Privacy Policy

Last updated: February 2026

This privacy policy explains how ondaia ("we", "us", "our") collects, uses, and protects your personal data when you use our web application. We take the protection of your personal data very seriously and treat it confidentially in accordance with the General Data Protection Regulation (GDPR) and applicable German data protection laws.

1. Controller

The controller within the meaning of Art. 4(7) GDPR is:

Thomas Feddersen
Vielister Bogen 5
24988 Oeversee
Germany

Email: ondaia@icloud.com

2. Data We Collect

We collect and process the following categories of personal data:

a) Registration and Account Data

When you create an account, we collect your email address and, optionally, a display name and profile picture. This data is necessary to provide you with access to the app and its features. The legal basis is Art. 6(1)(b) GDPR (performance of a contract).

b) Usage Data

When you use the app, we store the content you create, including events, RSVPs, group memberships, availability information, and your personal settings. This data is necessary to provide the core functionality of the app. The legal basis is Art. 6(1)(b) GDPR (performance of a contract).

c) Server Log Files

When you access our app, our hosting provider automatically collects technical data in server log files. This includes your IP address, browser type and version, operating system, the referring URL, the pages accessed, and the date and time of the request. This data is processed to ensure the stability and security of our systems. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the secure operation of our service). Log files are automatically deleted after 30 days.

d) Email Communication

We use your email address to send you login codes (one-time passwords) and, where applicable, event invitation notifications. These emails are strictly transactional and necessary for the operation of the service. The legal basis is Art. 6(1)(b) GDPR (performance of a contract). We do not send marketing emails.

3. Service Providers (Data Processors)

We use the following third-party service providers to operate our app. We have entered into data processing agreements (Art. 28 GDPR) with each provider:

a) Vercel Inc.

Vercel provides hosting and deployment infrastructure for our app. When you access ondaia, your IP address and request metadata are transmitted to Vercel's servers. Vercel Inc. is based in the United States and is certified under the EU-US Data Privacy Framework.

b) Supabase Inc.

Supabase provides our database and authentication infrastructure. All user data (account information, events, groups, etc.) is stored on Supabase-managed servers located in Frankfurt, Germany (EU). Supabase Inc. is based in the United States, but your data remains within the European Union.

c) Brevo (Sendinblue GmbH)

Brevo handles the delivery of transactional emails, such as login codes and event invitations. For this purpose, your email address and the email content are transmitted to Brevo. Brevo's servers are located in Germany (EU).

4. Data Transfers to Third Countries

Your personal data may be transferred to the United States in connection with the following services:

  • Vercel Inc. (USA): Hosting and deployment of the app. Vercel is certified under the EU-US Data Privacy Framework. The transfer is based on the adequacy decision of the European Commission pursuant to Art. 45 GDPR.
  • Supabase Inc. (USA): While your data is stored on EU-based servers (Frankfurt), Supabase Inc. is a US-based company and may have limited access to data for support and infrastructure maintenance. Data processing agreements and standard contractual clauses are in place.

5. Cookies and Local Storage

ondaia uses technically necessary cookies and local storage to maintain your login session. You can manage optional analytics and marketing cookies at any time.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:

  • Account data (email, display name, profile): stored until you delete your account.
  • Usage data (events, RSVPs, groups, settings): stored until you delete the respective content or your account.
  • Server log files: automatically deleted after 30 days.
  • Email delivery logs: retained by Brevo for up to 30 days.

When you delete your account, all associated personal data will be permanently removed from our systems within 30 days.

7. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR): You can request information about the personal data we store about you.
  • Right to rectification (Art. 16 GDPR): You can request the correction of inaccurate personal data.
  • Right to erasure (Art. 17 GDPR): You can request the deletion of your personal data. You can also delete your account directly within the app.
  • Right to restriction of processing (Art. 18 GDPR): You can request that we restrict the processing of your data under certain conditions.
  • Right to data portability (Art. 20 GDPR): You can request to receive your personal data in a structured, commonly used, and machine-readable format.
  • Right to object (Art. 21 GDPR): You can object to the processing of your personal data where we rely on legitimate interests as the legal basis.
  • Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, please contact us at: ondaia@icloud.com

8. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR. The supervisory authority responsible for us is:

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98, 24103 Kiel, Germany
www.datenschutzzentrum.de

9. Obligation to Provide Data

You are not legally obligated to provide personal data. However, your email address is required to create an account and use the app. Without it, we cannot provide our service. All other information (display name, profile picture, etc.) is voluntary.

10. Automated Decision-Making

We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR.

11. SSL/TLS Encryption

All data transmitted between your browser and our servers is encrypted using SSL/TLS. You can identify an encrypted connection by the lock icon in your browser's address bar and the "https://" prefix in the URL.

12. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our data processing practices or legal requirements. The date at the top of this page indicates when the policy was last revised. We encourage you to review this policy periodically.