
Privacy Policy

Last updated: 2026-05-15

This English version is provided for convenience only. The legally binding version is the German original.

We take the protection of your personal data seriously and treat your data confidentially in accordance with statutory data protection regulations (GDPR, BDSG, TDDDG) and this privacy policy.

§1 — Data Controller (Art. 4 No. 7 GDPR)

Michael Kurenkov
Moislinger Allee 13
23558 Lübeck
Germany
Email: contact@fiturbia.com
Phone: +49 176 56742929

§2 — Data Protection Officer

A data protection officer is not legally required (Art. 37 GDPR in conjunction with § 38 BDSG). For data protection inquiries, please contact the controller directly using the contact details above.

§3 — General Information on Data Processing

Scope: We process our users' personal data only to the extent necessary to provide a functional platform and to deliver our content and services. Processing of personal data takes place regularly only with the user's consent or to fulfil a contract to which the data subject is party, or where processing is permitted by law.

Principles: Data minimization (Art. 5(1)(c) GDPR), transparency (Art. 5(1)(a) GDPR), purpose limitation (Art. 5(1)(b) GDPR), storage limitation (Art. 5(1)(e) GDPR).

§4 — Legal Basis for Processing

- Art. 6(1)(a) GDPR — consent of the data subject
- Art. 6(1)(b) GDPR — performance of a contract and pre-contractual measures (usage agreement)
- Art. 6(1)(c) GDPR — compliance with a legal obligation
- Art. 6(1)(f) GDPR — legitimate interests (security, fraud prevention, reach measurement, product improvement)

§5 — Individual Processing Activities

For each processing activity: purpose, data categories, legal basis, retention period.

5.1 Registration and User Account

Purpose: Provision and use of the user account.
Data: Email address, password (hashed using bcrypt), display name, registration timestamp, timestamp and version of the accepted Terms/Privacy Policy.
Legal basis: Art. 6(1)(b) GDPR (performance of contract); proof of consent/acknowledgement Art. 6(1)(c) GDPR in conjunction with Art. 7(1) GDPR.
Retention: On account deletion, personal data is pseudonymised immediately (soft-delete). The soft-delete marker is retained for 30 days for recoverability after technical errors and is then permanently removed together with backups.

5.2 Email Verification

Purpose: Verification of the email address to protect against fake accounts.
Data: One-time token, send timestamp, verification timestamp.
Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(f) GDPR (security).
Retention: Token 24 hours; verification status permanently with the account.

5.3 Profile Information

Purpose: Display in the profile, discoverability in the community, matching with activities and other users.
Data (voluntary): Profile picture, biography, sports, fitness level, gender, city/country. Public profiles generally show display name, profile picture, biography and sports; city/country is shown to other users only where required by the relevant feature (e.g. crew connection).
Legal basis: Art. 6(1)(a) GDPR (consent through voluntary input) in conjunction with Art. 6(1)(b) GDPR.
Retention: Until changed or deleted by the user or upon account deletion.

5.4 Location, Maps and Radius Search

Purpose: Showing nearby spots and activities, selecting locations when creating spots/activities, map and search features.
Data: Location coordinates (GPS permission, manual map selection or saved profile location), city/country, location-search queries, map viewport and technical request data when loading map tiles.
Legal basis: Art. 6(1)(a) GDPR for device-location permissions; Art. 6(1)(b) GDPR for saved profile/spot/activity locations; Art. 6(1)(f) GDPR for performant map delivery.
Recipients: Geoapify, CARTO and OpenFreeMap (see §6).
Retention: Saved profile locations until changed or account deletion; spot/activity locations until deletion or anonymisation of the relevant content; pure search queries are not stored permanently by us.

5.5 Crew Connections and QR Codes

Purpose: Mutually adding users to a personal crew through a short-lived QR code and displaying the crew list.
Data: User IDs of both crew members, connection timestamp, QR scan session ID, cryptographic QR token, creation/expiry/consumption timestamp, ID of the scanning user and profile details required for display (display name, profile picture, bio, sports).
Legal basis: Art. 6(1)(b) GDPR (providing the crew feature) and Art. 6(1)(f) GDPR (abuse protection, rate limiting).
Retention: QR scan sessions expire after 60 seconds and are regularly deleted, at the latest after 24 hours. Crew connections remain until removed by either user or upon account deletion.

