Privacy Policy

1. Data Controller

Bernhard Götzendorfer
Rittingergasse 15/11
1210 Wien, Österreich / Austria
Email: office@gotzendorfer.at

2. Overview of Data Processing

We process personal data only to the extent necessary for providing our services. Processing is carried out on the basis of the GDPR (General Data Protection Regulation) and the Austrian DSG (Data Protection Act).

3. Data Collected

3.1 When Using the Website

When you visit our website, the following technical data is automatically collected: IP address, browser type, operating system, referrer URL, time of access. This data is necessary for the technical operation of the website (legal basis: Art. 6(1)(f) GDPR — legitimate interest).

3.2 When Registering

When creating an account we collect: email address, and optionally your name (when signing in via Google or Apple). Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

3.3 When Using the Service (Photo Uploads)

When photos are uploaded, we process: image files, upload timestamp, event association, and optionally the uploader's name (max. 100 characters). GPS location data from EXIF metadata is automatically stripped on upload (privacy protection measure). Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

3.4 When Making Payments

Payment data is processed directly by our payment service provider Stripe. We do not receive complete credit card numbers. We store: payment status, invoice data, selected plan, Stripe payment ID. Available payment methods include credit card, SEPA direct debit, EPS, and Klarna (via Stripe Automatic Payment Methods). Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

3.5 Photo Reports

When a photo is reported by a user, we collect: reason for the report, optional description, reporter's IP address, timestamp, and the associated photo/event reference. The event owner is notified by email.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in protecting users from inappropriate content and maintaining platform integrity. Report data is retained for the duration of the event plus 30 days.

3.6 Co-Admin Invitations

When a co-admin is invited to manage an event, we collect: invited person's email address, invitation token (UUID), invitation status (pending/accepted), date of invitation, and the inviting user's reference.

Legal basis: Art. 6(1)(b) GDPR — performance of a contract (enabling collaborative event management as part of the service). Invitation tokens expire automatically after 7 days. Co-admin memberships are retained until the event is deleted.

3.7 Plan Upgrades

When a plan upgrade is performed, we create an audit record in theplan_changestable containing: event reference, previous plan, new plan, price paid, Stripe payment ID, and timestamp.

Legal basis: Art. 6(1)(c) GDPR — legal obligation. This data is part of our accounting records and must be retained for 7 years in accordance with the Austrian Federal Fiscal Code (§ 132 BAO).

3.8 Commission Data

If you participate in the commission program as an event helper, we process the following data:

• Helper ID and event assignment
• Commission amount, product type, and status
• Payment reference (payment audit ID)
• Creation and status change timestamps

Legal basis:Art. 6(1)(b) GDPR — performance of the commission program contract.

Retention:7 years pursuant to § 132 BAO (Austrian Federal Fiscal Code) for tax-relevant records.

3.9 Partner Data

If you apply for the EventDrop Partner Program, we process the following data:

• Partner name and website
• Motivation / application text
• Partner code and referral tracking (cookie-based, 30-day attribution)
• Payout details (IBAN, BIC) upon request
• Commission amounts and payout history

Legal basis:Art. 6(1)(b) GDPR — performance of the partner program contract.

Retention:Financial records (commission amounts, payouts, IBAN/BIC) are retained for 7 years pursuant to § 132 BAO (Austrian Federal Fiscal Code). Non-financial data (name, website, motivation) is deleted upon partner account closure or program termination.

3.10 Error Monitoring (Sentry)

We use Sentry (Functional Software, Inc., San Francisco, USA) for error monitoring to ensure the stability and security of our application. When an error occurs, the following technical data is automatically transmitted:

• Error message and stack trace
• Browser type and version, operating system
• Page URL where the error occurred
• Timestamp of the error

No personal data is collected: IP addresses are not transmitted (sendDefaultPii: false), no cookies are read, and no session replays are recorded during normal usage.

Legal basis:Art. 6(1)(f) GDPR — legitimate interest in maintaining application security and stability. Error monitoring is essential for detecting and resolving technical issues that affect all users.

Retention:Error data is automatically deleted after 90 days by Sentry.

Data transfer: Data may be processed in the USA. Sentry participates in the EU-U.S. Data Privacy Framework.

4. Cookies

We use cookies to ensure the basic functions of the website and to improve your user experience. The legal basis for the use of technically necessary cookies is § 165 TKG 2021 (Austrian Telecommunications Act). For non-essential cookies (analytics), we obtain your prior consent in accordance with § 165(3) TKG 2021 and Art. 6(1)(a) GDPR.

Cookie categories:

• Essential:Strictly necessary for the operation of the website (e.g., session cookies, authentication, language preferences, cookie consent setting). Legal basis: § 165(1) TKG 2021.
• Analytics:Help us understand and improve website usage (Vercel Analytics, Vercel Speed Insights). These cookies are only set with your explicit consent. Legal basis: Art. 6(1)(a) GDPR.

5. Data Processors & Third-Country Transfers

We work with the following service providers. All listed US-based providers either participate in the EU-US Data Privacy Framework (DPF) or have signed EU Standard Contractual Clauses (SCCs) as a supplementary safeguard. Where DPF certification is the primary basis, SCCs are maintained as a backup mechanism.

