Privacy Policy

Last updated: February 2026

1. Introduction and Controller

This privacy policy informs you pursuant to Art. 13 of the General Data Protection Regulation (GDPR) about the processing of your personal data when using the web application ondaia.

The controller responsible for data processing within the meaning of Art. 4(7) GDPR is:

Thomas Feddersen
Vielister Bogen 5
24988 Oeversee
Germany

Email: info@ondaia.app

2. Security and Encryption

We employ state-of-the-art technical and organizational security measures to protect your data against manipulation, loss, destruction, or unauthorized access by third parties (Art. 32 GDPR).

Our app uses SSL/TLS encryption. You can recognize this by the browser address bar changing from "http://" to "https://" and the lock icon in your browser bar. When SSL encryption is active, data you transmit to us cannot be read by third parties.

3. Collection and Storage of Personal Data and Purpose of Use

a) When Visiting the Website (Server Log Files & CDN)

When accessing our web application, your browser automatically sends information to our website's server. This information is temporarily stored in so-called log files.

The following information is collected automatically without any action on your part:

  • IP address of the requesting device,
  • date and time of access,
  • name and URL of the requested file,
  • website from which access was made (referrer URL),
  • browser used and, where applicable, your operating system and access provider.

Purposes of processing:

  • ensuring a smooth connection to the website,
  • ensuring comfortable use of our website,
  • evaluating system security and stability (e.g., defense against DDoS attacks).

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest follows from the purposes listed above.

b) Registration and Use of the App (Account Creation)

When you create a user account, we process the following data:

  • Required data: Email address (for authentication via magic link/OTP).
  • Optional data: Display name, profile picture.
  • Content data: Events, appointments, RSVPs, group memberships, and personal settings created by you.

Purposes of processing:

  • identification as a user,
  • providing the contractually agreed features of the app (event planning, group management),
  • contacting you in case of technical problems or security-relevant changes.

Legal basis: Art. 6(1)(b) GDPR. Processing is necessary for the performance of the user agreement and to provide the app.

c) Transactional Emails

We use your email address exclusively for system-relevant messages (e.g., sending login codes/one-time passwords or notifications about invitations). Your email address is not used for advertising purposes.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

4. Data Sharing & Data Processing

Your personal data will not be transferred to third parties for purposes other than those listed below. We use external service providers to operate the app (data processors pursuant to Art. 28 GDPR).

a) Hosting & Content Delivery (Vercel)

We use the platform Vercel (Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA) for hosting the application and as a Content Delivery Network (CDN). A CDN reduces loading times by delivering files through a globally distributed server network.

Data: IP addresses, technical log data.

Third-country transfer: Vercel Inc. is certified under the EU-US Data Privacy Framework (DPF). The European Commission has determined that the USA provides an adequate level of data protection for DPF-certified companies (adequacy decision pursuant to Art. 45 GDPR).

b) Database & Authentication (Supabase)

Our database and backend infrastructure are provided by Supabase (Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992). We have configured the storage region Frankfurt (Germany/EU). Your content data (events, profiles) is physically stored on servers within the EU (hosted by AWS as a sub-processor).

Since Supabase Inc. is legally based in the USA/Singapore, technical access for maintenance and support purposes from a third country cannot be entirely excluded.

Safeguard: We have concluded a Data Processing Agreement (DPA) with Supabase including the EU Standard Contractual Clauses (SCC) pursuant to Art. 46 GDPR to ensure an adequate level of data protection.

c) Email Delivery (Resend)

For sending login emails, we use Resend (Resend, Inc., 2261 Market Street #4059, San Francisco, CA 94114, USA).

Data: Email address, message content.

Location: Data processing takes place via Amazon SES servers in the EU (eu-west-1).

d) Web Fonts (Fontshare)

We use the font "Satoshi" from Fontshare (Indian Type Foundry, Ahmedabad, India). When you access our app, the font is loaded from Fontshare's servers (cdn.fontshare.com). Your IP address is transmitted to the provider in the process.

Data: IP address, technical request data (user agent, referrer).

Legal basis: Legitimate interest pursuant to Art. 6(1)(f) GDPR in the consistent visual presentation of our app.

e) Error Monitoring (Sentry)

With your consent, we use Sentry (Functional Software, Inc., San Francisco, USA) for error monitoring and performance analysis. Sentry helps us detect and fix technical issues in our app. When an error occurs, diagnostic data such as the error message, stack trace, browser type, and operating system version are transmitted to Sentry's servers.

Data: Error messages, stack traces, browser/device information, page URL. No personal data such as names or email addresses is collected.

Transfer: Data is processed in the EU (Frankfurt, Germany). Sentry is certified under the EU-US Data Privacy Framework.

Legal basis: Consent pursuant to Art. 6(1)(a) GDPR. You can withdraw your consent at any time via the cookie settings.

5. Cookies and Local Storage

Our app uses cookies and local storage.

We use technically necessary storage technologies as well as optional ones with your consent:

  • Necessary: Session token (login status), CSRF protection, cookie consent preferences.
  • Analytics (with consent): Sentry error monitoring stores session replay data to help us diagnose issues.

You can manage your cookie preferences at any time via the cookie settings in the app.

Legal basis: Necessary cookies are based on § 25(2)(2) TDDDG. Optional cookies (analytics) require your consent pursuant to § 25(1) TDDDG and Art. 6(1)(a) GDPR.

6. Data Subject Rights

You have the right:

  • pursuant to Art. 15 GDPR, to request information about the personal data we process about you;
  • pursuant to Art. 16 GDPR, to request the immediate rectification of inaccurate or completion of incomplete personal data stored by us;
  • pursuant to Art. 17 GDPR, to request the deletion of your personal data stored by us, unless processing is necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims;
  • pursuant to Art. 18 GDPR, to request the restriction of processing of your personal data;
  • pursuant to Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used, and machine-readable format, or to request its transfer to another controller;
  • pursuant to Art. 7(3) GDPR, to revoke your consent at any time. This means we may no longer continue the data processing that was based on this consent in the future;
  • pursuant to Art. 77 GDPR, to lodge a complaint with a supervisory authority. You can typically contact the supervisory authority of your usual place of residence or workplace, or our registered office (ULD Schleswig-Holstein).

7. Right to Object

Where your personal data is processed on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR, you have the right under Art. 21 GDPR to object to the processing of your personal data, provided there are grounds arising from your particular situation. If you wish to exercise your right to revoke or object, an email to the following address is sufficient: info@ondaia.app

8. Storage Duration and Deletion

We adhere to the principles of data avoidance and data minimization. We therefore store your personal data only for as long as is necessary to achieve the purposes stated herein, or as required by the various retention periods provided for by law.

  • Account and content data: Deleted once you delete your account in the settings (complete removal from backups within 30 days).
  • Log files: Automatically overwritten/deleted after 30 days.

9. Updates to This Privacy Policy

This privacy policy is currently valid as of February 2026. Due to the further development of our website and offerings, or due to changes in legal or regulatory requirements, it may become necessary to amend this privacy policy.