5.6 Spots, Activities, Groups (User-Generated Content)

Purpose: Provision of the core functionality (discovery and organisation of sports locations and activities).
Data: Text descriptions, location coordinates, addresses, time information, sports, skill levels, participant lists, roles (e.g. host/member/waitlist), recurring schedules and photos.
Legal basis: Art. 6(1)(b) GDPR.
Retention: Until deleted by the creator or upon account deletion. Community content that remains relevant to other users (e.g. verified spots, ratings, photos) may continue in anonymised form after account deletion by removing the link to the user.

5.7 Saved Spots, Ratings and Reviews

Purpose: Personal saved list, quality rating of spots and displaying community feedback.
Data: Saved spot, save timestamp, star rating, optional review text, rating status (active/hidden), user ID until anonymisation.
Legal basis: Art. 6(1)(b) GDPR.
Retention: Saved spots until removed from the list or account deletion. Ratings/reviews until deletion, moderation hiding, or anonymisation upon account deletion.

5.8 Chat and Direct Messages

Purpose: Communication between users and activity groups.
Data: Message content, sender, thread members, context (direct chat/activity/group), timestamps, read status, mute and archive status.
Legal basis: Art. 6(1)(b) GDPR.
Retention: 24 months from sending or until deleted/archived by feature logic; upon account deletion, messages sent by the user and memberships are deleted.

5.9 Reports, Moderation and DSA Complaints

Purpose: Receiving and handling reports of illegal or rule-violating content, abuse prevention and compliance with legal obligations under the Digital Services Act.
Data: Reporting user or contact email for public reports, reported content (type, ID or URL), report reason, description, moderation status, reviewer, review timestamp, statement of reasons; for public reports also Turnstile verification data and IP address for bot/spam prevention.
Legal basis: Art. 6(1)(c) GDPR (legal obligations, in particular DSA) and Art. 6(1)(f) GDPR (platform protection and legal defence).
Recipient: Cloudflare Turnstile for bot verification (see §6).
Retention: As long as required for handling, documentation, legal defence and statutory obligations; user references are anonymised upon account deletion unless overriding reasons prevent this.

5.10 In-App Notifications and Preferences

Purpose: Informing users about relevant events such as new messages, event joins, event starts, cancellations, photo/spot moderation and similar platform events.
Data: User ID, notification type, title, body, context data (e.g. activity or chat ID), creation timestamp, read status, notification preferences.
Legal basis: Art. 6(1)(b) GDPR for service-related notifications; Art. 6(1)(a) GDPR for optional channels such as push or email digest.
Retention: Until account deletion or until removed by a future deletion feature; preferences until changed or account deletion.

5.11 Push Notifications (Firebase Cloud Messaging)

Purpose: Sending push notifications to devices.
Data: Device token (FCM), notification content.
Legal basis: Art. 6(1)(a) GDPR (consent when first enabling notifications).
Recipient: Google Ireland Ltd. / Google LLC (see §6).
Retention: Until consent is withdrawn or the device is removed.

5.12 Image Upload (Cloudflare R2)

Purpose: Storage and delivery of spot and profile images.
Data: Image files (EXIF metadata is stripped server-side on receipt, in particular GPS coordinates), object-related metadata.
Legal basis: Art. 6(1)(b) GDPR.
Recipient: Cloudflare, Inc. (see §6).
Retention: Until deleted by the user or upon account deletion.

5.13 Error Monitoring (Sentry)

Purpose: Error diagnosis and platform stabilization.
Data: Error messages, stack traces, anonymized user ID (no email, no IP address), coarse device information, URL of the error event. Request headers, cookies, passwords, tokens and verification codes are scrubbed before transmission; session replay is disabled.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in stability and security).
Recipient: Sentry GmbH / Functional Software, Inc. (see §6).
Retention: 30 days (Sentry standard), deletion thereafter.

5.14 Reach and Performance Measurement (Vercel Analytics + Speed Insights)

Purpose: Aggregated, anonymous usage statistics for product improvement and measuring page performance.
Data: Anonymized page views, aggregated performance metrics. No cookies are set and no devices are recognised.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest). Due to the cookie-free operation and lack of user recognition, consent under § 25 TDDDG is not required.
Recipient: Vercel Inc. (see §6).
Retention: Aggregated statistics kept indefinitely without personal reference.

