Privacy Policy
1. Introduction and Data Controller
Thank you for your interest in the platform "Sunshine". The protection of your personal data and your privacy is very important to us. In the following, we inform you in accordance with the applicable data protection regulations, in particular the General Data Protection Regulation (GDPR), about the processing of your personal data in connection with the use of our website, web application and services.
Data Controller
Sole Proprietorship
Felix Eschey
Frühlingstraße 1
Kissing, 86438
E-Mail: hi@sunshinesouls.one
The person responsible within the meaning of the GDPR is the above-mentioned person (hereinafter also referred to as "we" or "us").
2. General Information on Data Processing
This privacy policy is intended to give you an overview of which personal data we collect for which purposes and how we process it. It applies to all pages and features of our platform, including (but not limited to) website visits, registration (login/signup), account management, the newsletter function (weekly event preview), Telegram chat integration, and the ability to create, edit, or delete events.
Please note that "Sunshine" only acts as a platform provider. Events can be published by third parties under their own responsibility. Contracts are concluded directly between event organizers and participants. We assume no liability for content posted by users.
3. Data Protection Officer Contact Details
Currently, we have not appointed an external or internal data protection officer. If you have questions about data protection, please contact the responsible person using the contact details above.
4. Legal Basis
We only process your personal data if a legal basis permits it or if you have given us your consent. The relevant legal bases of the GDPR are in particular:
- Art. 6 Para. 1 lit. a GDPR (Consent): When you give us your express consent to process certain data (e.g., when subscribing to the newsletter).
- Art. 6 Para. 1 lit. b GDPR (Contract performance): When processing is necessary for the performance of a contract (e.g., use of your account, implementation of events) or for the implementation of pre-contractual measures.
- Art. 6 Para. 1 lit. c GDPR (Legal obligation): When we are legally obliged to process (e.g., statutory retention periods).
- Art. 6 Para. 1 lit. f GDPR (Legitimate interests): When we have a legitimate interest in processing that does not outweigh your interests or fundamental rights (e.g., ensuring the operation and security of our website or pursuing legal claims).
5. Data Categories and Purposes of Processing
In the context of using our platform, we collect different categories of personal data for the following purposes:
Registration and Login (Signup/Account Management)
- Data categories: Name, email address, password (encrypted), other contact details, profile information if applicable.
- Purpose: Creation and management of your user account, authentication, communication with you.
- Legal basis: Art. 6 Para. 1 lit. b GDPR (contract performance).
Newsletter (Weekly Event Preview)
- Data categories: Email address (and name if applicable), newsletter settings.
- Purpose: Sending the weekly event preview and other information about our platform if applicable.
- Legal basis: Art. 6 Para. 1 lit. a GDPR (consent).
Telegram Chat Integration and Bot Functionality
- Data categories: Telegram username or ID, metadata (date, time of messages), communication content, event information from bot interactions
- Purpose:
  - Sending/receiving weekly event previews or notifications via Telegram
  - Webhook processing of event submissions: Automated capture, validation and processing of event information that users submit via our Telegram bot
  - Interactive event submission: Bot-based user guidance for complete capture of all relevant event details
  - Event publication requests: Processing of user requests to publish events on our platform after successful AI-assisted validation
- Legal basis: Art. 6 Para. 1 lit. b GDPR (contract performance for desired event publication) or Art. 6 Para. 1 lit. f GDPR (legitimate interest in efficient, automated event management)
- Important notes on bot usage:
  - Since Telegram does not provide explicit consent options for bots, using our bot is considered implicit consent to data processing
  - By interacting with our bot and submitting event information, you agree to the processing of this data according to this privacy policy
  - You can stop using the bot at any time by ending interaction with the bot
Event Creation, Editing and Deletion
- Data categories: Event title, description, images/media content, venue, time, organizer contact details (if provided).
- Purpose: Display of events, organization, publication, coordination between participants and organizers if applicable.
- Legal basis: Art. 6 Para. 1 lit. b GDPR (contract performance), as this is part of platform use.
Support & Communication
- Data categories: Inquiries, email address, chat histories (e.g., contact form, email, Telegram).
- Purpose: Processing inquiries, technical support, customer service.
- Legal basis: Art. 6 Para. 1 lit. b GDPR (contract performance) or lit. f GDPR (legitimate interest in customer service).
Voluntary Financial Contributions
- Data categories: Name, email address, payment data (depending on payment method), contribution amount, payment timestamp.
- Purpose: Processing and managing voluntary financial contributions to support the platform.
- Legal basis: Art. 6 Para. 1 lit. b GDPR (contract performance) or lit. a GDPR (consent).
- Note: These are not donations in the tax law sense. No donation receipts are issued.
6. Services Used
6.1 Hosting (Hatchbox and Hetzner)
We use services from Hatchbox as well as server capacities from Hetzner to host our website and web application. This means that all data transmitted via our website is stored on the servers of these service providers.
