Privacy Policy

1. Controller

Null Editions — Martin Keller
Schützenallee 9
38644 Goslar
Germany
Email: contact@vanitasdigital.art

No data protection officer is appointed.

2. Data We Process

2.1 Landing page (vanitasdigital.art)

This static landing page does not use forms, payment processes, email capture, analytics, or tracking cookies. Typography is served from VANITAS-controlled static files — no external font provider is contacted. Technical access logs (IP address, date, requested URL, HTTP status, referrer, user agent) are processed automatically by the hosting infrastructure (Vercel, Inc.) for operational security.

2.2 Purchase and access flow (app.vanitasdigital.art)

The VANITAS application processes the following data:

  • Email address — provided by you at checkout; used to deliver your access link and for contract fulfilment
  • Payment data — processed exclusively by Stripe, Inc. (PCI-DSS certified); we do not store card numbers or full payment credentials
  • Stripe session ID and event ID — received via Stripe webhook; used for idempotency and fraud prevention
  • Patron number — assigned after payment confirmation; uniquely identifies your access
  • Access token hash — stored as a SHA-256 hash only; the plaintext token is never retained
  • Visit timestamps and counter (ritual_visits, ritual_last_date) — logged to personalise the ritual interface
  • Email delivery log (status, error records) — internal operational data
  • Server access logs — as described under 2.1; applies equally to app.vanitasdigital.art

2.3 Analytics and tracking

We use no analytics tools (Google Analytics, Matomo, or similar), no advertising tracking services, and no third-party tracking cookies.

2.4 Typography

All typefaces (Cormorant Garamond, Inter) are served from VANITAS-controlled servers. No data is transferred to external font providers.

3. Legal Bases (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)) — purchase processing, patron creation, access delivery, ongoing access management
  • Legal obligation (Art. 6(1)(c)) — retention of purchase records under §147 AO (10 years) and §257 HGB (6 years)
  • Legitimate interest (Art. 6(1)(f)) — server logs for operational security and abuse prevention; processing is limited to what is technically necessary

4. Recipients and Processors

We share data only where necessary for service delivery. Where required, service providers are bound by data processing terms under GDPR Art. 28. We do not sell data.

  • Stripe, Inc. (USA) — payment processing; transfer basis: Standard Contractual Clauses (SCC) and EU-US Data Privacy Framework
  • Resend, Inc. (USA) — transactional email delivery; transfer basis: SCC
  • Render Services, Inc. (USA) — application hosting and database (PostgreSQL); transfer basis: SCC
  • Vercel, Inc. (USA) — landing page hosting (static files; Vercel Analytics disabled); transfer basis: SCC and EU-US Data Privacy Framework

5. Third-Country Transfers

Stripe, Inc., Resend, Inc., Render Services, Inc., and Vercel, Inc. are headquartered in the United States. Data transfers to these providers are made on the basis of Standard Contractual Clauses pursuant to GDPR Art. 46(2)(c), and where applicable on the basis of the EU-US Data Privacy Framework (adequacy decision of the European Commission, July 2023, GDPR Art. 45).

6. Retention Periods

  • Purchase records and transaction data — 10 years (§147 AO)
  • Purchase confirmation emails — 6 years (§257 HGB)
  • Patron access data and ritual counters — duration of active access, plus up to 3 years thereafter (§195 BGB)
  • Server logs — 7–30 days
  • Email delivery logs — up to 90 days after completion

After expiry, data is deleted or anonymised unless a statutory retention obligation applies. Where statutory obligations require retention, data is restricted and processed only for those purposes.

7. Your Rights

You have the following rights under GDPR with respect to your personal data:

  • Access (Art. 15) — what data we hold about you
  • Rectification (Art. 16) — correction of inaccurate data
  • Erasure (Art. 17) — deletion of your data, subject to statutory retention obligations
  • Restriction (Art. 18) — limiting processing in certain cases
  • Portability (Art. 20) — receiving your data in a machine-readable format
  • Objection (Art. 21) — objecting to processing based on legitimate interest

To exercise your rights: contact@vanitasdigital.art

Note: purchase records subject to statutory retention obligations (§147 AO, §257 HGB) cannot be erased before the retention period expires (Art. 17(3)(b) GDPR).

8. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority (GDPR Art. 77). An overview of German supervisory authorities is available from the Federal Commissioner for Data Protection and Freedom of Information at bfdi.bund.de (Supervisory Authorities).

9. No Automated Decision-Making

We do not use automated decision-making or profiling within the meaning of GDPR Art. 22.

Contact

Email: contact@vanitasdigital.art