Privacy Policy
Partynado – Event Platform • Version: 15.06.2026
This privacy policy informs you about what personal data we collect, for what purposes we process it and what rights you have. The privacy policy is based on the Swiss Data Protection Act (revDSG) and, where applicable, the EU General Data Protection Regulation (GDPR).
1. Controller
Johannes Nothstein
Bahnhofplatz 2
4133 Pratteln
Switzerland
[email protected]
2. Data Collected
2.1 When Visiting the Website (automatic)
Each time you access our platform, the following data is automatically collected:
- IP address (anonymized)
- Browser type and version
- Operating system
- Pages visited
- Date and time
- Language setting
2.2 During Registration
- Email address (required)
- Password (hashed)
- Name (optional)
- Profile picture (optional)
- Social media links (optional)
2.3 When Creating Events/Venues
- Event details (title, description, date, etc.)
- Venue details (name, address, etc.)
- Images
- Contact information (optional)
- Location coordinates
2.4 For Subscription/Payment Transactions
- Stripe customer ID (internal, no access to full card data)
- Subscription status and term
- Invoice information (amount, date, status)
Organizers who use Stripe Connect additionally submit identity and bank data directly to Stripe (in accordance with the Stripe privacy policy).
3. Legal Bases for Processing
| Purpose | DSGVO | revDSG |
|---|---|---|
| Contract fulfillment | Art. 6 Abs. 1 lit. b | Art. 6 Abs. 3 |
| Consent (e.g., cookies) | Art. 6 Abs. 1 lit. a | Art. 6 Abs. 6 |
| Legitimate interest | Art. 6 Abs. 1 lit. f | Art. 6 Abs. 1 |
| Legal obligations | Art. 6 Abs. 1 lit. c | Art. 6 Abs. 3 |
Note: The revised Swiss Data Protection Act (revDSG) does not have a conclusive catalog of legal bases like the GDPR. Processing is permissible if it is proportionate and the principles under Art. 6 revDSG are observed.
4. Cookies
Cookies are small text files stored on your device that enable recognition.
Necessary Cookies
| Cookie | Purpose | Storage Duration |
|---|---|---|
| authjs.session-token | Login session | Session / 30 days |
Analytics Cookies (only with consent)
| Cookie | Purpose | Storage Duration |
|---|---|---|
| _ga | User differentiation | 2 years |
| _ga_* | Session tracking | 2 years |
Important: Google Tag Manager and the analytics tools loaded through it are only activated if you have given explicit consent in the cookie banner. Without your consent, no analytics cookies are set.
5. Third-Party Providers and Data Transfer
Hetzner Online GmbH (Hosting & Speicher)
We use Hetzner Online GmbH (Gunzenhausen, Germany) for web hosting (VPS) and object storage. All servers and storage services are located in the EU (Nuremberg data centre). No data transfer to third countries takes place. Privacy information: hetzner.com/legal/privacy-policy
Google Tag Manager / Google Analytics
We use Google Tag Manager (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA, USA) to manage analytics tags. GTM itself does not set a tracking cookie; the tags loaded via GTM are only activated after your explicit consent (Consent Mode v2).
- IP anonymization enabled
- No data shared with Google for advertising purposes
- Activation only after explicit consent (Google Consent Mode v2)
Opt-Out: tools.google.com/dlpage/gaoptout
Google Places API / Google Maps
We use the Google Places API and Google Maps Static API (Google LLC, USA) to search for and display venues. Search queries and IP addresses are transmitted to Google. Legal basis: legitimate interest in providing the location feature. Data transfer based on SCCs.
Resend (Email Delivery)
We use Resend, Inc. (USA) to send transactional emails (verification, notifications). Data transfer based on SCCs.
Stripe (Zahlungsabwicklung)
We use Stripe, Inc. (USA) and Stripe Payments Europe, Ltd. (Ireland) to process payments for paid subscriptions and ticket sales. During payment, payment data is transmitted directly to Stripe; we do not store complete card data. Organizers selling tickets via the Platform are onboarded via Stripe Connect. Data transfer based on SCCs. Privacy policy: stripe.com/privacy
Spotify API
We use the Spotify Web API (Spotify AB, Sweden) for artist information. Only public artist data is retrieved; no user data is transmitted.
Push-Benachrichtigungen
If you enable push notifications, we store the push endpoint generated by your browser (an anonymous browser URL) in our database on Hetzner servers in Germany. Processing is based on your explicit consent. You can disable push notifications at any time in your browser or in your account settings.
Note on Third-Country Transfers (USA)
For US service providers (Google, Stripe, Resend) we have carried out a Transfer Impact Assessment. We additionally apply the following safeguards:
- Encryption of data in transit and at rest (TLS 1.3, AES-256)
- Pseudonymization where technically possible
- Limitation of transmitted data to the necessary minimum
- Contractual assurances by providers regarding government requests (EU SCCs)
6. Retention Period
| Data Type | Retention Period |
|---|---|
| User account | Until deletion + 6 months |
| Events | Until deletion by organizer or admin |
| Venue claims | 3 years after completion |
| Server logs | 90 days |
| Analytics data | 26 months (via Google Tag Manager / Google Analytics) |
7. Your Rights
- Right of Access: You can request information about what personal data we have stored about you.
- Right to Rectification: You can request correction of inaccurate data.
- Right to Erasure: You can request deletion of your data, provided no legal retention obligations apply.
- Restriction of Processing: You can request restriction of processing.
- Data Portability: You can request that we provide your data in a structured, commonly used and machine-readable format.
- Right to Object: You can object to processing of your data when based on legitimate interest.
- Withdrawal of Consent: Granted consents can be revoked at any time with effect for the future.
- Right to Complain: You have the right to complain to the competent data protection supervisory authority.
To exercise your rights, please contact: [email protected]
Exercising Your Rights
You can exercise your rights as follows:
- View and edit profile and account data directly in your account settings
- Permanently delete your account yourself via the profile page ("Delete account" section)
- For requests for access, rectification and data portability as well as for objection and withdrawal of consent, please contact our data protection email address: [email protected]
We generally respond to requests within 30 days. To verify your identity, confirmation via your registered email address may be required.
8. Data Security
- SSL/TLS encryption of data transmission
- Passwords are stored hashed (bcrypt)
- Role-based data access
- Regular software updates
9. Minors
The platform is not intended for persons under 16 years of age. We do not knowingly collect data from minors under 16.
10. Changes to Privacy Policy
We reserve the right to adapt this privacy policy as needed. For material changes, we will inform registered users by email. Material changes take effect no earlier than 14 days after notification.
11. Supervisory Authority
For complaints, you can contact the competent data protection supervisory authority:
Eidgenoessischer Datenschutz- und Oeffentlichkeitsbeauftragter (EDOEB)
Feldeggweg 1
3003 Bern
Switzerland
www.edoeb.admin.ch
Privacy Contact
Johannes Nothstein
[email protected]
Version: 15.06.2026