Drips Privacy Policy

General information

As the operator of the Drips Web App (https://www.drips.network/app, https://www.drips.network/wave and other *.drips.network/app instances, hereinafter "Drips Web App") as well as other Drips websites (such as https://www.drips.network/, and any other *.drips.network domains, excluding the Drips Web App, hereinafter the "Drips Website"; collectively with Drips Web App referred to as the "Drips Services"), the Public Goods Association (hereinafter the "Association" or "we") takes the protection of personal data very seriously. We treat personal data confidentially, in accordance with the statutory data protection regulations and on the basis of this privacy policy. This privacy policy is aligned with the EU General Data Protection Regulation (GDPR), the Telecommunications Digital Services Data Protection Act (TDDDG) and the Swiss Federal Data Protection Act (FDAP). However, the application of these laws depends on each individual case. Where reference is made to provisions of the GDPR, the corresponding provisions of the FADP shall apply analogously, if applicable. For the sake of readability, separate references are omitted.

When you use Drips Services, various personal data is processed depending on the type and scope of use. Personal data is information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly (e.g. by reference to an online identifier).

This privacy policy informs you in accordance with Art. 12 et seqq. GDPR about the processing of your personal data when you use Drips Services. In particular, it explains what personal data we collect and what we use it for. It also informs you how and for what purpose this is done, the legal basis for it, and what your rights are in relation to it.

This privacy policy expressly refers to the website-specific data processing processes as described under 1.1 when you visit Drips Services. Separate privacy policies apply to other data processing by the Association.

Controller

According to the GDPR, the controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.

The controller for the data processing processes covered by this privacy policy, is, unless otherwise indicated, as follows:

Public Goods Association
Bahnhofstrasse 20
6300 Zug, Switzerland
E-Mail: [email protected]

Purposes and legal bases of data processing

Visit of the Drips Services – server log files

For the purpose of the technical provision of the Drips Services, it is necessary for us to process certain information automatically transmitted by your browser so that the Drips Services can be displayed in your browser and you can use the Drips Services. This information (the "Access Data") is automatically collected by our host (see below section 6.3), each time you visit the Drips Services and automatically stored in so-called server log files. These are:

  • Browser type and browser version
  • Operating system used
  • Website from which the access is made (referrer URL)
  • Host name of the accessing computer
  • Date and time of access and the requested URL
  • IP address of the requesting computer

The processing of the aforementioned Access Data is necessary for technical reasons in order to provide functional Drips Services and to ensure system security. This also applies to the processing of your IP address, which is necessary and, under further conditions, can at least theoretically enable an assignment to your person. In addition to the aforementioned purposes, we use server log files exclusively for the needs-based design and optimization of the Drips Services purely statistically and without drawing any conclusions about your person. This data is not merged with other data sources, nor is it analyzed for marketing purposes.

Art. 6 (1) sentence 1 lit. f GDPR serves as the legal basis for the temporary storage of Access Data. Where enabled, this includes routing traffic through Cloudflare (edge reverse proxy/CDN and web application firewall). In this context, and acting as our processor (see below section 6.3), Cloudflare necessarily processes Access Data (including your IP address and request-related system and routing metadata) to deliver the Drips Services, mitigate attacks, and ensure availability and performance. Our legitimate interest here is to be able to provide you with a technically functioning and user-friendly Drips Services and to ensure the security of our systems as well as optimizing our Drips Services.

Your IP address will be stored on Railway's server for a maximum of 30 days for IT security purposes. Additionally, pseudonymized usage statistics derived from access logs, such as hit rates or visitor counts over time, are evaluated in Grafana Faro dashboards. These statistics are non-identifiable and do not permit any conclusions about individual users. As such, they are not considered personal data and are retained only as long as necessary to improve and optimize the Drips Services.

The storage period and deletion of your Access Data are further governed by section 8 of this privacy policy.

Use of cookies and similar functions/technologies

We do set our own so-called cookies and similar technologies (hereinafter "cookies") on the Drips Services.

