Privacy Policy

Back
ImprintPrivacy PolicyTerms of Use

1. Controller

The controller responsible for processing personal data on this website within the meaning of the GDPR is:

See Impressum.

For questions regarding data protection, please contact us by email at the address listed there.

2. Purpose and Legal Basis

Personal data (in particular your email address, booking/waitlist status, and IP address) are processed solely for the management of bookings and the waiting list for this event.

The legal basis is Article 6(1)(b) GDPR (performance of a contract or pre-contractual measures at the request of the data subject).

Processing of the IP address to prevent abuse (rate limiting) is based on Article 6(1)(f) GDPR (legitimate interest in the security and proper operation of the service).

3. Data Collected

The following personal data are processed:

  • Email address (for authentication and booking management)
  • Booking and waitlist status (confirmation, cancellation, waitlist entry)
  • IP address (temporarily, to prevent abuse during login; automatically deleted after 10 minutes)
  • Session token (hashed value, stored as httpOnly cookie "rb_session", valid for 30 days)

No further data are collected. No profiling, tracking, or use for advertising purposes takes place.

4. Cookies

This website uses only one technically necessary session cookie:

  • Name: rb_session
  • Purpose: Authentication after login via magic link
  • Duration: 30 days
  • Legal basis: § 25(2) no. 2 TTDSG (technically required) in conjunction with Art. 6(1)(b) GDPR

No tracking cookies, advertising cookies, or third-party cookies are used. Consent is not required for this cookie.

5. Processors and Third Parties

To provide this service we use the following processors. A data processing agreement (DPA) pursuant to Art. 28 GDPR has been concluded with each provider, or is included by default in their terms of service:

Convex, Inc. (Database service)

Convex, Inc., 353 Sacramento Street Suite 900, San Francisco, CA 94111, USA. The deployment used is located in the EU region (eu-west-1, Ireland). Personal data (email, booking status, IP address) are stored on servers in the EU. Convex provides a DPA pursuant to Art. 28 GDPR. For any transfer to the USA, standard contractual clauses (SCC) pursuant to Art. 46(2)(c) GDPR apply. More information: convex.dev/privacy.

Resend, Inc. (Email delivery service)

Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA. Resend is used exclusively to send the login link (magic link). Your email address is transmitted to Resend. Resend is a US company; data transfer is based on standard contractual clauses (SCC) pursuant to Art. 46(2)(c) GDPR. A DPA has been concluded. More information: resend.com/privacy.

Vercel, Inc. (Hosting)

Vercel, Inc., 340 Pine Street Suite 900, San Francisco, CA 94104, USA. The website is provided via Vercel's infrastructure. When the website is accessed, technical data (in particular IP address, timestamp, URL accessed) may be processed in access logs at Vercel. Vercel is a US company; data transfer is based on standard contractual clauses (SCC) pursuant to Art. 46(2)(c) GDPR. A DPA is available through Vercel's DPA programme. More information: vercel.com/legal/privacy-policy.

6. No Disclosure to Third Parties

Personal data are not sold, rented, or otherwise passed on to third parties. The processors listed under section 5 receive data solely within the scope of the described technical necessity.

7. Retention and Deletion

Personal data will be deleted in full after the event. Login tokens expire automatically after 15 minutes. IP-based rate-limit entries are automatically deleted after 10 minutes. Sessions expire after 30 days.

You can delete all your data yourself at any time by selecting "Remove my data" on the booking page. This will immediately and completely delete all stored data (booking, waitlist entry, session, user account).

8. Your Rights

Under the GDPR you have the following rights:

  • Access (Art. 15 GDPR): information about stored data
  • Rectification (Art. 16 GDPR): correction of inaccurate data
  • Erasure (Art. 17 GDPR): deletion of your data (also possible directly via the app)
  • Restriction (Art. 18 GDPR): restriction of processing
  • Portability (Art. 20 GDPR): receipt of your data in a structured, machine-readable format
  • Objection (Art. 21 GDPR): objection to processing based on legitimate interests (applies to IP address processing)

To exercise your rights, please contact us by email at the address given in section 1.

9. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data (Art. 77 GDPR). The competent authority at the controller's location is:

Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Postbus 93374, 2509 AJ Den Haag, The Netherlands
autoriteitpersoonsgegevens.nl

10. No Automated Decision-Making

No automated decision-making, including profiling within the meaning of Art. 22 GDPR, takes place.

As of: March 2026