Privacy policy

1. Privacy at a glance

General information

The following notes provide a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can personally identify you. For detailed information on the topic of data protection, please refer to our privacy policy below.

Data collection on this website

Who is responsible for the data collection on this website?
Data processing on this website is carried out by the website operator. You can find their contact details in the Imprint of this website.

How do we collect your data?
Your data is collected when you provide it to us – e.g. by filling out the contact form, when registering a user account or when registering a team. Other data is automatically collected by our IT systems when you visit the website. This is primarily technical data (e.g. browser, operating system or time of page view).

What do we use your data for?
Part of the data is collected to ensure the website is provided error-free. Other data can be used to analyse your user behaviour or to process payments and tournament management.

What rights do you have regarding your data?
You have the right at any time to obtain information free of charge about the origin, recipient and purpose of your stored personal data. You also have the right to request the correction or deletion of this data. If you have given consent to data processing, you can revoke it at any time for the future. You also have the right to request the restriction of processing of your personal data under certain circumstances, and to lodge a complaint with the competent supervisory authority.

2. Controller and mandatory information

Controller

Stefan Osbahr
Holmer Ring 7
25920 Risum-Lindholm
Germany

Email: kontakt@turnieros.de
Contact form: turnieros.de/kontakt

The controller is the natural person who, alone or jointly with others, decides on the purposes and means of processing personal data.

Retention period

Unless a more specific retention period has been stated within this privacy policy, your personal data will remain with us until the purpose for the data processing no longer applies. If you assert a legitimate request for erasure or revoke consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g. tax or commercial retention periods); in the latter case, deletion takes place after these reasons cease to apply.

Legal bases for data processing

Where we obtain consent for processing personal data, Art. 6 (1) (a) GDPR serves as the legal basis. For the processing of personal data required to fulfil a contract, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations necessary to carry out pre-contractual measures. Where processing of personal data is required to fulfil a legal obligation, Art. 6 (1) (c) GDPR serves as the legal basis. If processing is necessary to safeguard a legitimate interest, and if the interests, fundamental rights and freedoms of the data subject do not override the first-mentioned interest, Art. 6 (1) (f) GDPR serves as the legal basis.

SSL / TLS encryption

For security reasons this site uses SSL or TLS encryption. You can recognise an encrypted connection by the fact that the browser address bar changes from "http://" to "https://" and by the lock icon in your browser bar. When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

3. Data collection on this website

Cookies

Our website uses exclusively technically necessary session cookies for user login and session management. These cookies are strictly required for the proper operation of the website and are automatically deleted when the browser session ends. No consent is required for these, as they exclusively serve to provide the functions you have requested (Art. 6 (1) (f) GDPR).

We do not use any tracking, analytics or marketing cookies.

Server log files

The hosting provider of this site automatically collects and stores information in server log files, which your browser automatically transmits to us. This includes: browser type and version, operating system used, referrer URL, hostname of the accessing computer, time of the server request and IP address. This data is not merged with other data sources. The collection is based on Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its website. Server log files are automatically deleted after 30 days at the latest.

Contact form

Location detection & session management

When you log in to your user account, we determine your approximate location (country, region, city) based on your IP address. We use the ip-api.com service or a local MaxMind GeoLite2 database for this. Your IP address is not stored in plain text, only as a non-reversible SHA-256 hash.

In addition, we collect the following session data upon login: device type (desktop/mobile/tablet), operating system, browser, screen size and the determined approximate location. This data serves the security of your account (detection of suspicious logins from unknown countries) and the improvement of the service (anonymised usage statistics).

You can view your active sessions at any time under "Settings → Security" and end individual sessions. Active session data is automatically marked as ended on logout. Ended session data is automatically deleted after 12 months.

For non-logged-in visitors we use location detection exclusively for automatic language detection and to sort tournaments by proximity. This data is only stored temporarily in the cache (24 hours) and is not linked to user profiles.

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in the security of user accounts and the user-friendly presentation of the website).

If you send us enquiries via the contact form, your details from the form, including the contact details you provided there (name, email address and/or phone number, subject, message), will be stored by us for the purpose of processing the enquiry and in case of follow-up questions. Additionally, to protect against misuse, we store your IP address and browser information (rate limiting, a maximum of 3 requests per hour).

The processing of this data is based on Art. 6 (1) (b) GDPR, provided your request relates to the fulfilment of a contract or is necessary for pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective handling of the enquiries addressed to us (Art. 6 (1) (f) GDPR).

The data you enter in the contact form will remain with us until you request deletion, revoke your consent to storage, or the purpose for storing the data no longer applies. Mandatory legal provisions – in particular retention periods – remain unaffected.

Registration and user account

You can create a user account on our website. The following data is collected for this: name, email address, phone number (optional) and a self-chosen password. Your password is stored exclusively in encrypted form (bcrypt hash); we have no access to your plain-text password.