5.15 Mobile Product Analytics and Feature Flags (PostHog, if enabled)

Purpose: Pseudonymous measurement of how users move through registration, email verification, password reset and onboarding, plus safe gradual rollout of individual mobile-app features.
Data: Internal pseudonymous user ID, temporary technical app-session identifier, event names, timestamps, onboarding step names, notification-permission result, coarse app/SDK/device metadata and aggregated funnel metrics. We do not send email addresses, display names, free-text fields, exact location coordinates, search terms, chat contents or uploaded content to PostHog. App lifecycle tracking, touch/screen autocapture and session replay are disabled in our configuration.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in product improvement, safe rollout and product stability).
Recipient: PostHog (see §6), only if a PostHog key is active in the mobile-app configuration.
Retention: In the app only in memory during the session; at the provider according to its contract and product settings.

5.16 Transactional Emails (Verification, Password Reset, Notifications)

Purpose: Sending operationally necessary emails.
Data: Email address, message content, send timestamp.
Legal basis: Art. 6(1)(b) GDPR.
Recipient: SMTP2GO Pte. Ltd. (see §6).
Retention: Delivery log 30 days.

5.17 Server Log Files

Purpose: Operations and error diagnostics, abuse prevention.
Storage location: Our hosting providers (Vercel, Cloudflare, Netcup) store the timestamp, IP address, HTTP method, URL, status code, and user agent in their server logs when our platform is accessed. Retention follows the providers' privacy policies, typically 14 days at most.
Application logs: Our own application logs do not record IP addresses; only method, path, status, response time, and a technical correlation ID.
Legal basis: Art. 6(1)(f) GDPR.

5.18 Rate Limiting and Abuse Protection

Purpose: Protection against brute-force attacks, spam, excessive uploads, QR-token abuse and abusive reports.
Data: IP address or user ID, requested endpoint, time window, counter value and expiry of the rate-limit key; for crew connect attempts, the user reference of the logged-in account.
Legal basis: Art. 6(1)(f) GDPR (security and abuse prevention).
Retention: According to the relevant time window, typically 60 seconds to 24 hours; automatic deletion from Redis thereafter.

§6 — Recipients (Processors and Third-Party Providers)

We transfer personal data only where necessary for operations, security, communication, map features or legal obligations. Processors are engaged under data processing agreements pursuant to Art. 28 GDPR. Transfers outside the EU/EEA rely on adequacy decisions, Standard Contractual Clauses of the European Commission (Art. 46(2)(c) GDPR) and — where applicable — the EU-US Data Privacy Framework.

| Recipient | Purpose | Location | Legal basis for transfer |
|---|---|---|---|
| Netcup GmbH | Backend hosting (via Dokploy) | Nürnberg, Germany | DPA (Art. 28 GDPR), EU — no SCCs required |
| Cloudflare, Inc. | CDN, R2 object storage | San Francisco, USA (EU edge) | DPA + Standard Contractual Clauses |
| Cloudflare, Inc. (Turnstile) | Bot/spam protection for public DSA notices | USA / worldwide | Art. 6(1)(f) GDPR; DPA or Cloudflare privacy terms + SCC/DPF where applicable |
| Vercel Inc. | Web hosting, Analytics, Speed Insights | San Francisco, USA | DPA + Standard Contractual Clauses |
| Functional Software, Inc. (Sentry) / Sentry GmbH | Error monitoring | USA / Germany | DPA + SCCs for the US entity |
| Google Ireland Ltd. / Google LLC (Firebase Cloud Messaging) | Push notifications | Dublin, Ireland / USA | DPA + Standard Contractual Clauses |
| SMTP2GO Pte. Ltd. | Transactional email delivery | Singapore (with EU servers) | DPA + Standard Contractual Clauses (Art. 46 GDPR) |
| Geoapify / KEPTAGO LTD | Address and location search, autocomplete and reverse geocoding | Cyprus / EU data centres | Art. 6(1)(b)/(f) GDPR; EU — no SCCs required |
| CARTO (basemaps.cartocdn.com) | Web map tile delivery | Madrid, Spain | Art. 6(1)(f) GDPR; EU — no SCCs required |
| Hyperknot Software Kft. (OpenFreeMap) | Mobile-app map tile delivery | Hungary | Art. 6(1)(f) GDPR; EU — no SCCs required |
| PostHog | Mobile product analytics, funnel measurement and feature flags, if enabled | EU/USA | DPA + Standard Contractual Clauses or DPF where applicable |

Note: If we engage additional processors in the future (e.g., payment providers with the introduction of paid features), we will update this list and inform you accordingly.

