Privacy Policy of Nextcloud

Last updated: January 2026

Scope and Purpose of the Platform

This privacy policy is valid for the Nextcloud which is offered behind the domain nextcloud.gamedevworkshop.org.

The Platform is used exclusively for the organization, communication and collaboration within the GameDev Workshop.

Providing your account data is necessary to participate in the Platform; without this data, you cannot use the workshop collaboration functions.

Contact Details

This Nextcloud instance (“the Platform”) is operated by:

Distant Meadows
Felix Baumgarten Games UG
Schmausengasse 9
90403 Nürnberg, Deutschland

Email: games[at]felixbaumgarten[dot]de
For all questions relating to data protection and to exercise your rights, you can contact us here.

Distant Meadows is the controller within the meaning of Art. 4(7) GDPR and is responsible for the processing of personal data in connection with this Platform.

If a data protection officer is required under Art. 37 GDPR, we will publish the relevant contact details here; currently, no data protection officer is appointed.

1. Purpose and Legal Basis of Processing

The Platform is used exclusively for the organization, communication, and collaboration within the GameDev Workshop.

Personal data are processed on the following bases:

  • Art. 6(1)(b) GDPR – processing necessary for the performance of a contract (user participation in the workshop platform)
  • Art. 6(1)(f) GDPR – legitimate interests in maintaining IT security, ensuring availability, and enabling communication and collaboration
  • Art. 6(1)(a) GDPR – consent, where requested (e.g., for optional notifications)

Where processing is based on consent (Art. 6(1)(a) GDPR), you may withdraw your consent at any time with effect for the future, e.g., via your account settings or by contacting us using the details above.

2. Categories of Personal Data

We process in particular the following categories of personal data when you use the Platform:

  • Account data:
    • Name
    • Username
    • Email address.
  • Communication and collaboration data:
    • Chat and discussion history
    • Shared files and folders
    • Comments, whiteboards, collaborative documents (e.g., Collabora Office).
  • Metadata and log data:
    • IP address
    • Date and time of access (timestamps)
    • Browser type, operating system, device information
    • Technical log entries relevant to security and operation.
  • Usage data:
    • Actions within the Platform (e.g., file creation or editing, participation in talks or whiteboards) to provide the respective functions and, where necessary, for troubleshooting.
  • Email data:
    • Email address, delivery metadata and notification content necessary for the sending of system and transactional messages via Strato AG (Germany).
  • Integration data:
    • Push notification tokens for mobile apps (Google / Apple), which are technical identifiers used to deliver push notifications and do not contain message content
    • Partial, anonymized password hashes transmitted to HaveIBeenPwned for password integrity checks (no plain‑text passwords or directly identifiable data).

Users should not upload or share special categories of personal data within the meaning of Art. 9 GDPR (e.g., health data, data about religious beliefs) on the Platform unless this is absolutely necessary for the workshop purpose.

All personal data processed on this Platform are obtained directly from you; we do not receive personal data about you from third parties.eliefs) on the Platform unless this is absolutely necessary for the workshop purpose.

3. Cookies and Tracking

The Platform uses cookies solely to maintain technical functionality and user sessions.
These cookies are set when you log in and are required to keep you authenticated while using the Platform.

  • Session cookies: Necessary for secure login and system functionality. These are automatically deleted when you log out or close the browser.
  • Preference cookies: May store limited user interface settings (e.g., language or last viewed page).
  • No tracking or analytics cookies are used.

The legal basis for technically necessary and security‑related cookies (in particular session cookies) is Art. 6(1)(f) GDPR (legitimate interest in providing a secure and functional online service).

If preference cookies are not strictly necessary, they are used based on our legitimate interest in user‑friendly configuration of the Platform under Art. 6(1)(f) GDPR; if required by applicable law, any non‑essential cookies are only used after you have given consent via a corresponding setting or prompt.

You can disable or delete cookies at any time via your browser settings; however, this may limit the functionality of the Platform, especially login and session management.

