Loading localized content...
Privacy Policy
Effective 6 January 2026
Controller
The controller responsible for data processing is:
SUPA UG (haftungsbeschränkt) Weyertal 109, 50931 Köln, Germany Email: max.valjan@gmail.com
This Privacy Policy describes how we collect, use, and share personal data when you access the SUPA mobile application, web experience, and related services (collectively, the "Service").
1. Personal Data We Collect
We collect personal data you provide and data generated through your use of the Service.
- Account and Profile Data: name, username, email address, phone number, profile photo, bio, interests, and optional social links.
- Age and Eligibility Data: date of birth and age-related status where required.
- Activity and Community Data: activities or places you create or join, invitations, RSVPs, tickets, check-ins, and feedback.
- Messages and Attachments: chat messages and files you choose to share.
- Payments and Payouts: orders, tickets, refunds, and payout settings such as country and currency.
- Offsite Payment Proofs (if used): transaction identifiers, screenshots, and notes you submit.
- Identity Verification (optional): ID document images and verification status when you submit them.
- Location Data (optional): foreground location and derived addresses when you use location-based features.
- Contacts and Calendar (optional): contacts you choose to share and calendar entries you choose to create.
- Device and Usage Data: device type, OS, app version, IP address, and minimal diagnostics for reliability and security.
- Cookies and Similar Technologies: we use strictly necessary cookies for authentication and session management. We do not use tracking or advertising cookies.
2. Purposes, Legal Bases, and Legitimate Interests
We process personal data for the purposes listed below, each paired with the applicable legal basis under Art. 6(1) GDPR.
| Purpose | Legal Basis |
|---|---|
| Provide and operate the Service (accounts, activities, tickets, check-ins) | Performance of contract (Art. 6(1)(b)) |
| Process payments, refunds, and payouts | Performance of contract (Art. 6(1)(b)) |
| Verify eligibility and age-restricted access | Performance of contract (Art. 6(1)(b)) |
| Deliver notifications you opt into; respond to support requests | Performance of contract (Art. 6(1)(b)) |
| Monitor performance, fix bugs, and improve features | Legitimate interest (Art. 6(1)(f)) — maintaining a reliable and secure service |
| Protect the Service, prevent abuse, and enforce our terms | Legitimate interest (Art. 6(1)(f)) — security and fraud prevention |
| Process optional device permissions (location, contacts, calendar) | Consent (Art. 6(1)(a)) |
| Process identity verification documents | Consent (Art. 6(1)(a)) |
| Comply with legal obligations (tax, accounting, regulatory) | Legal obligation (Art. 6(1)(c)) |
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
Where we rely on legitimate interests, we have assessed that these interests are not overridden by your rights and freedoms.
3. Provision of Data
Providing account data (name, email, phone number) is required to use the Service. If you do not provide this data, we cannot create your account. All other data marked "optional" above is voluntary.
4. Sharing and Disclosure
We do not sell personal data. We share personal data only with:
- Service providers that process data on our behalf to operate the Service (e.g., hosting, payment processing, analytics).
- Other users, when you choose to share activity content, invitations, or profile information.
- Professional advisers and auditors operating under confidentiality obligations.
- Authorities or third parties when required by law or necessary to protect rights, safety, or property.
- Successors in a corporate transaction, subject to the new entity honoring this policy.
5. International Data Transfers
We host and process data in the European Union (Frankfurt). If personal data is transferred outside your jurisdiction, we use safeguards such as Standard Contractual Clauses or other approved mechanisms to protect your data.
6. Data Retention
We retain personal data only as long as necessary to provide the Service and comply with legal obligations. Account and profile data are kept until you delete your account. Transaction and payout records may be retained as required by law. Identity verification documents are retained until verification is completed and then deleted within 30 days. Offsite payment proofs are retained for up to 180 days after the payment is confirmed or the dispute window closes. We anonymise or delete data when it is no longer required.
7. Your Rights
Subject to applicable law, you have the right to:
- Access personal data we hold about you (Art. 15 GDPR).
- Rectification of inaccurate or incomplete data (Art. 16 GDPR).
- Erasure of your data ("right to be forgotten") (Art. 17 GDPR).
- Restriction of processing (Art. 18 GDPR).
- Data portability — receive your data in a structured, machine-readable format (Art. 20 GDPR).
- Object to processing based on legitimate interests (Art. 21 GDPR).
- Withdraw consent at any time where processing is based on consent (Art. 7(3) GDPR).
- Lodge a complaint with the competent supervisory authority. For us this is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Postfach 20 04 44, 40102 Düsseldorf, https://www.ldi.nrw.de.
To exercise your rights, contact us at max.valjan@gmail.com.
8. Automated Decision-Making
We do not use automated decision-making, including profiling, that produces legal effects or similarly significantly affects you.
9. Security
We implement administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, loss, misuse, or alteration. Despite our efforts, no system can be completely secure, and we cannot guarantee absolute security.
10. Children's Privacy
The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16, and we delete such information if we learn that a child has provided it.
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or applicable laws. We will notify you of material changes by posting the updated policy in the app, on our website, or by other appropriate means. The revised policy becomes effective when posted unless otherwise stated.
12. Contact Us
If you have questions or wish to exercise your rights, contact us at max.valjan@gmail.com or by mail at: SUPA UG (haftungsbeschränkt), Weyertal 109, 50931 Köln, Germany.