for these components.

Provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. A data processing agreement (DPA) pursuant to Art. 28 GDPR has been concluded with Hetzner.

Legal basis: Art. 6(1)(b) GDPR (Performance of contract) and Art. 6(1)(f) GDPR (Legitimate interest in reliable hosting).

14. Cookies and Technical Storage

VereinPlan exclusively uses technically necessary cookies. No tracking, analytics, or advertising cookies are used. Specifically:

  • vereinplan_session: Encrypted session cookie to maintain your login. HTTP-Only, Secure, SameSite=Lax. Validity: 30 days (extended on use).
  • OAuth state cookies: Temporary cookies to protect the social login process against CSRF attacks. Validity: 10 minutes.

Since only technically necessary cookies are used, no consent via a cookie banner is required (§ 25(2) TDDDG).

Legal basis: Art. 6(1)(b) GDPR (Performance of contract) and § 25(2) TDDDG.

15. Transfer to Third Countries

Certain services require data transfer to the USA. The transfer is based on appropriate safeguards:

  • Google (OAuth, FCM): Adequacy decision of the EU Commission under the EU-US Data Privacy Framework (Art. 45 GDPR).
  • Apple (Sign-In, APNs): EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

Note: AI processing via Mistral AI takes place exclusively within the EU and does not constitute a third-country transfer.

16. Storage Duration and Deletion

Personal data is only stored as long as necessary for the respective purposes:

  • User account: Data is stored as long as your account exists and removed after account deletion.
  • Sessions: Expire after 30 days of inactivity and are immediately invalidated upon revocation.
  • Email verification tokens: Deleted after 24 hours.
  • Push tokens: Deleted when push notifications are disabled.
  • AI chat histories: Not stored server-side and only exist during the active chat session.
  • Club data and content: Stored as long as the club uses the platform. After termination, deletion occurs according to the agreed timelines.

17. Your Rights as a Data Subject

You have the following rights under the GDPR:

  • Right of access (Art. 15 GDPR): You may request information about your personal data stored by us.
  • Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR): You may request the deletion of your data, provided no legal retention obligation exists.
  • Right to restriction (Art. 18 GDPR): You may request the restriction of the processing of your data.
  • Right to data portability (Art. 20 GDPR): You may request to receive your data in a structured, commonly used, and machine-readable format.
  • Right to object (Art. 21 GDPR): You may object to the processing of your data if it is based on Art. 6(1)(f) GDPR.
  • Right to withdraw consent (Art. 7(3) GDPR): Consent given may be withdrawn at any time with effect for the future.

To exercise your rights, please contact the controller mentioned above.

18. Right to Lodge a Complaint with a Supervisory Authority

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). You may in particular contact the supervisory authority of your habitual residence, your place of work, or our registered office.

19. Changes to This Privacy Policy

We reserve the right to amend this privacy policy to adapt it to changed legal situations or to changes in the service and data processing. The version published at this URL shall apply.

Last updated: April 2026