Cookies are small text files that are stored on your computer and saved by your browser. A cookie contains a characteristic string of characters that enables your browser to be uniquely identified when you browse on or return to the Drips Services. The cookies we use can be categorized into different types based on their purpose and necessity. Strictly necessary cookies are essential to operate the Drips Services and cannot be disabled. They enable basic functions such as security, network management, and accessibility. Functional cookies enable enhanced functionality and personalization, such as remembering your preferences or enabling support features you have requested, and are strictly necessary to deliver these requested features. Performance cookies help us understand how visitors interact with the Drips Services by collecting and reporting information anonymously or in pseudonymized form.

Our service provider Railway does not set cookies (see also below section 6.3). However, our service providers Grafana Faro (see also below section 3.2 and 6.3) and Cloudflare (see also below section 6.3) may set strictly necessary cookies required to provide security and availability. These cookies are essential to operate the Drips Services, are based on our legitimate interest in ensuring the former purposes (Art. 6 (1) sentence 1 lit. f GDPR in conjunction with Section 25 (2) no. 2 TDDDG or an equivalent national implementation of Art. 5(3) of the ePrivacy Directive), and do not track users across sites (for storage period and expiry see section 8).

Please note that when using the embedded Get In Touch form via Notion (see below section 3.3), that provider may set its own cookies under its sole responsibility.

Additional cookies used on the Drips Website when using Drips Wave

When you use Drips Wave (see also below section 3.5), additional cookies may be set to enable specific functionality related to the bounty cycle tool. These include:

  • Authentication cookies: A set of strictly necessary cookies (refresh & access tokens), set and only read by Drips Wave system, that enable user login and session management. Authentication cookies are set if and only when you actively log in to Drips Wave. It is not set during your initial visit or while browsing Drips Wave without being logged in. Once set, the cookies are read by our systems to authenticate all your requests during your session, with the refresh token cookie specifically used to keep you logged in for up to 30 days. These cookies are essential for you to perform any authenticated actions on Drips Wave (such as submitting applications, managing funding flows, or participating in bounty cycles) and cannot be disabled. Without these cookies, the application cannot function after login.

    The legal basis for the authentication cookie is Art. 6 (1) sentence 1 lit. f GDPR in conjunction with Section 25 (2) no. 2 TDDDG (or an equivalent national implementation of Art. 5(3) of the ePrivacy Directive). Our legitimate interest is to provide secure access to Drips Wave and to ensure the integrity of user sessions.

  • Intercom cookies: These cookies enable the Intercom chat widget, and other Intercom functionality such as User Research Surveys, on the Drips Wave website to provide user support and assistance. They are used to identify you as a returning user, to store your chat history with our support team, and to enable our support team to see your navigation on the page leading up to a support request and to provide real-time messaging (for example, if you previously contacted our support team and we respond while you are using Drips Wave, the response appears on screen).

    Intercom cookies are set when you express your wish to use the chat widget functionality, which can occur in the following ways: (i) by selecting 'Accept all' in the cookie banner, indicating your wish to use the chat widget across Drips Wave (ii) by explicitly enabling the Intercom Support Chat Widget cookie in the 'Configure' settings and confirming your choice by clicking 'Apply settings', or (iii) by actively opening the chat widget (or explicitly requesting to open a User Research Survey) during your session, even if you previously rejected this feature. In all three cases, Intercom Cookies are strictly necessary to provide the functionality you have expressly requested at the time of performing one of these actions and cannot function without it.

    The legal basis for Intercom cookies is Art. 6 (1) sentence 1 lit. f GDPR in conjunction with Section 25 (2) no. 2 TDDDG (or an equivalent national implementation of Art. 5(3) of the ePrivacy Directive). Our legitimate interest is to provide the support chat functionality you have expressly requested, and the cookie is strictly necessary to deliver this service. You can revoke your service request at any time by adjusting your cookie preferences in the settings. The revocation does not affect the lawfulness of processing based on your service request before its revocation.

  • Grafana Faro Monitoring cookie: Grafana Faro helps us track errors and performance issues on our website to improve your experience. It collects data about how you interact with our website in anonymized or pseudonymized form. Grafana Faro uses cookie-like technologies to understand user sessions and to enable us to optimize the performance, stability and user experience of Drips Wave. The Grafana Faro Monitoring cookie is only set if you select 'Accept all' in the cookie banner or if you explicitly enable Grafana Faro Monitoring in the 'Configure' settings and confirm your choice by clicking 'Apply settings'. If you reject or disable Grafana Faro Monitoring in the settings, this cookie will not be set at all.

