Privacy Policy

1. Data Controller

The data controller responsible for processing your personal data is:

We have not appointed a Data Protection Officer, as we are not legally required to do so under § 38 BDSG. For all data-protection matters, please use the contact details above.

2. Data We Collect

We collect personal data only to the extent necessary to provide the platform. This includes:

• Account data: name, email address, password (stored as a secure hash), date of birth (where required for age-verification or convention eligibility), and any profile information you choose to add.
• Convention registration data: convention organisers may define custom registration fields (e.g., dietary requirements, ward/stake affiliation, emergency contact). We store this data on your behalf. The specific fields depend on each convention.
• Technical/session data: session credentials stored in cookies to keep you logged in, and UI preferences (light/dark mode, dashboard column visibility) stored in cookies or local storage. No analytics or tracking cookies are used.
• Log data: basic server-side access logs (IP address, request path, timestamp) for security and debugging. These are not linked to your account beyond session authentication.
• Security / anti-abuse data: when you log in or register, we use Cloudflare Turnstile (a privacy-friendly CAPTCHA) to tell humans apart from bots. This transmits your IP address and basic browser/device signals to Cloudflare. We also process IP addresses for rate-limiting and abuse prevention.

3. Legal Basis for Processing (GDPR Art. 6)

• Contract performance (Art. 6(1)(b)): processing your account and registration data is necessary to provide the platform services you have signed up for.
• Legitimate interests (Art. 6(1)(f)): server logs, CAPTCHA (Cloudflare Turnstile), rate-limiting, and abuse detection are kept or used for a limited period to keep the platform secure and to prevent fraud and automated abuse.
• Consent (Art. 6(1)(a)): where convention organisers request special- category data (e.g., dietary needs, religious affiliation), your submission of that registration will contain explicit consent for passing on the data to that convention.

4. Special Category Data

Some conventions may request data that falls under GDPR Article 9 “special category” data (e.g., religious affiliation, dietary restrictions related to health). Such data is only collected when explicitly requested by the convention organiser and only with your explicit consent given at the time of registration. You may withdraw that consent at any time by contacting us or the relevant convention organiser.

5. How We Use Your Data

• To create and manage your account.
• To register you for conventions and share your registration data with the relevant convention organiser.
• To send essential transactional emails (e.g., registration confirmation, password reset).
• To maintain platform security and prevent abuse.
• We do not sell, rent, or share your data with third parties for marketing purposes.
• We do not use your data for profiling or for automated decisions that produce legal or similarly significant effects on you (Art. 22 GDPR). Automated security measures such as rate-limiting, bot detection (Cloudflare Turnstile), and temporary IP blocking are used solely to protect the platform.

6. Data Sharing and Third Parties

We do not share your personal data with third parties except in the following cases:

• Convention organisers: when you register for a convention, your registration data is accessible to the organisers of that convention for participant management purposes.
• Hosting providers: our infrastructure provider processes data on our behalf under a data processing agreement (DPA).
• Cloudflare, Inc.: we use Cloudflare Turnstile (bot protection on the login and registration pages) and Cloudflare R2 (storage of uploaded images such as avatars and convention logos). Cloudflare processes this data on our behalf under a DPA.
• Amazon Web Services (Amazon SES): transactional emails (e.g., email verification and password-reset messages) are delivered via Amazon SES, with email processing in the EU (Frankfurt) region, under a DPA.
• Map & address services: when a convention page shows a location map or you use address autocomplete, your browser contacts OpenStreetMap(map tiles) and Photon / Komoot (address suggestions), and our server queries OpenStreetMap Nominatim to turn an address into map coordinates. These providers receive the address or location being looked up; the in-browser requests also expose your IP address to them. They are based in the EU/UK.
• Legal obligation: we may disclose data if required by law or in response to a lawful request from a public authority.

7. Cookies and Local Storage

We use only technically necessary cookies and browser storage. No tracking, advertising, or analytics cookies are used. The data stored includes:

• Login related data — required to keep you logged in.
• Theme preference (light/dark) — stores your display preference.
• Dashboard UI state — stores your column and tab preferences in the dashboard for convenience.
• Convention setup wizard draftstemporary cookies used by the convention setup wizard to preserve unsaved form data when navigating between steps.
• Cloudflare Turnstile — our bot-protection provider may set a strictly necessary cookie on the login and registration pages to confirm you are human. It is used only for security and not for tracking.

You can clear these at any time by clearing your browser cookies and site data. Doing so will log you out and reset your preferences. Wizard draft cookies can also be discarded individually via the “Discard” button in the wizard’s unsaved-changes banner.

8. Data Retention

• Account data is retained for as long as your account is active, or until you request deletion.
• Convention registration data is retained for the duration of the convention and a reasonable period afterwards (typically 12 months), unless the convention organiser or applicable law requires a different retention period.
• Server logs are retained for a maximum of 30 days.

9. Your Rights (GDPR)

Under the GDPR, you have the following rights:

• Right of access (Art. 15): request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): correct inaccurate or incomplete data.
• Right to erasure (Art. 17): request deletion of your data (“right to be forgotten”).
• Right to restriction (Art. 18): request that we limit processing of your data.
• Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
• Right to object (Art. 21): object to processing based on legitimate interests.
• Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, please contact us at admin@risingcon.org. We will respond without undue delay and within one month at the latest, as required by Art. 12(3) GDPR. For complex or numerous requests this period may be extended by up to two further months, in which case we will inform you.

You also have the right to lodge a complaint with your national data protection supervisory authority. Locally, this is the Hessischer Beauftragter für Datenschutz und Informationsfreiheit (HBDI) (datenschutz.hessen.de).

10. International Data Transfers

Our platform is primarily intended for users in Europe, and we aim to keep personal data within the European Economic Area (EEA) where possible. Some of our processors are US-based companies, so certain data (for example, your IP address transmitted to Cloudflare via Turnstile) may be transferred to the United States. Such transfers are safeguarded by the European Commission’s EU–US Data Privacy Framework adequacy decision and/or Standard Contractual Clauses, in accordance with Chapter V of the GDPR. Both Cloudflare and Amazon Web Services participate in, or rely on, these mechanisms. Our map and address-lookup providers (OpenStreetMap, Photon / Komoot) are located in the EU/UK, which the European Commission recognises as ensuring an adequate level of data protection.

11. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. This includes password hashing, encryption of particularly sensitive fields at rest, HTTPS encryption in transit, and access controls. However, no method of transmission over the internet is 100% secure.

12. Age

RisingCon is intended for users aged 18 to 35. Conventions targeting younger or older audiences are not to be hosted here, at this time. We do not knowingly collect personal data from children under 18.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via the platform or by email. The date at the top of this page indicates when the policy was last revised.

14. Contact

For any questions or requests regarding this Privacy Policy or our data processing practices, please contact: