Privacy Policy
Last updated: 10 May 2026
This Privacy Policy explains how Enrico Leonardo Berardone ("we", "us") processes your personal data when you visit hiddensteps.app or sign up for the HiddenSteps Culture Fest. We comply with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
1. Controller
Enrico Leonardo Berardone, Lange Straße 52, 72525 Münsingen, Germany — enrico@hiddensteps.app. There is no statutory obligation to appoint a Data Protection Officer.
2. What we collect
Landing page signup: email address and language preference.
Event signup form: first name, joining situation (solo / partner / friend / family), group composition, activity preferences and prioritisation, day budget, accommodation status (and an approximate map pin if you place one), allergies and free-text notes, email address, WhatsApp phone number, consent to these terms, language.
Server logs: when you visit the site, our hosting provider automatically processes technical data such as IP address, user agent and timestamps for security and stability purposes (legitimate interest, Art. 6(1)(f) GDPR).
3. Why we process it & legal basis
Performing the registration and organising the event you signed up for — Art. 6(1)(b) GDPR (pre-contractual / contractual measures).
Sending you event-related information by email or WhatsApp — Art. 6(1)(b) GDPR for transactional messages and Art. 6(1)(a) GDPR (your consent) for the WhatsApp Community invitation.
Photos taken at the event — Art. 6(1)(f) GDPR (legitimate interest in documenting the event); you can object at any time.
Compliance with legal obligations — Art. 6(1)(c) GDPR.
4. Hosting & backend (processor)
The website and our database run on Lovable Cloud, which is powered by Supabase (Supabase Inc., infrastructure hosted in the EU). A Data Processing Agreement (DPA) under Art. 28 GDPR is in place. Data is stored on EU servers.
5. WhatsApp Community
After your registration we may invite you to a WhatsApp Community to coordinate the event. Joining is voluntary and based on your consent. The service is operated by WhatsApp Ireland Limited, part of the Meta group. By joining, your phone number and any messages you send become visible to WhatsApp and to other members of the community according to WhatsApp's settings. See WhatsApp's privacy policy: https://www.whatsapp.com/legal/privacy-policy-eea. You can leave the community at any time.
6. Email
We currently send transactional emails (registration confirmation, event updates) manually or via a standard email-sending service. If we add a dedicated provider (e.g. Resend, Mailchimp), we will update this policy and ensure a DPA and — where applicable — EU Standard Contractual Clauses are in place.
7. Analytics & cookies
We currently do not use any third-party analytics or tracking tools and only set cookies that are strictly necessary for the site to function. If we introduce a privacy-friendly analytics tool (e.g. Plausible) or any tool that requires consent, we will update this policy and, where required, ask for your consent via a banner before any non-essential cookie is set.
8. Recipients & transfers outside the EU
Personal data is not sold and not shared with third parties for their own purposes. The only recipients are processors acting on our instructions (hosting, email delivery, WhatsApp). Data is processed within the EU/EEA. If a processor transfers data to a third country (e.g. WhatsApp / Meta), the transfer is based on EU Standard Contractual Clauses or another GDPR transfer mechanism.
9. Retention
Signup data is kept until 12 months after the event for follow-up communication and legal documentation, then deleted, unless a longer retention is required by law (e.g. tax law, up to 10 years where applicable). You can request earlier deletion at any time.
10. Your rights
Under the GDPR you have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20) and to object to processing (Art. 21). Where processing is based on your consent, you may withdraw it at any time with effect for the future (Art. 7(3)). To exercise your rights, contact enrico@hiddensteps.app.
11. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for our location is: Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg, Königstraße 10a, 70173 Stuttgart, Germany.
12. Changes to this policy
We may update this Privacy Policy when our processing changes. The version date above always reflects the current version.