
Privacy Policy

As of: April 2026

1. Controller

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Förderverein Kindergarten St. Kilian e. V.

[Address to be added]

[Postal code + city to be added]

Email: hallo@herzenslauf.de

A data protection officer is not legally required and has therefore not been appointed. For questions regarding data protection, please contact the board directly at the email address above.

2. General information

Protecting your personal data is important to us. We process your data exclusively on the basis of legal provisions — in particular the GDPR and the German Federal Data Protection Act (BDSG).

This privacy policy informs you about the nature, scope and purpose of the processing of personal data on our website www.herzenslauf.de.

3. Hosting and technical provision

This website is hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. When you visit our website, the web server automatically collects so-called server log files transmitted by your browser:

  • IP address of the requesting computer
  • Date and time of access
  • Name and URL of the accessed page
  • Amount of data transferred
  • Browser type and version
  • Operating system
  • Referrer URL (previously visited page)

This data is collected solely to ensure smooth operation of the website and to detect and prevent misuse. No merging with other data sources takes place. Log files are automatically deleted after 14 days.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure provision of the website).

4. Cookies

Our website uses only technically necessary cookies. We do not use tracking, analytics, or marketing cookies.

| Cookie | Purpose | Duration |
|--------|---------|----------|
| sb-*-auth-token | Login session (protected area) | Session / max. 7 days |
| NEXT_LOCALE | Selected language | 1 year |

Legal basis: Art. 6(1)(f) GDPR (technically necessary).

5. Registration for the Herzenslauf

When you register yourself or your children for the Herzenslauf, we collect the following data:

  • Parent/Registrant: Name, email address, phone number
  • Runners: Name, year of birth, jersey size
  • Emergency contacts: Name and phone number per runner
  • Cake donation: Number of pledged cakes

This data is necessary for organizing the event — in particular for managing participation, jersey orders, creating runner codes, and for emergencies during the run.

During registration, you will be assigned a unique runner code that supporters can use to assign donations. This code does not contain any personal data.

Legal basis: Art. 6(1)(b) GDPR (contract performance — participation in the event).

6. Support and donations

a) Donation per runner (sponsoring)

When you financially support a runner, we collect: name and optionally email and phone number. If you request a donation receipt, we additionally collect your address.

You can choose whether your name is displayed publicly on the runner's supporter page, only the name is visible, or your donation remains anonymous.

b) General support / corporate sponsoring

For general support, we collect depending on type (private/business): name or company name, contact person, email, optionally phone, amount, and if desired a message. Companies can additionally upload a logo (PDF/SVG).

Legal basis: Art. 6(1)(b) GDPR (contract performance — processing of donation/support).

7. Membership in the Förderverein

When joining the Förderverein with a SEPA direct debit mandate, we collect: name, address, email address, IBAN and account holder. A SEPA direct debit mandate is generated and stored as a PDF document.

Bank details are used for collecting membership fees and are retained for 10 years after the end of membership in accordance with tax retention requirements (§ 147 AO).

Legal basis: Art. 6(1)(b) GDPR (contract performance — membership) in conjunction with Art. 6(1)(c) GDPR (tax retention obligations).

8. Donation receipts

If you request a donation receipt, we store your name, address, donation amount and date. The receipt is generated as a PDF and stored securely.

Donation receipts and associated data are retained for 10 years due to tax regulations (§ 147 AO) and cannot be deleted during this period.

Legal basis: Art. 6(1)(c) GDPR (legal obligation — tax retention requirement).

9. Contact form

When using our contact form, we collect your name, email address and message. The data is used exclusively to process your inquiry and deleted after completion, unless legal retention obligations apply.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries).

10. Login area (Magic Link)

For access to the protected family and admin area, we use a passwordless login procedure: you enter your email address and receive a one-time login link (Magic Link) by email. No password is stored.

After successful login, a session is maintained using technically necessary cookies (see section 4).

Legal basis: Art. 6(1)(b) GDPR (contract performance — access to personal area).

11. Email delivery (Brevo)

For sending transactional emails (registration confirmations, donation confirmations, payment reminders, Magic Links, etc.) we use the service Brevo (formerly Sendinblue), Brevo SAS, 106 Boulevard Haussmann, 75008 Paris, France.

