Last updated: March 7, 2026
The party responsible for data processing on this website (the "controller") is listed on our Imprint page. For privacy-related inquiries, please contact us via the email address listed there.
being.at ("we", "us", "our") operates a platform that enables users to track physical objects (such as lighters) via QR codes. Each object has a journey page where people who find the object can add text entries and photos.
We take the protection of your personal data seriously. This policy explains what data we collect, how we use it, and your rights regarding your data.
When you visit our website, our web server automatically collects technical data in server log files. This includes your IP address, browser type and version, operating system, referring URL, pages visited, and the date and time of your visit.
This data is collected on the basis of Art. 6(1)(f) GDPR. We have a legitimate interest in ensuring the technical functionality and security of our website. This data is not combined with other data sources and is deleted after 30 days.
We use essential cookies and browser local storage to maintain your session and store your authentication token. These are strictly necessary for the functioning of the service and do not require consent.
Specifically, we store: your authentication token (to keep you logged in), and basic user preferences. No third-party tracking cookies are set by our website directly.
You can create an account using your email address. We store your email address and a securely hashed version of your password. Your email is used for account authentication and, if necessary, to communicate important service-related information.
The legal basis for this processing is Art. 6(1)(b) GDPR (performance of a contract). You can request deletion of your account and associated data at any time.
When you add an entry to an object's journey, you may provide text, a photo, and optionally your location. This content is publicly visible on the object's journey page.
Photos are stored on Amazon Web Services (AWS) S3 servers. Text entries and metadata are stored in our database. If you choose to share your location, the city or area name is stored alongside your entry.
The legal basis for processing user-generated content is Art. 6(1)(a) GDPR (consent) — you actively choose to submit each entry. You can request removal of your entries by contacting us.
Photos uploaded to being.at are stored on Amazon Web Services (AWS) S3 in the EU region. Images are accessible via direct URLs on the journey pages where they were posted.
We do not perform facial recognition or biometric analysis on uploaded images. Images are retained as long as the associated journey entry exists, or until you request their deletion.
We use Amplitude, a third-party analytics service, to understand how visitors interact with our website. Amplitude collects information such as pages visited, buttons clicked, device type, and general interaction patterns.
Amplitude may set its own cookies. Data is processed by Amplitude, Inc. (USA). The transfer to the USA is based on Standard Contractual Clauses (SCCs) approved by the European Commission.
You can opt out of analytics tracking by using a browser extension that blocks Amplitude, or by enabling "Do Not Track" in your browser settings.
The legal basis for analytics is Art. 6(1)(f) GDPR (legitimate interest in improving our service).
We use the following third-party services:
Amazon Web Services (AWS) S3 — for storing user-uploaded images. AWS processes data in accordance with their Data Processing Addendum. Servers are located in the EU.
Amplitude — for web analytics (see Section 8 above).
Under the General Data Protection Regulation, you have the following rights:
Right of access (Art. 15 GDPR) — You can request information about the personal data we hold about you.
Right to rectification (Art. 16 GDPR) — You can request that inaccurate data be corrected.
Right to erasure (Art. 17 GDPR) — You can request deletion of your personal data, subject to legal retention obligations.
Right to restriction (Art. 18 GDPR) — You can request that we restrict the processing of your data.
Right to data portability (Art. 20 GDPR) — You can request your data in a structured, machine-readable format.
Right to object (Art. 21 GDPR) — You can object to data processing based on legitimate interests.
Right to lodge a complaint — You have the right to lodge a complaint with a supervisory authority. The competent authority for us is the Berliner Beauftragte für Datenschutz und Informationsfreiheit.
To exercise any of these rights, please contact us via the email address listed on our Imprint page.
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by law.
Account data is retained for the duration of your account. Upon account deletion, your personal data is removed within 30 days, except where retention is required by law.
Journey entries (text and images) remain publicly accessible as part of the object's journey unless you request their removal.
Server log files are deleted after 30 days.
We use industry-standard security measures to protect your data. All data transmitted between your browser and our servers is encrypted using TLS/SSL. Passwords are stored as secure hashes and are never stored in plain text.
We may update this privacy policy from time to time. Changes will be posted on this page with an updated "last modified" date. We encourage you to review this policy periodically.