Data Protection Declaration (GDPR)
Last updated: March 1, 2026
1. Controller Information
The controller responsible for the processing of personal data on this platform within the meaning of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) is: threeb-it GmbH, Große Elbstraße 39, 22767 Hamburg, Germany. Phone: +49 40 123 456 78. Email: privacy@threeb-it.de. Managing Directors: Thimo Buchheister, Thorsten Buchheister. The controller is the entity that alone or jointly with others determines the purposes and means of the processing of personal data. We take the protection of your personal data very seriously and treat it in accordance with the applicable statutory data protection regulations.
2. Data We Collect
We collect and process the following categories of personal data: (a) Account Data: name, email address, password hash, profile picture, and account preferences provided during registration. (b) Content Data: blog posts, media uploads, categories, tags, and comments you create and publish through the Service. (c) Usage Data: IP address, browser type, operating system, pages visited, features used, session timestamps, and interaction patterns collected automatically when you use the Service. (d) Billing Data: payment method details (processed by Stripe -- we do not store full card numbers), billing address, invoice history, and subscription status. (e) Communication Data: messages you send to our support team, responses to surveys, and feedback submissions. (f) Analytics Data: aggregated, anonymized data about how the platform is used, derived from usage data after pseudonymization.
3. Purpose of Processing
We process your personal data for the following purposes: (a) Service Provision: to create and manage your account, operate your blogs, host your content, and provide all platform features. (b) Authentication and Security: to verify your identity, manage sessions, protect against unauthorized access, and detect fraudulent activity. (c) Billing and Payments: to process subscription payments, issue invoices, handle refunds, and manage your subscription lifecycle. (d) Customer Support: to respond to your inquiries, troubleshoot issues, and provide technical assistance. (e) Platform Improvement: to analyze usage patterns, fix bugs, improve performance, and develop new features. (f) Legal Compliance: to meet our obligations under applicable law including tax regulations, data retention requirements, and responses to lawful requests from authorities.
4. Legal Basis
We process your personal data on the following legal bases under Art. 6 GDPR: (a) Contract Performance (Art. 6(1)(b) GDPR): processing necessary to perform our contract with you, covering account management, content hosting, and subscription services. (b) Legitimate Interests (Art. 6(1)(f) GDPR): processing necessary for our legitimate business interests such as platform security, fraud prevention, service quality monitoring, and analytics, provided these interests do not override your fundamental rights. (c) Consent (Art. 6(1)(a) GDPR): where you have given explicit consent for specific activities such as optional analytics cookies or marketing emails. You may withdraw consent at any time without affecting the lawfulness of prior processing. (d) Legal Obligation (Art. 6(1)(c) GDPR): processing necessary to comply with legal obligations such as tax law and mandatory data retention requirements.
5. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Retention periods are as follows: Account and profile data is retained for the duration of your active account and deleted within 30 days of account closure, unless legal obligations require longer retention. Content data (blog posts, media files) is deleted upon your explicit request or upon account closure, with backup copies purged within 90 days. Billing and invoice data is retained for 10 years in accordance with German commercial and tax law (Section 147 AO, Section 257 HGB). Communication and support records are retained for 3 years. Server access logs are retained for 7 days for security monitoring purposes. Analytics data is anonymized within 26 months of collection. After the relevant retention period expires, data is securely and irreversibly deleted.
6. Your Rights
Under the GDPR you have the following rights regarding your personal data: Right of Access (Art. 15): you may request confirmation of whether we process data about you and receive a copy of that data. Right to Rectification (Art. 16): you may request correction of inaccurate or completion of incomplete data. Right to Erasure (Art. 17, "right to be forgotten"): you may request deletion of your data where it is no longer necessary, you withdraw consent, or it was unlawfully processed, subject to legal retention obligations. Right to Restriction (Art. 18): you may request that we limit processing in certain circumstances. Right to Data Portability (Art. 20): you may receive your data in a structured, machine-readable format. Right to Object (Art. 21): you may object to processing based on legitimate interests at any time. Right to Withdraw Consent (Art. 7(3)): you may withdraw any consent at any time. Right to Lodge a Complaint: you may complain to the supervisory authority -- Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, Ludwig-Erhard-Straße 22, 20459 Hamburg. To exercise your rights contact: privacy@threeb-it.de.
7. Cookies & Tracking
We use cookies and similar tracking technologies on our platform. Essential cookies are required for the Service to function and do not require consent. Optional analytics and functional cookies require your prior consent, which is managed through our cookie consent banner. You can review, modify, or withdraw your cookie preferences at any time via the "Cookie Settings" link in our footer. For a detailed breakdown of the specific cookies we use, their purposes, and retention periods, please refer to our Cookie Policy at postnomic.com/cookies. We do not use advertising or cross-site tracking cookies.
8. Third-Party Services
We engage the following sub-processors who may access personal data in order to provide their services to us: Auth0 (Okta, Inc.): identity and authentication management, with data processed within the EU under a Data Processing Agreement. Microsoft Azure (West Europe): cloud infrastructure, hosting, storage, and Application Insights analytics, all within the EU. Stripe, Inc.: payment processing for subscriptions; Stripe operates under the EU-US Data Privacy Framework and Standard Contractual Clauses. All sub-processors are bound by data processing agreements in accordance with Art. 28 GDPR. Where data is transferred outside the EU/EEA, appropriate safeguards are in place including Standard Contractual Clauses (SCCs) and adequacy decisions issued by the European Commission. A current list of sub-processors is available upon request at privacy@threeb-it.de.
9. Changes & Contact
We may update this Data Protection Declaration periodically to reflect changes in our data processing activities, the services we use, or applicable law. When we make material changes we will notify you by email and update the "Last updated" date on this page. We encourage you to review this declaration regularly. For any questions about data protection, to exercise your rights, or to raise a concern, please contact our data protection team: threeb-it GmbH, Datenschutz, Große Elbstraße 39, 22767 Hamburg, Germany. Email: privacy@threeb-it.de. Phone: +49 40 123 456 78. We will respond to all requests within 30 days as required by the GDPR.