You can request deletion of your Dashpoint account through the public account deletion page.
Data protection
Data Privacy Statement – Dashpoint GmbH
Version: July 11, 2026
This data privacy statement explains how Dashpoint GmbH, Freisinger Landstraße 25, 85748 Garching bei München (“Dashpoint”, “we”, “us”) processes personal data when you use our websites, apps and ticketing/event services (the “Services”).
Legal Notice: This is a user-friendly translation. The legally binding version is the German text above. In case of any discrepancies, the German version shall prevail. German law applies.
Controller (Art. 4 No. 7 GDPR)
1. Role Model (Platform / Organizer)
For platform-related data (account, security, billing, fraud prevention), we act as independent controller.
For event and participant data, the respective organizerreceives the information for event execution as independent controller. Dashpoint also processes this data partly as processorof the organizer (Art. 28 GDPR, data processing agreement).
2. Categories of Personal Data
Account Data: Name, email, password hash, organization/access rights, settings
Event/Ticket Data: Orders, categories/seats, discount codes, check-in history, participant information (name, email, phone number, optional form fields)
Payment/Transaction Data: Payment status, amounts, transaction IDs, timestamps from payment service providers (esp.Stripe). We do not store complete card data.
Communication Data: Support requests, chat/email metadata
Location Data: Current location and live location coordinates, accuracy and altitude where you choose to share your location in chats or use location-based map/discovery features. If you grant Always location access, live location sharing in chats may collect location data even when the app is closed or not in use for the duration you choose.
Feedback/Uploads: Texts, screenshots, files, links, device/browser information; optional AI-supported structuring (Google Vertex AI) and transfer to GitHub
Usage/Log Data: IP address, browser/device information, timestamps, interactions (e.g., checkout progress)
Newsletter Data: Email address, optional salutation/name, and consent and double-opt-in logs (timestamp, IP address, version of the consent text) – see section 15
Admin/Security Data: Audit logs, permissions, security events
Note: Special categories of personal data (Art. 9 GDPR) are not actively collected by us. If an organizer requests such data, the responsibility lies with that organizer.
3. Sources of Data
• Directly from you (registration, ticket purchase, support requests)
• From organizer (e.g., guest lists)
• Automatically during use (cookies/SDKs/logs)
• From integrations like Stripe (payment status), Google Firebase/Google Cloud incl. Vertex AI (auth/hosting/DB/analytics/AI), Amazon Web Services (SES) (email sending, EU region), Google Maps (geocoding), Vercel (hosting/CDN), GitHub (issue/feedback management)
4. Purposes & Legal Bases
| Purpose | Legal Basis |
|---|---|
| Provision and operation of services (account, ticketing, check-in, fraud protection) | Art. 6 para. 1 lit. b GDPR |
| Payment processing via Stripe / payouts to organizers | Art. 6 para. 1 lit. b GDPR |
| Organizer tools (event management, communication, analytics) | Art. 6 para. 1 lit. b/f GDPR |
| Support and dispute management | Art. 6 para. 1 lit. b/f GDPR |
| Location-based features and live location sharing in chats, including background updates while active | Art. 6 para. 1 lit. a/b GDPR |
| Product improvement, AI-supported feedback triage | Art. 6 para. 1 lit. f GDPR |
| Security/system notifications | Art. 6 para. 1 lit. b GDPR |
| Marketing/newsletter (with consent) | Art. 6 para. 1 lit. a GDPR |
| Legal obligations (tax, accounting, AML, compliance) | Art. 6 para. 1 lit. c GDPR |
| Law enforcement / abuse prevention | Art. 6 para. 1 lit. f GDPR |
5. Data Sharing
• To organizers: for event execution (own responsibility)
• To chat participants: when you send or share your current/live location in a chat, the location is visible to the people in that chat for the sharing duration. We do not use this location data to provide ads.
