Privacy Policy
Last updated: 13 July 2026
What we collect
- Email address — your account identity. Sign-in is by magic link; there are no passwords. Optional passkeys store a public key, never biometrics.
- Payment reference — your card is held by Stripe. We store only a customer reference plus the card brand and last four digits. We never see or store the card number.
- Commitments — the place, schedule, and stake you set. Place details come from a venue search; your search text (and, if you grant location, your approximate position for nearby suggestions) is forwarded through our server to Mapbox.
- Check-in location — checking in requires your browser-reported position. We store the reported coordinates and their distance to the venue for each check-in, as proof the occurrence was kept. Location is read only when you have the app open during a check-in window — never in the background.
- Charges — missed occurrences and the resulting stake charges (amount, outcome, Stripe payment reference) are recorded as billing history.
What we don't do
- We don't sell your data.
- We don't run analytics, tracking cookies, or advertising pixels.
- We don't read your location outside an open check-in window.
Legal bases (GDPR Art. 6)
- Contract — running your account, commitments, check-ins, and charging forfeited stakes: that is the product you signed up for.
- Legitimate interests — keeping the service secure and preventing abuse, including audit logs of support actions.
- Legal obligation — retaining billing records required by tax law.
Third-party processors
- Hetzner — hosting and database. Germany (EU).
- Stripe — payments and card storage. USA.
- Resend — delivery of sign-in emails (sent from EU infrastructure; Resend is a US company).
- Mapbox — venue search and geocoding. USA.
These processors act on our behalf and receive only what their function needs. US transfers rely on the EU Standard Contractual Clauses and, where available, the EU–US Data Privacy Framework.
Retention and deletion
We keep your data as long as your account exists. There is no self-serve account deletion yet — email us and we delete your account and data within 30 days. Billing records are retained as long as tax law requires.
Cookies
Session cookie only — required to keep you signed in. Nothing else is set.
Your rights (GDPR)
Access, correction, deletion, portability, and objection — email us and we act within 30 days. You can also lodge a complaint with a supervisory authority; for us that is the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI).
Contact
Controller: Johannes Nanninga — full details in the Impressum.