This is an English translation of the German "Datenschutzerklärung" provided for informational purposes. The German version is legally binding; in case of discrepancies between the language versions, the German version prevails (see §17 below).
As of: 2026-04-27
The controller within the meaning of Art. 4 No. 7 GDPR is:
Melvin Ciurletti, operating as a sole proprietor under the name FAER
Stäudach 154
72074 Tübingen
Germany
Email: hello@faer.app
Web: https://www.faer.app
A data protection officer has not been appointed, as the legal thresholds for such an appointment (Art. 37 GDPR, § 38 BDSG (German Federal Data Protection Act)) are not met.
(1) We process personal data exclusively for the purposes described in this Privacy Policy and on the respective legal basis indicated there.
(2) The relevant legal bases in particular are:
(3) Personal data will be erased as soon as the purpose of processing no longer applies and no statutory retention obligations require continued storage. The specific storage periods are indicated for each individual processing activity.
(4) Transmission between end device and server takes place exclusively via encrypted connections (TLS). Authentication is carried out exclusively via time-limited magic-link tokens; persistent passwords are not used. In addition, we take appropriate technical and organisational measures pursuant to Art. 32 GDPR to protect personal data against loss, manipulation and unauthorised access.
With respect to personal data concerning you, you have the following rights vis-à-vis the controller:
An informal message to hello@faer.app is sufficient to exercise your rights. We may request additional information to verify your identity if there is reasonable doubt as to the identity of the requesting person (Art. 12 (6) GDPR).
You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The supervisory authority competent for the controller is:
State Commissioner for Data Protection and Freedom of Information, Baden-Württemberg (LfDI BW)
Office address: Heilbronner Straße 35, 70191 Stuttgart
Postal address: Postfach 10 29 32, 70025 Stuttgart
Phone: +49 (0)711 615541-0
Web: https://www.baden-wuerttemberg.datenschutz.de
(1) The platform is operated on the infrastructure of the following providers:
(2) On every access to the platform, the above-named providers record the following data in server log files:
(3) Legal basis: Art. 6 (1) lit. f GDPR. The legitimate interest consists in providing the platform and in its stable and secure operation.
(4) Storage period: Server log files are deleted after 30 days at the latest, unless they are required for the investigation of a specific security incident.
(5) Third-country transfer: Vercel and Cloudflare are certified under the EU-US Data Privacy Framework. In addition, data processing agreements pursuant to Art. 28 GDPR have been concluded with all the above-named providers; in the case of Vercel and Cloudflare, these include the Standard Contractual Clauses pursuant to Art. 46 (2) lit. c GDPR.
(1) We use exclusively strictly necessary cookies:
visitor_session and exhibitor_session — authentication of login sessions. Storage period: 7 days.anon_id — enables products to be saved in a guest Briefcase before a visitor account has been created. Storage period: up to 12 months.NEXT_LOCALE — stores the language you have selected. Storage period: up to 12 months.(2) In the session storage of your browser (sessionStorage), we store exclusively short-lived, functionally required entries that are automatically removed when the browser tab is closed (in particular a notice of an expired login session and a duplicate-protection measure for page-view counting).
(3) localStorage is not used.
(4) We do not use any tracking, analytics or marketing cookies, and we do not integrate any third-party services for analytics or advertising purposes (e.g. Google Analytics, Meta Pixel). The evaluation of usage signals (such as page-view counts for individual product pages) is performed exclusively server-side and without any persistent identifier on your device.
(5) Legal basis: § 25 (2) no. 2 TDDDG (strictly necessary storage) in conjunction with Art. 6 (1) lit. b GDPR (performance of the user agreement) and Art. 6 (1) lit. f GDPR (legitimate interest in the functional and secure operation of the platform).
(1) To detect and remedy technical errors, we use the service Sentry (Functional Software Inc. d/b/a Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA).
