Your data belongs to you
Data controller
Eduardo Arturo Sieber Artiles
Heubnerweg 9, 14059 Berlin, Germany
Email: legal@tropixus.com
Given the current size of the project, we are not required to appoint a Data Protection Officer (DPO) under Art. 37 GDPR. For any privacy matter, please write to the address above.
Categories of data we process
We collect the following data depending on the activity:
- Registration/login data: first name, surname, email address, password (hashed, never in plain text), country and postcode. This data is stored in the backend database and in Keycloak (identity manager). Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
- Authentication data: HttpOnly session token (secure cookie), temporary OTP codes for the password recovery process. Legal basis: Art. 6(1)(b) GDPR + Art. 6(1)(f) (account security).
- Rate limiting: to protect login, registration, OTP delivery and password reset forms against automated or brute-force attempts, we count attempts per IP address (and, where applicable, per email address) over short time windows (5–60 minutes). The counters are reset when the window expires. Legal basis: Art. 6.1.f GDPR (legitimate interest in account security).
- Favourites and reminders: the businesses and events you save, and your preference for pre-event notifications. Legal basis: Art. 6.1.b GDPR.
- Reports and feedback messages: the text you send via the “Something wrong?” button or the contact / help / for businesses forms, along with your email address (if provided) and the URL from which you are writing. Legal basis: Art. 6.1.f GDPR (legitimate interest in improving the service).
- Technical browsing data: URL visited, browser type, language, city selected in the selector, date and time. Legal basis: Art. 6.1.f GDPR (legitimate interest in keeping the platform operational and secure).
- Cookie consent record: accepted banner version, date and permitted categories. Legal basis: Art. 7.1 GDPR (burden of proof) + § 25 TTDSG.
- Analytical cookies: anonymous identifiers served by Google Analytics 4 and Microsoft Clarity, only if you give your express consent via the banner. Legal basis: Art. 6(1)(a) GDPR + § 25(1) TTDSG. We do not currently use marketing or advertising cookies; the category exists in the banner but does not load any cookies at present; it is reserved for future campaigns and, should we activate them, they will only be loaded with your consent.
Purposes of the processing
- Operate and maintain the platform and the mobile app.
- Customise content according to your city and language.
- Respond to your requests and reports via the feedback form.
- Comply with legal obligations (invoicing, tax withholding, responses to authorities).
- Improve the product using aggregated analytics (only with your consent).
Recipients and international transfers
We share data only with data processors acting on our instructions (Article 28 of the GDPR):
- Vercel Inc., web hosting, Frankfurt region (EU). Hosts the platform and maintains technical access logs.
- Keycloak, identity system (self-hosted in the EU). Stores account credentials, tokens and sessions.
- Neon / PostgreSQL, backend database (EU). Stores profiles, favourites, reminders and feedback reports.
- Resend, transactional email delivery (password recovery OTPs, confirmations). European infrastructure.
- DeepL SE, machine translation of editorial content into German and English (EU). Does not process users’ personal data, only public text from the site.
- Anthropic, PBC, generation of editorial content for city pages (H1 headings, FAQs and SEO descriptions) using the Claude model (US). We do not send personal data to Anthropic, only the city name and prompt templates defined by us. The transfer is carried out under the European Commission’s Standard Contractual Clauses (Art. 46 GDPR).
- Upstash, Inc., a Redis database used to control abusive attempts against the login, registration and password recovery forms (rate limiting). It processes, for short periods (5–60 minutes), an identifier derived from your IP address and, where applicable, a hash of your email address, solely for the purpose of counting attempts. Servers in the EU (Frankfurt). Legal basis: Art. 6.1.f GDPR (legitimate interest in protecting user accounts).
- OpenStreetMap / CartoDB, map tiles in list and detail views (EU).
- Microsoft Clarity and Google Analytics 4, web analytics (US). These are only activated if you accept analytics cookies via the banner. The transfer is carried out under the EU-US Data Privacy Framework + Standard Contractual Clauses (Art. 46 GDPR).
- Umami Software, Inc. (US, cloud.umami.is service), aggregated analytics with no cookies or browser fingerprint. No consent required (§ 25(2) TTDSG). Transfer under the EU-US Data Privacy Framework + Standard Contractual Clauses (Art. 46 GDPR).
- Sentry (Functional Software, Inc., US), monitoring of unhandled errors and slow transactions. Receives only the error stack trace and the URL (no bodies, headers or cookies); session replays are activated only with your analytics consent and mask all text and form inputs by default. Transfer under the EU-US Data Privacy Framework + Standard Contractual Clauses (Art. 46 GDPR).
- Better Stack, Inc. (US), centralised server logs and uptime monitoring. Receives only server-side events with no PII in cleartext (user identifiers are passed through an FNV-1a hash before leaving our infrastructure). Transfer under the EU-US Data Privacy Framework + Standard Contractual Clauses (Art. 46 GDPR).
We do not sell personal data or share it with advertisers outside the service. We do not currently work with any marketing or advertising providers (e.g. retargeting pixels); should we do so in the future, we would add this here and it would only be activated with your express consent.
Retention periods
- Account data: whilst the account is active, plus 12 months after closure for legal and security purposes.
- OTPs and session tokens: 15 minutes (OTP) and up to 30 days (session).
- Favourites and reminders: until you delete them or close your account.
- Server/access logs: 30 days.
- Feedback reports: 12 months, then anonymised (the content of the report is retained without being linked to a user).
- Consent records: 3 years (burden of proof, Art. 7.1 GDPR).
Security measures
- Session stored in an HttpOnly + Secure cookie (not accessible from JavaScript) signed in JWE format.
- Security HTTP headers: HSTS, CSP with per-request nonce, COOP / CORP, restrictive Permissions-Policy.
- Passwords stored using bcrypt hashing in Keycloak, never in plain text.
- End-to-end encrypted traffic using TLS 1.3.
- Database access restricted to the backend VPC; no public internet access.
Your rights as a data subject
You have the following rights:
- Access (Art. 15 GDPR): to obtain a copy of your data.
- Rectification (Art. 16 GDPR): to have inaccurate data corrected.
- Erasure (Art. 17 GDPR — "right to be forgotten"): to have your account and associated data deleted.
- Portability (Art. 20 GDPR): to receive your data in a machine-readable format.
- Objection (Art. 21 GDPR): to object to processing carried out on the basis of legitimate interest.
- Restriction (Art. 18 GDPR): to restrict processing while a dispute is being resolved.
To exercise any of these rights, write to us at legal@tropixus.com. We respond within 30 days at the latest. You can also change your cookie preferences and download or delete your data at any time from Account > Privacy.
Right to lodge a complaint
You have the right to lodge a complaint with the relevant supervisory authority: the Berlin Commissioner for Data Protection and Freedom of Information (Friedrichstr. 219, 10969 Berlin) or the supervisory authority in the federal state where you live.