• To processors: hosting/CDN (Vercel), auth/DB/storage/functions/analytics/AI (Firebase/Google Cloud, Google Vertex AI), email sending (Amazon Web Services/SES, EU region), geocoding (Google Maps), payments (Stripe), feedback/issue management (GitHub), further IT/support/monitoring service providers – each with DPA/SCC
• To authorities or claimants: if legally required or for legal defense
• In anonymized/aggregated form: for statistics without personal reference
Important: We do not sell personal data.
6. International Data Transfers
Some of our service providers have locations outside the EEA (e.g., Stripe, Google Firebase, Vercel). Transfers are based on Standard Contractual Clauses (SCC) and additional protective measures.
Example: Firebase Authentication is operated from US data centers; we take additional measures for this. Email sending via Amazon Web Services (SES) takes place in an EU region (Frankfurt). AI processing via Google Vertex AI may, depending on the feature, take place in EU or US data centers; transfers are based on SCC and additional measures.
7. Storage Duration
• Account data: during use + up to 3 years after closure (claims/defense)
• Ticket/transaction data: usually 10 years (commercial and tax law)
• Feedback/support: up to 5 years
• Logs/analytics: typically up to 24 months
• Live location: live updates stop when the timer ends or you stop sharing. The resulting chat message follows chat/channel retention.
• Longer storage: as long as legal claims exist or legally required.
8. Security
We use encryption (transport/rest), role-based access, secret management, logging, vulnerability management and regular access controls.
No system is absolutely secure; please use secure passwords and enable security features.
9. Cookies & Similar Technologies
We use essential cookies (e.g., session, checkout).
Non-essential cookies/tracking are only set with your consent (§ 25 TDDDG). You can manage/revoke consents in the consent banner.
Analytics includes Firebase Analytics and Google Analytics 4 for product measurement. Organisers may configure advertising pixels from Meta, Google, X, and TikTok for their public organiser pages, event pages, and checkout. These provider pixels are loaded only when marketing consent is allowed. Organisers remain responsible for their own campaign purposes and controller obligations.
Provider processing may involve international transfers. Where required, we rely on consent, contractual safeguards, and provider transfer mechanisms. You can withdraw non-essential analytics and marketing consent at any time under Settings → Privacy settings.
10. Your Rights
You have the following rights under GDPR:
• Access, rectification, erasure, restriction, data portability
• Objection (Art. 21 GDPR)
• Withdrawal of given consents
• Complaint to a supervisory authority, e.g.:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18, 91522 Ansbach, Germany
11. Children
Our services are not directed at persons under 16 years of age. If we detect corresponding use, we delete the data and may block access.
12. Automated Decisions
No exclusively automated decisions with legal effect. Fraud/risk assessments may be automated, with human review.
13. Third-Party Services/Links
For external services (e.g., Stripe Checkout, form services), their privacy notices apply.
14. Changes
We adapt this statement when legal or organizational framework conditions change. We inform about material changes in advance.
15. Newsletter, Double-Opt-In & Existing-Customer Advertising
When you sign up for the newsletter of an organisation/organizer or of Dashpoint, we process your email address and – where provided – salutation and name to send the respective emails.
Double-Opt-In (DOI): Sign-up generally uses the double-opt-in procedure. After you enter your details, we send you an email with a confirmation link; only after your confirmation do we add you to the distribution list. If confirmation is not provided, the entry is deleted after a reasonable period.
Proof of consent (logging): To meet our accountability obligations (Art. 5(2), Art. 7(1) GDPR) we log the sign-up and confirmation time, the IP address used, and the version of the consent text shown at the time of consent.
Legal basis: Your consent (Art. 6(1)(a) GDPR). For advertising to existing customers for our own similar goods/services, processing may additionally be based on § 7(3) UWG in conjunction with Art. 6(1)(f) GDPR.
Roles: For an organizer newsletter, the organizer is the independent controller for content and sending purpose; Dashpoint provides the technical sending and consent infrastructure and acts as processor in this respect (Art. 28 GDPR).
Withdrawal/unsubscribe: You can withdraw receipt at any time for the future – via the unsubscribe link at the end of each email or by message to support@dashpoint.app. We document the withdrawal and retain it for evidence purposes. The lawfulness of processing carried out until withdrawal remains unaffected.