• Supabase Inc. (San Francisco, USA) – Database, authentication, file storage. Transfer basis: SCCs.
• Stripe Inc. (San Francisco, USA) – Payment processing. DPF-certified. Backup: SCCs.
• Vercel Inc. (San Francisco, USA) – Hosting and content delivery. DPF-certified. Backup: SCCs.
• Resend Inc. (San Francisco, USA) – Transactional email delivery. Data processed: email address, first name. DPF-certified.
• Google LLC (Mountain View, USA) – Automatic image analysis via Vercel AI Gateway (Google Gemini). DPF-certified.
• Anthropic PBC (San Francisco, USA) – AI-powered support chat and event creation suggestions via Vercel AI Gateway (Claude). Data processed: chat messages, event titles. DPF-certified.
• Functional Software Inc. (Sentry) (San Francisco, USA) – Error monitoring and performance tracking. Data processed: IP address, browser information, error contexts. Transfer basis: SCCs.
• Upstash Inc. (San Francisco, USA) – Rate limiting for abuse protection. Data processed: IP address, request counters. Transfer basis: SCCs.

5a. Automated Image Processing (AI)

Uploaded photos are automatically analyzed by artificial intelligence (Google Gemini via Vercel AI Gateway). Purpose of processing:

• Automatic tagging (scene and content recognition)
• Highlight detection (selection of the best photos)
• Generation of automatic photo captions
• Scene type classification (e.g., group photo, dance, ceremony)
• Content moderation (detection of inappropriate content with granular confidence scores)

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in improving user experience and protecting against inappropriate content.

Photos are transmitted to the AI provider only temporarily for analysis. There is no permanent storage by the provider and no profiling. Your photos are not used to train AI models.

No automated individual decision-making (Art. 22 GDPR):The AI processing does not produce decisions with legal or similarly significant effects on users. There is no profiling as defined by Art. 4(4) GDPR. All AI results (tags, highlights, captions, moderation flags) serve solely as suggestions and can be overridden by the event owner.

5b. AI-Powered Support Chat

EventDrop offers an AI-powered support chat (Claude by Anthropic via Vercel AI Gateway) to help users with questions about the platform.

Data processed during chat interactions:

• Chat messages entered by the user
• Event context (share code, plan, status) for event-specific inquiries
• Knowledge base queries (help articles) for answering questions

Escalation: If the AI assistant cannot resolve your inquiry, your conversation summary may be forwarded to our support team (office@gotzendorfer.at) for manual handling.

Legal basis: Art. 6(1)(b) GDPR — performance of a contract (providing customer support as part of the service). Chat messages are not permanently stored and are not used to train AI models.

5c. AI-Assisted Event Creation

When creating an event, the entered event title may be transmitted to an AI service (Claude by Anthropic via Vercel AI Gateway) to generate:

• A suggested event description
• A recommended plan based on the event type
• Event type classification (e.g., wedding, birthday, corporate event)

Legal basis: Art. 6(1)(b) GDPR — performance of a contract (assisting event creation as part of the service). The event title is transmitted only temporarily. No permanent storage occurs at the AI provider. Suggestions are optional and can be modified or ignored by the user.

6. Retention Periods

Personal data is deleted as soon as the purpose of processing no longer applies, unless legal retention obligations require longer storage.

7. Your Rights (Data Subject Rights)

You have the following rights under the GDPR:

• Right of access (Art. 15 GDPR): You can request information about your stored data.
• Right to rectification (Art. 16 GDPR): You can request correction of inaccurate data.
• Right to erasure (Art. 17 GDPR): You can request deletion of your data.
• Right to restriction (Art. 18 GDPR): You can request restriction of processing.
• Notification obligation (Art. 19 GDPR): We will notify all recipients to whom your data has been disclosed of any rectification, erasure, or restriction.
• Right to data portability (Art. 20 GDPR): You can receive your data in a machine-readable format.
• Right to object (Art. 21 GDPR): You can object to the processing of your data.
• Right to withdraw consent (Art. 7(3) GDPR): You can withdraw your consent at any time with effect for the future. The lawfulness of processing carried out on the basis of consent prior to withdrawal remains unaffected.

To exercise your rights, please contact: office@gotzendorfer.at

8. Data Portability (EU Data Act)

In addition to your right to data portability under Art. 20 GDPR, Regulation (EU) 2023/2854 (EU Data Act, applicable since September 2025) grants you the right to access and transfer data generated through your use of our digital service. You can export all your data at any time via Settings > Data Export in your account. The export includes your profile, events, uploads, comments, reactions, analytics, plan changes, event members, payment history, photo reports, event extensions, recap videos, commissions, commission payouts, partners, and partner referrals in machine-readable JSON format.

9. Data Protection Officer

The appointment of a data protection officer is not required, as the conditions under Art. 37 GDPR (in conjunction with § 5 DSG) are not met. EventDrop is operated as a small business. There is no core activity consisting of regular and systematic large-scale monitoring of data subjects, nor large-scale processing of special categories of data. For data protection inquiries, please contact office@gotzendorfer.at.

10. Right to Lodge a Complaint

You have the right to lodge a complaint with the Austrian Data Protection Authority:

Österreichische Datenschutzbehörde / Austrian Data Protection Authority
Barichgasse 40-42
1030 Wien
www.dsb.gv.at

Last updated: February 2026