Background

What is personal data?

All information about you, such as your name, address, telephone number, e-mail address, account number, etc. as well as all information that can be traced back to you (including photos and videos) is referred to as personal data.

Your rights

The GDPR lays out your fundamental rights regarding how your personal data is handled in Articles 12 through 23. Here's what they mean for you:

• Right to Information (Article 13 GDPR): You have the right to be informed how your data is being collected and used at the time it's collected. This Privacy Policy fulfills that requirement.
• Right to Access (Article 15 GDPR): You can ask us for a copy of the personal data we hold about you.
• Right to Erasure ("Right to be Forgotten") (Article 17 GDPR): You can ask us to delete your personal data if certain criteria are met.
• Right to Restriction of Processing (Article 18 GDPR): You can ask us to limit how we use your data, for example, if you believe it's inaccurate.
• Right to Object (Article 21 GDPR): You can object to your data being processed, for instance, if you previously gave consent for a plugin to use your data.
• Right to Data Portability (Article 20 GDPR): Where applicable, you can request to receive your personal data in a structured, commonly used, and machine-readable format and transmit it to another organization.

We are committed to helping you exercise these rights in line with the GDPR and other laws. We do not use automated decision-making processes with your personal data.

How to Exercise Your Rights

Please contact the address above to make a request about your data rights. We can only provide personal information once you have adequately proven your identity. After receiving your request, we will work to provide you with a reply with the relevant documents, or we might ask you for further information to process your request.

This also applies to requests to delete your NordicFuzzCon account.

Security Notice

When communicating confidential information, we recommend using an encrypted method or postal mail instead of using an unencrypted email service. We cannot guarantee data security when using unencrypted communication methods.

We use industry standard levels of security when it comes to encryption, storage, firewalls, backups, etc. Still, no system is 100% secure. Should a data breach occur and we determine exactly who it affects, we will inform those persons according to the risk assessment.

We encourage you to use a strong password so that no one can guess your login details.

How long do we store your data

The time periods vary based on the purpose of why the data was collected, for example:

• some data is deleted on an ongoing basis (e.g. "session cookies")
• some data is retained for statutory purposes (e.g. tax law)
• some data is retained based on our own legitimate interest (e.g. records about serious infractions of the rules and policies of NordicFuzzCon; information about volunteers; etc.)

Right to be informed (Art. 13 GDPR)

The GDPR requires us to provide appropriate information whenever personal data is collected directly from the data subject (this is you). Specific information about specific processes will be covered later in the policy.

We collect personal data from you on our website and therefore would like to inform you about why and what we do with it. This collection includes, for example, when:

• we collect your IP address for the functionality of the website,
• we use a tracking tool that uses your IP address, or
• we accept any entries made by you in any field on the website, such as the contact form.
• we provide you with a registration form where you can enter your data for the purpose of creating a registration with us.

Generally, if you have provided us with personal data, we will only use it to answer your inquiries and for the technical operation of the website. An exception is the use of an anonymized IP address for statistical analysis. This allows us to:

• determine the number of visitors to our website, or
• determine which of our pages get the most traffic and therefore which are most interesting.

Your personal data will only be transferred to third parties if:

• this is necessary for the purpose of processing your contract - in particular, the transfer of order data to suppliers (e.g. personalized merchandise, hotel room bookings, etc.),
• this is necessary for billing purposes (e.g. payment service providers like Stripe)
• this is necessary because we are using sub contractors (e.g. Jira as our attendee service platform), or
• you have previously consented to the transfer.

You have the right to revoke your consent for processing at any time. This will affect future processing.

The personal data we have stored will be deleted:

• if you revoke your consent to the storage
• if the processing has been completed (e.g. no longer required for the purpose it was collected), and
• there are no statutory deletion deadlines that prevent deletion, or
• the storage is not permitted for other legal reasons.

If the data cannot be deleted for technical reasons, we will anonymize it so that it can no longer be linked to a person in the future.

As the data controller, all data collection and processing on this website is the responsibility of NordicFuzzCon.

