Privacy Policy
This Privacy Policy explains how Paddock collects, processes, and protects your personal data. We take data protection seriously and comply with the EU General Data Protection Regulation (GDPR).
1. Data Controller
The controller responsible for processing your personal data under Art. 4(7) GDPR is:
2. What Data We Process
2.1 Account Data
When you register, we collect your email address, name, and username. If you register with a password, we store a bcrypt-hashed password. If you register via Google OAuth, we also store your Google account ID and OAuth token.
2.2 Profile Data
Optionally, you may provide a profile picture, a short bio, vehicle information, and — as an organizer — a display name, website, and social media links.
2.3 Event and RSVP Data
We store events you create, your RSVP responses, saved events, and application data for events that require applications.
2.4 Payment Data
Ticket purchases are processed through Stripe. Paddock only stores your Stripe customer ID and subscription data. Payment card information is processed exclusively by Stripe and is never transmitted to Paddock.
2.5 Google Calendar Integration (optional)
If you enable Google Calendar sync, we store an OAuth access and refresh token for your Google account. You can disconnect this at any time in your settings.
2.6 Meta Integration (optional)
If you enable Facebook/Instagram cross-posting as an organizer, we store your Facebook page ID, page access token, and Instagram account ID. You can disconnect this at any time in your settings.
2.7 Technical Data
To protect the platform, we temporarily process IP addresses in memory (Redis) for rate-limiting purposes. This data is not stored persistently.
3. Legal Bases
We process your data on the following legal bases:
- Art. 6(1)(b) GDPR (Contract performance): Account data, RSVP data, ticket and payment data — to provide our platform services.
- Art. 6(1)(f) GDPR (Legitimate interests): Security measures (rate-limiting, fraud prevention), technical operation of the platform.
- Art. 6(1)(a) GDPR (Consent): Google Calendar sync, Meta integration, email newsletters. You may withdraw your consent at any time.
4. Data Processors and Third-Party Providers
We use the following service providers, with whom we have concluded, or will conclude, data processing agreements (DPAs) under Art. 28 GDPR. Some providers are based in the US; transfers to them are carried out on the basis of Standard Contractual Clauses (Art. 46(2)(c) GDPR) and, where applicable, the EU–U.S. Data Privacy Framework certification.
| Provider | Purpose | Country |
|---|---|---|
| Stripe, Inc. | Payment processing (tickets, subscriptions) | USA |
| Google LLC | Google OAuth (login), Google Calendar integration, Google Fonts (typefaces) | USA |
| Microsoft Corporation | Email delivery (Office 365 SMTP) | USA |
| Meta Platforms, Inc. | Facebook/Instagram cross-posting (organizers only, optional) | USA |
5. Cookies and Local Storage
Paddock uses only strictly necessary cookies. A cookie consent banner is therefore not required.
| Cookie | Purpose | Duration |
|---|---|---|
| authjs.session-token | Authentication session (JWT) | 24 hours |
Local Storage
We store only your changelog read position (which app version you last viewed) to avoid showing the "What's New" modal repeatedly.
6. Data Retention
- Account data is stored until you delete your account. After deletion, data is permanently removed within 30 days (soft-delete mechanism).
- Payment data (Stripe IDs, invoices) is retained in accordance with statutory retention obligations (§ 147 German Tax Code: 10 years).
- Technical rate-limiting data (IP addresses) is only held briefly in memory (for at most a few minutes).
7. Your Rights
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): You may request information about the data we hold about you.
- Right to rectification (Art. 16 GDPR): You may request correction of inaccurate data.
- Right to erasure (Art. 17 GDPR): You may request deletion of your data. You can delete your account directly in your settings.
- Right to restriction (Art. 18 GDPR): You may request that processing of your data be restricted.
- Right to data portability (Art. 20 GDPR): You have the right to receive your data in a machine-readable format.
- Right to object (Art. 21 GDPR): You may object to processing of your data based on legitimate interests.
- Right to withdraw consent (Art. 7(3) GDPR): Consents (e.g., Google Calendar, Meta integration, newsletters) can be withdrawn at any time in your settings.
To exercise your rights, contact us at: max.kliemt@paddockevents.de
8. Right to Lodge a Complaint
You have the right to lodge a complaint with the competent data protection supervisory authority. The authority responsible for us is:
Sächsischer Datenschutz- und Transparenzbeauftragter (Saxon Data Protection and Transparency Commissioner)
Devrientstraße 5, 01067 Dresden, Germany
9. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy as needed to reflect changes in legal requirements or platform functionality. The current version is always available on this page.
Last updated: May 2026