Contents

  1. Controller
  2. What we collect
  3. Legal bases
  4. Processing activities
  5. Third parties
  6. International transfers
  7. Retention periods
  8. Your rights
  9. Children (under 16)
  10. Security
  11. Changes
  12. Contact & complaints

Privacy Policy

Last updated: 9 June 2026

This Privacy Policy explains how Evestival collects, uses, and protects your personal data when you visit evestival.com or use our Android app (together the "Service"). It is written in accordance with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the German Federal Data Protection Act (BDSG).

1. Data Controller

The data controller responsible for this Service is:

Luis Prieto
Alte Ziegelei 19, 67346 Speyer, Germany
E-mail: [email protected]

Full legal notice: Impressum

2. Categories of data we collect

We collect only data that is necessary for the specific purpose stated. The categories are:

  • Identity & contact data — name, e-mail address (account registration, contact form, newsletter).
  • Authentication credentials — hashed password, JSON Web Token (JWT) stored in your browser's localStorage, e-mail verification tokens.
  • Event / user content — event title, description, dates, venue, address, category, image, official website URL, YouTube URL, image credit. Submitted by registered users.
  • Interaction data — which events you saved, which you marked as attending, ratings (1–5 stars), and public comments you post.
  • Approximate location — GPS coordinates you voluntarily share when using the "Near Me" feature. These are transmitted in the encrypted request body only and are not stored.
  • Communication data — messages submitted via the contact form (name, e-mail, subject, message text).
  • Newsletter subscription — e-mail address only.
  • Technical log data — partially anonymised IP address (last octet masked), request path, HTTP status code, timestamp. Recorded by our server for security and debugging.
  • Analytics data — page URL, full referrer URL, anonymised IP address (last two octets masked), browser type and version, operating system, device type, screen resolution, visit duration, and campaign parameters (UTM tags) where present. Collected by self-hosted Matomo, which is cookieless by default (no cross-site tracking); first-party analytics cookies are set only if you accept them, to recognise returning visits (see §4.9 and our Cookie Policy). Visitors with the browser Do Not Track (DNT) setting enabled are excluded entirely.
  • Advertising identifiers — if you accept cookies, Google AdSense may set advertising cookies and collect data as described in section 5.
  • Push notification token — if you grant notification permission in the Android app, a Firebase Cloud Messaging (FCM) device token is stored to send event reminders. You can revoke permission at any time in your device settings.

3. Legal bases

We rely on the following legal bases under Article 6 GDPR:

| Basis | When we use it |
| --- | --- |
| Art. 6(1)(b) — Contract | Account creation and management; processing event submissions; saved events; attendance; ratings; comments; e-mail verification; push notifications. |
| Art. 6(1)(a) — Consent | Newsletter subscription; Matomo first-party analytics cookies (returning-visitor recognition); Google AdSense advertising cookies. You may withdraw consent at any time. |
| Art. 6(1)(f) — Legitimate interest | Server security logs (14-day retention); cookieless, anonymised Matomo analytics (the default mode, before any consent); responding to contact form enquiries. Our interest is operating a secure, functional service; this does not override your rights. |
| Art. 6(1)(c) — Legal obligation | Disclosing data to law enforcement or courts when required by applicable law. |

4. How we use your data

4.1 Account & authentication

We store your name, e-mail, and a bcrypt-hashed password to create and maintain your account. We issue a JWT for browser-side authentication (stored in localStorage, never in a cookie). E-mail address verification tokens are single-use and expire after 7 days.

4.2 Event submissions

When you submit an event, we store the event data you provide. Your name and e-mail are associated with the submission for moderation purposes only. Approved events are published publicly. Rejected events are deleted within 14 days. The address you provide is geocoded (converted to latitude/longitude by OpenStreetMap Nominatim, an EU-based open-source service) to enable map display and "Near Me" search.

4.3 Saved events, attendance & ratings

We store which events you save, mark as attending, and rate in order to personalise your experience and provide aggregate statistics to other users (e.g., attendance count). Individual ratings are linked to your account but shown anonymously to others.

4.4 Comments

Comments you post are stored publicly under your display name. You may request deletion at any time via the contact form or account settings.

