The Archive of Strangers

Privacy

Privacy Policy

This privacy policy informs you about the type, scope and purpose of the processing of personal data (hereinafter referred to as „data") within our online offering and the associated websites, functions and contents as well as external online presences such as our social media profiles (hereinafter jointly referred to as „online offering"). With regard to the terms used, such as „processing" or „controller", we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

Controller

Tom Fröhlich c/o Archive of Strangers Dortustr. 46 14467 Potsdam Germany Email: mail@thearchiveofstrangers.com

Types of data processed

  • Inventory data (e.g., names, addresses).
  • Contact data (e.g., email, phone numbers).
  • Content data (e.g., text entries, photographs, videos).
  • Usage data (e.g., websites visited, interest in content, access times).
  • Meta / communication data (e.g., device information, IP addresses).

Categories of data subjects

Visitors and users of the online offering (hereinafter we collectively refer to the data subjects as „users").

Purpose of processing

  • Provision of the online offering, its functions and content.
  • Responding to contact enquiries and communication with users.
  • Security measures.
  • Reach measurement.

Terms used

„Personal data" means any information relating to an identified or identifiable natural person (hereinafter „data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie), or to one or more factors specific to that natural person.

„Processing" means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers practically any handling of data.

„Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

„Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Relevant legal bases

In accordance with Art. 13 GDPR, we inform you of the legal bases for our data processing. Unless the legal basis is mentioned in this privacy policy, the following applies: the legal basis for obtaining consent is Art. 6(1)(a) and Art. 7 GDPR; the legal basis for processing to perform our services and carry out contractual measures as well as to respond to enquiries is Art. 6(1)(b) GDPR; the legal basis for processing to fulfil our legal obligations is Art. 6(1)(c) GDPR; and the legal basis for processing to safeguard our legitimate interests is Art. 6(1)(f) GDPR.

Security measures

In accordance with Art. 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The measures include in particular safeguarding the confidentiality, integrity and availability of data by controlling physical and logical access, input, transfer and separation. We also take the protection of personal data into account already during the development and selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default (Art. 25 GDPR).

Cooperation with processors and third parties

Where in the course of our processing we disclose data to other persons and companies (processors or third parties), transmit it to them or otherwise grant them access to the data, this is done only on the basis of legal permission, your consent, a legal obligation, or on the basis of our legitimate interests (e.g. when using web hosts). Where we commission third parties to process data, this is done on the basis of a data processing agreement pursuant to Art. 28 GDPR.

Transfers to third countries

Where we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this happens in the context of using third-party services, this is only done in order to fulfil our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation, or on the basis of our legitimate interests.

For transfers to the United States, since July 2023 we rely on the EU-US Data Privacy Framework (DPF) – adequacy decision of the European Commission of 10 July 2023 – provided that the respective provider is certified under the DPF (DPF list). Where a provider is not DPF-certified, we rely on the Standard Contractual Clauses (SCC) of the European Commission pursuant to Art. 46(2)(c) GDPR as an appropriate safeguard under Art. 44 ff. GDPR. The previously applicable „EU-US Privacy Shield" was declared invalid by the judgment of the CJEU of 16 July 2020 (C-311/18, „Schrems II") and is no longer a basis for transfers.

Rights of data subjects

You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about such data as well as further information and a copy of the data in accordance with Art. 15 GDPR.

You have, in accordance with Art. 16 GDPR, the right to request the completion of data concerning you or the correction of incorrect data concerning you.

You have, in accordance with Art. 17 GDPR, the right to demand that relevant data be deleted without delay, or alternatively, in accordance with Art. 18 GDPR, to demand restriction of the processing of the data.

You have the right to demand that data concerning you which you have provided to us be received in accordance with Art. 20 GDPR and to demand its transmission to other controllers.

You also have, pursuant to Art. 77 GDPR, the right to lodge a complaint with the competent supervisory authority.

Right of withdrawal

You have the right to withdraw consent given in accordance with Art. 7(3) GDPR with effect for the future.

Right to object

You may object to the future processing of data concerning you in accordance with Art. 21 GDPR at any time.

Cookies

We currently do not use any tracking or marketing cookies. Technically necessary cookies may be set when accessing our online offering, to the extent required for the operation of the site (e.g. language preference). The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the secure operation of the online offering). You can prevent the storage of cookies through your browser settings; this may lead to functional limitations.

Deletion of data

The data we process is deleted or its processing is restricted in accordance with Art. 17 and 18 GDPR as soon as it is no longer required for its purpose and the deletion does not conflict with statutory retention obligations. Data that must be retained for commercial or tax law reasons is stored in accordance with the statutory retention periods (in particular 10 years pursuant to § 147 AO, § 257 HGB).

Business-related processing

In addition, we process

  • Contract data (e.g., subject of contract, duration, customer category),
  • Payment data (e.g., bank details, payment history)

of our customers, prospective customers and business partners for the purpose of providing contractual services and for customer care.

Contact

When contacting us (e.g. by email or via social media), the user's information is processed for the purpose of handling the contact enquiry and its processing in accordance with Art. 6(1)(b) GDPR. We delete enquiries if they are no longer required; we review the necessity every two years. Statutory archiving obligations also apply.

Hosting via Vercel

Our online offering is hosted by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA (hereinafter „Vercel"). When you access our pages, Vercel collects connection data as part of the regular web server log (e.g. IP address, user agent, referrer, time of access). The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the secure and performant operation of the website). We have entered into a data processing agreement with Vercel including Standard Contractual Clauses; Vercel is additionally certified under the EU-US Data Privacy Framework. Further information: https://vercel.com/legal/privacy-policy.

Database hosting via Supabase

The content data of our film catalogue (titles, descriptions, geo coordinates, etc.) is stored and delivered via Supabase Inc., 970 Toa Payoh North, #07-04, Singapore, with infrastructure including in the United States. When accessing catalogue or detail pages, a request is triggered to the Supabase API, in the course of which connection data (in particular IP address) is processed. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the operation of the archive). Transfers to the USA are based on the Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR; where the specific provider is certified under the EU-US Data Privacy Framework, the adequacy decision of 10 July 2023 additionally applies. Further information: https://supabase.com/privacy.

CDN and video streaming via Cloudflare (planned)

For the delivery of static assets and — once activated — for the streaming of digitised films, we plan to use Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA. In doing so, Cloudflare processes users' connection data (in particular IP address, user agent, referrer). The legal basis is Art. 6(1)(f) GDPR. Cloudflare is certified under the EU-US Data Privacy Framework; the Standard Contractual Clauses additionally apply. Further information: https://www.cloudflare.com/privacypolicy/.

Integration of third-party services and content

Within our online offering we use map tiles by OpenStreetMap contributors, delivered via https://operations.osmfoundation.org/policies/tiles/. When accessing the map view, connection data (in particular IP address) is transmitted to the OpenStreetMap Foundation, St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom. The legal basis is Art. 6(1)(f) GDPR (provision of a geographical visualisation of the archive). For geocoding (one-time import), we used the https://nominatim.openstreetmap.org/ service of the OpenStreetMap Foundation.