    The legal basis for the Grafana Faro Monitoring cookie is Art. 6 (1) sentence 1 lit. a GDPR in conjunction with Section 25 (1) TDDDG (or an equivalent national implementation of Art. 5(3) of the ePrivacy Directive) (your consent). You can withdraw your consent at any time by adjusting your cookie preferences in the settings. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Note: After disabling this cookie, you may need to refresh the page to fully disable Grafana Faro Monitoring.

You can change your cookie preferences at any time through the 'Settings' option available on the Drips Wave app. Please note that revoking your request for the support chat widget will affect the respective functionality.

For storage period and expiry see section 8. For further information on cookies set by third-party service providers Intercom and Grafana Faro, please refer to section 6.3 (recipients) and/or their respective privacy policies.

Get In Touch form

On Drips Services, users may access a 'Get In Touch' form on various subpages (e.g. after selecting a use case such as 'Run a RetroPGF round', 'Fund entire ecosystems' or 'Discuss a funding program' or by using the general contact option). The form is provided via our service provider Notion to collect and store your provided data, solely for the purpose of responding to your inquiry.

If you contact us as part of an existing contractual relationship, make support requests or contact us in advance for information about our range of products and services, the data you provide will be processed for the purpose of processing and responding to your inquiries in accordance with Art. 6 (1) sentence 1 lit. b GDPR (legal basis). In all other cases, processing is based on our legitimate interest in and for the purpose of appropriately handling and responding to inquiries and improving communication with interested parties, in accordance with Art. 6 (1) sentence 1 lit. f GDPR.

To submit the form, certain information is required: name, email address, your message, and confirmation that we may respond to your inquiry via the provided contact details. This information is not legally or contractually required, but it is necessary to process your inquiry. Without it, we are unable to properly receive, assign, or respond to your inquiry, and therefore cannot accept it for submission in the first place. Any additional information you provide (such as your organization, role or Telegram handle) is voluntary and helps us tailor our response more effectively.

Please note that the processing of your data via Notion's infrastructure is also subject to Notion's own Privacy Policy and Cookie Policy, which are available on their website. We only have control and process the data you actively submit through the form. Any additional data processing performed by Notion (e.g. via cookies or usage analytics on their platform) is outside of our control.

The same applies if you contact us via the email address provided on Drips Services. In this case, we process the personal data you provide (e.g. your email address and message) on the same legal basis and for the same purposes as outlined above.

As a rule, we delete the personal data you provided via the contact form or by email once communication has been completed, unless statutory retention obligations apply, the data is required for the establishment, exercise or defense of legal claims, or further inquiries can reasonably be expected. The storage period and deletion of your provided data in this regard are further governed by section 8 of this privacy policy.

Use of specific Drips Web App functions

Because certain of the Drips Web App functions are built on decentralized and immutable infrastructures, any information committed on-chain or to the InterPlanetary File System ("IPFS") becomes permanently public and cannot be deleted. We therefore process no more personal data than is technically necessary to provide the requested functionality.

Connecting and using a Web3 Wallet

On the Drips Web App, you may connect a Web3 wallet (e.g. MetaMask or another WalletConnect-compatible wallet) to access and use protocol features such as funding open-source projects, receiving donations, managing programmable funding flows, or participating in Retroactive Public Goods Funding rounds ("RPGF"). Connecting a wallet is technically comparable to identifying yourself via your blockchain address.

When connecting your wallet and interacting with the Drips Protocol, the following data may be processed or become visible:

  • Your wallet address on supported networks (Ethereum address or of other Ethereum-compatible chains such as OP Mainnet or Filecoin)
  • Transaction metadata such as token type used, transaction amounts, timestamp and recipients
  • Indicator whether you make a continuous or one-time donation
  • Additional data may be processed depending on the role-specific features you use, such as:
    • In the case of creating or managing Drip Lists: a list of GitHub repositories, wallet addresses, or other Drip Lists, each with assigned percentage allocations
    • In the case of receiving funds: verification of GitHub repository ownership
    • In the case of RPGF rounds: configuration data, application fields, or vote allocations (for full details, see section 3.4b) below).

