Privacy Policy / Datenschutzerklärung

Tribitat Platform

Last Updated / Letzte Aktualisierung: December 19, 2025

1. Introduction

Welcome to Tribitat ("we," "our," or "us"). We are committed to protecting your privacy and ensuring your personal data is handled in compliance with applicable data protection laws, including:

  • EU General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
  • German Federal Data Protection Act (BDSG) - Bundesdatenschutzgesetz
  • Austrian Data Protection Act (DSG) - Datenschutzgesetz
  • Swiss Federal Act on Data Protection (FADP) - Bundesgesetz über den Datenschutz (revDSG/nDSG)

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at tribitat.com (the "Platform," "Site") and use our services, including reading stories and submitting your own content.

Important: Please read this Privacy Policy carefully. By using the Platform, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller and Contact Information

2.1 Data Controller

The data controller responsible for the processing of your personal data is:

Email: privacy@tribitat.com Website: https://www.tribitat.com

2.2 Data Protection Officer

We have not appointed a Data Protection Officer as we are not legally required to do so. For data protection inquiries, please contact privacy@tribitat.com.

3. Scope and Applicability

3.1 What This Policy Covers

This Privacy Policy applies to:

  • Personal data collected through tribitat.com
  • Data collected when you create an account
  • Data collected when you submit stories or other content
  • Data collected when you subscribe to our newsletter
  • Data collected through cookies and similar technologies
  • Data you provide when contacting us

3.2 What This Policy Does Not Cover

This Privacy Policy does not apply to:

  • Third-party websites linked from our Platform (see Section 12)
  • User-generated content published by other users
  • Data processing by third parties acting independently

4. Categories of Personal Data We Collect

4.1 Data You Provide Directly

Newsletter Subscription: When you subscribe to our newsletter, we collect:

  • Email address
  • Date and time of subscription
  • Subscription preferences

Story Submissions: When you submit a story, we collect:

  • Name or pseudonym (your choice)
  • Email address
  • Story content (text and/or images)
  • Submission date and time
  • Account credentials (if you create an account)

Account Creation: If you create an account, we collect:

  • Username or pseudonym
  • Email address
  • Password (stored in encrypted form)
  • Account creation date
  • Profile information (optional)

Contact and Support: If you contact us directly, we may collect:

  • Name
  • Email address
  • Phone number (if provided)
  • Message contents
  • Correspondence history

Comments and Feedback: If we offer commenting features, we collect:

  • Name or pseudonym
  • Email address
  • Comment content
  • Date and time of comment

4.2 Data Collected Automatically

Technical and Usage Data: When you visit and use the Platform, we automatically collect:

  • IP address
  • Browser type and version
  • Operating system
  • Device type and identifiers
  • Language preferences
  • Referring/exit pages and URLs
  • Pages viewed and time spent on pages
  • Date and time stamps
  • Clickstream data

Cookies and Similar Technologies: We use cookies and similar tracking technologies to collect:

  • Session identifiers
  • User preferences
  • Analytics data
  • Authentication tokens

See our Cookie Policy for detailed information about our use of cookies.

4.3 Data from Third Parties

Authentication Services: If we offer social login (e.g., Google, Facebook), we may receive:

  • Profile information from the authentication provider
  • Email address
  • Public profile data

Analytics Providers: We may receive aggregated, anonymized statistics from analytics services.

4.4 Special Categories of Personal Data

Generally Not Processed: We do not intentionally collect "special categories" of personal data (sensitive data) as defined under Article 9 GDPR, including:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data for identification purposes
  • Health data
  • Sex life or sexual orientation

User-Generated Content Exception: However, users may voluntarily include sensitive information in their story submissions. By publishing such content, you explicitly consent to its public disclosure. We strongly recommend NOT including sensitive personal data in your stories unless you explicitly wish it to be publicly accessible worldwide.

4.5 Pseudonymous and Anonymous Data

Pseudonymous Submissions: You may use a pseudonym or pen name when submitting stories. Even when you use a pseudonym, data associated with your account (email address, IP address) remains personal data subject to data protection laws.

Legal Clarification: Under GDPR Recital 26 and EDPB Guidelines, pseudonymous data is still personal data if it can be linked to an identifiable person using additional information (such as account credentials or IP addresses).

