Skip to contentSkip to navigationSkip to footer

Privacy Policy

Last updated: March 18, 2026

1. Data Controller

The data controller for the SunUp application is:

Haukel GbR
Am Barenbach 11
74541 Vellberg, Germany
Email:

2. Data Protection Officer

We are not required to appoint a Data Protection Officer pursuant to Art. 37 GDPR in conjunction with § 38 BDSG, as fewer than 20 persons are regularly involved in automated processing of personal data. For data protection inquiries, please contact us at .

3. Data We Collect

We collect the following types of data:

a) Account Data

When you create an account (via email, Google, or Apple sign-in), we collect: email address, display name, authentication provider identifier, and session tokens.

b) Guest Data

When you join an event as a guest without registration, we generate and store a random unique identifier and your chosen display name.

c) User Content

Photos and media you upload to event galleries, including associated metadata (upload timestamp, file size, MIME type).

d) Event Data

Event names, event dates, six-character join codes, and participant lists (linking user identifiers to events).

e) Device Data

Device type (e.g., smartphone model), operating system and version, app version, and screen resolution for debugging and compatibility purposes.

f) Usage Data

Feature usage patterns including screens visited within the app, button interactions, session duration, and error logs to improve the Service.

4. Server Log Files

When you access our website or use our API, our servers automatically collect the following data in log files:

  • IP address (anonymized after processing)
  • Date and time of the request
  • HTTP request method and requested URL
  • HTTP status code
  • Referrer URL
  • Browser type and version
  • Operating system
  • Transferred data volume

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest is ensuring the stability, security, and functionality of the Service. Server log files are automatically deleted after 14 days unless retention is required for security investigations.

5. Purpose & Legal Basis

We process your data for the following purposes:

  • Service delivery (Art. 6(1)(b) GDPR): To provide the core functionality of event creation, photo sharing, and gallery management
  • Account management (Art. 6(1)(b) GDPR): To create and maintain your account and authenticate your identity
  • Service improvement (Art. 6(1)(f) GDPR): To analyze usage patterns and improve the app experience. Our legitimate interest is optimizing the Service for all users.
  • Security and fraud prevention (Art. 6(1)(f) GDPR): To detect and prevent misuse, unauthorized access, and security threats
  • Legal compliance (Art. 6(1)(c) GDPR): To comply with applicable laws and regulations
  • Consent-based processing (Art. 6(1)(a) GDPR): Where you have given express consent, for example when using third-party authentication providers

6. Data Storage & Security

Your photos and media are stored on Cloudflare R2 (S3-compatible object storage) with industry-standard encryption at rest. Account data is stored in a secured database with access controls. We use HTTPS/TLS encryption for all data in transit and employ role-based access controls to protect data at rest.

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), specifically the United States. We ensure appropriate safeguards are in place for such transfers:

  • Cloudflare, Inc. (USA): Stores photos and media on Cloudflare R2. Cloudflare is certified under the EU-U.S. Data Privacy Framework (DPF), providing an adequate level of data protection as recognized by the European Commission. Additionally, Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR are in place.
  • Google LLC (USA): Processes authentication data when you sign in with Google. Google is certified under the EU-U.S. Data Privacy Framework.
  • Apple Inc. (USA): Processes authentication data when you sign in with Apple. Transfers are safeguarded by Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

You may request a copy of the applicable transfer safeguards by contacting us at .

8. Third-Party Services

We use the following third-party services, each acting as a data processor on our behalf pursuant to Art. 28 GDPR, unless otherwise noted:

  • Cloudflare R2 (Cloudflare, Inc.): Cloud storage for photos and media. Data shared: uploaded files and associated metadata. Cloudflare acts as a data processor under a Data Processing Agreement.
  • Google Sign-In (Google LLC): Optional authentication provider. Data shared: authentication token, email address, and display name as provided by Google. Google acts as an independent data controller for its own processing; refer to Google's Privacy Policy.
  • Apple Sign-In (Apple Inc.): Optional authentication provider. Data shared: authentication token, email address (if provided), and display name. Apple acts as an independent data controller for its own processing; refer to Apple's Privacy Policy.

9. Data Retention

We retain your data only as long as necessary for the respective purpose:

  • Account data: For the duration of your account. Deleted within 30 days after account deletion.
  • Guest data: For the duration of the associated event. Deleted when the event is deleted by the host.
  • User content (photos): For the duration of the associated event. Photos may remain available to other event participants after your account deletion until the event host deletes the event.
  • Event data: For the duration of the event as determined by the event host. Deleted when the event is deleted.
  • Server log files: Automatically deleted after 14 days.
  • Device and usage data: Retained in anonymized form for up to 12 months for service improvement purposes.

10. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15 GDPR): Request a copy of your personal data and information about its processing
  • Right to rectification (Art. 16 GDPR): Correct inaccurate or incomplete personal data
  • Right to erasure (Art. 17 GDPR): Request deletion of your personal data where no legal basis for continued processing exists
  • Right to restrict processing (Art. 18 GDPR): Request restriction of processing under certain circumstances
  • Right to data portability (Art. 20 GDPR): Receive your data in a structured, commonly used, machine-readable format where processing is based on consent or contract and carried out by automated means
  • Right to object (Art. 21 GDPR): Object to processing based on legitimate interests (Art. 6(1)(f) GDPR). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
  • Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, contact us at . We will respond within one month of receiving your request, as required by Art. 12(3) GDPR.

You also have the right to lodge a complaint with the competent supervisory authority:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart, Germany
Email: [email protected]
Website: www.baden-wuerttemberg.datenschutz.de

11. Data Provision Requirements

Providing your email address is required to create a registered account. Without it, you cannot use the full functionality of the Service, but you may join events as a guest with limited functionality. Uploading photos and media to events is voluntary. If you choose not to provide optional data, the corresponding features may not be available to you.

12. Automated Decision-Making

We do not use automated decision-making or profiling as defined in Art. 22 GDPR. No decisions with legal or similarly significant effects are made about you based solely on automated processing.

13. Cookies & Tracking

The SunUp mobile app does not use cookies. The SunUp website uses only technically necessary cookies that are essential for the functionality of the site (§ 25(2) TDDDG). These cookies do not require consent. We do not use third-party tracking, analytics, or advertising cookies.

14. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that data promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the App or by email before the changes take effect. The "Last updated" date at the top indicates the most recent revision. We encourage you to review this policy periodically.

16. Contact

For privacy-related inquiries, contact us at: