Dashpoint logo

You can request deletion of your Dashpoint account through the public account deletion page.

Data protection

Data Privacy Statement – Dashpoint GmbH

Version: July 11, 2026

This data privacy statement explains how Dashpoint GmbH, Freisinger Landstraße 25, 85748 Garching bei München (“Dashpoint”, “we”, “us”) processes personal data when you use our websites, apps and ticketing/event services (the “Services”).

Legal Notice: This is a user-friendly translation. The legally binding version is the German text above. In case of any discrepancies, the German version shall prevail. German law applies.

Controller (Art. 4 No. 7 GDPR)

Dashpoint GmbH

Freisinger Landstraße 25

85748 Garching bei München

Germany

Email: support@dashpoint.app

1. Role Model (Platform / Organizer)

For platform-related data (account, security, billing, fraud prevention), we act as independent controller.

For event and participant data, the respective organizerreceives the information for event execution as independent controller. Dashpoint also processes this data partly as processorof the organizer (Art. 28 GDPR, data processing agreement).

2. Categories of Personal Data

Account Data: Name, email, password hash, organization/access rights, settings

Event/Ticket Data: Orders, categories/seats, discount codes, check-in history, participant information (name, email, phone number, optional form fields)

Payment/Transaction Data: Payment status, amounts, transaction IDs, timestamps from payment service providers (esp.Stripe). We do not store complete card data.

Communication Data: Support requests, chat/email metadata

Location Data: Current location and live location coordinates, accuracy and altitude where you choose to share your location in chats or use location-based map/discovery features. If you grant Always location access, live location sharing in chats may collect location data even when the app is closed or not in use for the duration you choose.

Feedback/Uploads: Texts, screenshots, files, links, device/browser information; optional AI-supported structuring (Google Vertex AI) and transfer to GitHub

Usage/Log Data: IP address, browser/device information, timestamps, interactions (e.g., checkout progress)

Newsletter Data: Email address, optional salutation/name, and consent and double-opt-in logs (timestamp, IP address, version of the consent text) – see section 15

Admin/Security Data: Audit logs, permissions, security events

Note: Special categories of personal data (Art. 9 GDPR) are not actively collected by us. If an organizer requests such data, the responsibility lies with that organizer.

3. Sources of Data

• Directly from you (registration, ticket purchase, support requests)

• From organizer (e.g., guest lists)

• Automatically during use (cookies/SDKs/logs)

• From integrations like Stripe (payment status), Google Firebase/Google Cloud incl. Vertex AI (auth/hosting/DB/analytics/AI), Amazon Web Services (SES) (email sending, EU region), Google Maps (geocoding), Vercel (hosting/CDN), GitHub (issue/feedback management)

4. Purposes & Legal Bases

PurposeLegal Basis
Provision and operation of services (account, ticketing, check-in, fraud protection)Art. 6 para. 1 lit. b GDPR
Payment processing via Stripe / payouts to organizersArt. 6 para. 1 lit. b GDPR
Organizer tools (event management, communication, analytics)Art. 6 para. 1 lit. b/f GDPR
Support and dispute managementArt. 6 para. 1 lit. b/f GDPR
Location-based features and live location sharing in chats, including background updates while activeArt. 6 para. 1 lit. a/b GDPR
Product improvement, AI-supported feedback triageArt. 6 para. 1 lit. f GDPR
Security/system notificationsArt. 6 para. 1 lit. b GDPR
Marketing/newsletter (with consent)Art. 6 para. 1 lit. a GDPR
Legal obligations (tax, accounting, AML, compliance)Art. 6 para. 1 lit. c GDPR
Law enforcement / abuse preventionArt. 6 para. 1 lit. f GDPR

5. Data Sharing

To organizers: for event execution (own responsibility)

To chat participants: when you send or share your current/live location in a chat, the location is visible to the people in that chat for the sharing duration. We do not use this location data to provide ads.

To processors: hosting/CDN (Vercel), auth/DB/storage/functions/analytics/AI (Firebase/Google Cloud, Google Vertex AI), email sending (Amazon Web Services/SES, EU region), geocoding (Google Maps), payments (Stripe), feedback/issue management (GitHub), further IT/support/monitoring service providers – each with DPA/SCC

To authorities or claimants: if legally required or for legal defense

In anonymized/aggregated form: for statistics without personal reference

Important: We do not sell personal data.

6. International Data Transfers

Some of our service providers have locations outside the EEA (e.g., Stripe, Google Firebase, Vercel). Transfers are based on Standard Contractual Clauses (SCC) and additional protective measures.

Example: Firebase Authentication is operated from US data centers; we take additional measures for this. Email sending via Amazon Web Services (SES) takes place in an EU region (Frankfurt). AI processing via Google Vertex AI may, depending on the feature, take place in EU or US data centers; transfers are based on SCC and additional measures.

7. Storage Duration

Account data: during use + up to 3 years after closure (claims/defense)

Ticket/transaction data: usually 10 years (commercial and tax law)

Feedback/support: up to 5 years

Logs/analytics: typically up to 24 months

Live location: live updates stop when the timer ends or you stop sharing. The resulting chat message follows chat/channel retention.

Longer storage: as long as legal claims exist or legally required.

8. Security

We use encryption (transport/rest), role-based access, secret management, logging, vulnerability management and regular access controls.

No system is absolutely secure; please use secure passwords and enable security features.

9. Cookies & Similar Technologies

We use essential cookies (e.g., session, checkout).

Non-essential cookies/tracking are only set with your consent (§ 25 TDDDG). You can manage/revoke consents in the consent banner.

Analytics includes Firebase Analytics and Google Analytics 4 for product measurement. Organisers may configure advertising pixels from Meta, Google, X, and TikTok for their public organiser pages, event pages, and checkout. These provider pixels are loaded only when marketing consent is allowed. Organisers remain responsible for their own campaign purposes and controller obligations.

Provider processing may involve international transfers. Where required, we rely on consent, contractual safeguards, and provider transfer mechanisms. You can withdraw non-essential analytics and marketing consent at any time under Settings → Privacy settings.

10. Your Rights

You have the following rights under GDPR:

• Access, rectification, erasure, restriction, data portability

• Objection (Art. 21 GDPR)

• Withdrawal of given consents

• Complaint to a supervisory authority, e.g.:

Bavarian State Office for Data Protection Supervision (BayLDA)

Promenade 18, 91522 Ansbach, Germany

www.lda.bayern.de

11. Children

Our services are not directed at persons under 16 years of age. If we detect corresponding use, we delete the data and may block access.

12. Automated Decisions

No exclusively automated decisions with legal effect. Fraud/risk assessments may be automated, with human review.

13. Third-Party Services/Links

For external services (e.g., Stripe Checkout, form services), their privacy notices apply.

14. Changes

We adapt this statement when legal or organizational framework conditions change. We inform about material changes in advance.

15. Newsletter, Double-Opt-In & Existing-Customer Advertising

When you sign up for the newsletter of an organisation/organizer or of Dashpoint, we process your email address and – where provided – salutation and name to send the respective emails.

Double-Opt-In (DOI): Sign-up generally uses the double-opt-in procedure. After you enter your details, we send you an email with a confirmation link; only after your confirmation do we add you to the distribution list. If confirmation is not provided, the entry is deleted after a reasonable period.

Proof of consent (logging): To meet our accountability obligations (Art. 5(2), Art. 7(1) GDPR) we log the sign-up and confirmation time, the IP address used, and the version of the consent text shown at the time of consent.

Legal basis: Your consent (Art. 6(1)(a) GDPR). For advertising to existing customers for our own similar goods/services, processing may additionally be based on § 7(3) UWG in conjunction with Art. 6(1)(f) GDPR.

Roles: For an organizer newsletter, the organizer is the independent controller for content and sending purpose; Dashpoint provides the technical sending and consent infrastructure and acts as processor in this respect (Art. 28 GDPR).

Withdrawal/unsubscribe: You can withdraw receipt at any time for the future – via the unsubscribe link at the end of each email or by message to support@dashpoint.app. We document the withdrawal and retain it for evidence purposes. The lawfulness of processing carried out until withdrawal remains unaffected.

16. Contact

Dashpoint GmbH

Freisinger Landstraße 25

85748 Garching bei München

Germany

Email: support@dashpoint.app

Data Protection Officer:

Erik Lüth

Email: support@dashpoint.app