Collection and Processing of data

Access to the Website

When you visit our website, your IP address and other information are automatically transmitted. We automatically log every access to our website and every retrieval of files stored on the website and associated storage locations.

The log contains:

• the name of the retrieved file
• the date and time of retrieval
• the amount of data transferred
• the status code of the request and
• the IP address, browser, and device information

This storage serves internal system-related purposes, primarily to ensure the availability of our website. This information will not be passed on to other recipients unless required by a law enforcement authority based on existing legal grounds. After a maximum of seven days, we anonymize your usage data. We generally delete logged website visits after a maximum of 6 months. If we wish to use the transmitted IP address for other purposes, this will be explained in more detail below.

Identity provider

We use an external authentication and authorization platform called Auth0. They process personal data on anybody with access to the online services provided by NordicFuzzCon. This personal data includes information like nickname, e-mail address, whether you are a member of staff or crew, and what kind of browser you are using.

For more information about how your data is processed by the identity provider, please refer to the GDPR Statements for Auth0.

Authentication and authorization, Identity Provider; https://auth0.com
https://www.okta.com/legal/privacy-policy/

Cloudflare

Cloudflare is a traffic optimization and distribution service provided by Cloudflare Inc. We use this service on our websites. The provider is Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA ("Cloudflare").

Cloudflare offers a globally distributed content delivery network with DNS. Technically, the information transfer between your browser and our website is routed via the Cloudflare network. This enables Cloudflare to analyse the traffic between your browser and our website and act as a filter between our servers and potentially malicious traffic from the Internet. Cloudflare can also use cookies or other technologies to recognize Internet users, but these are used solely for the purpose described here.

Cloudflare keeps track of this data:

• IP Address
• Location (based on IP address)
• The type of browser you are using
• What device you are using
• What operating system you are using

The use of Cloudflare is based on our legitimate interest in providing our website as error-free and securely as possible (Art. 6 Para. 1 lit. f GDPR). As such this is considered a Functional Cookie.

Data transfer to the USA is based on the EU Commission's standard contractual clauses. Further information about security and data protection at Cloudflare can be found here: https://www.cloudflare.com/privacypolicy/.

Contact Form

When you contact us via our website, through e-mail, or through our sub-contractors, we collect various personal data. The minimum necessary data needed to enable an effective processing of your request are marked as mandatory fields. These are:

• Name
• Nickname
• E-Mail address, and
• your message.

Any additional information in the message itself, such as title, address or telephone number, is voluntary and goes beyond what is necessary. The data you provide will:

• be stored by Jira in their service center system
• be transmitted via e-mail to the email address of the selected department, which you selected.

Please note that both the inquiry and the response are unencrypted. Therefore, you should not provide confidential information in this manner.

DO NOT SEND US LEGALLY COMPROMISING MATERIAL VIA E-MAIL. If we suspect that a picture, video, or link may contain compromising material of any kind, it will be deleted from our servers without any further consideration.

The information you provide will be used exclusively to process your inquiry. If necessary for processing, we will involve other parties to process your request, taking into account legal regulations (e.g., within the scope of contract processing). If your information was provided to us for the purpose of or as part of a business relationship with us, we will store your contact details in Jira's system. Your actual request may also be stored in Jira's system to facilitate internal processing.

We assume that all contact is in regard to a business relationship, and therefore we delete or anonymize this data as business letters six years after the end of the calendar year in which the inquiry was received, provided that no legal retention or deletion periods conflict with this. By transmitting your personal data to us, you consent to the processing of your data in accordance with this privacy policy. If your information is required to fulfill a business relationship ("contract") the legal basis for the processing is Art 6 Sec 1 (a) GDPR.

For more information about how your data is handled by the ticketing system, please refer to the Atlassian Privacy Policy (https://www.atlassian.com/legal/privacy-policy#what-this-policy-covers) and Data Processing Addendum (https://www.atlassian.com/legal/data-processing-addendum#scope-and-term).

