Privacy Policy

Version 1.2, effective 8 June 2026

A. Controller

I. Name and Address of the Controller

Wiedenroth Technologies GmbH
Speicherstraße 9, 31134 Hildesheim, Germany
Email: info@wiedenroth-technologies.com
Web: https://wiedenroth.tech/kontakt/

II. Data Protection Officer

A data protection officer has not been appointed at this time, as the statutory requirements are not met. For questions regarding data protection, please contact:

info@wiedenroth-technologies.com

B. Data Processing by the Controller

I. Registration and Use of the SaaS Platform

Data processed:

  • First name, last name
  • Email address
  • Password (stored encrypted)
  • Role (e.g. participant, organiser)
  • Organisation affiliation
  • User ID, IP address, log data

Purpose: Provision of the SaaS platform, user administration, event processing

Legal basis: Art. 6(1)(b) GDPR

Retention period: Contract term + 3 years, beyond that in accordance with statutory requirements

II. Event and Participant Data

Data processed:

  • Event details
  • Participant lists, registration data, attendance
  • Certificates, billing data, feedback

Purpose: Organisation and processing of events

Legal basis: Art. 6(1)(b) GDPR, Art. 6(1)(f) GDPR

Retention period: Up to 3 years after the end of the event; billing data up to 10 years

IIa. Visitor and Behaviour Tracking in the Ticket Shop and Ticket Plugins

In the ticket shop and ticket plugins, we collect data on visitor behaviour so that our customers (organisers) can understand how their customers (participants) interact with their events.

Data processed:

  • Page views (pages visited, page title, page path)
  • Visit duration and scroll depth
  • User actions (clicks, form interactions, downloads)
  • Browser information (user agent, language, screen resolution)
  • Referrer (the page from which the visitor came)
  • IP address (anonymised, captured server-side)
  • Browser fingerprint (optional, for device identification and bot detection)
  • Session ID (to associate multiple page views with one session)
  • Visitor ID (for anonymised recognition of returning visitors)

Purpose: Enabling analysis for our customers (organisers) so they can understand how their customers (participants) interact with their events. In addition, data collection serves to improve usability, detect abuse and bots, and optimise event presentation.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in analysing and improving the platform as well as protecting against abuse)

Storage location: Data is stored exclusively on our own servers at Hetzner Online GmbH in Germany.

Anonymisation: The data collected is stored in anonymised form. IP addresses are processed in anonymised form. Browser fingerprints are used only for bot detection and abuse protection, not for personal identification.

Retention period: Data is stored for a maximum of 2 years, unless statutory retention obligations require longer storage. Anonymised statistical evaluations may be stored beyond that period.

III. Contact

Data processed: Information from contact forms or emails

Purpose: Communication, handling of enquiries

Legal basis: Art. 6(1)(a) and (b) GDPR

Retention period: Until final processing, max. 1 year

IV. Sign-in via OAuth Providers (Sign in with Apple, Google Sign In)

You can sign in to our platform via external OAuth providers (Apple "Sign in with Apple" and Google "Sign in with Google"). The technical implementation is carried out via self-hosted authentication infrastructure on our own servers at Hetzner Online GmbH in Germany.

Data processed:

  • Email address (provided by the OAuth provider)
  • Name (optional, if provided by the provider)
  • Provider ID (to link the account)
  • Authentication token (temporary, for sign-in)

Purpose: Simplified sign-in and registration, authentication, linking the account with the OAuth provider

Legal basis: Art. 6(1)(a) GDPR (consent through use of the OAuth provider), Art. 6(1)(b) GDPR (contract performance)

Storage location: All data is stored exclusively on our own servers at Hetzner Online GmbH in Germany. Authentication is carried out directly via the respective OAuth provider (Apple or Google); data transfer is limited to authentication itself.

Data transfer:

  • Apple: During authentication, data is transferred to Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA. Apple is certified under the EU-US Data Privacy Framework. After successful authentication, data is stored on our servers in Germany.
  • Google: During authentication, data is transferred to Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. After successful authentication, data is stored on our servers in Germany.

Data security: Authentication is carried out directly via the respective OAuth provider. We receive only the data released by the provider. Full authentication is performed by the provider. All data received is subsequently stored on our own servers in Germany.

Retention period: Linked OAuth provider information is stored for as long as the account is active. You can view the link at any time in the account settings.

Withdrawal: You can end the link with an OAuth provider at any time by changing your sign-in credentials. The OAuth provider's data will continue to be used for authentication for as long as you sign in with that provider.