5. Purposes and Legal Bases for Processing

We process your personal data for the following purposes and on the following legal bases:

5.1 Service Provision and Contract Performance

Legal Basis: Article 6(1)(b) GDPR / Article 6(2)(a) FADP - Performance of contract

Purposes:

  • Creating and managing your user account
  • Publishing your submitted stories on the Platform
  • Delivering content you request
  • Enabling you to read stories
  • Authenticating your identity
  • Processing and responding to your inquiries

Data Processed: Username, email address, submitted content, account credentials, correspondence

Retention Period: Duration of your account + 2 years for contract documentation

5.2 Newsletter and Marketing Communications

Legal Basis: Article 6(1)(a) GDPR - Consent / Article 6(2)(a) FADP - Consent

Purposes:

  • Sending you our newsletter
  • Notifying you about new features
  • Sharing curated content recommendations
  • Marketing communications (with your consent)

Data Processed: Email address, subscription preferences, engagement data (opens, clicks)

Retention Period: Until you unsubscribe or withdraw consent + 3 years for consent documentation

Withdrawal: You may withdraw consent and unsubscribe at any time using the unsubscribe link in every email or by contacting privacy@tribitat.com.

5.3 Platform Security and Fraud Prevention

Legal Basis: Article 6(1)(f) GDPR - Legitimate Interest / Article 6(2)(f) FADP - Legitimate Interest

Purposes:

  • Detecting and preventing fraud, abuse, and malicious activity
  • Protecting the Platform from security threats
  • Enforcing our Terms of Service
  • Preventing spam and automated abuse
  • Investigating violations of our policies

Legitimate Interests: Protecting the security and integrity of our Platform, protecting our legal interests, protecting other users from harm

Data Processed: IP addresses, device information, usage patterns, account activity logs, submitted content flagged as suspicious

Retention Period:

  • Server logs: 14 days
  • Security incident records: 3 years
  • Banned user data: 5 years

Balancing Test: Our legitimate interest in Platform security outweighs the limited impact on your privacy from processing technical data for security purposes. You have the right to object (see Section 9.6).

5.4 Legal Compliance and Legal Claims

Legal Basis: Article 6(1)(c) GDPR - Legal Obligation / Article 6(1)(f) GDPR - Legitimate Interest / Article 6(2)(b-c) FADP - Legal Obligation/Legitimate Interest

Purposes:

  • Complying with legal obligations (e.g., tax law, commercial law)
  • Responding to lawful requests from authorities
  • Establishing, exercising, or defending legal claims
  • Complying with court orders and regulatory requirements

Data Processed: All data categories as necessary for compliance

Retention Period: As required by applicable law (typically 6-10 years for commercial records under German HGB/AO)

5.5 Analytics and Platform Improvement

Legal Basis: Article 6(1)(a) GDPR - Consent (for non-essential analytics) / Article 6(1)(f) GDPR - Legitimate Interest (for essential analytics)

Purposes:

  • Understanding how users interact with the Platform
  • Identifying technical issues and bugs
  • Improving user experience
  • Developing new features
  • Generating aggregate statistics

Legitimate Interests: Improving our service quality, understanding user needs, optimizing Platform performance

Data Processed: Usage data, technical data, aggregated/anonymized statistics

Retention Period: Raw analytics data: 26 months; Aggregated data: indefinitely

Balancing Test: Our legitimate interest in improving the Platform is balanced against minimal privacy impact through data minimization and anonymization where possible.

Opt-Out: You may opt out of non-essential analytics by adjusting your cookie preferences (see Cookie Policy).

5.6 Content Moderation and Compliance

Legal Basis: Article 6(1)(c) GDPR - Legal Obligation / Article 6(1)(f) GDPR - Legitimate Interest

Purposes:

  • Moderating user-submitted content for legal compliance
  • Responding to notices of illegal content (DSA Article 16)
  • Removing content that violates our Terms of Service
  • Preventing illegal activity on the Platform
  • Maintaining records for transparency reporting

Legitimate Interests: Complying with Digital Services Act obligations, preventing illegal content distribution, protecting user safety

Data Processed: Submitted content, user identifiers, moderation decisions, complaint records, notices received

Retention Period: 3 years for moderation records (DSA compliance)

6. Recipients and Disclosure of Personal Data

6.1 Internal Access

Personal data is accessed internally only by employees and contractors who need it to perform their duties, including:

  • Technical staff for Platform operation and maintenance
  • Content moderators for compliance review
  • Customer support for responding to inquiries

All personnel are bound by confidentiality obligations.