Registration is required to use certain functions of the platform (e.g. tournament management, team registration). Processing is based on Art. 6 (1) (b) GDPR (contract performance). We also store the time of the last login.

You can have your user account and the associated data deleted at any time by contacting us via the contact form or by email. Statutory retention obligations remain unaffected.

Team and tournament registration

When registering a team for a tournament, the following data is collected: team name, contact person (name, email address, phone number) and optional notes. This data serves the organisation and running of the tournament and is processed on the basis of Art. 6 (1) (b) GDPR.

After completion of the tournament, the data is stored for the duration of any statutory retention obligations and is then deleted, provided no legitimate interest exists in further storage.

Web push notifications

We offer the option to receive web push notifications (e.g. about new tournament results, contact enquiries or system messages). If you agree to push notifications in your browser, we store the technical data provided by your browser (push endpoint URL, encryption keys). Processing is based on your consent (Art. 6 (1) (a) GDPR).

You can withdraw your consent at any time by disabling push notifications in your browser settings. The stored push subscription data will then be deleted.

4. Payment processing

General information on payment processing

If payments arise in the context of tournament management (e.g. entry fees), we offer various payment options. The payment service providers listed below process your payment data as independent controllers. We ourselves do not store complete credit card or bank data, only reference IDs to assign the payment.

Stripe

We use the payment service provider Stripe (Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland; parent company: Stripe, Inc., USA). When you pay with Stripe, the payment data you enter (e.g. credit card number, expiry date, CVC) is transmitted directly to Stripe and processed there. We receive only a confirmation of successful payment and a transaction ID from Stripe.

Data processing is based on Art. 6 (1) (b) GDPR (contract performance). Stripe may transfer data to the USA. The data transfer to the USA is safeguarded by the EU Commission's standard contractual clauses and, where applicable, the EU–US Data Privacy Framework. Further information: stripe.com/de/privacy.

PayPal

We offer payment via PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg). If you select PayPal as your payment method, you will be redirected to the PayPal website. There you enter your payment details and authorise the payment. After successful payment, PayPal sends us a confirmation, a transaction ID and the name and email address stored with PayPal.

Data processing is based on Art. 6 (1) (b) GDPR (contract performance). PayPal may transfer data to the USA. Further information: paypal.com.

Invoicing

When creating invoices, we store the following data: name and, if applicable, company name of the invoice issuer, address, tax number or VAT ID, bank details (IBAN, BIC), email address and phone number. This data is required to fulfil legal obligations (in particular tax and commercial retention obligations under §§ 147 AO, 257 HGB) and is stored on the basis of Art. 6 (1) (c) GDPR for a period of 10 years. Invoices are generated in ZUGFeRD format.

5. External services and APIs

Weather data (Bright Sky / DWD)

To display weather data at the tournament location, we use the open API Bright Sky ( brightsky.dev), which is based on data from the German Weather Service (DWD). Only the geographical coordinates of the event location are transmitted. No personal data is transferred to Bright Sky.

Address autocomplete (OpenPLZ API)

For the autocomplete of postal codes and place names we use the OpenPLZ API ( openplzapi.org). The postal code or place details you enter are transmitted to the service. This data is not personal data.

Geocoding and venue search

To search for and display sports venues we use geocoding services (Photon/Komoot, possibly LocationIQ, Geoapify). Entered addresses or place names are transmitted to these services to determine coordinates. As a rule, no personal data is transferred. The use is based on Art. 6 (1) (f) GDPR (legitimate interest in providing the map function).

6. Your rights

Right of access (Art. 15 GDPR)

You have the right to obtain confirmation from us as to whether personal data concerning you is being processed. If this is the case, you have a right of access to this data and to the information specified in Art. 15 GDPR.

Right to rectification (Art. 16 GDPR)

You have the right to request the immediate rectification of inaccurate personal data or the completion of incomplete personal data.

Right to erasure (Art. 17 GDPR)

You have the right to request the erasure of your personal data, provided one of the reasons listed in Art. 17 GDPR applies and processing is not required.

Right to restriction of processing (Art. 18 GDPR)

You have the right to request the restriction of the processing of your personal data if one of the conditions of Art. 18 GDPR is met.

Right to data portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format and to transmit it to another controller.

Right to object (Art. 21 GDPR)

You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is carried out on the basis of Art. 6 (1) (f) GDPR.

Withdrawal of your consent

Insofar as processing is based on your consent (Art. 6 (1) (a) GDPR), you can withdraw it at any time for the future. The lawfulness of processing carried out up to the withdrawal is not affected. You can declare the withdrawal by email to kontakt@turnieros.de or via our Contact form.

Right to lodge a complaint with the supervisory authority (Art. 77 GDPR)

You have the right to lodge a complaint with the competent data protection supervisory authority about our processing of personal data. The supervisory authority responsible for us is:

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98, 24103 Kiel
Phone: 0431 988-1200
Email: mail@datenschutzzentrum.de
Website: datenschutzzentrum.de