Note: This privacy policy draft is based on the technical services we use and GDPR requirements. A lawyer review is required before publishing. TODO Lawyer review
1 · Controller
The entity responsible for data processing on this website and in the huddl app is named in the Imprint.
Email for data-protection requests: legal@huddl.me
2 · Overview of processing
We process personal data in the following contexts:
- Website visit (huddl.me): server logs, analytics
- App usage (huddl iOS/Android): account, profile, events, chat, media, settings
- Auth providers: Sign in with Apple or Google
- Communication: support emails, push notifications, auth emails
- Monetization (planned for huddl Pro): subscription management via Apple/Google IAP, RevenueCat
3 · Legal bases
- Art. 6 (1) lit. b GDPR — performance of contract (account, event features, Pro subscription)
- Art. 6 (1) lit. f GDPR — legitimate interest (stability, security, improvements)
- Art. 6 (1) lit. a GDPR — consent (analytics, marketing emails, optional features)
- Art. 6 (1) lit. c GDPR — legal obligation (tax law for Pro subscription)
4 · Processors used
We use the following service providers, each governed by a data processing agreement (DPA) per Art. 28 GDPR:
4.1 Hosting & database — Supabase
Provider: Supabase Inc., USA
Hosting region: EU (Frankfurt am Main, AWS eu-central-1)
Data processed: account data, event content, chat messages, uploaded media
Legal basis: Art. 6 (1) lit. b GDPR (performance of contract)
Privacy: supabase.com/privacy
4.2 Marketing website & edge hosting — Vercel
Provider: Vercel Inc., USA
Data processed: HTTP logs, performance telemetry
Privacy: vercel.com/legal/privacy-policy
4.3 DNS & CDN — Cloudflare
Provider: Cloudflare Inc., USA
Data processed: IP address, HTTP headers
Privacy: cloudflare.com/privacypolicy
4.4 Push notifications — OneSignal
Provider: OneSignal Inc., USA
Data processed: device token, notification payload, delivery/read status
Legal basis: Art. 6 (1) lit. a GDPR (consent via OS push opt-in)
Privacy: onesignal.com/privacy_policy
4.5 Subscription management — RevenueCat
Provider: RevenueCat Inc., USA
Data processed: pseudonymous user ID, subscription status, platform (iOS/Android)
Legal basis: Art. 6 (1) lit. b GDPR (for huddl Pro)
Privacy: revenuecat.com/privacy
4.6 Error tracking — Sentry
Provider: Functional Software, Inc. (Sentry), USA
Data processed: anonymized stack traces, device info, app version
Legal basis: Art. 6 (1) lit. f GDPR (stability, bug fixing)
Privacy: sentry.io/privacy
4.7 Product analytics — PostHog
Provider: PostHog Inc., USA — EU hosting
Data processed: anonymized event data (e.g. "login", "event created"), no IP storage
Legal basis: Art. 6 (1) lit. a GDPR (consent via cookie banner)
Privacy: posthog.com/privacy
4.8 Maps & address search — Google Maps
Provider: Google Ireland Limited, Ireland
Data processed (only while the address search is actively used): search queries, approximate location
Privacy: policies.google.com/privacy
4.9 Authentication — Apple / Google Sign In
Optionally, huddl supports sign-in with an Apple ID or a Google account. Only the data needed for sign-in is transferred (Apple: email address, which can be an anonymized relay address if you choose Apple's Hide My Email option; Google: name and email address).
4.10 Transactional emails — Resend
Provider: Resend Inc., USA
Data processed: email address, content of confirmation or reset emails
Legal basis: Art. 6 (1) lit. b GDPR (account verification)
Privacy: resend.com/legal/privacy-policy
5 · Cookies and similar technologies
Details in the Cookie Notice. Short version:
- Strictly necessary: NEXT_LOCALE (remembers the selected language)
- Optional, consent-based: PostHog tracking (set only after clicking "Accept" in the banner)
6 · Third-country transfers
Some services (Supabase, Vercel, Cloudflare, OneSignal, RevenueCat, Sentry, PostHog, Apple, Google) have US parent companies. Most processing happens in the EU. Where data is transferred to the US, this is based on:
- EU Standard Contractual Clauses (Art. 46 (2) lit. c GDPR)
- EU-US Data Privacy Framework (for certified providers)
7 · Retention periods
| Data category | Retention |
|---|---|
| Account data | Until account deletion |
| Event content | Up to 90 days after event end or account deletion |
| Chat messages | Same as event content |
| Push tokens | Until logout or uninstall |
| Server logs | 30 days |
| Tax-relevant data (Pro subscription) | 10 years (§ 147 AO) |
8 · Your rights
You have the right at any time to:
- Access your stored data (Art. 15 GDPR)
- Rectification of incorrect data (Art. 16 GDPR)
- Erasure (Art. 17 GDPR) — in-app under Settings → Delete account
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object to processing based on legitimate interests (Art. 21 GDPR)
- Withdraw consent with effect for the future (Art. 7 (3) GDPR)
To exercise your rights: legal@huddl.me
9 · Right to lodge a complaint
You have the right to lodge a complaint with a data-protection supervisory authority. The competent authority is typically the one for the federal state in which you reside or in which we have our place of business.
For our place of business in [STATE]: [STATE DATA PROTECTION AUTHORITY] TODO
10 · Changes to this policy
We may update this notice when introducing new features or services. We'll communicate material changes by email and/or in-app.
Last updated: May 2026