This data is disclosed by you through voluntary interaction with the protocol and is required to execute the intended functionalities (e.g. making donations, claiming or distributing funds, submitting applications, or managing voting rounds). The legal basis for processing is your contractual relationship with us or another party (Art. 6 (1) sentence 1 lit. b GDPR), where applicable, or our legitimate interest in operating a transparent, user-driven protocol (Art. 6 (1) sentence 1 lit. f GDPR).

All interactions with the Drips Protocol are written to public and immutable infrastructures, including blockchains (e.g. Ethereum-compatible networks such as OP Mainnet or Filecoin) and, where applicable, the IPFS. As a result, submitted data becomes publicly accessible and cannot be deleted due to the nature of these systems.

To improve performance and ensure availability, publicly available protocol data may additionally be indexed and mirrored by the Association in a read-only database (hosted by a third-party infrastructure provider) to enable faster retrieval in the Drips Web App. This processing is carried out on the basis of our legitimate interest in providing a performant service (Art. 6 (1) sentence 1 lit. f GDPR

We do not store or process any personal data beyond what is technically required to enable your interactions with the protocol. Please note, however, that any data you publish on-chain (e.g. through transactions or public attestations) is visible to everyone and permanently accessible.

Additional role-specific protocol functions within the Drips Protocol

Depending on your role and interaction with the Drips Web App, additional categories of data may be processed in order to provide the respective protocol functionality and enable access to our services. This includes, for example, creating or managing funding flows, claiming open-source projects, participating in funding rounds, or reviewing applications. The legal basis for processing your data in these cases is either your contractual relationship with us or another party (Art. 6 (1) sentence 1 lit. b GDPR) or our legitimate interest in offering and maintaining the related protocol features (Art. 6 (1) sentence 1 lit. f GDPR).

As a project maintainer / funding recipient

If you claim a GitHub repository and receive funding via the Drips Protocol, we process your wallet address on supported networks and require proof-of-ownership of the repository (e.g. by committing a verification file to the repository). If you choose to forward received funds to dependencies, the related recipient addresses and share allocations (i.e. a list of downstream recipients such as wallets, Drip Lists, or repositories, each with a defined percentage) are also public. This data is processed solely to enable your participation and distribution of funds via the protocol.

As a Retroactive Public Goods Funding ("RPGF") round admin

If you initiate or manage an RPGF round, we process your wallet address on supported networks as well as the configuration data for the round, such as round name, descriptions, eligible voter addresses, optionally a list of additional wallet addresses to act as co-admins, and review decisions. This data is required to enable RPGF functionality. Most information is public, except the voter list, which is visible only to round admins and select platform maintainers for maintenance purposes.

As an RPGF applicant

If you submit an application for an RPGF round, we process your wallet address on supported networks, proof of project ownership (e.g. by committing a verification file to the relevant GitHub repository), and application form data (as defined by the round admin). Fields marked 'private' are stored off-chain, are visible only to round admins and designated platform maintainers, and may be deleted once the round concludes (see section 8). Fields not marked as private are attested on-chain via the Ethereum Attestation Service and become publicly visible after approval; they are therefore immutable.

As an RPGF voter

If you participate in voting, your wallet address on supported networks and vote allocations are collected and stored. This information is only visible to round admins and selected platform maintainers and is not made public.

Deletion of off-chain data follows section 8; however, public on-chain or IPFS data is due to its nature immutable.

Use of Drips Wave

Drips Wave is a recurring bounty cycle tool that enables ecosystems to run structured, time-bound funding rounds for open-source contributions. Maintainers submit repositories and issues with assigned point values, contributors apply to work on issues and earn points upon completion, and funding is distributed based on earned points at the end of each cycle.