6.2 Service Providers and Processors

We share personal data with third-party service providers who process data on our behalf:

Hosting and Infrastructure:

  • Provider: Cloudflare
  • Service: Web hosting, database, file storage
  • Location: United States, European Union
  • Data Processed: All data categories
  • Safeguards: Data Processing Agreement, Standard Contractual Clauses (if outside EU)

Email Services:

  • Provider: Cloudflare
  • Service: Newsletter delivery, transactional emails
  • Location: United States, European Union
  • Data Processed: Email addresses, names, engagement data

Analytics Services:

  • Provider: Google Analytics, Cloudflare Analytics
  • Service: Website analytics
  • Location: United States, European Union
  • Data Processed: IP addresses (anonymized), usage data, technical data
  • Safeguards: IP anonymization, Data Processing Agreement, cookie consent

Content Delivery Network (CDN):

  • Provider: Cloudflare
  • Service: Content delivery, DDoS protection
  • Location: Worldwide
  • Data Processed: IP addresses, request data
  • Safeguards: Data Processing Agreement

All service providers are contractually bound to:

  • Process data only according to our instructions
  • Implement appropriate security measures
  • Maintain confidentiality
  • Assist with data subject rights requests
  • Delete or return data when services end

6.3 Legal Disclosures

We may disclose personal data to:

Law Enforcement and Authorities: When required by law or legal process, including:

  • Court orders and subpoenas
  • Regulatory investigations
  • Law enforcement requests (when legally valid)
  • National security requests (where applicable)

Legal Actions: When necessary to:

  • Establish, exercise, or defend legal claims
  • Protect our rights, property, or safety
  • Protect the rights, property, or safety of others
  • Prevent fraud or illegal activity

Public Authorities: We may report content to authorities as required under the Digital Services Act, including:

  • Suspected criminal offenses
  • Threats to public security
  • Child sexual abuse material (CSAM)

6.4 Business Transfers

If Tribitat is involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction, your personal data may be transferred to the successor entity. We will:

  • Notify you via email and Platform notice
  • Ensure the successor is bound by this Privacy Policy or an equivalent
  • Provide you the opportunity to delete your data before transfer (subject to legal limitations)

6.5 Public Disclosure

User-Generated Content: Content you submit and publish on the Platform becomes publicly accessible worldwide, including:

  • Story text and titles
  • Images you upload
  • Your chosen name or pseudonym
  • Publication date

Important: Do NOT include personal data in your published stories that you wish to remain private. Published content may be:

  • Viewed by anyone on the internet
  • Indexed by search engines (Google, Bing, etc.)
  • Archived by third parties (Internet Archive, etc.)
  • Shared on social media
  • Republished or quoted by third parties

6.6 No Sale of Personal Data

We do not sell your personal data to third parties. We do not engage in:

  • Sale of email lists
  • Sale of user profiles
  • Data brokerage
  • Selling personal data for advertising purposes

7. International Data Transfers

7.1 EU/EEA Transfers

Intra-EU Transfers: Data transferred within the European Union or EEA benefits from GDPR protections in all member states. No additional safeguards are required.

7.2 Transfers to the United States

EU-US Data Privacy Framework: For transfers to US service providers, we rely on the EU-US Data Privacy Framework (adequacy decision adopted July 10, 2023) for companies certified under the Framework.

Verification: You can verify certifications at https://www.dataprivacyframework.gov/list

Standard Contractual Clauses: For US service providers not covered by the DPF, we use EU Standard Contractual Clauses (2021 modules) adopted by the European Commission Decision 2021/914.

Transfer Impact Assessment: We have conducted Transfer Impact Assessments (TIAs) for all non-adequacy transfers, evaluating:

  • Laws in the recipient country
  • Technical and organizational safeguards
  • Additional protective measures
  • Practical access to data by authorities

7.3 Transfers to Switzerland

Swiss-US Data Privacy Framework: For transfers from Switzerland to the US, we rely on the Swiss-US Data Privacy Framework (adequacy recognized by Switzerland effective September 15, 2024) for certified companies.

Standard Contractual Clauses: For transfers not covered by adequacy, we use Swiss Standard Contractual Clauses or EU Standard Contractual Clauses recognized by Swiss authorities.

7.4 Transfers to Other Countries

For transfers to countries without an adequacy decision, we implement appropriate safeguards:

Standard Contractual Clauses:

  • EU Standard Contractual Clauses (2021)
  • Supplementary measures identified through Transfer Impact Assessments

Binding Corporate Rules: [If applicable to your service providers]

Certified Codes of Conduct or Certification Mechanisms: [If applicable]

7.5 Your Rights Regarding Transfers

You have the right to:

  • Obtain information about safeguards in place for transfers
  • Request a copy of Standard Contractual Clauses
  • Object to transfers to specific countries

Contact privacy@tribitat.com to exercise these rights.

8. Data Security

8.1 Technical and Organizational Measures

We implement appropriate technical and organizational security measures to protect personal data against:

  • Unauthorized access
  • Accidental loss
  • Destruction or damage
  • Unauthorized disclosure
  • Alteration

Technical Measures:

  • Encryption in transit (TLS/SSL)
  • Encryption at rest for sensitive data
  • Secure password storage (hashing and salting)
  • Regular security updates and patches
  • Firewall and intrusion detection systems
  • Access controls and authentication
  • Regular backups with encryption
  • Secure development practices

Organizational Measures:

  • Access restricted to authorized personnel only
  • Confidentiality agreements for all staff
  • Security awareness training
  • Incident response procedures
  • Regular security audits
  • Data minimization principles
  • Privacy by design and by default

8.2 Data Breach Notification

GDPR Obligations (Articles 33-34): In the event of a personal data breach likely to result in a risk to your rights and freedoms:

  • We will notify the competent supervisory authority within 72 hours of becoming aware of the breach
  • We will notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms

Swiss FADP Obligations: Under Swiss law, we will notify the Federal Data Protection and Information Commissioner (FDPIC) of data breaches "as soon as possible" when they are likely to result in a high risk.

Notification Contents: Breach notifications will include:

  • Nature of the breach
  • Categories and approximate number of affected individuals
  • Likely consequences
  • Measures taken or proposed to mitigate harm
  • Contact point for further information

8.3 Limitation of Security

While we strive to protect your personal data, no method of transmission or storage is 100% secure. The internet has inherent security risks that we cannot fully eliminate. You use the Platform at your own risk.

Your Responsibilities:

  • Keep your account credentials confidential
  • Use strong, unique passwords
  • Log out after using shared devices
  • Report suspicious activity immediately
  • Do not share sensitive information in public content

9. Your Data Protection Rights

9.1 Overview of Rights

Under GDPR, BDSG, DSG, and FADP, you have the following rights regarding your personal data:

  • Right to Information - Right to be informed about data processing - Article 13-14 GDPR
  • Right of Access - Right to obtain confirmation and copies of your data - Article 15 GDPR / Article 25 FADP
  • Right to Rectification - Right to correct inaccurate data - Article 16 GDPR / Article 32 FADP
  • Right to Erasure - Right to deletion ("right to be forgotten") - Article 17 GDPR / Article 32 FADP
  • Right to Restriction - Right to limit processing - Article 18 GDPR
  • Right to Data Portability - Right to receive data in structured format - Article 20 GDPR / Article 28 FADP
  • Right to Object - Right to object to processing - Article 21 GDPR / Article 30 FADP
  • Rights Related to Automated Decision-Making - Right not to be subject to solely automated decisions - Article 22 GDPR / Article 21 FADP

9.2 Right of Access (Article 15 GDPR / Article 25 FADP)

You have the right to obtain:

  • Confirmation of whether we process your personal data
  • Access to your personal data
  • Information about processing purposes, categories, recipients, retention periods, and your rights

How to Exercise: Submit a request to privacy@tribitat.com with the subject line "Data Access Request."

Response Time:

  • GDPR: Within 1 month (extendable by 2 months for complex requests)
  • Swiss FADP: Within 30 days (extendable by 30 days)

Format: We will provide data in a commonly used electronic format (PDF or CSV).

Cost: The first copy is free. We may charge a reasonable fee for additional copies or manifestly unfounded/excessive requests.

Verification: We may request additional information to verify your identity before providing access.

9.3 Right to Rectification (Article 16 GDPR / Article 32 FADP)

You have the right to:

  • Correct inaccurate personal data
  • Complete incomplete personal data

How to Exercise:

  • Update your account information directly in your account settings
  • Contact privacy@tribitat.com for data you cannot update yourself

Response Time: Within 1 month of receiving your request.

Notification: We will notify recipients of rectifications unless impossible or involving disproportionate effort.