- Purpose: Provision and operation of our website and web application
- Scope of data: Server log files (e.g., IP address, time of access, requested page), other data transmitted through forms or use
- Legal basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in secure and efficient provision of our online services)
- Data processing agreement: Corresponding contracts (Data Processing Agreement) have been concluded with Hatchbox and Hetzner
- Third country transfer: If server locations outside the EU are used, this is done on the basis of appropriate guarantees (e.g., standard contractual clauses)
6.2 Honeybadger (Error Monitoring)
Honeybadger is a service for error detection (bug tracking) and logging of crashes or code errors in our web application to enable quick and effective problem solving.
- Purpose: Error detection and improvement of our platform's stability
- Scope of data: Possibly IP addresses, device information, time of error, parts of source code, usage data at the moment of error. This data may allow conclusions about the user, but is primarily used for error correction
- Legal basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in a stable and secure web application)
- Data processing agreement: We have a data processing agreement with the provider
- Third country transfer: Honeybadger may be operated in the USA, using appropriate guarantees (e.g., standard contractual clauses)
6.3 Telegram API and Webhook Integration
For Telegram messenger integration and providing our bot functionality, we use the Telegram Bot API with webhook integration.
- Purpose:
  - Sending automated messages and weekly event previews to Telegram users
  - Webhook reception: Receiving and processing messages that users send to our bot
  - Event validation: Automatic verification of event data before forwarding to AI-assisted validation
  - Interactive bot communication: Providing a user-friendly interface for event submissions
- Scope of data: Telegram username or ID, message and communication data, event information from bot interactions, message timestamps
- Legal basis: Art. 6 Para. 1 lit. b GDPR (contract performance for desired event publication) or Art. 6 Para. 1 lit. f GDPR (legitimate interest in efficient, automated event management)
- Webhook security: All incoming webhook data is validated through cryptographic signature verification to ensure authenticity and integrity of messages
- Data protection in webhook processing: Bot messages are only processed for event creation and validation. Personal communication content that is not event-related is not permanently stored
- Third country transfer: Telegram is an international service with servers in locations including Dubai and the Netherlands. Data is transmitted in encrypted form via HTTPS
- Further information: Details about data processing at Telegram can be found at: https://telegram.org/privacy
6.4 ConvertKit (Email Newsletter)
For sending our newsletter, we use ConvertKit.
- Purpose: Management and sending of email newsletters
- Scope of data: Email address, name if applicable, newsletter preferences (e.g., topic selection, frequency)
- Legal basis: Art. 6 Para. 1 lit. a GDPR (consent) for newsletter subscription
- Data processing agreement: We have concluded a data processing agreement with ConvertKit
- Third country transfer: ConvertKit is based in the USA. Data transfer only takes place with appropriate guarantees (e.g., standard contractual clauses) and your consent
6.5 Google Single-Sign-On/Omniauth
We offer the possibility to log in via the Google Single-Sign-On (SSO) authentication service. The service provider in Europe is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
When logging in with Google, the information stored in the Google profile is transmitted. This usually includes name, email and profile picture if applicable. This data is processed by us for the purpose of authentication and user management. Processing is based on your consent according to Art. 6 Para. 1 lit. a GDPR by pressing the login button.
- Purpose: Authentication and user management via Google Single-Sign-On
- Scope of data: Name, email address, profile picture if applicable from Google profile
- Legal basis: Art. 6 Para. 1 lit. a GDPR (consent by pressing the login button)
- Third country transfer: Google also processes your data in the USA. Google participates in the EU-US Data Privacy Framework and uses standard contractual clauses to ensure data protection-compliant transfer
- Revocation: You can revoke your consent at any time via https://adssettings.google.com/authenticated
- Further information: Further information about processing and the purpose of data collection by Google can be found in Google's privacy policy: https://policies.google.com/privacy?hl=en
6.6 Mistral AI (AI-Assisted Event Validation)
For automated review and validation of event submissions from our Telegram integration, we use the AI service Mistral AI.
- Purpose: Automated review of event submissions for completeness, plausibility and compliance with our community guidelines before publication on the platform
- Scope of data: Event title, description, date, time, location, category and other event information provided by users via Telegram. No personal data such as names or contact information is transmitted to Mistral AI.
- Legal basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in efficient, automated quality assurance of our event content)
- Data processing agreement: We have concluded a data processing agreement (DPA) according to Art. 28 GDPR with Mistral AI
- Company: Mistral AI, 15 Rue des Halles, 75001 Paris, France
- Third country transfer: Mistral AI may also process data outside the EU/EEA. Data transfer is based on EU standard contractual clauses and other appropriate guarantees according to Art. 46 GDPR
- Data minimization: Only event content necessary for validation is transmitted. Personal information is removed before transmission
- Storage duration: Event data is immediately deleted or anonymized at Mistral AI after validation
- Further information: Details about data processing at Mistral AI can be found at: https://mistral.ai/privacy/
6.7 Stripe (Payment Processing)
For processing payments, especially for voluntary financial contributions, we use the payment service provider Stripe.
