Privacy Policy

Data Controller:
Boris Arapovic
Veilchenweg 3, 4531 Kematen an der Krems, Austria
Email: contact@wanderstones.net

Overview of Processing Activities

The following overview summarizes the types of data processed, the purposes of processing, and the categories of data subjects.

Types of data processed:

  1. Personal data (e.g., email address, year of birth, gender, country, username, language, IP addresses)

  2. Content-related data (e.g., information about stones such as name, location found, uploaded images)

  3. Community interactions (e.g., comments, likes)

Categories of data subjects:
Users

Purposes of processing:

  • Communication

  • Security measures

  • Feedback

  • Provision of our online services and ensuring user-friendliness

  • Information technology infrastructure

Recipients of Personal Data

In the course of our business activities, we work with various external service providers. This may require the transfer of personal data to these external parties. We only share personal data when this is necessary, when we are legally obligated to do so (e.g., transmission of data to tax authorities), when there is a legitimate interest pursuant to Art. 6(1)(f) GDPR, or when another legal basis permits such transfer.

When using processors, we only share personal data based on a valid data processing agreement. In cases of joint processing, a joint processing agreement is concluded.

Who has access to personal data and with whom is it shared?

IT Hosting Provider:
This website and its backend are externally hosted. The personal data collected through this website are stored on the host’s servers. This may include IP addresses, metadata, communication data, usernames, email addresses, and content data. External hosting is used for the secure, fast, and efficient provision of our online services by a professional provider (Art. 6(1)(f) GDPR).
If consent has been requested, processing is carried out solely on the basis of Art. 6(1)(a) GDPR. Our hosting provider(s) will process your data only to the extent necessary to fulfill their contractual obligations and will follow our instructions.

Provider: Hostinger (Lithuania)
Privacy Policy: https://www.hostinger.com/de/legal/datenschutz-bestimmungen

CDN Provider:
We use a Content Delivery Network (CDN) service to deliver stone and profile images more securely and quickly via regionally distributed servers.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Provider: Bunny.net (formerly BunnyCDN), Slovenia
Privacy Policy: https://bunny.net/privacy/

Google Services (including Firebase):
Used for email login and push notifications regarding stone discoveries.
Provider: Google LLC, California, USA
Privacy Policy: https://policies.google.com/privacy?hl=en

OpenStreetMap:
We integrate maps from “OpenStreetMap,” offered under the Open Data Commons Open Database License (ODbL) by the OpenStreetMap Foundation (OSMF). User data are used solely for displaying map functions and storing user settings. Such data may include IP addresses and location data, but only with the user's consent (typically via device or browser settings).
Provider: OpenStreetMap Foundation (OSMF)
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
Website: https://www.openstreetmap.de
Privacy Policy: https://osmfoundation.org/wiki/Privacy_Policy

Legal Bases under the GDPR

Below is an overview of the GDPR legal bases for processing personal data. Please note that national data protection laws may also apply in your or our country of residence. If more specific legal bases apply in certain cases, we will inform you in this privacy policy.

  • Consent (Art. 6(1)(a) GDPR): The data subject has given consent for specific purposes.

  • Contract performance or pre-contractual measures (Art. 6(1)(b) GDPR): Processing is necessary to fulfill a contract or respond to pre-contractual requests.

  • Legitimate interests (Art. 6(1)(f) GDPR): Processing is necessary for the legitimate interests of the controller or a third party, provided such interests are not overridden by the data subject’s rights and freedoms.

International Data Transfers

Processing in Third Countries:
Where we transfer data to countries outside the European Union (EU) or the European Economic Area (EEA), such transfers are carried out in compliance with legal requirements.

For data transfers to the USA, we rely primarily on the EU–U.S. Data Privacy Framework (DPF), recognized by the EU Commission on 10 July 2023 as providing an adequate level of protection. In addition, we have concluded Standard Contractual Clauses (SCCs) with our service providers as an additional safeguard.

This dual protection ensures a high level of data security: the DPF serves as the primary protection layer, while the SCCs provide a fallback in case of legal or political changes.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements to ensure a level of protection appropriate to the risk. These include ensuring data confidentiality, integrity, and availability through physical and electronic access controls, encryption, and other security protocols.

Encryption:
We use TLS/SSL encryption (HTTPS) to secure online data transmission. TLS (Transport Layer Security) ensures that information exchanged between the website and the user’s browser is encrypted and protected against unauthorized access. The presence of “HTTPS” in the URL indicates that your connection is secure.

Data Retention and Deletion

We delete personal data in accordance with legal requirements once the purpose of processing no longer applies, consent has been withdrawn, or no other legal basis exists. Exceptions apply when statutory obligations or legitimate interests require longer retention.

Retention periods under Austrian law:

  • 10 years: Accounting records, financial statements, invoices, and related documentation (BAO §132, UGB §§190–212).

  • 6 years: Business correspondence and related documents relevant for taxation.

  • 3 years: Data related to potential warranty or compensation claims (ABGB §§1478, 1480).

Rights of Data Subjects

Under the GDPR (Articles 15–21), you have the following rights:

  • Right to object: You may object at any time to processing based on Art. 6(1)(e) or (f) GDPR, including profiling.

  • Right to withdraw consent: You may withdraw consent at any time.

  • Right of access: You may request confirmation and access to your personal data.

  • Right to rectification: You may request correction or completion of inaccurate or incomplete data.

  • Right to erasure and restriction: You may request deletion or restriction of processing under legal conditions.

  • Right to data portability: You may request your data in a structured, machine-readable format or transfer to another controller.

  • Right to lodge a complaint: You may file a complaint with a supervisory authority, particularly in your country of residence or where a potential violation occurred.

Server Log Files

The hosting provider automatically collects and stores information in server log files that your browser transmits to us. These include:

  • Browser type and version

  • Operating system used

  • Referrer URL

  • Hostname of the accessing computer

  • Time of server request

  • IP address

These data are not merged with other data sources. The collection of these data is based on Art. 6(1)(f) GDPR.