Academic Project Notice: Art is a non-commercial student project developed as part of the Advanced Web Programming and PHP Programming module at University of Applied Sciences Velika Gorica. Personal data is collected only to the minimum extent required for the platform to function and is never used for commercial purposes.
1. Overview
The protection of your personal data is important to us. This privacy policy explains what data we collect, for what purpose, and how it is handled — in accordance with the EU General Data Protection Regulation (GDPR / DSGVO) and applicable German data protection law (BDSG).
2. Controller
Paula Schwalm
Student, University of Applied Sciences Velika Gorica
Zagrebačka Ul. 5
10410 Velika Gorica
Croatia
E-Mail: paula.schwalm@mni.thm.de
3. Hosting — Hetzner Online GmbH
This website is hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (Hetzner Privacy Policy).
When you visit the platform, Hetzner automatically collects and stores server log files. These contain:
- Browser type and version
- Operating system
- Referrer URL
- Hostname of the accessing device
- Date and time of the server request
- IP address (anonymised where possible)
This data is processed on the basis of Art. 6 (1) lit. f GDPR (legitimate interest in the secure and stable operation of the website). Log files are retained for a maximum of 7 days and then automatically deleted unless a longer retention is required for security investigations.
All data is processed within the European Union (Hetzner data centres in Germany and Finland). A data processing agreement (Art. 28 GDPR) is in place with Hetzner.
4. User Registration and Accounts
When you register on this platform, we collect:
- Name — to identify you within the platform
- E-mail address — for authentication and notifications
- Password — stored as a cryptographic hash (bcrypt); the plaintext password is never stored
- Role — assigned by an administrator (Guest, Editor, Admin)
- Registration timestamp
Legal basis: Art. 6 (1) lit. b GDPR (performance of a contract / fulfilment of pre-contractual obligations).
Account data is retained for as long as the account is active. You may request deletion of your account at any time (see Section 11 — Your Rights).
5. E-Mail Verification
After registration, we send a verification e-mail to confirm ownership of the provided address. This e-mail is sent via the SMTP service configured for this platform and contains a one-time verification link that expires after 60 minutes.
Legal basis: Art. 6 (1) lit. b GDPR.
6. Contact Form
When you send a message via our contact form, we process:
- Your name
- Your e-mail address
- Subject and message content
This information is transmitted to us by e-mail and used solely to respond to your enquiry. It is not stored in a database.
Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in processing incoming enquiries) or Art. 6 (1) lit. b GDPR where the enquiry relates to a pre-contractual relationship.
7. User-Generated Content (Articles, Museums, Categories)
Authenticated users with the Editor or Admin role may publish articles, create museum entries, and manage categories. Published content is publicly visible and associated with the author's displayed name.
Legal basis: Art. 6 (1) lit. b GDPR (user agreement) and Art. 6 (1) lit. f GDPR (legitimate interest in providing the platform).
8. RSS Feeds — Aggregated Third-Party Content
The platform's Discover section aggregates publicly available RSS / Atom feeds from external art-related websites. Feed content (headlines, summaries, links, publication dates) is fetched automatically by a scheduled server-side process.
What data is involved: No personal data is collected through RSS aggregation. Feeds are fetched server-to-server; your IP address is never transmitted to the feed providers.
Content responsibility: The platform is not responsible for the content of external RSS feeds. Feed items are reproduced as published by their respective sources. See our Terms and Conditions, Section 7, for the full disclaimer on third-party feed content.
Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in providing curated art news to authenticated users).
Feed items are retained for up to 30 days and then automatically removed by a scheduled cleanup process.
9. Third-Party APIs
The platform communicates with the following external APIs on behalf of authenticated users. These requests are made server-side; your IP address may be included in the outgoing request headers.
| Service | Data sent | Purpose | Privacy Policy |
|---|---|---|---|
| Art Institute of Chicago API | Search keywords, server IP | Artwork search & discovery | artic.edu/terms |
| Metropolitan Museum of Art API | Search keywords, server IP | Artwork search & discovery | metmuseum.org |
| Nominatim (OpenStreetMap) | Museum address strings, server IP | Geocoding museum addresses for the map | osmfoundation.org |
| OpenStreetMap Tiles | Tile coordinates, browser IP | Map tile images rendered in the Museum Map (client-side) | osmfoundation.org |
All external API calls use HTTPS. No authentication credentials or personal user data (name, email) are transmitted to these services.
Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in providing functional artwork search and mapping features).
10. Third-Party Libraries (Client-Side)
The following open-source libraries are loaded from our own server (bundled via Vite) and do not make independent network requests or set cookies:
- Leaflet.js — interactive map rendering. Map tile images are loaded directly from OpenStreetMap servers (see above).
- Font Awesome Free — icon font, served locally. No external CDN requests.
- Alpine.js — lightweight JavaScript framework for UI interactions.
- Livewire — reactive server-side rendering framework (Laravel).
11. Cookies and Sessions
This website uses technically necessary cookies only:
- Session cookie (laravel_session) — maintains your login state. Deleted when you close your browser or log out.
- CSRF token cookie (XSRF-TOKEN) — protects against cross-site request forgery attacks. Session-scoped.
- Remember-me cookie — set only if you explicitly activate "Stay logged in". Expires after 7 days.
No tracking cookies, analytics cookies, or advertising cookies are used. No cookie consent banner is required because only technically necessary cookies are placed (§ 25 Abs. 2 Nr. 2 TTDSG).
Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in providing a functional and secure website).
12. No Analytics or Third-Party Tracking
This platform does not integrate any analytics services (e.g. Google Analytics, Matomo), advertising networks, social media tracking pixels, or other third-party data collection tools. No data is shared with third parties for marketing purposes.
13. Data Retention
| Data Category | Retention Period |
|---|---|
| Server log files | Max. 7 days |
| User account data | Until account deletion |
| Contact form messages | Until the enquiry is resolved; max. 3 months |
| Published articles & museum entries | Until deleted by an editor or admin |
| RSS feed items | Max. 30 days (automatic cleanup) |
| Session cookies | Session-scoped (or 7 days for remember-me) |
14. Your Rights under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) — obtain a copy of the data we hold about you
- Right to rectification (Art. 16 GDPR) — correct inaccurate data
- Right to erasure (Art. 17 GDPR) — request deletion of your data ("right to be forgotten")
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR) — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, please contact us at paula.schwalm@mni.thm.de. You also have the right to lodge a complaint with a supervisory authority. The competent authority for Hesse (Germany) is:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)
Gustav-Stresemann-Ring 1
65189 Wiesbaden
datenschutz.hessen.de
15. Data Security
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These include:
- HTTPS / TLS encryption for all data in transit
- bcrypt hashing for all passwords
- CSRF protection on all state-changing requests
- Role-based access control
- Regular security updates for the underlying framework (Laravel)
16. Changes to This Policy
We may update this privacy policy as the platform evolves. Changes will be published on this page with an updated revision date. We recommend reviewing this page periodically.