Further information can be found in the providers' privacy policies:

V. Abuse Protection and Security (Cloudflare)

To protect against abuse, automated attacks, and spam, we use services from Cloudflare, in particular Cloudflare Turnstile for bot detection during sign-in, registration, and other sensitive forms. In addition, Cloudflare network protection features (e.g. CDN, WAF) may filter data traffic before it is forwarded to our servers.

Providers:

  • Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA
  • Cloudflare Germany GmbH, Rosental 7, 80331 Munich (EU contact)

Data processed:

  • IP address (e.g. via CF-Connecting-IP)
  • User agent, browser and device information
  • Turnstile challenge token and interaction data to distinguish humans from bots
  • Technical connection and security metadata (e.g. TLS fingerprints, request headers)
  • Time and result of the security check

Purpose: Protection against abuse, brute-force attacks, automated spam, and DDoS; ensuring the security and availability of the platform

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in platform security)

Data transfer: Data may be transferred to Cloudflare in the USA. Cloudflare is certified under the EU-US Data Privacy Framework and uses standard contractual clauses.

Storage location: Validation takes place at Cloudflare; we process only the check result and, where applicable, short-term security logs (hosting at Hetzner in Germany).

Retention period: Cloudflare stores data in accordance with its own privacy policy, generally only for the duration of the security check or briefly for attack defence. Our security logs are deleted after fulfilment of the purpose, at the latest after 30 days.

Further information: Cloudflare Privacy · Turnstile Privacy

VI. Sign-in via Magic Link and Email OTP

For sign-in and registration, you can request a one-time sign-in link (magic link) or a one-time code (OTP) by email instead of using a password.

Data processed:

  • Email address
  • Time of request and use of the link or code
  • IP address and technical metadata of the request (for abuse prevention)

Purpose: Passwordless sign-in, verification of email address, account security

Legal basis: Art. 6(1)(b) GDPR (contract performance or pre-contractual measures)

Retention period: Magic links and OTP codes are valid only for a short period (typically a few minutes) and then expire. Log data on sign-in attempts is deleted in accordance with our security policies.

VII. Two-Factor Authentication (MFA)

Optionally, you can additionally secure your account with two-factor authentication (TOTP, e.g. via an authenticator app).

Data processed:

  • MFA status (enabled/disabled)
  • Hashed MFA secrets and recovery codes (no plaintext storage)
  • Time of MFA setup and use

Purpose: Increased account security, protection against unauthorised access

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in user account security); where voluntarily activated, additionally Art. 6(1)(a) GDPR (consent)

Retention period: For as long as MFA is active for your account; after deactivation, the associated MFA data is deleted.

VIII. Waiting List

For sold-out or not yet released events, you can register for a waiting list.

Data processed:

  • Name, email address
  • Desired number of tickets and event reference
  • Time of registration and notification status

Purpose: Management of waiting list places, notification when tickets become available

Legal basis: Art. 6(1)(b) GDPR (carrying out pre-contractual measures at your request)

Retention period: Until booking, removal from the waiting list, or end of the respective event; at the latest in accordance with the organiser's retention periods.

IX. Organisation and Team Invitations

Organisers can invite staff members to their organisation by email and assign roles.

Data processed:

  • Email address of the invited person
  • Name (if provided), assigned role and organisation
  • Invitation status, time of sending and acceptance
  • Invitation token (valid for a limited period)

Purpose: Setting up and managing team access within organisations

Legal basis: Art. 6(1)(b) GDPR (contract performance with the organiser); for recipients without an existing account Art. 6(1)(f) GDPR (legitimate interest in efficient team management)

Retention period: Until acceptance or revocation of the invitation; after acceptance, data is continued in user and organisation administration.

X. Media Uploads

Organisers and users can upload images and other media (e.g. profile pictures, logos, event photos, ticket designs).

Data processed:

  • Uploaded files (images, metadata such as resolution or EXIF where contained in the file)
  • File name, upload time, association with organisation or event
  • IP address and user ID of the upload (logging)

Purpose: Provision of event and brand content, personalisation of tickets and shop appearance

Legal basis: Art. 6(1)(b) GDPR (contract performance)

Retention period: For as long as the associated organisation, event, or user profile exists; deletion upon request of the organiser or upon account deletion.

XI. Public Help Centre and Support Tickets

On our public help centre (help.orbance.com) you can view help articles. As a guest or signed-in user, you can create support requests (tickets).

