As of: 1 April 2026
Note: This English version is provided for informational purposes only. In the event of any discrepancy between the German and English versions, the German version shall prevail.
---
1. Data Controller (Verantwortlicher)
The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR / DSGVO) is:
Kiel Dawn Patrol e. V.
c/o Velostyle
Grasweg 8
24118 Kiel
Germany
Represented by the board of directors (Vorstand): Robin Feder, Marie-Luise Stamm, Jann Tegge
Email: moin@kieldawnpatrol.cc
---
2. Subject of this Privacy Policy
This Privacy Policy applies to the app "kieldawnpatrol.cc" (hereinafter "App"), which serves as a community platform for the organisation and management of group cycling rides. It serves the Verein in particular as a tool for maintaining participant lists for insurance purposes.
Use of the App does not constitute membership in the Verein. The App is open to Verein members and guest riders alike.
The App is intended for persons who have reached the age of 16. For minors under the age of 16, the consent of a parent or legal guardian is required pursuant to Art. 8(1) GDPR.
This Privacy Policy informs you about which personal data we collect, for what purposes we process it, to whom it may be disclosed, and what rights you have.
---
3. What Data We Collect
3.1 Profile Data (upon registration)
- First and last name (real name, see § 4 of the Terms of Use / Klarnamenpflicht)
- Email address
Authentication is passwordless via one-time links or one-time codes (Magic Link / OTP). No passwords are stored.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
3.2 Participation Data (upon registering for rides)
- First and last name
- Date and name of the ride
- Participation status (registered / cancelled) — temporary only, during the active planning phase
The participation status serves solely for organisational purposes before and during the ride. No later than the end of the event day, the data is archived. Upon archiving, only the data of registered participants is retained (first and last name and date of the ride). Data of cancelled participants is not carried over to the archive and is therefore deleted.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest of the Verein in documenting insurance coverage).
3.3 Social Connections (Friend Feature)
- Connection status between two users (mutual confirmation required)
Legal basis: Art. 6(1)(a) GDPR (consent through mutual confirmation of the friend request).
3.4 Ride Statistics
A personal ride statistics record is generated from the participation data, which is accessible exclusively to you. The Verein does not disclose this data to third parties. You may share your statistics with third parties at your own discretion.
3.5 Profile Picture (optional)
Users may voluntarily upload a profile picture. Uploading a profile picture is not mandatory.
The visibility of the profile picture depends on the user's role:
- Users: The profile picture is only visible to persons with whom a confirmed friend connection exists (see Section 3.3).
- Guides: In addition to the visibility for friends, the profile picture is visible to all registered users who participate in a ride to which the person is assigned as Guide.
Legal basis: Art. 6(1)(a) GDPR (consent through the active upload of the image). Consent may be withdrawn at any time by removing the profile picture in the App settings.
3.7 Push Subscription Data (upon enabling push notifications)
When you enable push notifications, the following data is stored per device or browser:
- Endpoint URL (a unique address generated by the browser for message delivery)
- Cryptographic keys (p256dh and auth — for encrypting push messages)
- Time of registration
Additionally, your language preference (German/English) is stored in your user preferences so that notifications are sent in your chosen language.
Multiple push subscriptions may exist per user (one per device/browser).
Legal basis: Art. 6(1)(a) GDPR (consent through active enablement of the push feature). Consent may be withdrawn at any time by disabling push notifications in the App settings or in your device settings.
3.8 Technical Data
The following technical data is automatically collected when using the App:
- IP address (for securing the connection, deleted after no more than 7 days)
- Device type and operating system
- Time of access
This data is not linked to your user profile and is used exclusively for the technical provision and security of the App. Personal technical data (in particular IP addresses) is deleted after no more than 7 days.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure provision of the App).
---
4. Visibility of Your Data (Who Sees What?)
| Data type | Visible to | Purpose |
|---|---|---|
| Profile data (name, email) | Only you and Administrators | Account management |
| Participant list of a ride | Administrators, the assigned Guide of the ride | Safety, coordination, insurance |
| Friend status & friends' participation | Only mutually connected users | Social interaction |
| Profile picture (User) | Only mutually connected users (friends) | Social interaction |
| Profile picture (Guide) | All participants of the respective ride | Guide identification |
| Ride statistics | Only you | Personal analysis |
| Name of a ride's Guide | All participants of the respective ride | Transparency |
All Guides and Administrators are contractually bound to data confidentiality (see Section 8).
---
5. Retention Period and Deletion
5.1 Profile Data
Your profile data (email address, other profile information) will be immediately and completely deleted upon deletion of your account.