4. Recipients and Data Transfers

For the operation and maintenance of the Platform, we use carefully selected service providers who process personal data on our behalf in accordance with Art. 28 GDPR.

Your personal data are disclosed to the following categories of recipients:

  • Hosting provider:
    The Platform is hosted by Hetzner Online GmbH (Germany). All files and data are stored on servers located within Germany. Hetzner acts as a processor under a GDPR‑compliant data processing agreement and implements appropriate technical and organizational measures to protect your data.
  • Email provider
    Transactional and system emails (e.g., registration confirmations, password reset messages, security and service notifications) are sent via Strato AG (Germany), using only the necessary delivery and content data.
    Strato acts as a processor under a data processing agreement.
  • Push notifications:
    When using the official Nextcloud mobile apps, push notification tokens may be transmitted to Google LLC (USA) or Apple Inc. (USA). These tokens are technical identifiers only and contain no personal message content.
  • Password security check:
    When you set or change your password, a partial anonymized hash is compared via HaveIBeenPwned (Australia) to check whether it appears in known data breaches. No actual passwords or identifiable data are shared.

In addition, authorized personnel of Distant Meadows (administration, support) may access user data to the extent necessary for operating the Platform, troubleshooting, and support requests, and only where required for these purposes.

No further sharing of personal data with third parties takes place unless we are legally obliged to do so (e.g., by court order or public authorities) or you have explicitly consented.

5. Storage Period

Personal data are stored only as long as necessary to operate the Platform or as legally required.
All user accounts and related data will be deleted after the workshop concludes.

Backups: Deleted data may remain in automated backups for up to 12 months for disaster recovery purposes. These backups are access-restricted, encrypted, and not used for active processing. After this period, all backup copies are deleted.

7. Data Security

All data transfers are encrypted via TLS.
Server access is restricted to authorized administrators.
The hosting provider implements industry‑standard technical and organizational measures (TOMs) in accordance with Art. 32 GDPR.
Users are responsible for keeping their passwords confidential.

8. Rights of Data Subjects

In accordance with the GDPR, you have the following rights:

  • Right of access (Art. 15 GDPR): You can request information about whether and which personal data we process about you.
  • Right to rectification (Art. 16 GDPR): You can request the correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17 GDPR): You can request the deletion of your data under the conditions of Art. 17 GDPR (“right to be forgotten”).
  • Right to restriction of processing (Art. 18 GDPR): You may request restriction of processing where the conditions of Art. 18 GDPR are met.
  • Right to data portability (Art. 20 GDPR): You can receive the data you have provided in a structured, commonly used and machine‑readable format and transmit them to another controller.
  • Right to object (Art. 21 GDPR): You may object at any time, on grounds relating to your particular situation, to processing based on Art. 6(1)(e) or (f) GDPR; in such a case, we will no longer process your data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defence of legal claims.

You can exercise these rights at any time by contacting us at games[at]felixbaumgarten[punkt]de.

We will respond to your request without undue delay and in any event within one month of receipt, as required by Art. 12(3) GDPR; this period may be extended by a further two months in complex cases, in which case you will be informed of the reasons for the delay.

You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement (Art. 77 GDPR).
For our company, for example, the competent authority is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 27
91522 Ansbach
Germany.

9. International Data Transfers

Push notifications and related services provided by Google and Apple may involve transmission to the United States.
Both companies participate in the EU–US Data Privacy Framework or rely on Standard Contractual Clauses approved by the European Commission, ensuring an adequate level of data protection.

10. Automated Decision-Making and Profiling

No automated decision‑making within the meaning of Art. 22 GDPR and no profiling take place on this Platform.

In particular, no decisions with legal or similarly significant effects on you are made solely on the basis of automated processing, and no comprehensive behavior profiles are created from your usage data.

11. Updates to This Privacy Policy

This Privacy Policy may be updated to reflect legal, technical, or operational changes.
The current version will always be accessible within the Platform.