Privacy Policy

1. Controller

The controller under the GDPR and other applicable data protection laws is Digitalmindsoft Publishing e.K., owner Christian Kramer, Hörvelsinger Weg 51, 89081 Ulm, Germany. You can contact us at info@digitalmindsoft.eu.

2. General information on data processing

We process personal data only where this is necessary to provide a functional website, our content and services, or where you have given consent. The legal bases include Art. 6(1)(a), (b) and (f) GDPR.

This website does not use profiling, advertising trackers, third-party advertising or social plugins that transmit data before consent. External content such as the Spotify player is loaded only after your explicit consent through the consent screen or privacy settings in the footer.

3. Hosting and delivery of the website

This website is hosted on the edge platform of Vercel Inc., 440 N Barranca Avenue #4133, Covina, CA 91723, USA. When the page is accessed, Vercel processes technically necessary connection data such as IP address, user agent, referrer URL and timestamp in server logs to secure operations and deliver content.

The legal basis is Art. 6(1)(f) GDPR: our legitimate interest in technically reliable, fast and secure delivery. We have a data processing agreement with Vercel, including standard contractual clauses. More information: https://vercel.com/legal/privacy-policy.

4. Reach measurement

If you consent to the statistics category, we use Vercel Web Analytics and Vercel Speed Insights. These services work without cookies and without transferring IP addresses to third parties. They collect pseudonymous reach and performance metrics such as page views, load times and Core Web Vitals as first-party beacons on our behalf.

The legal basis is your consent under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. You can withdraw consent at any time using the privacy settings link in the footer; processing before withdrawal remains lawful.

5. Embedded third-party content (Spotify)

In the Music chapter we may embed the official Spotify player for the artist profile Kira Tigerprinzessin. The provider is Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden. The embedded player is loaded only if you enable the External Media category. Only then may Spotify set cookies and identifiers and link the connection to your Spotify account if you are signed in there.

Until you consent, we show a static placeholder with a direct link to https://open.spotify.com/. The legal basis is your consent under Art. 6(1)(a) GDPR and Section 25(1) TDDDG. Spotify privacy information: https://www.spotify.com/de/legal/privacy-policy/.

6. Sign-in and profile (Supabase)

If you sign in or create a profile, we process your email address and, where applicable, display name and avatar. The authentication backend is Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992, with data processing in the EU region Frankfurt.

For magic-link sign-in, we process the email address, authentication tokens stored in cookies such as sb-...-auth-token and the time of the last sign-in. For OAuth sign-in through Google, Apple, Discord or X/Twitter, only if selected by you, we process the OAuth profile data transmitted by that provider, such as email, name, avatar and an internal user key.

For profiles, we process display name, avatar URL and, where applicable, newsletter consent in the profiles and newsletter_subscriptions tables. Optional two-factor authentication (TOTP) and recovery codes are stored as cryptographic factor secrets, hashed in Supabase Auth.

The legal basis is Art. 6(1)(b) GDPR for account services and Art. 6(1)(f) GDPR for account security features such as 2FA. We have a data processing agreement with Supabase. More information: https://supabase.com/privacy.

7. Email delivery (Resend)

Magic-link emails and account-related notifications are sent through Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA. Resend processes your email address, email content and delivery metadata only to deliver the message.

The legal basis is Art. 6(1)(b) GDPR, because the message is needed for the sign-in process you initiated. We have a data processing agreement with Resend; transfers to third countries are based on EU standard contractual clauses. More information: https://resend.com/legal/privacy-policy.

8. Cookies and comparable technologies

We use necessary Supabase session and authentication cookies such as sb-...-auth-token and sb-...-refresh-token, a language cookie from next-intl, and local browser preferences such as kira:consent-v1 for your privacy choice and kira:audio-muted for audio mute state. These are technically necessary under Section 25(2)(2) TDDDG.

Statistics consist of Vercel Web Analytics and Speed Insights as cookieless first-party beacons and are active only with consent. External media cookies and identifiers from Spotify are active only with consent. You can change or withdraw consent at any time through the privacy settings in the footer.

9. Server logs

When the website is accessed, Vercel server logs collect technical connection data: anonymised IP address, date and time of the request, requested resource, HTTP status code, transferred data volume, browser type and version, operating system and referrer URL. These data are not combined with other data sources and are deleted or anonymised after no more than 30 days.

The legal basis is Art. 6(1)(f) GDPR: our legitimate interest in stable and secure operation.

10. Recipients and third-country transfers

We do not transfer your personal data to recipients beyond the processors described above. Transfers to third countries, especially the USA, take place only to providers that are certified under the EU-US Data Privacy Framework or with whom we have concluded EU standard contractual clauses.

11. Retention periods

We store personal data only as long as required for the relevant purpose: server logs for a maximum of 30 days; account and profile data until account deletion; email delivery metadata at Resend according to Resend's retention rules, typically 30 days; and local consent status in your browser until you change it or clear browser storage.

12. Your rights

You have the rights of access under Art. 15 GDPR, rectification under Art. 16 GDPR, erasure under Art. 17 GDPR, restriction of processing under Art. 18 GDPR, objection under Art. 21 GDPR, data portability under Art. 20 GDPR, and withdrawal of consent with future effect under Art. 7(3) GDPR.

To exercise these rights, contact us informally at info@digitalmindsoft.eu. We will process your request promptly and no later than within one month.

13. Right to lodge a complaint with a supervisory authority

You have the right to complain to a data protection supervisory authority about our processing of your personal data. The competent authority is Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart, Germany, phone +49 711 615541-0, email poststelle@lfdi.bwl.de.

14. Changes to this privacy policy

We reserve the right to update this privacy policy so that it continues to meet current legal requirements or to reflect changes to our services. In the case of substantial changes, especially the integration of a new third-party provider, we increase the internal version number of your consent so that you are asked for a choice again on your next visit.