Data processed:

  • Name, email address, subject and message text
  • Organisation reference (where discernible from context or provided)
  • Ticket status, communication history, timestamps
  • IP address and technical access data when visiting the help centre

Purpose: Handling support requests, improving our help content, customer service

Legal basis: Art. 6(1)(b) GDPR (contract performance or pre-contractual enquiries); Art. 6(1)(f) GDPR (legitimate interest in efficient support)

Retention period: Support tickets and associated communication are stored for processing and follow-up and deleted after completion of the request or in accordance with internal retention periods (generally up to 3 years), unless statutory retention obligations apply.

XII. Cookies and Consents

We use cookies and similar technologies to technically provide the platform, store your settings, and — where you consent — enable optional features. On your first visit, you can set your preferences via a cookie banner.

Data processed:

  • Technically necessary cookies (e.g. session cookies for sign-in, language setting NEXT_LOCALE)
  • Cookie consent status (which categories you have accepted or declined)
  • Optional cookies only after your consent (e.g. for extended features or analytics, where enabled)

Purpose: Provision and security of the platform, storage of language and display settings, compliance with your cookie preferences

Legal basis: Art. 6(1)(f) GDPR (technically necessary cookies); Art. 6(1)(a) GDPR or Section 25(1) TTDSG (German Telecommunications-Telemedia Data Protection Act) (optional cookies only with consent)

Retention period: Session cookies until the browser is closed; persistent settings and consent cookies in accordance with the duration stated in the banner (generally up to 12 months, then renewed request).

C. Hosting and Technical Infrastructure

I. Web Hosting by Hetzner Online GmbH

Our SaaS platform app.orbance.com is hosted by Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen.

Data processed:

  • IP address (anonymised)
  • Access time, browser, operating system, referrer

Purpose: Provision of the SaaS platform, security

Legal basis: Art. 6(1)(f) GDPR

Retention period: Max. 7 days

II. Customer Data Hosting at Hetzner Online GmbH

All customer data of the "Orbance" SaaS platform is hosted and processed exclusively at Hetzner Online GmbH in Germany.

Server location: Germany (various data centres)

Purpose: Operation of the SaaS platform, user administration, storage of event data

Legal basis: Art. 6(1)(b) GDPR, Art. 28 GDPR

Data security: Encrypted transmission, access control, data processing agreement in place

III. Payment Processing by Stripe (incl. Stripe Connect)

For online payments in the ticket shop, SaaS platform subscriptions, and platform fees, we use the payment service provider Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (hereinafter "Stripe"). Organisers can link their Stripe account with Orbance via Stripe Connect; payments from end customers are then processed via the organiser's Stripe account, while Orbance acts technically as the platform.

Depending on the organiser's configuration, the following payment methods are available in the ticket shop via Stripe, among others (not every method is available for every organiser or country):

  • Credit and debit cards
  • Apple Pay and Google Pay (via Stripe Checkout)
  • PayPal (via Stripe)
  • Klarna (buy now pay later / instalments, depending on offer)
  • SEPA direct debit
  • iDEAL, EPS, Bancontact, Revolut Pay, Amazon Pay

Data processed:

  • Payment information (e.g. card number, IBAN — exclusively at Stripe, not on our servers)
  • Name, email address, billing and delivery address
  • Transaction data (amount, currency, date, status, selected payment method)
  • Stripe customer and Connect account identifiers (IDs, no full access to payment instruments)
  • IP address, device information, fraud prevention data

Purpose: Processing of ticket purchases, SaaS subscriptions, and platform fees; payouts to organisers via Stripe Connect; fraud prevention

Legal basis: Art. 6(1)(b) GDPR (contract performance); for Stripe Connect additionally Art. 28 GDPR (processing on behalf of the organiser)

Data security: Stripe is PCI-DSS certified. Full payment data (e.g. card numbers) is not stored on our servers.

Data transfer: Data is transferred to Stripe in Ireland (EU); for certain payment methods, further Stripe partners (e.g. Klarna, PayPal) may be involved.

Retention period: Stripe stores data in accordance with its own privacy provisions. Booking and billing data stored by us is subject to statutory retention obligations (up to 10 years).

Further information: https://stripe.com/de/privacy

IV. Payment Processing by PayPal (Partner Service)

Alternatively or in addition to Stripe, organisers can link their PayPal Business account with Orbance via the PayPal Commerce Platform (Powered by PayPal). End customers can then pay via PayPal in the ticket shop; payment is made directly via PayPal to the organiser.

