This privacy policy explains how we process personal data when you use our website, apply for membership, use the member dashboard, register for events, or make payments. The legal framework includes the GDPR and, for cookies/tracking in Germany, Section 25 TDDDG.
1. Controller
Frankfurt International Alumni Association e.V. (FIAA)
Ludwig-Dürr-Straße 14, 63263 Neu-Isenburg, Germany
Email: FIAA2026@yahoo.com
2. Categories of Personal Data
Depending on your use of the platform, we process the following categories:
- Identity data (for example name, email, and in some cases date of birth/nationality)
- Contact and profile data (address, phone, company, position, LinkedIn, bio)
- Membership and association data (membership type, status, voluntary preferences)
- Event and registration data (registration status, attendance, payment status)
- Payment-related data (payment method, status, references, transaction IDs)
- SEPA/bank data where provided and where relevant features are enabled
- Communication data (contact form submissions, newsletter subscription state)
- Public profile data (where enabled by the member: profile slug, headline, city/country, avatar)
- Media-related data (event photos and, where applicable, portrait photo consent records)
- Technical data (IP address, timestamps, security- and rate-limit-related data)
3. Purposes and Legal Bases
We process personal data for the following purposes:
- Website operation and IT security (sessions, abuse prevention, rate-limiting), based on Art. 6(1)(f) GDPR.
- Registration, login, password reset and account management, based on Art. 6(1)(b) GDPR.
- Membership application and membership administration, based on Art. 6(1)(b) GDPR and, where applicable, Art. 6(1)(c) GDPR.
- Member profile and public profile display where enabled by the member, based on Art. 6(1)(a) GDPR (consent) and/or Art. 6(1)(b) GDPR.
- Event management and event registrations (including capacity and cancellation logic), based on Art. 6(1)(b) GDPR.
- Payment processing for paid services via bank transfer and, where enabled, via Stripe, based on Art. 6(1)(b) GDPR and Art. 6(1)(c) GDPR.
- Contact requests via our contact form, based on Art. 6(1)(b) GDPR and/or Art. 6(1)(f) GDPR.
- Newsletter communications, based on Art. 6(1)(a) GDPR (consent, revocable at any time for the future).
- Event photos and documentation: General event documentation, group shots, and atmosphere photos are used for association public relations on the website and social media, based on Art. 6(1)(f) GDPR (legitimate interest). Portrait-style close-ups, images that single out an individual, or specifically staged individual photos are taken and published only with your separate explicit consent under Art. 6(1)(a) GDPR. You may object to being photographed or to the use of a photo before, during, and after the event.
- Administrative accountability and security logging (audit logs), based on Art. 6(1)(f) GDPR.
4. Cookies, Local Storage and Consent Management
We use technically necessary storage mechanisms for authentication and session handling (for example Supabase session cookies).
Your cookie choice is stored on your device only, in the local storage key fiaa-cookie-consent and in the cookie fiaa_cookie_consent; it is not transmitted to third parties.
Optional measurement services (Vercel Analytics and Vercel Speed Insights) are only activated after your consent ("Accept all"). Legal basis: Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. Necessary technologies rely on Section 25(2) no. 2 TDDDG.
5. Recipients and Processors
We use service providers that process data on our behalf, in particular:
- Supabase (database, authentication, storage) – primary location: Frankfurt (eu-central-1)
- Vercel (hosting, serverless functions) – primary location: Frankfurt (fra1), optional analytics/performance measurement
- Stripe (only where online payment is enabled)
Bank transfers are handled through your bank and the association's bank account. Banks act as independent controllers for their own processing operations.
6. International Data Transfers
Primary data processing is configured in the EU (Supabase in Frankfurt, Vercel Functions in Frankfurt). Where providers process data outside the EU/EEA, transfers are carried out only under the conditions of Chapter V GDPR, in particular on the basis of adequacy decisions (Art. 45 GDPR) and/or Standard Contractual Clauses (Art. 46 GDPR).
7. Retention
We keep personal data only as long as necessary for the relevant purpose. Key criteria include the duration of the contractual or membership relationship, the association's organizational needs, IT security, and statutory retention obligations.
- Account/profile data: generally for the duration of membership/use
- Contact submissions: until final handling, then deletion/anonymization as appropriate
- Newsletter data: until unsubscribe/withdrawal
- Payment/accounting data: according to statutory retention periods (typically 6/8/10 years under German commercial/tax law, depending on record type)
- Rate-limit and security-related data: typically short-term and purpose-bound
8. Your Rights
You have the following rights under the GDPR:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object where processing is based on Art. 6(1)(e) or (f) GDPR (Art. 21 GDPR)
- Right to withdraw consent at any time for future processing (Art. 7(3) GDPR)
To exercise your rights, contact us at: FIAA2026@yahoo.com
You may also request a data export or deletion through our website. Before acting on such a request, we confirm that it comes from the account holder using a two-step email verification process.
9. Right to Lodge a Complaint
You may lodge a complaint with a supervisory authority, in particular with the authority responsible in Hesse, Germany:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 3163, 65021 Wiesbaden, Germany
Email: poststelle@datenschutz.hessen.de
Website: https://datenschutz.hessen.de
10. Requirement to Provide Data
Certain data is required for account creation, membership administration, event registration, and payment allocation. Without such data, we may be unable to provide specific services.
11. Automated Decision-Making
We do not carry out solely automated decision-making, including profiling, within the meaning of Art. 22 GDPR.
12. Changes to this Privacy Policy
We update this privacy policy when legal, technical, or organizational conditions change.