5.2 Participation Data (Insurance Archive)
Your participation data (first and last name and date of the ride) will be retained for insurance purposes for a period of 3 years from the date of the respective ride. After expiry of this period, the data will be automatically and irreversibly deleted.
This retention applies even if you delete your account prematurely. The legal basis for this is Art. 17(3)(b) GDPR (compliance with a legal obligation) in conjunction with the legitimate interest of the Verein in documenting insurance coverage.
In the event of a deleted account, the archived participation data will be restricted — it may only be used for the purpose of verifying insurance coverage.
5.3 Profile Picture
Your profile picture can be removed at any time in the App settings and will be immediately and completely deleted upon deletion of your account.
5.4 Ride Statistics
Your personal ride statistics will be removed immediately upon deletion of your account. After deletion, access to the statistics via the App is no longer possible.
5.5 Friend Connections
These are deleted immediately upon account deletion or upon dissolution of the friendship.
5.6 Push Subscriptions and Delivery Logs
Push subscription data (endpoint URL, cryptographic keys) is deleted when:
- you disable push notifications in the App,
- the browser push service reports that the subscription is no longer valid (e.g. upon browser uninstallation or revocation of notification permissions), or
- you delete your account (automatic deletion).
Delivery logs (sent_notifications) serve solely to prevent duplicate notifications and are automatically deleted upon account deletion. They do not contain message content.
5.7 Technical Backups
To safeguard against data loss (e.g. due to technical failures), automated daily backups of the database are created. The backups are stored in encrypted form in an S3-compatible storage service provided by IONOS SE (the same data processor as the hosting, see Section 6.1) within the European Union.
Backups are automatically deleted after no more than 14 days (rotation). This means that if you delete your account or rectify data, this data may persist in existing backups for up to 14 days until the respective backup is overwritten as part of the regular rotation cycle. Backups serve exclusively for disaster recovery and are not used for any other purpose. Individual deletion within backups is technically not feasible and, in accordance with the established practice of data protection supervisory authorities, is not required provided the retention period is proportionate.
In the exceptional event that a restoration from a backup is required, all account deletions that occurred between the time of the backup and the incident will be promptly re-executed based on deletion logs.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring the availability and integrity of data pursuant to Art. 32(1)(c) GDPR).
---
6. Recipients and Data Processors (Auftragsverarbeiter)
6.1 Hosting
The App is hosted by IONOS SE (Montabaur, Germany). IONOS processes the data on our behalf on servers within the European Union. A Data Processing Agreement (Auftragsverarbeitungsvertrag / AVV) pursuant to Art. 28 GDPR has been concluded.
6.2 Email Delivery
For sending emails (e.g. one-time login links, confirmations) we use the email service provided by IONOS SE (the same data processor as the hosting, see Section 6.1). Processing takes place on servers within the European Union. No transfer to third countries takes place.
6.3 No Disclosure to Other Third Parties
Your data will not be disclosed to other third parties unless this is strictly necessary for the settlement of an insurance claim or we are legally obliged to do so (e.g. by order of a public authority).
6.4 External Links (in particular Komoot)
The App contains links to external websites and services, in particular to route suggestions on Komoot (Komoot GmbH, Potsdam, Germany). When you click on such a link, you leave the Verein's area of responsibility. The Verein does not transmit any personal data to the respective third-party provider. However, your browser will by default send data to the operator of the external site upon access (in particular your IP address and the referrer header).
The operators of external sites are solely responsible for data processing on their platforms. Please review the respective privacy policies before use, e.g.:
- Komoot: https://www.komoot.com/privacy
The Verein has no influence on the nature and scope of data processing by external providers and assumes no responsibility for it.
---
7. Push Notifications
The App may send you push notifications. Activation requires your explicit consent via your operating system's permission prompt and enablement in the App settings.
7.1 Notification Types
The App distinguishes three notification types, each of which you can individually enable or disable in the App settings:
- Ride cancelled: You will be notified when a ride you have registered for is cancelled.
- Reminder: You will receive a reminder approximately 30 minutes before the start of a ride.
- Announcements: General communications from the Verein.
All three types are enabled by default upon activation and can be individually disabled.
7.2 Technical Implementation (Web Push / VAPID)
Notifications are sent via the standardised Web Push Protocol (RFC 8030) with VAPID authentication (RFC 8292). The composition, encryption, and orchestration of messages is handled entirely on our own server. We do not use any third-party services such as Firebase Cloud Messaging (FCM) or OneSignal for the orchestration or analysis of push notifications.
Note on delivery: As required by the protocol, the encrypted messages are delivered via the push infrastructure of your browser vendor (e.g. Mozilla Push Service for Firefox, Google Push Service for Chrome, Apple Push Notification service for Safari). These services merely relay the end-to-end encrypted messages and cannot decrypt their content. The browser vendor receives the endpoint URL and metadata (timestamp, message size) but not the plaintext content of the notification.
