Privacy.

1. Controller

The data controller responsible for your personal data is [OPERATOR LEGAL NAME], registered address [POSTAL ADDRESS], contact [CONTACT EMAIL].

2. Data we collect and why

We collect only what is strictly necessary to operate the service:

• Display name or alias — submitted voluntarily; used solely to display your entry on the public leaderboard. Providing a name is optional.
• Contribution amount and timestamp — required to record your participation, maintain the collective counter, and comply with our accounting obligations.
• Payment status — returned by our payment processor (Stripe) to confirm that a charge succeeded; we do not receive or store card numbers, CVV codes, or full account details.
• IP address and basic browser data — collected automatically by our server for security, fraud prevention, and abuse detection.
• Server access logs — retained for security monitoring; they include timestamps, request paths, and response codes.

We do not use third-party analytics, tracking pixels, or advertising cookies. We do not build behavioural profiles.

3. Legal bases (GDPR Article 6)

• Art. 6(1)(b) — Performance of a contract: processing your name, payment status, and contribution amount to record your participation as requested.
• Art. 6(1)(c) — Legal obligation: retaining transaction records to comply with applicable tax and accounting law.
• Art. 6(1)(f) — Legitimate interests: processing IP addresses and server logs to prevent fraud, abuse, and unauthorised access. Our interests in maintaining a secure and accurate service do not override your fundamental rights.

4. Data processors and third parties

Stripe Payments Europe, Ltd. acts as our payment processor. Stripe processes card data on our behalf under its own DPA and complies with PCI-DSS. Stripe may transfer data internationally in accordance with Standard Contractual Clauses. For details, see stripe.com/privacy.

We do not sell, rent, or share your personal data with any other third party for commercial purposes.

5. International transfers

Our servers are located in the European Economic Area. Where a processor transfers data outside the EEA, we ensure adequate safeguards are in place (Standard Contractual Clauses or equivalent).

6. Retention periods

• Transaction records (amount, timestamp, payment status): retained for 7 years from the date of the transaction, as required by accounting and tax law in most EU jurisdictions.
• Display names on the leaderboard: retained for the lifetime of the project. You may request removal at any time (see section 7).
• Server access logs: retained for a maximum of 90 days, then deleted automatically.

7. Your rights

Under GDPR you have the right to: access your data (Art. 15); rectify inaccuracies (Art. 16); request erasure where no legal obligation requires retention (Art. 17); restrict processing (Art. 18); data portability (Art. 20); and object to processing based on legitimate interests (Art. 21).

To exercise any right, contact [CONTACT EMAIL]. We will respond within 30 days. Note that transaction records subject to a statutory retention obligation cannot be deleted before the applicable period expires.

You also have the right to lodge a complaint with your national data-protection supervisory authority.