(2) Sentry is operated in the EU data region Frankfurt. Event data is stored exclusively within the EU. Transfers to the USA in the context of group-internal administration or support processes cannot be completely excluded; the contractual bases set out in para. 6 apply to such transfers.
(3) Data processed: error type, stack trace, timestamp, application and runtime context. The following settings are hard-coded in the source and ensure that no personal data is transmitted to Sentry: no transmission of IP addresses or request headers (sendDefaultPii: false), no recording of session replays (replaysSessionSampleRate: 0, replaysOnErrorSampleRate: 0), no performance traces (tracesSampleRate: 0). Sensitive field names (passwords, tokens, session IDs) are removed before storage by automatic data-scrubbing rules. In addition, email addresses appearing in event payloads, breadcrumbs and log messages are redacted prior to transmission by a server-side before_send hook (backend) and a client-side beforeSend hook (frontend).
(4) Legal basis: Art. 6 (1) lit. f GDPR. The legitimate interest consists in the stability, security and reliability of the platform.
(5) Storage period: Event data is automatically deleted at Sentry after 30 days.
(6) A data processing agreement pursuant to Art. 28 GDPR exists with Sentry, including the Standard Contractual Clauses pursuant to Art. 46 (2) lit. c GDPR; Sentry is additionally certified under the EU-US Data Privacy Framework.
(1) The following mandatory data is collected for the registration of an Exhibitor account:
(2) In the Exhibitor profile, a contact email address and a website may optionally be entered. Both entries are displayed publicly on the Exhibitor's event and product pages.
(3) Authentication is carried out exclusively via magic link: on every login without an active session, an email containing a single-use login link is sent to the registered email address. Passwords are neither used nor stored.
(4) B2B confirmation: Before every paid event booking, Exhibitors confirm via checkbox that they are acting as entrepreneurs within the meaning of § 14 BGB (German Civil Code) and are using the platform exclusively for their commercial or self-employed professional activity. To comply with the statutory requirement to demonstrate the B2B character of the contractual relationship, we log, together with this confirmation, the time of confirmation, the wording of the displayed confirmation text, and a cryptographic hash (HMAC-SHA256) of the IP address calculated using an internal key. The IP address is not stored in plain text. Legal basis: Art. 6 (1) lit. b GDPR (the B2B confirmation is a prerequisite for concluding the paid use and event agreement) as well as Art. 6 (1) lit. f GDPR; the legitimate interest consists in compliance with the accountability obligation pursuant to Art. 5 (2) GDPR and in the ability to provide audit-grade evidence of the B2B character of the contractual relationship.
(5) Team members: An Exhibitor account owner can add further persons to the Exhibitor account via email invitation. For team members, only the email address is processed. Team members are entitled to the data-subject rights listed in §3 directly vis-à-vis us. Legal basis: Art. 6 (1) lit. b GDPR (performance of the user agreement with the Exhibitor) as well as Art. 6 (1) lit. f GDPR (legitimate interest in attributing accesses within an Exhibitor account).
(6) Legal basis (paras. 1–3): Art. 6 (1) lit. b GDPR (performance of the user agreement).
(7) Storage period: Until deletion of the Exhibitor account; for team members, until their departure or until deletion of the Exhibitor account. After deletion, the data is also overwritten in the database backups within 30 days. Tax- and invoice-relevant data is retained beyond account deletion within the scope of statutory retention obligations (in particular § 147 AO (German Fiscal Code), § 257 HGB (German Commercial Code), up to 10 years).
(1) For the processing of paid event bookings, we use the payment service provider Lemon Squeezy. The provider is Sold through Link, LLC (f/k/a Lemon Squeezy LLC), 222 South Main Street, Suite 500, Salt Lake City, UT 84101, USA.
(2) Lemon Squeezy acts as the Merchant of Record, i.e. as an independent seller vis-à-vis the Exhibitor and as an independent controller for the payment processing. The privacy provisions of Lemon Squeezy apply supplementarily to the processing of payment data: https://www.lemonsqueezy.com/privacy.
