Table of Contents
Controller
Overview of Processing Activities
Relevant Legal Bases
Rights of Data Subjects
Erasure of Data
Hosting and Provision of the Website
Server Log Files
Content Management System (Storyblok)
Web Analytics (Umami)
Use of Cookies
Payment Methods (Donations)
Newsletter and Electronic Notifications
Surveys and Polls
Presence on Social Networks
Liability for Links
Copyright
Transfer to Third Countries
Currency of this Privacy Policy
Controller
obenstadt e.V.
Board
Katrien Sietske Suzanne Ligt
Van Weelstraat 11B
3022ZA Rotterdam
Netherlands
Deputy Board
Daria Sankina
Kottwitzstraße 36
20253 Hamburg
Germany
Email: info@obenstadt.de
Overview of Processing Activities
The following overview summarises the types of data processed and the purposes of their processing in connection with the website "obenstadt.de", and refers to the categories of data subjects affected.
Types of data processed
Master data
Payment data
Contact data
Content data
Usage data
Meta / communication data
Categories of data subjects
Visitors
Communication partners
Users
Donors
Purposes of processing
Appointment coordination and visitor service
Responding to enquiries and communication
Marketing (press releases, newsletter, self-promotion)
Provision of our online offering and user-friendliness
Security measures and protection against misuse
Reach measurement and statistical analysis of website usage
Relevant Legal Bases
The following provides an overview of the legal bases of the General Data Protection Regulation (GDPR) under which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection rules may apply, in particular the German Telecommunications Digital Services Data Protection Act (TDDDG, formerly TTDSG).
Consent (Art. 6(1)(a) GDPR) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Legitimate interests (Art. 6(1)(f) GDPR) – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
In addition to the data protection rules of the GDPR, national data protection regulations apply in Germany.
Rights of Data Subjects
Pursuant to Art. 15 to 21 GDPR, you have the right to:
Access the personal data we hold about you and information about its processing (Art. 15 GDPR).
Rectification of inaccurate personal data (Art. 16 GDPR).
Erasure of your data held by us (Art. 17 GDPR), unless statutory retention obligations or other reasons prevent erasure.
Restriction of processing (Art. 18 GDPR).
Object to the processing of your data (Art. 21 GDPR).
Data portability, where you have given consent or where processing is based on a contract with us (Art. 20 GDPR).
Withdraw a given consent with effect for the future (Art. 7(3) GDPR).
Right to lodge a complaint: You have the right under Art. 77 GDPR to lodge a complaint with a supervisory authority. As a rule, you may contact the supervisory authority of your usual place of residence or place of work. The competent authority for obenstadt e.V. is:
The Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Str. 22
20459 Hamburg
Germany
https://datenschutz-hamburg.de
Erasure of Data
The data processed by us will be deleted in accordance with statutory requirements as soon as the consents on which the processing is based are revoked or other authorisations cease to apply (e.g. if the purpose of processing the data has ceased to exist or the data is not required for that purpose). Where data is not deleted because it is required for other and legally permitted purposes, its processing will be restricted to those purposes. That is, the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law, or whose storage is necessary for the assertion, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person.
Our privacy notices may also contain further information on the retention and erasure of data, which take precedence for the respective processing activities.
Hosting and Provision of the Website
Our website is hosted by Vercel Inc. and delivered via their European edge network (in particular the Frankfurt am Main, Germany region). Each time a page is requested, Vercel automatically collects the server log data described below for the purpose of providing the service, ensuring IT security and optimising delivery.
Service provider: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA
Website: https://vercel.com
Privacy policy: https://vercel.com/legal/privacy-policy
Data Processing Agreement (DPA): https://vercel.com/legal/dpa
Standard Contractual Clauses for safeguarding the third-country transfer to the USA: included in the DPA.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) in the secure and high-performance operation of the online offering.
TLS encryption: For security reasons and to protect the transmission of confidential content, this website uses TLS/SSL encryption. You can recognise an encrypted connection by the https:// prefix in your browser's address bar.