When you use Drips Wave, we process GitHub account information (including contributor and maintainer profile data, repository and issue data), data generated through your use of the service (such as issue applications and approvals, point allocations, and funding distribution data), as well as identity verification data collected via our KYC provider. This data is processed to provide, operate and improve the Drips Wave service, which includes facilitating connections between maintainers and contributors, managing submissions and applications, tracking contributions and point allocations, managing GitHub issue statuses, labels and assignments, facilitating communication via GitHub comments, distributing funding, user sign-up and sign-in via GitHub, and analyzing user engagement. We may, subject to applicable legal requirements, also process GitHub data for marketing purposes. Further, we process this data to ensure service security, prevent fraudulent activity, and to comply with legal obligations including KYC verification.

The legal basis for this processing is your contractual relationship with us or another party (Art. 6 (1) sentence 1 lit. b GDPR), where applicable, compliance with legal obligations including KYC verification (Art. 6 (1) sentence 1 lit. c GDPR), or our legitimate interest (Art. 6 (1) sentence 1 lit. f GDPR). Our legitimate interest is to provide a functional and efficient bounty cycle tool, to ensure the security and integrity of the service, to improve user experience through engagement analysis, and to promote our services, subject to your right to object.

Safety or Security Reasons / Risk Management

We process your data to protect our IT and other infrastructure. For example, we process data for monitoring, analysis and testing of our networks and IT infrastructures including access controls. Further, we process your data as part of our risk management and corporate government in order to protect us from criminal or abusive activity.

We process your personal data to protect our legitimate interests in accordance with Art. 6 (1) sentence 1 lit. f GDPR. Our legitimate interest is to keep our IT and other infrastructure safe and safe as well as to protect us and our infrastructure from criminal or abusive activities.

Compliance with legal regulations

We also process your personal data in order to fulfill legal obligations that may apply to us in connection with our business activities. These include, in particular, to combat money laundering and terrorist financing (KYC), to fulfil tax obligations and retention periods under commercial, trade or tax law.

We process your personal data in accordance with Art. 6 (1) sentence 1 lit. c GDPR (legal basis) to fulfill a legal obligation to which we are subject.

Law enforcement

We also process your personal data in order to assert our rights and enforce our legal claims. We also process your personal data in order to be able to defend ourselves against legal claims. Finally, we process your personal data insofar as this is necessary for the prevention or prosecution of criminal offenses.

We process your personal data to protect our legitimate interests in accordance with Art. 6 (1) sentence 1 lit. f GDPR (legal basis), insofar as we assert legal claims or defend ourselves in legal disputes or we prevent or investigate criminal offenses (legitimate interest).

General Information regarding On-Chain Data

When you use blockchains, you acknowledge that your wallet address and other data/information provided by your transactions, which are considered personal data if relating to an identified or identifiable natural person, are permanently and publicly stored on-chain, which means such data is publicly available to anyone. Neither we, nor any third party, has any power to delete such data published by its users to the blockchain. If you want to ensure that your privacy rights are not affected in any way, you should not transact on blockchains as certain rights may not be available or exercisable by you or us due to the technological infrastructure of the blockchain.

You hereby release and indemnify us of any liability associated with data that you transferred to the blockchain.

Consent-based data processing

If you have given us your consent to process personal data for specific purposes, the lawfulness of this processing is based on your consent.

The legal basis in this case is Art. 6 (1) sentence 1 lit. a GDPR.

Consent can be revoked at any time. Please note that the revocation only takes effect in the future, so processing up to that point is not affected.

Recipients of data

Within our company, access to your data is granted to those departments that need it to fulfill our contractual and legal obligations or to exercise our rights.

Service providers and vicarious agents employed by us (e.g. technical service providers, shipping companies, waste disposal companies) may also receive data for these purposes.

In some cases, the recipients receive your personal data as processors and are then strictly bound by our instructions when handling your personal data. These processors include the following companies in particular:

Hosting and technical service providers

  • Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA, certified under the Data Privacy Framework, for edge delivery and security services (reverse proxy/CDN, Web Application Firewall) to ensure the security, availability, and performance of the Drips Services.
  • Railway Corporation, 548 Market St PMB 68956, San Francisco, CA 94104, USA, certified under the Data Privacy Framework, for hosting of the Drips Services.
  • Raintank Inc., dba Grafana Labs, 165 Broadway, 23rd Floor, New York, NY 10006, USA, certified under the Data Privacy Framework, for pseudonymised telemetry dashboards and performance monitoring (Grafana Faro).
  • Notion Labs, Inc., 548 Market St 74567, San Francisco, CA 94104, USA, certified under the Data Privacy Framework, for hosting the Get In Touch form and possessing respective data.

