Privacy Policy
Version 1.1 · Last updated April 2026
1. Controller
Jan Köhler & Roman Lautner Vibesolutions GbR
represented by Jan Antonio Köhler and Lutz Roman Lautner
Augustenstr. 12, 26441 Jever, Germany
Email: info@vibesolutions.de
2. General Information
We process personal data in accordance with applicable law, in particular the GDPR and German data protection law (BDSG). This Privacy Policy explains which data we process, for which purposes, and on which legal basis.
3. Categories of Data Processed
Depending on your use, we may process:
- Usage and device data (for example, IP address, browser, access time)
- Geolocation data (coordinates if location features are enabled)
- Content data (uploaded GPX files and generated route/game data)
- Payment-related data (for example, payment status, transaction ID, payer email address via PayPal)
- Feedback and report data (game ratings, content reports without personal identification)
4. Purposes and Legal Bases
| Purpose | Legal basis |
|---|---|
| Provision and operation of the website and APIs | Art. 6(1)(f) GDPR |
| Contract performance and payment processing for paid unlock | Art. 6(1)(b) GDPR |
| Abuse prevention and system security (bot protection, rate limiting) | Art. 6(1)(f) GDPR |
| Analytics and usage measurement (Matomo, cookieless) | Art. 6(1)(f) GDPR |
| Processing game ratings and content reports | Art. 6(1)(f) GDPR |
| Compliance with statutory retention obligations | Art. 6(1)(c) GDPR |
5. Specific Processing Activities
5.1 Server Operations and Logs
When you access the website, technically required log data may be processed (for example, IP address, timestamp, requested resource, status code, user agent) to ensure stable and secure operation.
5.2 Location Data During Gameplay
For location-based game functions (for example, proximity to waypoints), browser/device location data may be used. Location access is subject to browser and operating system permissions. Location data is not stored server-side.
5.3 GPX Upload and Game Generation
Uploaded GPX data is processed server-side to generate routes, waypoints, and quiz content. The coordinates contained are used exclusively for internal waypoint calculation and for anonymized queries to public POI data sources (Wikipedia, Nominatim).
5.4 Game State and Local Storage
Game-related data (game progress, completed waypoints, last selected difficulty) may be stored in your browser's localStorage to preserve progress between sessions. This storage resides exclusively on your device and is not transmitted to our servers.
5.5 Payment Processing (PayPal)
Payments are processed via PayPal. Payment-related data (in particular the payer's email address, transaction ID, amount, currency) is transferred to PayPal and stored by us after successful payment for accounting and tax purposes.
Recipient: PayPal (Europe) S.a r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg
More information: https://www.paypal.com/de/legalhub/paypal/privacy-full
5.6 External APIs Used for Core Features
Depending on the feature used, the following external services are called server-side (no direct connection between your browser and these services):
| Service | Purpose | Data transmitted | Third country? |
|---|---|---|---|
| Wikipedia MediaWiki API | POI search and article content | GPS coordinates (anon.), article titles | No |
| OpenStreetMap Nominatim | Reverse geocoding | GPS coordinates (lat/lon) | No |
| OpenRouteService | Route planning; geocoding | Coordinates; for geocoding: user-entered place name (free text) | No |
| OpenRouter (AI infrastructure) | Routing to AI language models for quiz generation | Exclusively public Wikipedia texts and POI names; no personal user data | USA (SCCs) |
5.7 Bot Protection (Cap.js)
To protect public forms (for example, GPX upload) against abusive automated requests, we use Cap.js. The Cap.js instance is self-hosted within our own cluster and does not share data with any third party.
5.8 Analytics (Matomo)
We use Matomo (self-hosted in our own cluster) to analyze page views and navigation patterns. Matomo is configured to set no cookies (cookieless tracking) and to anonymize IP addresses before any storage. No data is shared with third parties.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in anonymized usage statistics for service improvement).
5.9 AI-Assisted Quiz Generation(Transparency notice under Art. 50 EU AI Act)
Quiz questions, answer options, and explanatory texts are generated using AI language models provided via the OpenRouter service (USA). The inputs consist exclusively of publicly available Wikipedia texts and geographic place names — no personal user data is transmitted to the AI model.
In accordance with Art. 50 of the EU AI Act, we inform you that the quiz content is AI-generated. Wikipedia source references are provided to support factual plausibility.
5.10 Game Ratings and Content Reports
Users may optionally submit game ratings (overall score 1–5, optional sub-scores and comment) and report inaccurate quiz content. These submissions do not contain personal data (no name, no email address) and are stored server-side.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in quality assurance and improvement of game content).
5.11 Internal Email Notifications
Incoming content reports and game ratings are forwarded as internal notifications by email to the operators. We use the SMTP service of Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) for this purpose. No personal user data is included in these emails.
6. Recipients and Processors
Where legally required, service providers are engaged under a data processing agreement (Art. 28 GDPR).
| Recipient | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting (server, database, SMTP) | Germany |
| PayPal (Europe) S.a r.l. et Cie, S.C.A. | Payment processing | Luxembourg |
| OpenRouter Inc. | AI language model infrastructure (no personal user data transmitted) | USA |
7. International Data Transfers
| Recipient | Country | Transfer mechanism |
|---|---|---|
| PayPal | USA / Luxembourg | Standard Contractual Clauses (SCCs) under Art. 46 GDPR; PayPal privacy information |
| OpenRouter | USA | Standard Contractual Clauses (SCCs) under Art. 46 GDPR; no personal user data transmitted; OpenRouter privacy policy |
8. Storage Duration
| Data category | Retention period | Legal basis |
|---|---|---|
| Server log data | Max. 30 days | Operational security |
| Game and route data | For the duration of service operation | Service purpose (permanent access via share link) |
| Payment receipts | 10 years | §§ 147 German Tax Code (AO), 257 German Commercial Code (HGB) |
| Game ratings and content reports | 2 years | Quality improvement |
| localStorage (user's device) | Until deleted by the user in their browser | Stored locally |
9. Data Subject Rights
Under GDPR, you have in particular the following rights:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Withdrawal of consent with effect for the future
To exercise your rights, contact: info@vibesolutions.de
10. Right to Object (Art. 21 GDPR)
You have the right to object at any time to the processing of your personal data carried out on the basis of Art. 6(1)(f) GDPR (legitimate interest).
This applies in particular to the anonymized usage analytics (Matomo). Upon receipt of your objection, we will cease the relevant processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Object by email: info@vibesolutions.de
11. Right to Lodge a Complaint
You have the right to lodge a complaint with a competent data protection supervisory authority. The authority responsible for us is:
Die Landesbeauftragte für den Datenschutz Niedersachsen (LfD Niedersachsen)
Prinzenstraße 5, 30159 Hannover, Germany
Phone: +49 (0) 511 120-4500
Website: lfd.niedersachsen.de
12. Data Security
We implement appropriate technical and organizational measures to protect data against loss, misuse, and unauthorized access.
13. Changes to this Privacy Policy
We may update this Privacy Policy if legal, technical, or organizational requirements change. The current version published on this page applies.