Links to other websites

Our website contains links to external third-party websites over whose content we have no influence (such as Facebook, X - formerly known as Twitter, Bluesky, etc. as well as other furry conventions). Therefore, we cannot accept any liability for this external content. The respective provider or operator of the linked pages is always responsible for the content of the linked pages. At the time the pages were linked, they were reviewed for possible legal violations. At that time, no illegal content was recognizable.

Permanent monitoring of the content of the linked pages is not reasonable without concrete evidence of a legal violation, however. Upon becoming aware of any legal violations, we will remove such links immediately. Please note the privacy policies of the third parties to whose site the link is located.

Should you discover a legal violation on a page linked to by us, it is in our particular interest to remove this link. We therefore gratefully accept any notifications from you. Please use the contact information listed above.

Contractual Obligations / Event Registration Form

In order for interested parties to register for our events, the following fields are requested: nickname, first name, last name, address, date of birth, email address, languages spoken (mandatory fields), and other voluntary information. This data is stored and managed in our event management software.

The data you enter during registration is collected and stored by us exclusively for pre-contractual services, for the fulfillment of the contract, or for the purpose of participant management (e.g., to provide you with an overview of your order with us). When you register, we store the IP address where the request originated from and the date and time of the request.

Since registration serves pre-contractual measures and the fulfillment of the contract, the legal basis for this processing is Art. 6 (1) (b) GDPR. The data collected in this regard will be deleted as soon as processing is no longer necessary. However, we must observe retention periods under tax and commercial law.

The collected data will be forwarded to the event organizers for the following purposes:

• Participant lists (for example, on the website or in the Conbook)
• Name badges, and
• Event realisation and execution.

The data you submit when registering for the respective event will be processed by us for the purpose of contract execution and is necessary for this purpose. Conclusion and contract execution are not possible without providing your data.

The legal basis for this processing and transfer is Art. 6 (1) (b) GDPR. We will delete the data once the contract has been fully processed, but must observe the retention periods under tax and commercial law. As part of the contract execution, we will pass on your data to the financial service provider if the transfer is necessary for booking or payment purposes.

Hotels and Payment Providers

In the course of fulfilling our contractual obligations with you, we will transfer relevant personal data to the respective hotels and service providers, as well as other necessary third parties for the purpose of organizing the event and fulfilling the contract.

Please refer to the privacy policy for the hotel you selected for information on how the hotel handles your personal information.

Stripe - payment service provider; Website: https://stripe.com; Privacy Policy: https://stripe.com/en-de/privacy

Plugins / Cookies / Tracking / Analysis

When you visit our website, certain data will be stored on your device (PC, laptop, tablet, smartphone, etc.). You'll first be confronted with a Cookie Consent Box where you'll be asked to set your preferences. This data is stored locally on your device by the browser you use. This function is necessary to save your selection without having to set additional cookies. The storage takes place until your browser cache is deleted and is based on our legitimate interest in implementing the cookie settings, in accordance with Art. 6 (1) (f) GDPR.

Our website uses these cookies in several places. Cookies are small text files that are stored on your computer and saved by your browser. They can have a variety of different functions.

• Convenience** - By setting cookies, the internet acquires a kind of memory – the website remembers that a user has previously accessed it, eliminating the need to log in again on an encrypted page.
• Accessibility** - By setting cookies, the website can remember settings that you have made, for example surrounding Accessibility (e.g. setting font sizes, dark modes, different fonts, etc.)
• Profiling - These cookies are used to determine usage and surfing behavior. They can store information on usage behavior and transmit it to the user. Thus, the use of cookies enables profiling, which is viewed critically under data protection law.
• Advertising - Cookies can be used to deliver personalized advertising. The term "targeting" refers to activities designed to enable the targeted display of advertising on websites. A further development of this advertising strategy is retargeting, in which a provider/advertiser uses a tracking cookie to mark a customer when they visit their company website and tracks them as they browse the internet. Their own advertising can then be regularly displayed as a banner on third-party websites to remind visitors of their own events and services.

We reserve the right to use any of these cookies on our website. Some of these (those marked with an "**" above) are technically necessary. Some of them are up to your choice ("Profiling" and "Advertising"). These cookies may only be implemented if you actively opt-in to them.