Customer Support and Communication

  • Intercom, Inc., 55 2nd Street, 4th Floor, San Francisco, CA 94105, USA, certified under the Data Privacy Framework, for customer support and communication management.
  • Noti-Fire Apps Ltd. (Novu), Derech Ben Gurion 132, Ramat Gan, Israel, for transactional email notifications related to Drips Wave.

Identity Verification

  • Sum and Substance Ltd (Sumsub), 30 St. Mary Axe, London, England, for Know Your Customer (KYC) verification services in connection with Drips Wave.

Finally, in individual cases we transmit personal data to our consultants in legal or tax matters, whereby these recipients are generally already obliged to maintain special confidentiality and secrecy due to their professional status.

Data transfer to third countries

If necessary for our purposes, we may also transfer your data to recipients outside the European Economic Area or Switzerland ("Third Countries"). This is particularly the case in the context of contract processing or due to legal regulations, or if such transfer is based on your explicit consent or subject to safeguards that assure the protection of your data.

We only transfer your data to recipients in Third Countries in accordance with the provisions of Chapter 5 of the GDPR, i.e. if it is ensured that the European Commission has adopted an adequacy decision pursuant to Art. 45 (1) GDPR / the Federal Council has recognized a States' adequate level of data protection, or appropriate safeguards within the meaning of Art. 46 (2) and (3) GDPR have been implemented, or a derogation pursuant to Art. 49 GDPR applies.

We use the EU Commission's standard contractual clauses for the transfer of personal data to third countries (SCC) to ensure an appropriate level of protection for the recipient of the data (adjusted according to Swiss law, if applicable and required).

You have the option of accessing the SCC via the link provided or requesting a copy from the data protection officer.

Duration of data processing and deletion

We initially process your personal data for the duration for which the respective processing purpose - see above - requires corresponding processing. Users may request deletion of their personal data at any time by contacting us at [email protected]. We will comply with deletion requests unless we have a legal basis for further processing, e.g. where retention is required by law, processing is necessary to establish, exercise, or defend legal claims, or required to complete ongoing transactions. We may delete data associated with inactive accounts after a reasonable period of inactivity.

Insofar as the processing is carried out for the performance of a contract, the processing period also includes the periods of initiation of a contract (pre-contractual legal relationship) and the performance of a contract (including any subsequent claims).

Insofar as the processing is carried out to safeguard our legitimate interests, the processing period includes the period until the processing purposes pursued are achieved. Where enabled, Cloudflare retains Access Data (as defined in section 3.1) and strictly-necessary cookies only for the periods necessary to provide the security, availability, and performance of the Drips Services, as further described in Cloudflare's Privacy Policy and cookie documentation. Within those interests, Drips Services may use Cloudflare Turnstile services to protect its platforms against automated spam.

If the processing is based on your consent, the processing period covers the period from the time you give your consent until the time you withdraw your consent or until the time the processing covered by the consent is completed.

In this respect, we would like to point out that even in the event of withdrawal of consent, further processing may be possible on the basis of other legal bases (Art. 17 (1) lit. b GDPR).

Even if the primary processing purposes have been achieved, further processing of your personal data may take place, in particular if this is necessary to fulfill a legal obligation and/or to protect our rights. This includes the following purposes in particular:

  • Fulfillment of statutory obligations, retention and documentation periods specified there are up to ten years. Where longer retention is necessary to preserve evidence, we perform an annual review to determine whether the purpose still exists.
  • Preservation of evidence, taking into account the statute of limitations.
  • Storage period for cookies used on Drips Wave: The cookies used on Drips Wave (as described in section 3.2) are stored for the following periods:
    • Authentication cookies: These cookies are stored for the duration of your session and expire automatically when you log out or after at least 30 days of inactivity.
    • Intercom Support Chat Widget cookie: This cookie is stored for the duration of your session plus 30 days thereafter to maintain your chat history and enable continuous support. You can revoke your service request at any time through the cookie settings, after which any Intercom cookies will no longer be accessed.
    • Grafana Faro Monitoring cookie: Fully anonymous telemetry & session data collected via Grafana Faro is aggregated and the results stored for up to 6 months. You can withdraw your consent at any time through the cookie settings, after which no further data will be collected. You may need to refresh the page to fully stop monitoring.
  • For cookies set by Cloudflare, see section 8.3.