(3) The following data is processed in connection with the payment:
Transmitted from us to Lemon Squeezy (at the start of the checkout): product and quantity details of the booking (variant and number of event days), internal reference IDs for subsequent assignment of the booking (Exhibitor ID, internal event token), and the return URL after completion of the checkout. No transmission of personal data of the Exhibitor (name, email address, billing address, VAT ID) from us to Lemon Squeezy takes place; such information is entered by the Exhibitor exclusively directly on the Lemon Squeezy checkout page.
Transmitted from Lemon Squeezy to us (after successful purchase, via webhook): order ID and invoice number, amount paid and currency, number of days booked, timestamp and status of the order (paid / refunded), tax information, and the billing data entered by the Exhibitor at Lemon Squeezy (name, email address, billing address). This data is used to assign the booking, to archive the invoice, and to fulfil statutory tax record-keeping obligations.
Payment-instrument data (e.g. credit card numbers, IBAN) is collected exclusively by Lemon Squeezy and is at no time transmitted to us.
(4) Legal basis: Art. 6 (1) lit. b GDPR (performance of the contract) and Art. 6 (1) lit. c GDPR (legal obligation regarding invoicing and bookkeeping).
(5) Third-country transfer: The transfer is based on the Standard Contractual Clauses pursuant to Art. 46 (2) lit. c GDPR.
(6) Storage period: The order and invoice data received by us is stored within the scope of the statutory retention obligations for invoices and accounting records (in particular § 147 AO, § 257 HGB, up to 10 years). The storage period of the payment data processed by Lemon Squeezy itself is governed by Lemon Squeezy's own privacy provisions.
(1) For the delivery of transactional emails, we use the service Resend. The provider is Plus Five Five, Inc. (Resend), 2261 Market Street #5039, San Francisco, CA 94114, USA. The messages sent include, in particular:
(2) Data processed: the recipient's email address and the content of the respective message.
(3) Legal basis: Art. 6 (1) lit. b GDPR (performance of the user agreement) and — for consent confirmations with withdrawal link — Art. 6 (1) lit. c GDPR (fulfilment of the obligation under Art. 7 (3) GDPR to make the withdrawal of a consent as easy as its granting).
(4) Storage period: Delivery logs are retained at Resend for a maximum of 30 days.
(5) Third-country transfer: A data processing agreement exists with Resend, including the Standard Contractual Clauses pursuant to Art. 46 (2) lit. c GDPR.
(1) Emails that you send to hello@faer.app or to other addresses under the domain faer.app are processed using Google Workspace. The provider is Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, with involvement of infrastructure operated by Google LLC, Mountain View, California, USA.
(2) Data processed: the sender's email address, the content of the message, and technical metadata (timestamps, IP addresses in the mail headers).
(3) Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in efficient support communication) as well as Art. 6 (1) lit. b GDPR for requests within the scope of existing or prospective contractual relationships.
(4) Storage period: Until the conclusion of the respective communication, plus any applicable statutory retention periods for business correspondence (§ 147 AO, § 257 HGB).
(5) Third-country transfer: Google is certified under the EU-US Data Privacy Framework. In addition, a Data Processing Amendment pursuant to Art. 28 GDPR is in place, including the Standard Contractual Clauses pursuant to Art. 46 (2) lit. c GDPR.
(1) Visitors to the platform may optionally create a personal account in order to save product pages they have visited in a personal area ("Briefcase").
(2) Data processed:
The Briefcase contains exclusively references to the respective product pages, not copies of their content. Authentication is carried out exclusively via magic link; passwords are neither used nor stored.
(3) Legal basis: Art. 6 (1) lit. b GDPR (user agreement for the Visitor account).
(4) Storage period: Until deletion of the Visitor account.