Server Log Files
Each time our website is accessed, our hosting provider (Vercel) automatically records data in log files. This data includes:
IP address of the requesting device (truncated/anonymised where technically possible)
Date and time of the request
Requested URL and HTTP status code
Volume of data transferred
Referrer (previously visited page)
User agent (browser and operating system information)
This data is processed exclusively to ensure operation, for error analysis and to defend against attacks, and is deleted after a short period (usually no more than 30 days). The data is not combined with other data sources.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) in the secure operation of the online offering.
Content Management System (Storyblok)
The content of this website is managed using the headless CMS "Storyblok". When a page is requested, the content is fetched server-side from Storyblok and delivered to your browser. In standard operation, no personal data of website visitors is transmitted to Storyblok.
Service provider: Storyblok GmbH, Wasagasse 26/2, 1090 Vienna, Austria
Website: https://www.storyblok.com
Privacy policy: https://www.storyblok.com/privacy
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) in the high-performance operation of the website and efficient content management.
Web Analytics (Umami)
This website uses Umami Analytics, a privacy-friendly open-source web analytics tool. The analytics server is operated under analytics.ck71.com in a data centre in Nuremberg, Germany. As a result, all processing of analytics data takes place within the European Union; no transfer to third countries occurs.
Operator of the analytics server (processor):
Carsten Krause
Am Kiefernsteg 2
14547 Beelitz
Data processed:
Pages requested (URL, title)
Referrer (referring page)
Browser type and version (user agent)
Operating system
Screen resolution
Browser language
Geographical origin at country/city level (derived from the IP address)
What Umami does not do:
It sets no cookies.
It performs no cross-site tracking.
It stores no personal data within the meaning of the GDPR on a permanent basis. IP addresses are used solely to generate an anonymous, daily-rotating hash and are not retained.
It does not perform fingerprinting.
Data is not shared with third parties.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) in a statistical analysis of the use of our online offering, with a view to improving its content and reach. As no cookies or comparable technologies for accessing the end device are used, consent under § 25 TDDDG is not required.
Storage location: Data centre in Nuremberg, Germany (EU).
Retention period: Aggregated statistics are stored until revoked.
Objection: You can object to the collection at any time by enabling the "Do Not Track" (DNT) setting in your browser. When DNT is enabled, you will not be tracked by Umami.
Further information on Umami: https://umami.is/docs
Use of Cookies
Cookies are small text files or other forms of storage that hold information on end devices and read information from end devices. obenstadt.de itself does not set any cookies that require consent.
For booking tickets and reserving places, we use the external third-party provider Stager B.V. (Zomerhofstraat 82, 3032 CM Rotterdam, Netherlands). The booking does not take place on obenstadt.de but on the platform of Stager B.V., to which we merely link. Only when you follow this link are you redirected to the pages of Stager B.V.; there, Stager B.V. may set its own cookies and process data. Stager B.V. is independently responsible for this and obtains any required consent on its own platform.
We have no influence over the data processing carried out by Stager B.V. We refer you to the terms and conditions and the privacy notices of Stager B.V., which are available within the respective websites or transactional applications.
Further information can be found in the privacy policy: https://stager.co/en/company/privacy-policy/
Notes on consent: We use cookies in compliance with statutory provisions. Where necessary, we obtain prior consent from users. Consent is not required, in particular, where the storage and reading of information, including cookies, is strictly necessary for the functions and operation of a website.
Retention period: With regard to the retention period, the following types of cookies are distinguished:
Temporary cookies (session cookies): are deleted at the latest after a user leaves an online offering and closes the end device.
Permanent cookies: remain stored even after the end device has been closed. For example, login status or preferred content can be displayed when a user revisits a website.
Withdrawal and objection (opt-out): Users may withdraw consents given at any time and may also object to processing in accordance with the statutory provisions in Art. 21 GDPR. Users may also object via their browser settings, e.g. by deactivating the use of cookies (this may also restrict the functionality of online services). An objection to the use of cookies for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.
Payment Methods (Donations)
In connection with our events we ask you for donations. You may donate in cash, by bank transfer via a QR code, or online via the donation platform betterplace.org.