• When you visit the website, you'll be asked to set your preferences in the Cookie Banner. Here you inform us which additional or optional cookies you wish to have set.
• Depending on your browser, you can prevent cookies directly in your browser settings.

You can always change and / or review your cookie preferences at the bottom of the home page by clicking on "Cookie Settings".

Most of the cookies we use are so-called "session cookies." They are automatically deleted after your visit. Please refer to any specific information about cookies in explicit sections of their use elsewhere in this privacy policy or in dialog/banner messages (e.g., cookie notice when using Google products via banners). You can view the cookies we use on this website in the cookie banner.

The legal basis for the use of cookies is your consent and our legitimate interest in implementing the cookie requirements, in accordance with Art. 6 (1) (f) GDPR. The basis for this is the EU Cookie Directive (opt-in) and Chapter 6, section 18 of the ECA (Electronic Communication Act).

Processing of information via social media

We participate in various social media platforms to communicate with our registered users and to inform them about our events and services. Users of the platform use these platforms and their functions (e.g., sharing, commenting, rating) at their own risk.

By using our website, you consent to the use of social media plug-ins, which serves as the legal basis for processing.

We would like to point out that your data may be processed by the respective social networks outside the EU. Please refer to the privacy policy of the respective social network for the legal basis for this data processing, which is carried out at your own risk.

It is possible that your data will be used for advertising and market research purposes. User profiles, for example, can be created based on your user behavior. Based on these profiles, advertisements are then placed on social networks and third-party platforms, for example. Cookies and other identifiers are generally stored on your computer for this purpose.

As part of the operation of our social media presence, we may access information about the use of our profile, such as statistics provided by the respective social media platform. These aggregated statistics primarily include demographic information and data on interaction with our corresponding company profile and the content we distribute through it. Please refer to the links to the social network listed below for details on the data from the social media platform to which we, as the operator of a company profile, have access.

The legal basis for data processing is our legitimate interest in effectively informing and communicating with users in accordance with Art. 6 (1) (f) GDPR. Below, we inform you about the social networks on which we operate a company profile. You will also receive information about the data processing activities of the respective platform and your options for opting out. We would like to point out that data protection inquiries can be most effectively addressed to the respective provider of the social network, as only these providers have access to the data and can take appropriate measures directly.

YouTube

Playback of audio and video files; Service provider: YouTube LLC, 901 Cherry Ave. San Bruno, CA 94066, USA; Website: https://youtube.com/; Privacy Policy: https://policies.google.com/privacy.

Telegram

Instant messaging, chat, voice conferences, and video conferences; Service provider: Telegram, Commerce House, Wickhams Cay 1, PO Box 3140, Road Town, Tortola, VG1110, British Virgin Islands; Website: https://telegram.org/; Privacy policy: https://telegram.org/privacy/de.

Discord

Discord Instant Messaging, Chat, Voice Conferencing, and Video Conferencing; Service provider: Discord, Inc., 444 De Haro St, Suite 200, San Francisco, California 94107, USA; Website: https://discordapp.com/; Privacy Policy: https://discordapp.com/privacy.

Mastodon

Instant Messaging, Chat; https://mastodon.social/; Privacy Policy: https://meow.social/privacy-policy.

Bluesky

Instant Messaging, Chat; Service provider: Bluesky, PBC; Website: https://bsky.social/; Privacy Policy: https://bsky.social/about/support/privacy-policy.

Barq

Instant Messaging, Chat; Service Provider: Barq; Website: https://barq.app; Privacy policy: https://barq.app/privacy.

Processing data for organizing the event

We use external partners, for example for cloud service for storing data (Google Workspace and Azure). These services are used for the technical organization of the event.