9.4 Right to Erasure / "Right to Be Forgotten" (Article 17 GDPR / Article 32 FADP)

You have the right to request deletion of your personal data when:

  • Data is no longer necessary for the purposes collected
  • You withdraw consent (where consent is the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • Data has been unlawfully processed
  • Legal obligation requires deletion
  • Data was collected from a child (under 16)

Limitations - We May Refuse Erasure When:

Freedom of Expression and Information (Article 17(3)(a) GDPR): Published stories may qualify as freedom of expression and information. We will conduct a balancing test considering:

  • Public interest in the content
  • Factual accuracy vs. privacy impact
  • Time elapsed since publication
  • Whether you are a public figure
  • Whether you are the author or a third party mentioned in the story

Legal Obligations (Article 17(3)(b) GDPR):

  • Legal retention requirements (e.g., tax law, commercial law)
  • Regulatory compliance obligations

Legal Claims (Article 17(3)(e) GDPR):

  • Data needed to establish, exercise, or defend legal claims

Legitimate Interests (Article 17(3)(f) GDPR):

  • Fraud prevention records
  • Security incident documentation

How to Exercise: Contact privacy@tribitat.com with the subject line "Erasure Request" and specify:

  • The data you wish to delete
  • The reason for your request
  • Whether you are the author of published content or a third party mentioned

Response Time: Within 1 month.

Outcome:

  • If we comply: We will confirm deletion and notify recipients (where feasible)
  • If we refuse: We will explain our grounds for refusal and inform you of your right to complaint and judicial remedy

9.5 Right to Restriction of Processing (Article 18 GDPR)

You have the right to restrict processing when:

  • You contest the accuracy of data (during verification)
  • Processing is unlawful but you oppose erasure
  • We no longer need the data but you need it for legal claims
  • You have objected to processing (pending verification of legitimate grounds)

Effect of Restriction: Restricted data will be:

  • Stored but not further processed (except with your consent)
  • Processed only for legal claims
  • Processed only to protect others' rights

How to Exercise: Contact privacy@tribitat.com.

9.6 Right to Object (Article 21 GDPR / Article 30 FADP)

Objection to Legitimate Interest Processing (Article 21(1)): You have the right to object to processing based on legitimate interests (Article 6(1)(f) GDPR).

Effect: We must cease processing unless we demonstrate:

  • Compelling legitimate grounds that override your interests, rights, and freedoms
  • Processing is necessary for legal claims

Objection to Direct Marketing (Article 21(2-3)): You have an absolute right to object to processing for direct marketing purposes. We will immediately cease such processing.

How to Exercise:

  • Direct marketing: Use unsubscribe link in emails
  • Other purposes: Contact privacy@tribitat.com specifying your grounds for objection

9.7 Right to Data Portability (Article 20 GDPR / Article 28 FADP)

You have the right to:

  • Receive personal data you provided to us in a structured, commonly used, machine-readable format (JSON, CSV, XML)
  • Transmit that data to another controller

Conditions:

  • Applies only to data you provided
  • Processing is based on consent or contract
  • Processing is carried out by automated means

How to Exercise: Contact privacy@tribitat.com with the subject line "Data Portability Request."

Format: We will provide data in JSON or CSV format.

9.8 Right to Withdraw Consent

Where processing is based on consent (Article 6(1)(a) GDPR), you have the right to withdraw consent at any time.

Effect: Withdrawal does not affect the lawfulness of processing before withdrawal.

How to Exercise:

  • Newsletter: Click unsubscribe in any email
  • Cookie consent: Adjust cookie preferences
  • Other consent: Contact privacy@tribitat.com

9.9 Automated Decision-Making and Profiling (Article 22 GDPR / Article 21 FADP)

No Solely Automated Decisions: We do not make decisions based solely on automated processing (including profiling) that produce legal effects or similarly significantly affect you.

Limited Automated Processing: We may use limited automated tools for:

  • Spam detection
  • Content moderation (supplemented by human review)
  • Analytics (aggregated, non-individualized)

Your Right: If we introduce solely automated decision-making, you will have the right to:

  • Obtain human intervention
  • Express your point of view
  • Contest the decision

9.10 Exercising Your Rights

How to Submit Requests: Email: privacy@tribitat.com Subject Line: [Specify right, e.g., "Access Request," "Erasure Request"] Include:

  • Your name and email address
  • Description of your request
  • Verification information (to confirm your identity)

Response Time:

  • GDPR/German/Austrian law: Within 1 month (extendable by 2 months for complex requests)
  • Swiss FADP: Within 30 days (extendable by 30 days)

No Cost: Exercising your rights is generally free. We may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests.