Data processed:

  • PayPal account identifiers of the organiser (merchant ID, connection status)
  • Transaction and order references (amount, status, time)
  • Name and email address of the buyer (to the extent transmitted to us by PayPal)
  • IP address and technical metadata of the checkout session

Purpose: Processing of ticket payments via PayPal; collection of the Orbance platform fee at checkout

Legal basis: Art. 6(1)(b) GDPR (contract performance); Art. 28 GDPR (processing on behalf of the organiser)

Data transfer: Data is transferred to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg.

Retention period: Connection and transaction references with us in accordance with statutory retention obligations; payment data at PayPal in accordance with PayPal privacy policy.

Further information: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

V. Map and Location Services via Apple Maps

For displaying maps and location services, we use Apple Maps (MapKit JS), a service of Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA.

Data processed:

  • Search queries for addresses and places (anonymised with random identifiers, not linked to Apple ID)
  • Approximate location data (via IP address to determine approximate position, anonymised)
  • Map data and geodata

Purpose: Provision of map and location services, display of event venues, route planning

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing location services)

Privacy: Apple Maps is designed with privacy in mind. The data collected is processed in anonymised form and is not linked to your Apple ID or other personal identifiers. Search queries are linked to random identifiers that are regularly reset. Location data is "fuzzed" (made less precise) after 24 hours, and Apple does not store search history.

Data transfer: Data is transferred to Apple Inc. in the USA. Apple is certified under the EU-US Data Privacy Framework. Apple does not collect or store personal data in connection with Maps use via MapKit JS.

Retention period: Apple does not store search history. Anonymised data is processed in accordance with Apple's privacy provisions.

Further information can be found in Apple's privacy policy: https://www.apple.com/de/privacy/

VI. Apple Wallet and Google Wallet (E-Ticket Passes)

Ticket holders can save e-tickets as digital passes in Apple Wallet and Google Wallet. Appropriate wallet data is generated and transmitted to the respective wallet services.

Data processed:

  • Name of ticket holder, event name, date, venue, seat/ticket information
  • Ticket or booking reference, barcode or QR code data
  • Device identifiers for push notifications on pass updates (Apple Push Notification Service, APNS)
  • Technical metadata for pass generation and updates

Purpose: Provision of digital wallet tickets, updating pass content (e.g. upon changes), improved user experience on the day of the event

Legal basis: Art. 6(1)(b) GDPR (contract performance — provision of the booked ticket)

Data transfer: Apple Wallet: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA (EU-US Data Privacy Framework); Google Wallet: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Retention period: Pass data with us for as long as the booking exists; wallet data on the end device and at Apple/Google in accordance with their policies.

Further information: Apple Privacy · Google Privacy

VII. Email Delivery (SMTP)

Transactional emails (e.g. booking confirmations, tickets, magic links, invitations, waiting list notifications, support replies) are sent via SMTP — either via an email service operated by us or via SMTP servers optionally configured by the organiser. Technical delivery may be carried out on behalf of the organiser via their configuration; the organiser or our platform customer remains the legal controller for sender, content, and legal basis of the messages, to the extent they determine the content.

Data processed:

  • Recipient email address, sender name and address
  • Subject and content of the message (incl. personalised ticket or booking data)
  • Time of sending, delivery status, and technical SMTP log data
  • For customer SMTP: server access credentials stored by the organiser (stored encrypted); the organiser is responsible for the lawfulness of SMTP use

Purpose: Delivery of contract-relevant and service-related communications on behalf of the organiser or for platform use

Legal basis: Art. 6(1)(b) GDPR (contract performance); for marketing emails Art. 6(1)(a) GDPR (consent), where applicable

Retention period: Delivery logs for a limited period for error analysis; content of transactional emails not permanently stored by us, unless required for legal reasons.

VIII. PDF Generation (Internal Service)

For creating ticket PDFs, receipts, or other documents, we use an internal PDF generation service operated on our infrastructure at Hetzner.

Data processed:

  • Booking and ticket data incorporated into the PDF (name, event, price, QR code)
  • Organisation and layout information (logo, texts)
  • Technical request metadata (time, internal job ID)

Purpose: Provision of printable and archivable ticket and receipt documents

Legal basis: Art. 6(1)(b) GDPR (contract performance)

Retention period: PDFs are provided for download and are not permanently retained on the PDF service; stored booking data is subject to our regular retention periods.

D. Rights of Data Subjects

You have the following rights:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection (Art. 21 GDPR)
  • Withdrawal of consent (Art. 7(3) GDPR)
  • Lodging a complaint with a supervisory authority

Please direct your requests to:

info@wiedenroth-technologies.com

E. Changes to This Privacy Policy

This privacy policy may be updated as needed. The current version is available at https://landing.orbance.com/en/policies/privacy.