Privacy Policy

1. Data Protection at a Glance

General Information

The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you. For detailed information on the subject of data protection, please refer to our privacy policy listed below.

Data Collection on This Website

Who is responsible for data collection on this website?

Data processing on this website is carried out by the website operator. You can find their contact details in the section “Responsible Party” in this privacy policy.

How do we collect your data?

Your data is collected when you provide it to us, e.g. by entering data into a contact form or when registering a user account. Other data is automatically collected or collected with your consent when you visit the website by our IT systems. This is primarily technical data (e.g. internet browser, operating system, or time of page access). This data is collected automatically as soon as you enter this website.

What do we use your data for?

Some of the data is collected to ensure the error-free provision of the website. Other data may be used to analyze your user behavior. In addition, we process data for payment processing and to provide our services.

What rights do you have regarding your data?

You have the right to receive information about the origin, recipients, and purpose of your stored personal data free of charge at any time. You also have the right to request the correction or deletion of this data. If you have given your consent to data processing, you can revoke this consent at any time for the future. You also have the right, under certain circumstances, to request the restriction of the processing of your personal data and the right to lodge a complaint with the competent supervisory authority.

2. Responsible Party

The responsible party for data processing on this website is:

Hoever & Kirchhartz – Groupies GbR
Thomas Kirchhartz
Auf dem Rott 13
50259 Pulheim, Germany

Email: datenschutz@getgroupies.app

The responsible party is the natural or legal person who, alone or jointly with others, decides on the purposes and means of processing personal data (e.g. names, email addresses, etc.).

3. General Information and Mandatory Disclosures

Data Protection

The operators of this website take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations, in particular the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications Digital Services Data Protection Act (TTDSG), as well as this privacy policy.

We would like to point out that data transmission over the Internet (e.g. when communicating by email) can have security gaps. Complete protection of data against access by third parties is not possible.

Storage Duration

Unless a more specific storage period has been specified in this privacy policy, your personal data will remain with us until the purpose for which it was collected no longer applies. If you assert a legitimate request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g. tax or commercial law retention periods); in the latter case, deletion will take place after these reasons cease to apply.

Information on Data Transfers to Third Countries

We use, among other things, tools from companies based in third countries outside the EU, particularly the USA. When these tools are active, your personal data may be transferred to and processed in these third countries. We point out that no level of data protection comparable to that in the EU can be guaranteed in these countries. For the transfer of personal data to the USA, we rely – where available – on the adequacy decision of the EU Commission under the EU-US Data Privacy Framework (DPF) pursuant to Art. 45 GDPR as well as Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR.

Revocation of Your Consent to Data Processing

Many data processing operations are only possible with your express consent. You can revoke consent you have already given at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation.

Right to Object to Data Collection in Special Cases (Art. 21 GDPR)

If data processing is based on Art. 6(1)(e) or (f) GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation. The respective legal basis on which processing is based can be found in this privacy policy. If you object, we will no longer process your affected personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the assertion, exercise, or defense of legal claims.

Right to Lodge a Complaint with the Supervisory Authority

In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work, or the place of the alleged infringement (Art. 77 GDPR). The right to lodge a complaint exists without prejudice to other administrative or judicial remedies. The competent supervisory authority for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Postfach 20 04 44
40102 Düsseldorf, Germany
https://www.ldi.nrw.de

Right to Data Portability (Art. 20 GDPR)

You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done to the extent that it is technically feasible.

Access, Correction, and Deletion

Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipients, and the purpose of data processing (Art. 15 GDPR) and, if applicable, a right to correction (Art. 16 GDPR) or deletion (Art. 17 GDPR) of this data. You can contact us at any time regarding this and other questions on the subject of personal data.

Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request the restriction of the processing of your personal data if you dispute the accuracy of the data, the processing is unlawful, we no longer need the data, or you have objected to the processing.

SSL/TLS Encryption

For security reasons and to protect the transmission of confidential content, such as inquiries you send to us as the site operator, this site uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.

4. Hosting

We host the content of our website with the following providers:

Vercel

The provider is Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA (“Vercel”). Vercel is a cloud platform through which we provide our website. When you visit our website, your personal data is processed on Vercel’s servers. In particular, your IP address, browser type, operating system, the page accessed, and the date and time of access may be transmitted to Vercel.

The use of Vercel is based on Art. 6(1)(f) GDPR. We have a legitimate interest in a reliable and performant presentation of our website. If consent has been requested, processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and Section 25(1) TTDSG.

Vercel processes data in the USA, among other places. Data transfer to the USA is based on the Standard Contractual Clauses of the EU Commission pursuant to Art. 46(2)(c) GDPR. Vercel is also certified under the EU-US Data Privacy Framework. Details can be found in Vercel’s privacy policy: https://vercel.com/legal/privacy-policy.