Identity Verification: To protect your privacy, we will verify your identity before processing requests. We may ask for:

  • Account credentials
  • Government-issued ID (for sensitive requests)
  • Additional verification information

Language: You may submit requests in English, German, or French.

10. Right to Lodge a Complaint

If you believe we have violated data protection laws, you have the right to lodge a complaint with a supervisory authority.

10.1 EU/EEA Supervisory Authorities

Germany - Federal Commissioner: Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) Graurheindorfer Str. 153 53117 Bonn, Germany Phone: +49 228 997799-0 Email: poststelle@bfdi.bund.de Website: https://www.bfdi.bund.de

Germany - State Authorities: Depending on your location in Germany, you may also contact your state (Land) data protection authority. A full list is available at: https://www.bfdi.bund.de/EN/Service/Anschriften/Laender/Laender-node.html

Austria: Österreichische Datenschutzbehörde (DSB) Barichgasse 40-42 1030 Vienna, Austria Phone: +43 1 52 152-0 Email: dsb@dsb.gv.at Website: https://www.dsb.gv.at

10.2 Swiss Supervisory Authority

Switzerland: Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB/FDPIC) Federal Data Protection and Information Commissioner Feldeggweg 1 3003 Bern, Switzerland Phone: +41 58 462 43 95 Email: info@edoeb.admin.ch Website: https://www.edoeb.admin.ch

10.3 Right to Judicial Remedy

In addition to lodging a complaint with a supervisory authority, you have the right to an effective judicial remedy:

  • Against a supervisory authority decision (Article 78 GDPR)
  • Against us for violations of data protection rights (Article 79 GDPR)

You may bring proceedings in the courts of:

  • The EU member state where you habitually reside
  • The EU member state where you work
  • The EU member state where the alleged infringement occurred

11. Data Retention

11.1 General Retention Principles

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is:

  • Required by law
  • Necessary for establishing, exercising, or defending legal claims

11.2 Specific Retention Periods

Active User Accounts:

  • Account data: Duration of account + 2 years after account closure
  • Rationale: Contract performance, legal claims defense

Published User Stories:

  • Story content: User-controlled or indefinite (subject to erasure requests balanced against freedom of expression)
  • Metadata (author, publication date): Linked to story content
  • Rationale: Freedom of expression, legitimate interest in maintaining platform content

Deleted Accounts:

  • Personal data: Deleted within 30 days of account closure request
  • Exception: Data subject to legal retention or legal claims defense
  • Rationale: Data minimization, no further purpose

Newsletter Subscriptions:

  • Active subscribers: Until unsubscribe
  • Unsubscribed users: Deleted immediately, except email address retained on suppression list (to prevent re-subscription)
  • Consent records: 3 years after unsubscribe
  • Rationale: Accountability, proof of consent

Server and Access Logs:

  • Retention: 7-14 days
  • Rationale: Security, debugging, fraud prevention
  • Legal basis: Legitimate interest

Analytics Data:

  • Raw data: 26 months (Google Analytics default)
  • Aggregated data: Indefinitely (fully anonymized)
  • Rationale: Platform improvement, no identifiability after anonymization

Copyright and Content Moderation Records:

  • Retention: 3 years
  • Rationale: DSA transparency obligations, legal claims defense

Commercial Records (if applicable):

  • Invoices, payment records: 10 years (German HGB §257, AO §147)
  • Contracts: 6 years after contract end
  • Rationale: Legal obligation (tax law, commercial law)

Security Incident Records:

  • Retention: 3 years
  • Rationale: Security analysis, legal claims

Banned User Records:

  • Retention: 5 years
  • Rationale: Fraud prevention, Terms enforcement

Deletion Request Records:

  • Retention: 6 years
  • Rationale: Defense of legal claims, proof of compliance

11.3 Deletion After Retention Period

Upon expiration of retention periods:

  • Automated deletion: Data is automatically deleted by system processes
  • Manual review: Some categories may require manual deletion verification
  • Backup deletion: Data is deleted from backups during next backup rotation cycle (typically within 90 days)

11.4 Archival

In exceptional cases, we may archive data beyond standard retention periods when:

  • Required for defense of specific legal proceedings
  • Subject to legal hold or preservation order
  • Essential for establishing legitimate historical record

Archived data is restricted from routine access and processing.

