Privacy Policy

Last updated: October 19, 2025

1. Introduction

At SANTA.LY, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Secret Santa organizing service. We are committed to protecting your personal data and respecting your privacy rights. This policy complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

The data controller responsible for your personal data is:

Robin Bauer
An der Alten Zündholzfabrik 36
55246 Mainz-Kostheim
Germany
Email: kontakt@santa.ly

3. Information We Collect

3.1 Information You Provide

When you use SANTA.LY, we collect the following information that you provide directly:

  • Account Information: Email address, display name (optional)
  • Event Information: Event name, description, date, budget limits
  • Participant Information: Names and email addresses of Secret Santa participants
  • Wishlist Information: Gift wishes, descriptions, links, and estimated prices

3.2 Automatically Collected Information

We automatically collect certain information when you use our service:

  • Usage Data: Pages visited, features used, time spent on the platform
  • Device Information: Browser type, operating system, device type
  • Technical Data: IP address, cookies, session data

4. How We Use Your Information

We use your information for the following purposes:

  • Service Provision: To create and manage Secret Santa events, assign participants, and manage wishlists
  • Communication: To send event notifications, updates, and important service information
  • Security: To protect against fraud, abuse, and unauthorized access
  • Improvement: To analyze usage patterns and improve our service
  • Legal Compliance: To comply with applicable laws and regulations

5. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide our Secret Santa service (Art. 6(1)(b) GDPR)
  • Legitimate Interests: For service improvement and security (Art. 6(1)(f) GDPR)
  • Consent: Where you have given explicit consent for specific purposes (Art. 6(1)(a) GDPR)
  • Legal Obligation: To comply with legal requirements (Art. 6(1)(c) GDPR)

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your information in the following limited circumstances:

  • Service Providers: With trusted third-party service providers who help us operate our service (e.g., hosting, authentication, email delivery)
  • Event Participants: Within your Secret Santa event, certain information (name, wishlist) is shared with other participants as necessary for the Secret Santa functionality
  • Legal Requirements: When required by law, court order, or government regulation
  • Security: To protect the rights, property, or safety of SANTA.LY, our users, or others

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy:

  • Account Data: Until you delete your account or request data deletion
  • Event Data: For the duration of the event and up to 90 days after completion, unless deleted earlier
  • Technical Data: Typically retained for 90 days for security and analytical purposes

8. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Restriction: Request limitation of processing in certain circumstances
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise these rights, please contact us using the information provided in Section 2.

9. Cookies and Tracking

We use essential cookies and similar technologies to make our service work properly. These include:

  • Essential Cookies: Required for authentication and basic functionality
  • Session Cookies: To maintain your login state and preferences

We do not use advertising cookies or third-party tracking cookies. You can control cookies through your browser settings, but disabling essential cookies may affect service functionality.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: Data transmission is encrypted using SSL/TLS
  • Authentication: Secure passkey-based authentication system
  • Access Controls: Limited access to personal data on a need-to-know basis
  • Regular Audits: Periodic security assessments and updates

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

11. International Data Transfers

Your data is primarily stored and processed within the European Union. If we transfer data outside the EU, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Transfers to countries with adequate data protection levels
  • Your explicit consent where required

Our primary service providers (Neon Database, Stack Auth) are GDPR-compliant and process data within the EU.

12. Children's Privacy

Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we discover that we have collected personal information from a child under 13, we will delete it immediately. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last Updated" date
  • Sending an email notification for significant changes

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

14. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

Robin Bauer
An der Alten Zündholzfabrik 36
55246 Mainz-Kostheim
Germany
Email: kontakt@santa.ly

We will respond to your inquiry within 30 days.

15. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority:

The State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate
Postfach 3040
55020 Mainz
Phone: 06131 208-2449
Email: poststelle@datenschutz.rlp.de