Social Media

In addition, we also use various social media services, some of which we have integrated directly on the Drips Services or websites, which we are represented on. Those services might process personal data. Further information on data processing can be found in the respective social media services' privacy policies. There you will also find further information on your rights and setting options to protect your personal data.

We use the following social media:

Data security

Personal data is protected by us by means of suitable technical and organizational measures in order to ensure an appropriate level of protection and to safeguard your personal rights. The measures taken serve, among other things, to prevent unauthorized access to the technical equipment used by us and to protect personal data from unauthorized access by third parties.

In particular, the Drips Services uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as the contact requests you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be intercepted by third parties.

Nevertheless, we would like to point out that data transmission over the Internet (e.g. when communicating by e-mail) can have security gaps. Complete protection of data against access by third parties is therefore not possible.

Rights of data subjects

In connection with our processing of your data, you have various rights under applicable data protection law. Please note that we reserve the right to enforce legal restrictions, if necessary, e.g. if we are obliged to store or process certain data, have an overriding interest (insofar as we can invoke such interests) or need the data to assert claims. If the exercise of certain rights involves costs for you, we will inform you in advance. We have already referred to the possibility of withdrawing consent above. It is important to note that exercising these rights may conflict with your contractual obligations and could result in consequences such as early termination of the contract or associated costs. Should this occur, we will inform you in advance, unless this has already been contractually agreed. In addition, please note that we may need to verify your identity in order to prevent misuse, e.g. by means of a copy of your ID card or passport, unless identification is otherwise possible.

Right to information

You have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, you have the right to obtain access to the personal data concerning you and the information pursuant to Art. 15 (1) lit. a-h GDPR. Where personal data concerning you are transferred to a third country or to an international organization, you have the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer. Subject to the conditions set out in Art. 15 GDPR, you have the right to receive a copy of the personal data concerning you undergoing processing.

Right to rectification

You have the right to obtain from us without undue delay the rectification of personal data concerning you if it is inaccurate. Taking into account the purposes of the processing, you have the right to have incomplete personal data concerning you completed, including by means of providing a supplementary statement.

Right to erasure

You have the right to obtain from us the erasure of personal data concerning you without undue delay if one of the grounds listed in Art. 17 GDPR applies, e.g. if the data have been unlawfully processed.

Right to restriction of processing

Subject to the conditions set out in Art. 18 GDPR, you have the right to obtain from us restriction of processing.

Right to data portability

Subject to the conditions set out in Art. 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller without hindrance from us. In exercising your right to data portability, you have the right to have the personal data concerning you transmitted directly from us to another controller, where technically feasible.

Right to withdraw consent

If the data processing is based on consent pursuant to Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. If you withdraw your consent, you can also choose, inter alia, the contact channel that you used when giving your consent.

Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the applicable law.

Right of objection

Subject to the conditions set out in Art. 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on lit. (e) or (f) of Art. 6 (1) GDPR, including profiling based on those provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Subject to the conditions set out in Art. 21 GDPR, where personal data concerning you are processed for scientific or historical research purposes or statistical purposes pursuant to Art. 89 (1) GDPR you, on grounds relating to your particular situation, have the right to object to processing of personal data concerning you.

Obligation to provide data

In principle, you are not obliged to provide us with your personal data. However, if you do not do so, we will not be able to make the Drips Services without restriction or answer your inquiries to us.

Personal data that we do not necessarily require for the above-mentioned processing purposes is marked accordingly as voluntary information.

Automated decision-making/profiling

We do not use automated decision-making in the meaning of Art. 22 (1) GDPR or profiling (an automated analysis of your personal circumstances).

Validity and amendment of this privacy policy

This privacy policy is currently valid and effective as of July 5, 2025.

Due to the further development of the Drips Services or due to changes in legal or regulatory requirements, it may become necessary to amend this privacy policy. In this case, we will update this privacy policy accordingly.