Brevo processes your email address and the content of the respective message on our behalf. Brevo's servers are located in the EU. A data processing agreement (DPA) exists in accordance with Art. 28 GDPR.

Brevo records technical delivery information for transactional emails (delivery, errors/bounces). We store the delivery status in an internal log for quality assurance of email delivery.

Legal basis: Art. 6(1)(b) GDPR (contract performance) or Art. 6(1)(f) GDPR (legitimate interest in reliable email delivery).

12. Newsletter

During registration for the Herzenslauf, you can voluntarily subscribe to our newsletter. We use a double opt-in procedure: after your registration, you receive a confirmation email. Only when you click the link contained therein will you be added to the newsletter distribution list.

The newsletter is sent via Brevo (see section 11). You can unsubscribe from the newsletter at any time — via the unsubscribe link in every newsletter email or by email to hallo@herzenslauf.de.

Legal basis: Art. 6(1)(a) GDPR (consent). Consent can be revoked at any time with effect for the future.

13. Photography at the event

During registration, we ask whether you consent to photographs being taken and published during the event. This consent is voluntary and not a prerequisite for participation.

Photos may be used on our website, social media, and in the local press for reporting on the Herzenslauf.

You can revoke your consent at any time with effect for the future. Already published photos will be removed promptly after revocation, insofar as technically possible.

Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with §§ 22, 23 KunstUrhG.

14. Payment processing

For donations and membership fees, we offer bank transfer and a PayPal.me link. When using PayPal, the privacy policy of PayPal (Europe) S.à r.l. et Cie, S.C.A. applies. We only receive a payment confirmation from PayPal, not your PayPal account details.

For SEPA direct debits, your bank details (IBAN, account holder) are stored directly with us (see section 7).

15. Spam and bot protection

Our forms use a so-called honeypot method to protect against automated submissions (spam bots). An invisible form field is embedded in the form for this purpose. No external services are integrated and no personal data is collected.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protection against misuse).

16. Storage and database

Your data is stored in a Supabase database (Supabase Inc., headquartered in the USA, data processing in the EU). A data processing agreement (DPA) exists in accordance with Art. 28 GDPR.

Uploaded files (logos, SEPA mandates, donation receipts) are stored in encrypted, private storage areas and are only accessible via time-limited access links.

All data processing takes place within the European Union. No transfer to third countries occurs.

17. Your rights as a data subject

Under the GDPR, you have the following rights, which you can exercise at any time informally by email to hallo@herzenslauf.de:

  • Access (Art. 15 GDPR): You have the right to know what data we have stored about you.
  • Rectification (Art. 16 GDPR): You can request the correction of inaccurate data.
  • Erasure (Art. 17 GDPR): You can request the deletion of your data, provided no legal retention obligations apply.
  • Restriction (Art. 18 GDPR): You can request restricted processing of your data.
  • Data portability (Art. 20 GDPR): You can request your data in a common, machine-readable format.
  • Objection (Art. 21 GDPR): You can object to the processing of your data insofar as it is based on legitimate interest.
  • Withdrawal of consent (Art. 7(3) GDPR): Consents given (newsletter, photos) can be revoked at any time with effect for the future.

18. Right to complain to a supervisory authority

If you believe that the processing of your data violates the GDPR, you have the right to complain to a data protection supervisory authority. The supervisory authority responsible for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen

Kavalleriestr. 2–4

40213 Düsseldorf

Website: www.ldi.nrw.de

19. Data processors

We use the following service providers who process personal data on our behalf (Art. 28 GDPR):

| Service provider | Purpose | Location |
|------------------|---------|----------|
| Hetzner Online GmbH | Web hosting | Germany |
| Supabase Inc. | Database, authentication, file storage | EU |
| Brevo SAS | Email delivery, newsletter | France (EU) |

Data processing agreements exist with all processors in accordance with Art. 28 GDPR. All data processing takes place within the EU.

20. Changes to this privacy policy

We reserve the right to adapt this privacy policy as needed to ensure it always complies with current legal requirements or to implement changes to our services. The current version can always be found on this page.