QR code (bank transfer): The QR code provided at our events contains only our bank account details (a credit transfer / SEPA QR code). When you scan it with your banking app, only the transfer details are imported into your app; you carry out the payment itself through your own bank. No personal data is transmitted to us or to third parties in this process.
Online donation via betterplace.org: For online donations we use the donation platform betterplace.org. During the donation process, the data you enter (e.g. name, email address and payment/bank details) is processed and stored by the platform operator. As a rule, we receive from betterplace.org only the information required to allocate the donation (e.g. name and donation amount), but not full account or credit card details.
We have no influence over the data processing carried out by betterplace.org. We refer you to the terms and conditions and the privacy notices of betterplace.org, which are available within the respective websites.
Further information on processing operations, procedures and services:
betterplace.org: Donation platform; service provider: betterplace.org gGmbH, Schlesische Straße 26, 10997 Berlin, Germany; legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); website: https://www.betterplace.org; privacy policy: https://www.betterplace.org/c/regeln/datenschutz; data protection contact: datenschutz@betterplace.org.
Newsletter and Electronic Notifications
We send newsletters, emails and other electronic notifications (hereafter "newsletter") only with the recipient's consent or under a statutory permission. If the contents of the newsletter are specifically described during sign-up, those contents are decisive for the user's consent. Otherwise, our newsletters contain information about our activities and us.
To subscribe to our newsletters, it is generally sufficient to provide your email address. We do, however, ask you to optionally provide your name and further details, so we can address you personally and learn through which communication channels you reached us.
The newsletter is sent via the third-party provider Substack Inc. Substack Inc. uses user-related data for its services. The personal data processed by Substack Inc. includes name and email address.
Further information on processing operations, procedures and services:
Substack Inc.: Portal for the provision of newsletters; service provider: Substack Inc., 111 Sutter Street, 7th Floor, San Francisco, CA 94104, USA; legal bases: consent (Art. 6(1)(a) GDPR) and performance of a contract (Art. 6(1)(b) GDPR); website: https://substack.com; privacy policy: https://substack.com/tos.
We have no influence over the data processing carried out by Substack Inc. We refer you to the terms and conditions and the privacy notices of Substack Inc., which are available within the respective websites or transactional applications.
Double opt-in procedure: Subscription to our newsletter generally takes place via a so-called double opt-in procedure. That is, after subscribing you will receive an email asking you to confirm your subscription. This confirmation is necessary to ensure that nobody can subscribe with someone else's email address. Newsletter subscriptions are logged in order to demonstrate that the subscription process complies with legal requirements. This includes storing the time of subscription and confirmation, as well as the IP address. Changes to your data stored with the dispatch service provider are likewise logged.
Erasure and restriction of processing: We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests before deleting them, in order to be able to demonstrate that consent was previously given. The processing of this data is restricted to the purpose of defending against possible claims. An individual erasure request is possible at any time, provided the former existence of consent is confirmed at the same time. In the event of obligations to permanently observe objections, we reserve the right to store the email address solely for that purpose in a so-called "block list".
The logging of the subscription process takes place on the basis of our legitimate interests for the purpose of demonstrating its proper conduct. Where we engage a service provider for sending emails, this is done on the basis of our legitimate interests in an efficient and secure dispatch system.
Content: With our newsletter we provide information about obenstadt activities and events. The newsletter is sent at most once a week.
Types of data processed: master data (e.g. names, addresses); contact data (e.g. email, phone numbers); meta / communication data (e.g. device information, IP addresses); usage data (e.g. websites visited, interest in content, access times).
Categories of data subjects: communication partners.
Purposes of processing: direct marketing (e.g. by email or post).
Legal bases: consent (Art. 6(1)(a) GDPR).
Right to object (opt-out): You may unsubscribe from our newsletter at any time, i.e. withdraw your consent or object to further receipt. You will find an unsubscribe link at the end of every newsletter, or you may use one of the contact options indicated above.
Surveys and Polls
After events we may conduct surveys and polls in order to collect information for the respective communicated survey or polling purpose. The surveys and polls we carry out (hereafter "polls") are evaluated anonymously. Personal data is processed only insofar as this is necessary for the provision and technical execution of the polls (e.g. processing of the IP address in order to display the poll in the user's browser).