12. Cookies and Tracking Technologies

12.1 Overview

We use cookies and similar tracking technologies. For comprehensive information about:

  • Types of cookies we use
  • Purposes of each cookie
  • How to manage cookie preferences
  • Third-party cookies

Please see our separate Cookie Policy at [tribitat.com/cookies].

12.2 Legal Basis for Cookies

Essential Cookies:

  • Legal Basis: Article 6(1)(f) GDPR - Legitimate Interest / TTDSG §25(2) exception
  • No Consent Required: Strictly necessary cookies for service provision

Non-Essential Cookies:

  • Legal Basis: Article 6(1)(a) GDPR - Consent / German TTDSG §25(1)
  • Consent Required: Prior explicit consent via cookie banner

12.3 German TTDSG Compliance

Under the German Telecommunications Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz - TTDSG) effective since December 1, 2021:

Section 25 TTDSG - Terminal Equipment:

  • Prior consent required for storing or accessing information on user devices (including cookies), except where strictly necessary
  • Consent must be freely given, specific, informed, and unambiguous
  • "Reject All" must be equally prominent as "Accept All" (Cologne OLG ruling, January 2024)
  • Continued browsing does NOT constitute consent
  • Pre-ticked boxes are prohibited

12.4 Managing Cookies

Cookie Consent Banner: When you first visit our site, a cookie consent banner allows you to:

  • Accept all cookies
  • Reject all non-essential cookies
  • Customize cookie preferences by category

Cookie Preference Center: Access at any time: [tribitat.com/cookies] or footer link "Cookie Settings"

Browser Settings: You may also manage cookies through your browser settings:

  • Chrome: Settings > Privacy and Security > Cookies
  • Firefox: Settings > Privacy & Security > Cookies
  • Safari: Preferences > Privacy > Cookies
  • Edge: Settings > Privacy > Cookies

Effect of Rejection: Rejecting non-essential cookies may affect:

  • Personalized content recommendations
  • Analytics (we cannot improve user experience)
  • Some functionality (depends on implementation)

13. Third-Party Links and Services

13.1 External Links

The Platform may contain links to third-party websites, services, or resources not operated by Tribitat.

No Responsibility: We are not responsible for:

  • Privacy practices of third-party sites
  • Content of external websites
  • Data processing by third parties

Recommendation: Before providing personal data to third parties, review their privacy policies.

13.2 Social Media Plugins

[If you use social media plugins:] We may use social media plugins (e.g., Facebook Like, Twitter Share). These plugins may:

  • Transmit data to social networks when you visit our pages (even if you don't click)
  • Set cookies
  • Track your browsing behavior

Control: You can prevent this by:

  • Using browser extensions that block social plugins
  • Logging out of social networks before visiting our site
  • Adjusting privacy settings in your social network accounts

13.3 Embedded Content

User stories may contain embedded content from third-party platforms (e.g., YouTube videos, Twitter posts). These embeds:

  • Are controlled by third parties
  • May collect data according to their privacy policies
  • May set cookies

14. Children's Privacy

14.1 Age Restriction

Our Platform is intended for users aged 16 and older. We do not knowingly collect personal data from children under 16.

GDPR Standard: Article 8 GDPR sets age of consent for information society services at 16 (member states may lower to 13).

Our Policy: We require all users to be at least 16 years old.

14.2 Parental Consent

If we become aware that we have collected personal data from a child under 16 without parental consent:

  • We will take steps to delete the information as soon as possible
  • We will terminate the account
  • We will notify the supervisory authority if required

14.3 Reporting

If you believe we have collected data from a child under 16, please contact: privacy@tribitat.com

15. Changes to This Privacy Policy

15.1 Right to Modify

We may update this Privacy Policy from time to time to reflect:

  • Changes in applicable laws or regulations
  • Changes in our data processing practices
  • Introduction of new features or services
  • Clarification of existing practices
  • Feedback from supervisory authorities

15.2 Notification of Changes

Material Changes: For material changes that adversely affect your rights, we will notify you by:

  • Email to your registered email address (at least 30 days in advance)
  • Prominent notice on the Platform homepage
  • Pop-up notification upon login

Non-Material Changes: For minor clarifications or non-substantive updates:

  • Updated "Last Updated" date at the top of this policy
  • Notice on the Platform

15.3 Review

We recommend reviewing this Privacy Policy periodically. The "Last Updated" date at the top indicates the most recent revision.