4.5 Location / "Near Me" search

If you use the "Near Me" feature, your browser requests your GPS coordinates and transmits them over HTTPS in the encrypted request body of a POST request. Coordinates are used only to calculate nearby events and are not stored in our database or access logs.

4.6 Contact form

Messages submitted via the contact form are stored in our database to allow us to reply. We retain them for 90 days after the matter is resolved, then delete them. Your e-mail address is used only to respond to your enquiry.

4.7 Newsletter

If you subscribe to our newsletter, we store your e-mail address and the date of subscription. You may unsubscribe at any time by clicking the link in any newsletter e-mail or by contacting us. Consent is documented and stored.

4.8 Server security logs

Our web server (Caddy) and API log request metadata — anonymised IP (last octet replaced with .0), request path, HTTP method and status code, timestamp. GPS coordinates are not logged. Logs are deleted automatically after 14 days. Legal basis: Art. 6(1)(f) — legitimate interest in detecting and defending against attacks.

4.9 Analytics (Matomo — cookieless by default; cookies only with consent)

We use a self-hosted instance of Matomo running on our own server in Germany (Contabo GmbH). All analytics data is processed solely on our own server and is never shared with third parties. The following data is recorded per page view:

  • Page URL visited and full referrer URL
  • IP address with the last two octets masked (e.g. 192.168.x.x) — the original IP is never stored
  • Browser type and major version, operating system, device type (desktop / tablet / phone)
  • Screen resolution and approximate visit duration
  • On-site interactions (e.g. which search and filter features are used)
  • Campaign parameters (UTM tags) if present in the URL you followed

Cookieless by default. Unless you accept cookies, Matomo writes no cookies and no persistent identifier to your device and your IP is anonymised before storage. In this mode the processing does not require consent under Art. 5(3) ePrivacy Directive; legal basis: Art. 6(1)(f) GDPR — legitimate interest in understanding how the Service is used. Because no identifier is stored, returning visits cannot be linked, so each visit is counted as new.

If you accept cookies, Matomo sets first-party cookies (_pk_id, _pk_ses, _pk_ref, and a mtm_cookie_consent consent record) so that we can recognise returning visitors and measure retention. These cookies hold only a random identifier — never your name or email — and are detailed in our Cookie Policy. Legal basis for these cookies: your consent under Art. 5(3) ePrivacy Directive and Art. 6(1)(a) GDPR, which you may withdraw at any time by clearing your consent (the analytics cookies are then deleted and Matomo reverts to cookieless mode).

Opt-out: Visitors who have enabled the Do Not Track (DNT) browser setting are excluded from all Matomo tracking automatically — in both modes. To enable DNT, see your browser's privacy settings. Raw visit data is retained for 180 days; aggregated statistics are kept indefinitely.

4.10 Advertising (Google AdSense)

With your consent (cookie banner), we display ads via Google AdSense. Google may set advertising cookies and collect data about your browsing behaviour to show personalised ads. See Google's Privacy Policy and Ad Settings. If you decline cookies, no AdSense script is loaded. Legal basis: Art. 6(1)(a) — consent.

4.11 Push notifications (Android app)

If you grant notification permission in the Android app, we store a Firebase Cloud Messaging (FCM) device token linked to your account. We use this token solely to send event reminders and alerts you have opted into. You can revoke permission in your device settings at any time; we will delete the token within 7 days.

4.12 Fonts (Bunny Fonts CDN)

We load web fonts from Bunny Fonts (fonts.bunny.net), a GDPR-compliant EU-based CDN operated by Bunny.net in the Netherlands. Bunny Fonts does not log IP addresses for font requests. No data is shared with Google for font delivery.

