Privacy Policy
1. Data Controller
The data controller responsible for data processing on this website is Klubwerk GmbH, Musterstrasse 42, 10115 Berlin, Germany. Email: calvin@klubwerk.com. Phone: +41 76 424 3553. The data controller determines the purposes and means of processing personal data.
2. Types of Data Collected
We collect the following categories of personal data: contact information (name, email address, phone number), account data (username, encrypted password), usage data (pages visited, time spent, browser type, device information), payment data (bank details for SEPA direct debit, processed by our payment provider), and communication data (messages sent through our platform). We do not collect sensitive personal data such as health information, religious beliefs, or political opinions unless explicitly required for club operations and consented to by the member.
3. Legal Basis for Processing
We process personal data based on the following legal grounds under Article 6 GDPR: consent (Article 6(1)(a)) for marketing communications and optional data collection; contract fulfillment (Article 6(1)(b)) for providing our services and managing your account; legal obligation (Article 6(1)(c)) for tax records and regulatory compliance; legitimate interest (Article 6(1)(f)) for fraud prevention, service improvement, and security.
4. Cookies and Tracking
We use strictly necessary cookies to operate our website and application. These include session cookies for authentication and preference cookies for language settings. We do not use advertising or tracking cookies. Our website analytics use privacy-friendly tools that do not track individual users across websites and do not require cookie consent under GDPR. You can configure your browser to reject cookies, though this may limit functionality.
5. Third-Party Services
We use the following third-party services: Vercel (hosting, based in the US, EU Standard Contractual Clauses in place), Google Cloud Platform (data storage, EU data centers), and our payment processing partner for SEPA transactions. All third-party processors are bound by data processing agreements that ensure GDPR compliance. We do not sell personal data to third parties.
6. Your Rights as a Data Subject
Under GDPR, you have the right to: access your personal data (Article 15), rectify inaccurate data (Article 16), erase your data (Article 17, "right to be forgotten"), restrict processing (Article 18), request data portability (Article 20), and object to processing (Article 21). To exercise any of these rights, contact us at calvin@klubwerk.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
7. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS 1.3) and at rest, regular security audits, access controls based on the principle of least privilege, and automated backups. Despite these measures, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.
8. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected. Account data is deleted within 30 days of account closure, unless retention is required by law. Financial records are retained for 10 years as required by German tax law (Section 147 AO). Usage logs are anonymized after 90 days.
This policy was last updated on April 1, 2026.