7.3 Withdrawal and Deactivation
You can disable push notifications at any time:
- In the App: Via the notification settings in your profile (disables all push notifications and deletes the stored subscription).
- In the browser/device: Via the notification settings of your browser or operating system.
- Individual types: Via the type-specific settings in the App (cancellations, reminders, announcements).
Upon deactivation, the push subscription is deleted from our server. No further notifications will be sent to the respective device.
Legal basis: Art. 6(1)(a) GDPR (consent through active enablement). For safety-relevant notifications (in particular ride cancellations), additionally Art. 6(1)(f) GDPR (legitimate interest in informing participants about safety-relevant changes).
---
8. Confidentiality Obligation of Guides and Administrators
Guides and Administrators receive access to personal data of other users (in particular participant lists) as part of their role. All Guides and Administrators are contractually bound to maintain data confidentiality before being granted access rights. This obligation includes in particular:
- Use of data exclusively for the purpose of organising rides
- Prohibition of disclosure to unauthorised third parties
- Prohibition of private storage (screenshots, copies)
---
9. Your Rights
Under the GDPR, you have the following rights:
- Access (Art. 15 GDPR): You may request information about the data we hold about you.
- Rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
- Erasure (Art. 17 GDPR): You may request the deletion of your data, provided no retention obligations apply (see Section 5.2).
- Restriction of processing (Art. 18 GDPR): Under certain conditions, you may request the restriction of processing.
- Data portability (Art. 20 GDPR): You have the right to receive your data (including your ride statistics) in a commonly used, machine-readable format.
- Objection (Art. 21 GDPR): You may object to the processing of your data on the basis of a legitimate interest.
- Withdrawal of consent (Art. 7(3) GDPR): Where you have given consent (e.g. friend feature, push notifications), you may withdraw it at any time with effect for the future.
To exercise your rights, please send an email to: moin@kieldawnpatrol.cc
Special Notice on the Right to Object (Art. 21 GDPR)
Where we process your personal data on the basis of a legitimate interest (Art. 6(1)(f) GDPR), you have the right to object to such processing at any time for reasons relating to your particular situation. We will then no longer process the data concerned, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defence of legal claims. To exercise your right to object, please send an email to: moin@kieldawnpatrol.cc
Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with the competent data protection supervisory authority:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Postfach 71 16
24171 Kiel
https://www.datenschutzzentrum.de
---
10. Technical and Organisational Measures (TOM)
We implement appropriate technical and organisational measures to protect your data against loss, misuse, and unauthorised access. These include in particular:
- Encrypted data transmission (TLS/HTTPS)
- Passwordless authentication (Magic Link / OTP) — no passwords are stored
- Access control through role and permission management (User, Guide, Administrator)
- Regular security updates of deployed software
- Automated deletion routines for expired data
- Daily encrypted database backups with automatic rotation after 14 days (see Section 5.7)
---
11. Cookies and Local Storage
11.1 Technically Necessary Cookies/Tokens
The App uses exclusively technically necessary cookies or authentication tokens to maintain your login state and ensure the security of your session. Without these technologies, use of the App would not be possible.
This storage is carried out on the basis of § 25(2)(2) TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz — technically strictly necessary) and does not require separate consent.
11.2 Authentication via Email (Magic Link / OTP)
Login is performed via a one-time link or one-time code sent to your registered email address. Delivery is handled via IONOS (see Section 6.2). No cookies are set on your device during this process. After successful authentication, only a session token is stored on your device.
11.3 No Tracking, No Analytics Tools
We do not use any third-party analytics, tracking, or advertising services (no Google Analytics, no Firebase Analytics, no Meta Pixel, or similar). No profiling for advertising purposes takes place. A cookie consent banner is therefore not required.
---
12. Automated Decision-Making
No automated decision-making including profiling within the meaning of Art. 22 GDPR takes place. All decisions affecting you (e.g. role assignment, exclusion from rides) are made exclusively by natural persons.
---
13. Amendments to this Privacy Policy
We reserve the right to amend this Privacy Policy in the event of changes to the legal framework, App features, or the services we use. You will be informed of material changes by email or via an in-app notification. The current version is always available within the App.
---
14. Emergency Safety Notice
To protect your privacy, we do not store emergency contacts in this App. We strongly recommend setting up the SOS emergency features on your smartphone:
- iOS: Settings → Emergency SOS → Medical ID
- Android: Settings → Safety & Emergency → Emergency Information
This allows first responders to access your stored contacts in an emergency without needing to unlock your device.