1 · Controller
The entity responsible for data processing on this website and in the huddl app is named in the Imprint.
Email for data-protection requests: legal@huddl.me
2 · Overview of processing
We process personal data in the following contexts:
- Website visit (huddl.me): server logs
- App usage (huddl iOS/Android): account, profile, events, chat, media, settings
- Auth providers: Sign in with Apple or Google
- Communication: support emails, push notifications, auth emails
3 · Legal bases
- Art. 6 (1) lit. b GDPR — performance of contract (account, event features)
- Art. 6 (1) lit. f GDPR — legitimate interest (stability, security, improvements, product analytics)
- Art. 6 (1) lit. a GDPR — consent (push notifications, marketing emails, optional features)
4 · Processors used
We use the following service providers, each governed by a data processing agreement (DPA) per Art. 28 GDPR:
4.1 Hosting & database — Supabase
Provider: Supabase Inc., USA
Hosting region: EU (Frankfurt am Main, AWS eu-central-1)
Data processed: account data, event content, chat messages, uploaded media
Legal basis: Art. 6 (1) lit. b GDPR (performance of contract)
Privacy: supabase.com/privacy
4.2 Marketing website & edge hosting — Vercel
Provider: Vercel Inc., USA
Data processed: HTTP logs, performance telemetry
Privacy: vercel.com/legal/privacy-policy
4.3 DNS & CDN — Cloudflare
Provider: Cloudflare Inc., USA
Data processed: IP address, HTTP headers
Privacy: cloudflare.com/privacypolicy
4.4 Push notifications — OneSignal
Provider: OneSignal Inc., USA
Data processed: device token, notification payload, delivery/read status
Legal basis: Art. 6 (1) lit. a GDPR (consent via OS push opt-in)
Privacy: onesignal.com/privacy_policy
4.5 Error tracking — Sentry
Provider: Functional Software, Inc. (Sentry), USA
Data processed: anonymized stack traces, device info, app version
Legal basis: Art. 6 (1) lit. f GDPR (stability, bug fixing)
Privacy: sentry.io/privacy
4.6 Product analytics — PostHog
Provider: PostHog Inc., USA — EU hosting
Data processed: pseudonymous event data (e.g. "login", "event created"), only UUIDs/enums/booleans, no message content, names, or email addresses, no IP storage
Used: only in the huddl app (not on the website)
Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in product improvement); enabled by default with the option to disable at any time in the app under Settings → Privacy (opt-out)
Privacy: posthog.com/privacy
4.7 Maps & address search — Google Maps
Provider: Google Ireland Limited, Ireland
Data processed: when actively using address search: queries, approximate location
Privacy: policies.google.com/privacy
4.8 Authentication — Apple / Google Sign In
Optionally, huddl supports sign-in with Apple ID or Google. Only the data needed for sign-in is transferred (Apple: anonymized email available; Google: name, email).
4.9 Transactional emails — Resend
Provider: Resend Inc., USA
Data processed: email address, content of confirmation or reset emails
Legal basis: Art. 6 (1) lit. b GDPR (account verification)
Privacy: resend.com/legal/privacy-policy
5 · Cookies and similar technologies
Details in the Cookie Notice. Short version:
- Strictly necessary (website):
NEXT_LOCALEstores your language choice; your theme setting (light/dark) is kept in your browser'slocalStorage. Both are required for operation and exempt from consent (§ 25 (2) TDDDG). - We set no tracking, analytics, or marketing cookies on the website. A cookie banner is therefore not required.
- Product analytics in the app (PostHog) is pseudonymous, enabled by default, and can be disabled at any time under Settings → Privacy (opt-out).
6 · Third-country transfers
Some services (Supabase, Vercel, Cloudflare, OneSignal, Sentry, PostHog, Apple, Google) have US parent companies. Most processing happens in the EU. Where data is transferred to the US, this is based on:
- EU Standard Contractual Clauses (Art. 46 (2) lit. c GDPR)
- EU-US Data Privacy Framework (for certified providers)
7 · Retention periods
| Data category | Retention |
|---|---|
| Account data | Until account deletion |
| Event content | Up to 90 days after event end or account deletion |
| Chat messages | Same as event content |
| Push tokens | Until logout or uninstall |
| Server logs | 30 days |
8 · Your rights
You have the right at any time to:
- Access your stored data (Art. 15 GDPR)
- Rectification of incorrect data (Art. 16 GDPR)
- Erasure (Art. 17 GDPR) — in-app under Settings → Delete account
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object to processing based on legitimate interests (Art. 21 GDPR)
- Withdraw consent with effect for the future (Art. 7 (3) GDPR)
To exercise your rights: legal@huddl.me
9 · Right to lodge a complaint
You have the right to lodge a complaint with a data-protection authority. The relevant authority is typically the one in your federal state of residence or our place of business.
For our place of business in Hesse, this is:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)
Postfach 3163, 65021 Wiesbaden, Germany
Email: poststelle@datenschutz.hessen.de
10 · Changes to this policy
We may update this notice when introducing new features or services. We'll communicate material changes by email and/or in-app.
Last updated: July 2026