1 — Data controller
The data controller within the meaning of the GDPR is FoolMoon UG (haftungsbeschränkt), a company under German law in the process of incorporation, with its registered office in Rheinau, Baden-Württemberg, Germany.
Data protection officer (DPO) contact: [email address to be added after registration]
2 — Data collected
As part of the FoolMoon service, the following categories of data are processed:
- Mobile phone number — identification of the organiser account, authentication via OTP code, sending SMS invitations to guests.
- First name and surname — personalisation of the SMS messages sent to guests.
- IP address — abuse prevention, platform security, server logs.
- Browsing data — server logs (method, URL, HTTP status, timestamp); retention period of 30 days.
- Calculated risk score — internal abuse-prevention indicator, not disclosed to third parties, not enforceable against the user.
3 — Purposes and legal bases
- Performance of the contract (Art. 6(1)(b) GDPR) — sending SMS invitations, managing guest lists, QR code check-in, post-event photo gallery.
- Legitimate interest (Art. 6(1)(f) GDPR) — detection and prevention of abuse, fraud and uses that do not comply with the terms of use.
- Legal obligation (Art. 6(1)(c) GDPR) — retention of server logs in accordance with applicable legal requirements.
4 — Retention period
- Organiser account data — retained until the account is deleted, or for 2 years in the event of inactivity, then permanently deleted.
- Event photos — automatically deleted 30 days after upload.
- Server logs — retained on a rolling 30-day basis.
- OTP codes — deleted immediately after verification or expiry.
5 — Data recipients
FoolMoon does not resell any personal data. The following processors are involved in the provision of the service and are bound by a GDPR-compliant data processing agreement (DPA):
- Brevo (Sendinblue SAS), Paris, France — sending SMS to guests. DPA signed.
- Twilio Inc., San Francisco, USA — verification (lookup) of the mobile phone number during registration.
- Stripe, Inc., Dublin, Ireland — secure processing of card payments.
- OVH SAS, Roubaix, France — hosting of the application servers and databases.
Transfers outside the EU/EEA (Twilio, Stripe) are governed by the standard contractual clauses (SCCs) approved by the European Commission.
6 — Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure / “right to be forgotten” (Art. 17 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing (Art. 21 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
To exercise these rights, contact us at: [email address to be added]. We will respond within one month in accordance with Art. 12 GDPR.
If the response is unsatisfactory, you may lodge a complaint with the competent supervisory authority in Germany: Landesbeauftragter für Datenschutz und Informationsfreiheit Baden-Württemberg (LfDI BW), Stuttgart.
7 — Cookies
FoolMoon does not use advertising, tracking or third-party analytics cookies. Only session cookies that are strictly necessary for the operation of the service are placed; these do not require prior consent within the meaning of the ePrivacy Directive.