5. Third-party processors & recipients

| Processor | Purpose | Location | Safeguard |
| --- | --- | --- | --- |
| Contabo GmbH (hosting) | Server infrastructure; all application data is stored here. | Germany 🇩🇪 | EU — no transfer |
| Bunny.net (font CDN) | Delivery of web fonts (Playfair Display, DM Sans). No IP logging. | Netherlands 🇳🇱 | EU — no transfer |
| Google Ireland Limited (AdSense) | Personalised advertising — only when you accept cookies. | Ireland 🇮🇪 / USA 🇺🇸 | SCCs + Google DPA |
| Google LLC (Firebase / FCM) | Push notification delivery (Android app only, opt-in). | USA 🇺🇸 | SCCs + Firebase DPA (signed) |
| OpenStreetMap Nominatim (geocoding) | Converting event venue addresses to coordinates. Only event addresses (not user addresses) are sent. | EU 🇪🇺 | EU — no transfer |
| Transactional e-mail provider | Sending account verification and notification e-mails. | Germany 🇩🇪 | Data processing agreement in place |

We do not sell, rent, or share your personal data with any other party for marketing purposes.

6. International data transfers

Most data is processed within the EU/EEA (Germany, Netherlands, Ireland). Data transferred to the United States (Google AdSense, Firebase) is protected by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR and the respective Data Processing Agreements with Google LLC / Google Ireland Limited. Copies of these safeguards are available on request.

7. Retention periods

| Data | Retention |
| --- | --- |
| Account data (name, e-mail, password hash) | Until account deletion. Deactivated accounts are purged within 30 days. |
| E-mail verification tokens | 7 days or until used, whichever is first. Expired tokens are purged nightly. |
| Approved events | Until deleted by the submitter or admin, or until the event end date + 90 days. |
| Rejected event submissions | 14 days after rejection, then deleted. |
| Saved events / attendance / ratings / comments | Until account deletion or manual deletion by the user. |
| Contact form messages | 90 days after the matter is resolved. |
| Newsletter subscription | Until unsubscription. Proof of consent kept for 3 years (Art. 7(1) GDPR). |
| Server / API security logs | 14 days (automatic rotation). |
| Matomo analytics | Raw visit data 180 days; aggregated statistics indefinitely. |
| FCM push token (Android) | Until you revoke notification permission; then deleted within 7 days. |

8. Your rights

As a data subject under GDPR, you have the following rights. To exercise any of them, please contact us at [email protected]. We will respond within one month (Art. 12(3) GDPR).

  • Right of access (Art. 15) — obtain a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data.
  • Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your data where no overriding legitimate ground exists. You can delete your account from your profile settings.
  • Right to restriction of processing (Art. 18) — ask us to restrict processing while a dispute is resolved.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interest. We will stop unless we demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Art. 7(3)) — withdraw consent for newsletter or advertising cookies at any time without affecting prior lawful processing.
  • Right to lodge a complaint (Art. 77) — complain to the supervisory authority in your EU member state, or in Germany to:
    LfDI Rheinland-Pfalz, Hintere Bleiche 34, 55116 Mainz — www.datenschutz.rlp.de

9. Children under 16

Our Service is intended for users who are at least 16 years of age. We do not knowingly collect personal data from anyone under 16. The minimum age of 16 applies to account creation in accordance with Art. 8(1) GDPR as implemented in German law (§ 7 TTDSG). Registration requires users to actively confirm they are at least 16.

If you believe a user under 16 has created an account, please contact us immediately at [email protected]. We will delete such accounts and all associated data without delay.

10. Security

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure. Measures include:

  • All data transmitted via HTTPS/TLS 1.2+ (enforced by Cloudflare and Caddy).
  • Passwords stored as bcrypt hashes (never in plain text).
  • JWT authentication — no session cookies, reducing CSRF risk.
  • Server located in Germany (Contabo GmbH) with disk-level and network-level access controls.
  • GPS coordinates transmitted only in encrypted POST request bodies, never in URLs or logs.
  • Rate limiting and bot-detection on all authentication and submission endpoints.

No method of internet transmission is 100% secure. In the event of a data breach affecting your rights and freedoms, we will notify the competent supervisory authority within 72 hours (Art. 33 GDPR) and affected users without undue delay (Art. 34 GDPR).

11. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be announced on the website and, for registered users, by e-mail at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision. We encourage you to review this page periodically.

12. Contact & complaints

For any questions or to exercise your data rights, please contact:

Luis Prieto
Alte Ziegelei 19, 67346 Speyer, Germany
E-mail: [email protected]

If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz (LfDI RLP)
Hintere Bleiche 34, 55116 Mainz
www.datenschutz.rlp.de