- Purpose: Secure processing of payment transactions for voluntary financial contributions
- Scope of data: Payment information (depending on the chosen payment method, e.g., credit card data, bank account), name, email address, billing address, amount, transaction date
- Legal basis: Art. 6 Para. 1 lit. b GDPR (contract performance) for payment processing
- Data processing agreement: A data processing agreement exists with Stripe for data protection-compliant processing of your data
- Third country transfer: Stripe Inc. is headquartered in the USA and also processes data there in part. Transfer is based on EU standard contractual clauses and other appropriate guarantees according to Art. 46 GDPR
- Further information: Stripe stores, processes and transmits payment data according to applicable PCI-DSS standards. Further information about data protection at Stripe can be found at: https://stripe.com/privacy
6.8 PostHog (Web Analytics and Usage Behavior)
We use PostHog for website usage analysis and platform improvement. PostHog is deployed in cookieless mode to meet the highest data protection standards.
- Purpose: Website usage analysis, user experience improvement, functionality testing, error analysis
- Scope of data:
  - Anonymous usage data (visited pages, clicks, page views)
  - Technical information (browser, operating system, screen resolution)
  - Session recordings (anonymized)
  - No cookies or persistent storage - all data is only temporarily stored in memory
- Legal basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in analyzing and optimizing our platform)
- GDPR-compliant implementation:
  - Cookieless mode: No cookies or local storage are used
  - Memory persistence: All tracking data is only stored in browser memory
  - No cookie banner required: As no persistent storage occurs
  - EU servers: Hosted on European servers (eu.i.posthog.com)
- Data protection guarantees:
  - No personalized profiles or cross-site tracking possible
  - Session data is automatically deleted when browser is closed
  - Complete anonymization of all collected data
- Third country transfer: PostHog is hosted on EU servers. Should data nevertheless be processed outside the EU, this is done on the basis of EU standard contractual clauses
- Data processing agreement: We have concluded a data processing agreement according to Art. 28 GDPR with PostHog
- Further information: Details about data processing at PostHog can be found at: https://posthog.com/privacy
7. Storage Duration and Deletion
We process and store your personal data only as long as it is necessary for the fulfillment of the respective purpose or for compliance with statutory retention periods. After the purpose ceases or statutory periods expire, the data is deleted or blocked.
- Contract data (account data, event data) is stored at least for the duration of the contractual relationship.
- Newsletter data is deleted as soon as you unsubscribe from the newsletter or revoke your consent (unless other retention periods apply).
- Log files are usually anonymized or deleted after 7 days at the latest, unless longer storage is required for security reasons (e.g., to investigate abuse cases).
8. Data Subject Rights
According to Art. 15 ff. GDPR, you as a data subject always have the right to:
- Information about your stored personal data (Art. 15 GDPR).
- Rectification of inaccurate or completion of incomplete data (Art. 16 GDPR).
- Erasure of your data (Art. 17 GDPR), if the prerequisites are met (e.g., if the data is no longer needed for the original purpose).
- Restriction of processing (Art. 18 GDPR).
- Objection to processing (Art. 21 GDPR), especially if this is based on legitimate interests.
- Data portability (Art. 20 GDPR), if you have provided us with the data based on consent or a contract.
To exercise your rights, you can contact us at any time (see data controller). You also have the right to lodge a complaint with a data protection supervisory authority about the processing of your data.
9. Consent and Revocation
Insofar as we process your data on the basis of your consent (Art. 6 Para. 1 lit. a GDPR), you can revoke this consent at any time for the future. The lawfulness of processing carried out until revocation remains unaffected.
A typical use case for consent is newsletter subscription. You can unsubscribe from the newsletter at any time (e.g., via the unsubscribe link contained in every newsletter email or by email to hi@sunshinesouls.one).
10. Data Security
We take appropriate technical and organizational measures to protect your personal data from loss, unauthorized access, manipulation or disclosure. Our website uses state-of-the-art encryption (e.g., SSL/TLS), recognizable by "https://" in the address bar of your browser and a lock symbol in the browser bar.
11. Cookies and Similar Technologies
Our website uses cookies to provide certain functions and improve your user experience. Cookies are small text files that are stored on your device.
Types of Cookies
- Necessary cookies: These are required for the operation of the website (e.g., session cookie). Without these cookies, the use of certain functions is not possible.
Legal Basis
Insofar as cookies are technically necessary for the provision of our services, processing is based on Art. 6 Para. 1 lit. f GDPR (legitimate interest). In all other cases (e.g., for statistical, analysis or marketing purposes), we obtain your consent if legally required (Art. 6 Para. 1 lit. a GDPR).
Cookie Management
You can disable or delete cookies in your browser at any time. However, this may lead to restrictions in functionality.
12. Changes and Updates
We reserve the right to update or change this privacy policy as needed to adapt it to changed legal situations or technical developments. We will inform you about significant changes on our website.
13. Final Provisions and Contact
This privacy policy does not constitute individual legal advice and cannot replace such advice. For binding legal information, please consult a lawyer or data protection officer.
If you have questions about data protection or want to exercise your rights, please contact us by email at hi@sunshinesouls.one or write to us at the postal address:
"Sunshine" (A project by Felix Eschey)
Frühlingstraße 1
Kissing, 86438
Last updated on Sunday, August 31