The Data Processing Addendum with Vercel is available at: https://vercel.com/legal/dpa.

Vercel Blob Storage

We use Vercel Blob Storage to store media content (e.g. images) uploaded through our content management system. Processing is based on Art. 6(1)(f) GDPR (legitimate interest in efficient media management).

5. Data Collection on This Website

Server Log Files

The website provider automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

Browser type and version
Operating system used
Referrer URL
Host name of the accessing computer
IP address
Time of the server request

This data is not merged with other data sources. The collection of this data is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website – server log files must be collected for this purpose.

Cookies

Our websites use so-called “cookies.” Cookies are small data packages that do not cause any damage to your device. They are stored either temporarily for the duration of a session (session cookies) or permanently (persistent cookies) on your device. Session cookies are automatically deleted at the end of your visit. Persistent cookies remain stored on your device until you delete them yourself or they are automatically deleted by your web browser.

Cookies that are required for the electronic communication process, for the provision of certain functions you have requested (e.g. shopping cart function), or for the optimization of the website (e.g. cookies for measuring web audiences) (necessary cookies) are stored on the basis of Art. 6(1)(f) GDPR and Section 25(2) TTDSG, unless another legal basis is specified. The website operator has a legitimate interest in storing necessary cookies for the technically error-free and optimized provision of its services.

If consent to the storage of cookies and comparable recognition technologies has been requested, processing is carried out exclusively on the basis of this consent (Art. 6(1)(a) GDPR and Section 25(1) TTDSG); consent can be revoked at any time.

You can set your browser to inform you about the setting of cookies and only allow cookies on a case-by-case basis, exclude the acceptance of cookies for certain cases or in general, and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be limited.

Registration and User Account

You can create a user account on our website. Registration is carried out via a so-called magic link: you enter your email address and receive a one-time login link by email. As part of the registration and use of the account, we process the following data:

Email address
Time of registration and logins
Usage data related to the creation and editing of film projects

Processing is based on Art. 6(1)(b) GDPR for contract fulfillment or the implementation of pre-contractual measures. Your data is stored as long as your user account exists. When the account is deleted, your data will be deleted unless statutory retention obligations prevent this.

Contact by Email

If you contact us by email, your inquiry including all resulting personal data (name, email address, content of the inquiry) will be stored and processed by us for the purpose of handling your request. We will not pass on this data without your consent.

The processing of this data is based on Art. 6(1)(b) GDPR if your inquiry is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of inquiries directed to us (Art. 6(1)(f) GDPR).

6. Cloud Services and Infrastructure

Amazon Web Services (AWS)

We use various services from Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, USA (“AWS”) to operate our platform:

Amazon S3 & CloudFront: Storage and delivery of media content (e.g. created videos) via a content delivery network. IP addresses and access data may be processed.
Amazon SES (Simple Email Service): Sending transactional emails, including login links (magic links), reminders, and notifications. Email address, timestamp, and email metadata are processed.
AWS Lambda: Server-side processing of video content as part of our film rendering process.

The servers we use are located in the AWS region eu-central-1 (Frankfurt am Main, Germany). Processing is based on Art. 6(1)(b) GDPR (contract fulfillment) and Art. 6(1)(f) GDPR (legitimate interest in secure and efficient operation). Where data processing takes place in the USA, we rely on Standard Contractual Clauses and AWS’s certification under the EU-US Data Privacy Framework.

More information on data protection at AWS can be found at: https://aws.amazon.com/privacy/.

MongoDB Atlas

We use MongoDB Atlas, a database cloud service provided by MongoDB, Inc., 1633 Broadway, 38th Floor, New York, NY 10019, USA, for storing user data and content. The database stores, among other things, user account data, project data, and content.

Processing is based on Art. 6(1)(b) GDPR (contract fulfillment) and Art. 6(1)(f) GDPR (legitimate interest). For third-country transfers to the USA, we rely on Standard Contractual Clauses and the EU-US Data Privacy Framework. More information can be found at: https://www.mongodb.com/legal/privacy-policy.

7. Consent Management

Silktide Cookie Consent Manager

We use the Silktide Cookie Consent Manager to obtain and manage your consent for the storage of cookies and similar technologies. The provider is Silktide Ltd., Brunel Parkway, Pride Park, Derby, DE24 8HR, United Kingdom.

When you visit our website, the Silktide Consent Manager is loaded and displays a cookie banner that allows you to grant or deny consent for various cookie categories. The tool stores your consent decision in a cookie on your device so that it can be retrieved on subsequent page visits and your preferences are preserved for the duration of the cookie’s lifetime.