15.4 Continued Use

Continued use of the Platform after changes become effective constitutes acceptance of the revised Privacy Policy.

Right to Object: If you do not agree with changes, you may:

  • Stop using the Platform
  • Delete your account
  • Exercise your right to erasure (subject to limitations in Section 9.4)

16. Additional Information for Specific Jurisdictions

16.1 EU/EEA Residents (GDPR)

Legal Bases Summary:

  • Contract performance: Article 6(1)(b) GDPR
  • Consent: Article 6(1)(a) GDPR
  • Legitimate interests: Article 6(1)(f) GDPR
  • Legal obligations: Article 6(1)(c) GDPR

EU Representative: [If applicable - see Section 2.3]

Cross-Border Processing: We process data from multiple EU member states. The lead supervisory authority is [specify if known, or state it will be determined based on main establishment].

16.2 German Residents (GDPR + BDSG)

Additional Rights Under BDSG:

  • Right to information about data processing for scientific research (§27 BDSG)
  • Rights regarding automated individual decision-making (§37 BDSG)

Supervisory Authority: BfDI (Federal) or your state authority - see Section 10.1

Language: This Privacy Policy is available in English and German.

16.3 Austrian Residents (GDPR + DSG)

Supervisory Authority: Österreichische Datenschutzbehörde - see Section 10.1

Specific Provisions: Austrian residents benefit from GDPR protections. The Austrian DSG supplements GDPR with specific provisions for Austrian public authorities and certain processing activities.

Language: This Privacy Policy is available in English and German.

16.4 Swiss Residents (FADP)

Applicable Law: Swiss Federal Act on Data Protection (revDSG/nDSG) effective September 1, 2023

Key Differences from GDPR:

  • Legal bases: Processing generally permitted unless it violates personality rights; specific legal basis required only when infringement occurs
  • Data Protection Officer: Voluntary (not mandatory)
  • Breach notification: "As soon as possible" (no fixed 72-hour deadline)
  • Penalties: Criminal fines up to CHF 250,000 against responsible individuals (not companies)
  • Data portability: Right to receive data at no cost (Article 28 FADP)

Supervisory Authority: FDPIC (Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter) - see Section 10.2

Swiss Representative: [If applicable - see Section 2.4]

Cross-Border Transfers: Switzerland recognizes:

  • EU/EEA as adequate
  • Countries with EU adequacy decisions (including US under Swiss-US DPF)
  • UK after Brexit transition

For other transfers, we use Standard Contractual Clauses.

Language: This Privacy Policy is available in English, German, and French [if applicable].

17. Contact Us

17.1 Data Protection Inquiries

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

Email: privacy@tribitat.com Subject Line: "Privacy Inquiry" or specify your request type

17.2 Data Subject Rights Requests

To exercise your data protection rights (access, rectification, erasure, etc.):

Email: privacy@tribitat.com Subject Line: "Access Request," "Erasure Request"

See Section 9 for detailed information about your rights and how to exercise them.

17.3 Security Incidents

To report a security vulnerability or data breach:

Email: legal@tribitat.com Subject Line: "Security Incident Report"

17.4 Response Time

We will respond to your inquiries within:

  • Privacy questions: 5 business days
  • Data subject rights requests: 1 month (GDPR) or 30 days (FADP)
  • Security incidents: 24 hours (acknowledgment)

18. Definitions

Personal Data / Personal Information: Any information relating to an identified or identifiable natural person. Includes name, email address, IP address, pseudonymous identifiers linked to you, and other data that can identify you directly or indirectly.

Processing: Any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, transmission, erasure, or destruction.

Controller: The entity that determines the purposes and means of processing personal data. Tribitat is the controller for data processed through the Platform.

Processor: An entity that processes personal data on behalf of a controller. Our service providers act as processors.

Consent: Any freely given, specific, informed, and unambiguous indication of your wishes by which you signify agreement to processing of your personal data.

Legitimate Interest: A legal basis for processing when necessary for the legitimate interests of the controller or third party, except where overridden by your fundamental rights and freedoms.

Supervisory Authority: An independent public authority established by an EU member state (or Switzerland) to monitor compliance with data protection law.

Data Subject: An identified or identifiable natural person whose personal data is processed.

Last Updated: December 19, 2025 Version: 1.1