(5) Consequences of account deletion: Upon deletion of the Visitor account, account data and Briefcase entries are irrevocably deleted. At the same time, all consents granted by the Visitor are withdrawn with immediate effect; the corresponding lead records are removed from the live views of the affected Exhibitors (see §14 and §15). The consent log is maintained for evidentiary purposes in accordance with §15 (4).
(1) Exhibitors make product pages available on the platform. Such pages are as a rule publicly accessible. The mere retrieval of a product page does not require the Visitor's consent and does not entail the disclosure of personal data by the Visitor.
(2) Event-related short links and QR codes redirect to the associated product pages. The validity of these short links is tied to the respective booked event period; after its expiry, the short link is no longer active.
(3) Upon retrieval of a product page, only the server log data described in §5 is recorded. No identification of individual Visitors or personalised evaluation of visit or scan behaviour takes place. For statistical evaluation of usage, we collect exclusively aggregated, non-personal usage data (in particular page-view and scan counts) without any persistent identifier on the Visitor's device; these aggregated values may be provided to the Exhibitor as part of the Exhibitor analytics.
(4) On the product page, Visitors may consent by a single click to having the email address stored in their Visitor account passed on to the Exhibitor of the product page. §14 (Lead data) and §15 (Consent management) apply in addition to such transfer.
(1) Visitors may, with express consent, cause the email address stored in their Visitor account to be passed on to the relevant Exhibitor ("Lead") from a product page or after scanning an Exhibitor QR code. The granting of consent is governed by §15.
(2) The controller within the meaning of Art. 4 No. 7 GDPR for the lead data is the relevant Exhibitor, not the operator of the platform. The platform operator processes lead data exclusively as a processor within the meaning of Art. 28 GDPR and on documented instructions of the Exhibitor.
(3) The platform operator does not use the lead data for its own purposes — in particular not for its own marketing, not for cross-Exhibitor profiling, and not for training models on personal data.
(4) The details of the commissioned processing are governed by a separate data processing agreement between the platform operator and the respective Exhibitor, available at https://www.faer.app/en/dpa.
(5) Legal basis (from the Visitor's perspective): Art. 6 (1) lit. a GDPR (consent vis-à-vis the Exhibitor).
(6) Storage period: The storage period of the lead data within the Exhibitor's system is determined by the Exhibitor on its own responsibility. In the event of a withdrawal, the lead data is removed from the live leads accessible to the Exhibitor in accordance with §15 (4).
(1) The collection and processing of lead data by the Exhibitor is based exclusively on an express, actively granted consent by the Visitor (Art. 6 (1) lit. a, Art. 7 GDPR). Pre-selected consents are not used.
(2) For evidentiary purposes pursuant to Art. 7 (1) GDPR, we log the following information for each consent in a consent log:
(3) Withdrawal: Visitors may withdraw a granted consent at any time with effect for the future, without affecting the lawfulness of processing carried out before the withdrawal. The withdrawal must be as easy to perform as the granting of consent (Art. 7 (3) GDPR). The following withdrawal channels are available:
hello@faer.app(4) Upon the withdrawal taking effect, the corresponding lead record is removed from the live leads accessible to the Exhibitor. The withdrawal itself and the originally granted consent remain in the consent log and continue to be documented there for evidentiary purposes.
(5) Legal basis for maintaining the consent log: Art. 6 (1) lit. c GDPR (statutory duty of proof under Art. 7 (1) GDPR) as well as Art. 6 (1) lit. f GDPR (legitimate interest in audit-grade evidence).
We reserve the right to adjust this Privacy Policy in order to take account of changes in legal requirements or changes to our services. The current version is available at the URL assigned to this Privacy Policy. The date of the last update is noted at the beginning of this policy. In the event of material changes, we will additionally inform you in an appropriate manner (e.g. by email to registered users).
This Privacy Policy is provided in a German and an English version. Only the German version is legally binding. The English version is provided for informational purposes only; in the event of discrepancies or differences in interpretation between the language versions, the German version prevails.
As of: 2026-04-27