The use of the Silktide Consent Manager is based on Art. 6(1)(c) GDPR (legal obligation) in conjunction with Section 25 TTDSG, as we are legally required to obtain consent for certain cookies and technologies. The consent cookie itself is technically necessary and does not require consent (Section 25(2) TTDSG).

More information can be found in Silktide’s privacy policy: https://www.silktide.com/privacy-policy/.

8. Analytics Tools and Advertising

Google Tag Manager

We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

Google Tag Manager is a tool that allows us to integrate tracking or statistics tools and other technologies on our website. Google Tag Manager itself does not create user profiles, does not store cookies, and does not perform any independent analyses. It only serves to manage and deliver the tools integrated through it. However, Google Tag Manager does collect your IP address, which may also be transferred to Google’s parent company in the USA.

The use of Google Tag Manager is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the quick and uncomplicated integration and management of various tools on its website. If consent has been requested, processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and Section 25(1) TTDSG.

Google processes data in the USA, among other places. Google is certified under the EU-US Data Privacy Framework. More information: https://policies.google.com/privacy.

Meta Pixel (Facebook Pixel)

We use the Meta Pixel (formerly Facebook Pixel) on our website. The provider is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (“Meta”). The parent company is Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA.

The Meta Pixel is an analytics tool that allows us to measure the effectiveness of our advertisements on Facebook and Instagram and to improve our offering. The pixel tracks your user behavior on our website (e.g. page views) and transmits this data to Meta. This enables us to:

Measure the reach of our advertising campaigns (conversion tracking)
Define target audiences for advertisements (custom audiences)
Optimize our offering and advertising

The following data is processed through the Meta Pixel:

HTTP header information (IP address, browser type, operating system, language)
Pixel-specific data (pixel ID, Facebook cookie)
Data about clicked buttons and visited pages
Device information

The Meta Pixel is only activated after your explicit consent. The consent manager requests your approval for the “Advertising” category before the pixel is loaded. Without your consent, no data is transmitted to Meta.

Processing is based on Art. 6(1)(a) GDPR (consent) and Section 25(1) TTDSG. You can revoke your consent at any time via the cookie banner (consent manager).

Meta processes data in the USA, among other places. Meta is certified under the EU-US Data Privacy Framework. In addition, Meta uses Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

More information about data protection at Meta can be found at: https://www.facebook.com/privacy/policy/. You can also object to tracking by the Meta Pixel via the Facebook settings: https://www.facebook.com/settings?tab=ads.

9. Payment Providers

For payment processing on our website, we use the payment service provider described below.

Stripe

The provider for customers within the EU is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (“Stripe”). The parent company is Stripe, Inc., 354 Oyster Point Blvd., South San Francisco, CA 94080, USA.

When you choose to pay via Stripe, the payment data you enter (e.g. name, card number, amount, currency) is transmitted to Stripe. Stripe processes this data for payment processing and fraud prevention.

Data processing is based on Art. 6(1)(b) GDPR (contract fulfillment). Where Stripe uses cookies for fraud detection, this is based on Art. 6(1)(f) GDPR (legitimate interest in preventing fraud).

Stripe processes data in the USA, among other places. Stripe is certified under the EU-US Data Privacy Framework and uses Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. More information: https://stripe.com/privacy.

10. Email Dispatch

Amazon SES

For sending transactional emails (e.g. login links, reminders, notifications), we use Amazon Simple Email Service (SES), a service of Amazon Web Services, Inc. (see section “Amazon Web Services”). The recipient’s email address as well as the content and metadata of the email are processed.

Processing is based on Art. 6(1)(b) GDPR (contract fulfillment, e.g. sending login links) and Art. 6(1)(f) GDPR (legitimate interest in the reliable dispatch of business-related emails).

11. Social Media

Sharing Functions (Share Buttons)

On our website, we offer the option to share content via social networks (Facebook, X/Twitter, LinkedIn, Facebook Messenger). We use plain share links for this purpose, which only transmit data to the respective social network when you actively click on them. When you simply visit our website, no data is transmitted to the social networks.

Only when you click on one of the share buttons will you be redirected to the respective platform. From that point on, the privacy policy of the respective provider applies.

The integration is based on Art. 6(1)(f) GDPR. We have a legitimate interest in enabling our users to easily share content.

12. Plugins and Tools

Fonts (Local Hosting)

This website uses locally hosted fonts for a uniform display of typefaces. The fonts are installed on our servers. No connection to external servers of font providers (e.g. Google) is established.

13. Data Processing Agreements

We have concluded data processing agreements (DPA) pursuant to Art. 28 GDPR with our service providers (including Vercel, AWS, Stripe, MongoDB). These agreements ensure that the service providers process the personal data of our website visitors and users only according to our instructions and in compliance with the GDPR.

Where we act as a data processor on behalf of our customers, the provisions of our Data Processing Agreement (DPA) apply.

Last updated: April 2026