Privacy Policy

Partynado – Event PlatformVersion: 15.06.2026

This privacy policy informs you about what personal data we collect, for what purposes we process it and what rights you have. The privacy policy is based on the Swiss Data Protection Act (revDSG) and, where applicable, the EU General Data Protection Regulation (GDPR).

1. Controller

Johannes Nothstein
Bahnhofplatz 2
4133 Pratteln
Switzerland

[email protected]

2. Data Collected

2.1 When Visiting the Website (automatic)

Each time you access our platform, the following data is automatically collected:

  • IP address (anonymized)
  • Browser type and version
  • Operating system
  • Pages visited
  • Date and time
  • Language setting

2.2 During Registration

  • Email address (required)
  • Password (hashed)
  • Name (optional)
  • Profile picture (optional)
  • Social media links (optional)

2.3 When Creating Events/Venues

  • Event details (title, description, date, etc.)
  • Venue details (name, address, etc.)
  • Images
  • Contact information (optional)
  • Location coordinates

2.4 For Subscription/Payment Transactions

  • Stripe customer ID (internal, no access to full card data)
  • Subscription status and term
  • Invoice information (amount, date, status)

Organizers who use Stripe Connect additionally submit identity and bank data directly to Stripe (in accordance with the Stripe privacy policy).

3. Legal Bases for Processing

PurposeDSGVOrevDSG
Contract fulfillmentArt. 6 Abs. 1 lit. bArt. 6 Abs. 3
Consent (e.g., cookies)Art. 6 Abs. 1 lit. aArt. 6 Abs. 6
Legitimate interestArt. 6 Abs. 1 lit. fArt. 6 Abs. 1
Legal obligationsArt. 6 Abs. 1 lit. cArt. 6 Abs. 3

Note: The revised Swiss Data Protection Act (revDSG) does not have a conclusive catalog of legal bases like the GDPR. Processing is permissible if it is proportionate and the principles under Art. 6 revDSG are observed.

4. Cookies

Cookies are small text files stored on your device that enable recognition.

Necessary Cookies

CookiePurposeStorage Duration
authjs.session-tokenLogin sessionSession / 30 days

Analytics Cookies (only with consent)

CookiePurposeStorage Duration
_gaUser differentiation2 years
_ga_*Session tracking2 years

Important: Google Tag Manager and the analytics tools loaded through it are only activated if you have given explicit consent in the cookie banner. Without your consent, no analytics cookies are set.

5. Third-Party Providers and Data Transfer

Hetzner Online GmbH (Hosting & Speicher)

We use Hetzner Online GmbH (Gunzenhausen, Germany) for web hosting (VPS) and object storage. All servers and storage services are located in the EU (Nuremberg data centre). No data transfer to third countries takes place. Privacy information: hetzner.com/legal/privacy-policy

Google Tag Manager / Google Analytics

We use Google Tag Manager (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA, USA) to manage analytics tags. GTM itself does not set a tracking cookie; the tags loaded via GTM are only activated after your explicit consent (Consent Mode v2).

  • IP anonymization enabled
  • No data shared with Google for advertising purposes
  • Activation only after explicit consent (Google Consent Mode v2)

Opt-Out: tools.google.com/dlpage/gaoptout

Google Places API / Google Maps

We use the Google Places API and Google Maps Static API (Google LLC, USA) to search for and display venues. Search queries and IP addresses are transmitted to Google. Legal basis: legitimate interest in providing the location feature. Data transfer based on SCCs.

Resend (Email Delivery)

We use Resend, Inc. (USA) to send transactional emails (verification, notifications). Data transfer based on SCCs.

Stripe (Zahlungsabwicklung)

We use Stripe, Inc. (USA) and Stripe Payments Europe, Ltd. (Ireland) to process payments for paid subscriptions and ticket sales. During payment, payment data is transmitted directly to Stripe; we do not store complete card data. Organizers selling tickets via the Platform are onboarded via Stripe Connect. Data transfer based on SCCs. Privacy policy: stripe.com/privacy

Spotify API

We use the Spotify Web API (Spotify AB, Sweden) for artist information. Only public artist data is retrieved; no user data is transmitted.

Push-Benachrichtigungen

If you enable push notifications, we store the push endpoint generated by your browser (an anonymous browser URL) in our database on Hetzner servers in Germany. Processing is based on your explicit consent. You can disable push notifications at any time in your browser or in your account settings.

Note on Third-Country Transfers (USA)

For US service providers (Google, Stripe, Resend) we have carried out a Transfer Impact Assessment. We additionally apply the following safeguards:

  • Encryption of data in transit and at rest (TLS 1.3, AES-256)
  • Pseudonymization where technically possible
  • Limitation of transmitted data to the necessary minimum
  • Contractual assurances by providers regarding government requests (EU SCCs)

6. Retention Period

Data TypeRetention Period
User accountUntil deletion + 6 months
EventsUntil deletion by organizer or admin
Venue claims3 years after completion
Server logs90 days
Analytics data26 months (via Google Tag Manager / Google Analytics)

7. Your Rights

  • Right of Access: You can request information about what personal data we have stored about you.
  • Right to Rectification: You can request correction of inaccurate data.
  • Right to Erasure: You can request deletion of your data, provided no legal retention obligations apply.
  • Restriction of Processing: You can request restriction of processing.
  • Data Portability: You can request that we provide your data in a structured, commonly used and machine-readable format.
  • Right to Object: You can object to processing of your data when based on legitimate interest.
  • Withdrawal of Consent: Granted consents can be revoked at any time with effect for the future.
  • Right to Complain: You have the right to complain to the competent data protection supervisory authority.

To exercise your rights, please contact: [email protected]

Exercising Your Rights

You can exercise your rights as follows:

We generally respond to requests within 30 days. To verify your identity, confirmation via your registered email address may be required.

8. Data Security

  • SSL/TLS encryption of data transmission
  • Passwords are stored hashed (bcrypt)
  • Role-based data access
  • Regular software updates

9. Minors

The platform is not intended for persons under 16 years of age. We do not knowingly collect data from minors under 16.

10. Changes to Privacy Policy

We reserve the right to adapt this privacy policy as needed. For material changes, we will inform registered users by email. Material changes take effect no earlier than 14 days after notification.

11. Supervisory Authority

For complaints, you can contact the competent data protection supervisory authority:

Eidgenoessischer Datenschutz- und Oeffentlichkeitsbeauftragter (EDOEB)
Feldeggweg 1
3003 Bern
Switzerland
www.edoeb.admin.ch

Privacy Contact

Johannes Nothstein
[email protected]

Version: 15.06.2026