Privacy Policy

Controller
Peter Behler (PumasBeats)
Aegidiistraße 64, 48143 Münster, Germany
E-mail: peter@pumasbeats.de

Scope
This notice explains the types, scope and purposes of processing personal data on PumasBeats.de (website, RSS feeds, embeds/widgets) and your rights under the GDPR/TTDSG.

1. Hosting / Root Server (Austria)
   The website runs on a dedicated root server in a data center in Austria (EU/EEA). Infrastructure is provided by netcup GmbH; server administration is performed by us. We have concluded a data processing agreement (Art. 28 GDPR) with netcup.
   Processed data (server logs): IP address, date/time, requested resource, referrer, user agent, status code, transferred data volume.
   Purpose/legal basis: operation, security and error analysis (Art. 6(1)(f) GDPR).
   Retention: max. 14 days, then deletion/anonymization.
   International transfers: none; processing takes place within the EU/EEA.
   Security measures: TLS encryption, firewall/Fail2Ban, regular updates/backups.
2. Cookies & similar technologies
   We use technically necessary cookies. Non-essential cookies/trackers are set only with your consent via our consent banner.
   Legal bases: Sec. 25(1) TTDSG in conjunction with Art. 6(1)(a) GDPR (consent); necessary cookies based on Art. 6(1)(f) GDPR.
   Withdrawal: you can change your choice at any time via the link “Cookie settings”:
   You have loaded the Cookie Policy without javascript support. On AMP, you can use the manage consent button on the bottom of the page.
   
   Do Not Track & Global Privacy Control: we respect DNT/GPC signals. If your browser sends such signals, we load only essential content; non-essential embeds are blocked until you consent.
3. Web fonts (Google Fonts)
   To avoid connections to external servers, we host used web fonts locally on our server. No IP addresses are transmitted to Google in this context.
4. User accounts/registration (if used)
   Data: name, e-mail, password (hashed), optional profile information.
   Purpose/legal basis: provision of accounts/community features (Art. 6(1)(b) GDPR).
   Retention: until the account is deleted; statutory obligations remain unaffected.
5. Song submissions
   Data: artist name, e-mail, files/links (e.g., Spotify/Apple Music), further details (bio, social links).
   Purpose/legal basis: review, editorial selection and possible publication on website/playlist (Art. 6(1)(a) GDPR — consent; communications Art. 6(1)(b)/(f)).
   Note: published information (e.g., artist name, cover, links) becomes publicly visible. Consent can be withdrawn at any time.
   Retention: until review is completed; if published, until withdrawal/end of publication.
6. Embedded third-party content (Spotify/Apple Music/YouTube, etc.)
   We embed third-party players/widgets (e.g., Spotify, Apple Music, YouTube). When loaded, these providers may process their own data (IP address, browser data, cookies/tracking).
   Legal basis: consent via the banner (Art. 6(1)(a) GDPR; Sec. 25(1) TTDSG).
   Note: this may involve data transfers to third countries. See the providers’ privacy notices.
7. Communication via e-mail
   When you contact us, we process your details to reply.
   Legal bases: Art. 6(1)(b) GDPR (pre-/contractual) or Art. 6(1)(f) GDPR (legitimate interest in handling enquiries).
8. RSS feeds & embedding widget
   We provide shortened RSS feeds and an embeddable widget (iframe). Using them involves processing of technically necessary data. Backlinks/source attribution is required (/rss-nutzungsbedingungen/).
   Legal basis: Art. 6(1)(f) GDPR (operation/distribution of our content); consent may apply where third-party resources are loaded.
9. Recipients / processors / further services
   We use service providers for operation, e-mail delivery, consent management and optional CDN/cache. Data processing agreements (Art. 28 GDPR) are in place where required.
   Current providers:

• netcup GmbH (hosting/root server, data center in Austria, EU/EEA)
• Consent management: Complianz (plugin, local processing; no independent data transfer to the vendor)
• E-mail/SMTP: own mail server on the root server (if used); otherwise an external provider per their privacy notice
• CDN/cache (if used): [insert provider]

1. Retention periods
   We process personal data only as long as necessary for the respective purposes. Statutory retention periods and our needs (e.g., security, evidence) apply.
2. Your rights
   You have the rights of access, rectification, erasure, restriction, data portability (Art. 15–20 GDPR) and to object to processing based on Art. 6(1)(e)/(f) (Art. 21 GDPR). You can withdraw consent at any time with future effect (Art. 7(3) GDPR).
   Right to lodge a complaint: e.g., LDI NRW, 40213 Düsseldorf, www.ldi.nrw.de; Austrian Data Protection Authority, Barichgasse 40–42, 1030 Vienna — www.dsb.gv.at
3. Minors
   Our services are not directed at children under 16. Persons under 16 may give consent only with parental/guardian approval (Art. 8 GDPR).
4. Security
   We protect data with appropriate technical and organizational measures (TLS, system hardening, access restrictions, backups).
5. Changes
   We may update this policy as needed. Status: 23/08/2025