§7 — Cookies and Similar Technologies (§ 25 TDDDG)

We do not use marketing cookies. For the expressly requested login, language settings, theme selection and app functionality, we use technically necessary cookies or comparable storage technologies such as Local Storage, SecureStore and AsyncStorage. These are exempt from consent under § 25(2)(2) TDDDG where they are strictly necessary to provide the requested digital service. Vercel Analytics and Speed Insights operate cookielessly and without user recognition. Mobile product analytics with PostHog runs in our app configuration without persistent SDK storage on the device; SDK persistence is set to memory. If we introduce analytics cookies or comparable persistent tracking storage in the future, we will request consent first.

| Cookie/Storage | Purpose | Retention | Type |
|---|---|---|---|
| Web Local Storage (`usc-auth`) | Authentication and web session renewal | Until logout, account deletion or local deletion; server-side refresh token maximum 30 days | Necessary |
| Mobile SecureStore | Secure storage of access/refresh tokens in the mobile app | Until logout, account deletion or app deletion; server-side refresh token maximum 30 days | Necessary |
| Local/Async Storage for theme, language, intro status, recent searches and local map/discover preferences | Saving expressly requested app settings | Until changed or locally deleted | Necessary/functional |
| PostHog SDK Memory Storage | Pseudonymous mobile product analytics and feature flags | Only during the current app session | Analytics/functional |

§8 — Transfers to Third Countries

Some processors or third-party providers (in particular Cloudflare, Vercel, Google/Firebase, Sentry US and, where configured, PostHog) are based in or process data in the United States. Transfer of personal data is based on the Standard Contractual Clauses of the European Commission (Implementing Decision (EU) 2021/914) pursuant to Art. 46(2)(c) GDPR and — where applicable — on the EU-US Data Privacy Framework (Commission adequacy decision of 10 July 2023).

§9 — Retention

Personal data is deleted as soon as the purpose of its processing no longer applies and no legal retention obligations prevent deletion. Specific retention periods are given in §5 per processing activity. General overview:

| Data category | Retention |
|---|---|
| User account | Until deletion + 30 days grace |
| Crew QR scan sessions | Valid for 60 seconds; deletion no later than 24 hours |
| Crew connections | Until removed by a user or account deletion |
| User content (spots, activities, photos, ratings) | Until deletion, moderation or anonymisation upon account deletion |
| Saved spots | Until removed from saved list or account deletion |
| Chat messages | 24 months |
| Reports/moderation data | As long as required for handling, evidence, legal defence or statutory obligations |
| In-app notifications | Until account deletion or future deletion feature |
| Rate-limit keys | 60 seconds to 24 hours |
| Server logs | 14 days |
| PostHog product analytics | According to provider/project retention; local app storage only in memory |
| Sentry errors | 30 days |

§10 — Rights of the Data Subject

You have the following rights regarding your personal data:

- Right of access (Art. 15 GDPR)
- Right to rectification of inaccurate data (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR)
- Right to withdraw consent with effect for the future (Art. 7(3) GDPR)

To exercise these rights, contact: contact@fiturbia.com

Access and deletion are additionally available directly in your account settings.

§11 — Right to Lodge a Complaint with a Supervisory Authority

Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority. The competent authority for us is:

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98
24103 Kiel, Germany
Phone: +49 431 988-1200
Email: mail@datenschutzzentrum.de
Web: https://www.datenschutzzentrum.de

§12 — Automated Decision-Making / Profiling

No automated decision-making, including profiling within the meaning of Art. 22(1) and (4) GDPR, takes place.

§13 — Data Security

We implement appropriate technical and organisational measures to protect your personal data (Art. 32 GDPR), including TLS encryption in transit, bcrypt password hashing, least-privilege access control, regular security audits, and dependency updates.

§14 — Changes to This Privacy Policy

We reserve the right to adapt this privacy policy to reflect changes in legislation or in our services. The version currently in effect applies upon your return to the site. The effective date of the current version is stated below.