For Staff and Crew

We sometimes use platforms and applications from other providers for the purpose of holding video and audio conferences, webinars and other types of video and audio meetings, in order to organise events and thereby fulfil our contractual obligations. In this context, data of the communication participants are processed and stored on the servers of the third-party providers, insofar as they are part of communication processes with us. This data can include, in particular, registration and contact data, visual and vocal contributions as well as entries in chats and shared screen contents. If users are referred to third-party providers or their software or platforms in the context of communication, business or other relationships with us, the third-party providers can process usage data and metadata for security purposes, service optimization or marketing purposes. We therefore ask you to observe the data protection information of the respective third-party provider:

• Google Meet (https://support.google.com/meet/answer/9852160?hl=de&ref_topic=10632347#safetymeasures&encryption&secure&privacy&incident&safety&),
• Discord (https://discordapp.com/privacy) and
• Telegram (https://telegram.org/privacy).

Bot Prevention

We also use Google reCAPTCHA to check and prevent automated servers ("bots") from accessing and interacting with our website. This service allows Google to determine from which website your request has been sent and from which IP address the reCAPTCHA input box has been used. In addition to your IP address, Google may collect other information necessary to provide and guarantee this service, please read more about what information and the handling of it, on https://policies.google.com/privacy.

Photos / videos

Photos and video recordings of people are also considered personal information. As such, we would like to inform you of our photo / video policy.

NordicFuzzCon will be recording video and taking photos in public areas of the convention (common spaces and event venues). We do this to document and promote the event and our organization. NordicFuzzCon is the data controller for this media and processes it based on our legitimate interest in informing about the convention. We are careful to respect privacy. No filming will occur in restrooms, private meetings, or other spaces where you have a reasonable expectation of privacy without your explicit permission.

By attending, you acknowledge that you may appear in these videos or photos. If you have concerns or prefer not to be filmed or photographed, please inform our staff at the event or contact us at the e-mail address listed above. We will make reasonable efforts to accommodate your request (for example, by avoiding filming you).

The footage and images may be livestreamed or published on NordicFuzzCon's channels (e.g. website, social media or future event materials) to share the convention experience. They will not be used for unrelated purposes without further consent. You have the right to object to this processing at any time, and to request removal of pictures of you. To exercise your rights or ask any questions, contact us at the e-mail above.

If you object or ask us to delete media that identifies you, we will assess your request on a case-by-case basis. We will delete or blur the material unless we have a valid legitimate ground for keeping the media(for example, essential documentation of the event, legal obligations, or material that is already irreversibly printed or widely distributed). If we decide to not delete the media, we will explain why. You always have the right to file a complaint with the Swedish Authority for Privacy Protection (IMY) or another competent supervisory authority.

Use of Artificial Intelligence

Artificial Intelligence is defined in the EU AI Act as a "machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments". Art. 3 EU AI Act.

NordicFuzzCon takes its responsibility with your personal data, especially with regard to artificial intelligence, very seriously. Our organization neither builds, nor operates, nor participates in training AI systems.

NordicFuzzCon may use photo and video editing tools which may contain AI components provided by third parties regulated by the EU AI Act. The legal basis for data processing is our legitimate interest in effectively processing visual materials for the purpose of documenting our events in accordance with Art. 6 (1) (f) GDPR.

Additionally, should a data subject wish to have their personal data blurred from photo or video materials, we may use AI to help identify where that personal data is located in the material. The legal basis for data processing is our legitimate interest in effectively fulfilling our legal obligations in accordance toArt. 6 (1) (f) GDPR.

For information on how our third parties use artificial intelligence, please refer to their privacy policies linked in this document.

Children's Privacy

Our Service does not address anyone under the age of 18.

We do not knowingly collect personal data from children. If you are a child, please do not attempt to register for our services or send any of your personal data to us. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us at the e-mail above.

If we become aware that we have collected personal data from children without verification of parental consent, we will delete such personal data from our servers as quickly as possible.

Changes to this Privacy policy

From time to time, it may become necessary to make changes to this Privacy Policy. We will alert you by placing a notice on our website. You can see when this Privacy Policy was last updated by checking the date at the top of this page.

You are responsible for periodically reviewing this Privacy Policy and keep up to date on any updates and / or changes.

Further information

can be obtained from the DPO's contact address provided above. This is the central email address of the responsible party for data protection inquiries.