Types of data processed: contact data (e.g. email, phone numbers); content data (e.g. inputs in online forms); usage data (e.g. websites visited, interest in content, access times); meta / communication data (e.g. device information, IP addresses).
Categories of data subjects: communication partners; participants.
Purposes of processing: feedback (e.g. collecting feedback via online form).
Legal bases: legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing operations, procedures and services:
Google Forms: Creation and evaluation of online forms, surveys, feedback forms etc.; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; legal bases: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.google.com/forms; privacy policy: https://policies.google.com/privacy; data processing agreement: https://workspace.google.com/terms/dpa_terms.html; standard contractual clauses: https://cloud.google.com/terms/eu-model-contract-clause.
Presence on Social Networks (Social Media)
We maintain online presences on social networks such as Instagram and LinkedIn. In this context we process users' data in order to communicate with active users there or to provide information about us. We refer to these platforms by hyperlink so that no data is transmitted there without your consent.
We have no influence over the data processing carried out by the providers named. For a detailed presentation of the respective forms of processing and the available opt-out options, we refer to the privacy policies and information of the operators of the respective networks. Likewise, in the case of access requests and the assertion of data subject rights, we point out that these can most effectively be asserted with the providers. Only the providers have access to user data and can take appropriate measures and provide information directly. Should you nevertheless need help, you may contact us.
Types of data processed: contact data (e.g. email, phone numbers); content data (e.g. inputs in online forms); usage data (e.g. websites visited, interest in content, access times); meta / communication data (e.g. device information, IP addresses).
Categories of data subjects: users (e.g. website visitors, users of online services).
Purposes of processing: contact requests and communication; feedback (e.g. collecting feedback via online form); marketing.
Legal bases: legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing operations, procedures and services:
Instagram: Social network; service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; legal bases: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.instagram.com; privacy policy: https://instagram.com/about/legal/privacy.
LinkedIn: Social network; service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; legal bases: legitimate interests (Art. 6(1)(f) GDPR); website: https://www.linkedin.com; privacy policy: https://www.linkedin.com/legal/privacy-policy.
Liability for Links
Our offering contains links to external websites of third parties whose content we have no influence over. For this reason, we cannot accept any liability for such third-party content. The respective provider or operator of such pages is always responsible for the content of the linked pages. The linked pages were checked for possible legal violations at the time of linking. Unlawful content was not recognisable at the time of linking.
However, permanent monitoring of the content of linked pages is not reasonable in the absence of concrete indications of an infringement. If we become aware of any infringements, we will remove such links immediately.
Copyright
Content and works on these pages created by the site operators are subject to German copyright law. Reproduction, editing, distribution and any kind of exploitation outside the limits of copyright require the written consent of the respective author or creator. Downloads and copies of these pages are permitted for private, non-commercial use only. Insofar as content on these pages was not created by the operator, the copyrights of third parties are observed. In particular, third-party content is identified as such. Should you nevertheless become aware of a copyright infringement, please notify us. If we become aware of any infringements, we will remove such content immediately.
Transfer to Third Countries
We point out that several of the service providers we use may process user data outside the European Union. These include in particular:
Vercel Inc. (hosting) – USA (delivery is, however, via the EU edge network, Frankfurt region)
Substack Inc. (newsletter) – USA
Google LLC (Google Forms) – USA
Meta Platforms (Instagram) – USA
LinkedIn / Microsoft Corp. – USA
This may give rise to risks for users, since, for example, the enforcement of users' rights in the USA may be more difficult. For US providers that are certified under the EU-U.S. Data Privacy Framework, an adequate level of data protection applies as a result of the European Commission's adequacy decision of 10 July 2023. In all other cases, transfers take place on the basis of the Standard Contractual Clauses (SCCs) issued by the European Commission, supplemented by additional safeguards where appropriate.
Currency of this Privacy Policy
This privacy policy is dated 2026-06-07. Future updates will be available at this location.
Created using the privacy policy generator: https://datenschutz-generator.de/datenschutzerklaerung/
