Privacy Policy
Last updated: June 2025
Privacy Policy
This Privacy Policy explains how Queer Alliance ("we," "our," or "us") collects, uses, shares, and protects your personal information when you use our platform and services. We are committed to protecting your privacy and maintaining the trust you place in us as you engage with our community platform.
Key Privacy Features:
- •Complete control: Delete your entire account and all data instantly from your profile settings
- •Granular consent: Choose exactly what communications you receive
- •Data transparency: Clear explanations of what data we collect and why
- •EU protection: Hosted in the EU with full GDPR compliance and Austrian data protection law adherence
- •No data sales: We never sell your personal information to third parties
1. Data Controller Information
We are the data controller responsible for your personal information. You can contact us regarding any privacy matters at:
Data Protection Officer: admin@queer-alliance.com
2. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR Article 6:
- • Your consent: For newsletter subscriptions and direct communication only
- • Contractual necessity: To provide our platform services and facilitate community connections
- • Legitimate interests: To operate and improve our platform, ensure community safety, and facilitate meaningful connections within the community. Our legitimate interest is balanced against your privacy rights.
- • Legal obligation: To comply with applicable laws and regulations
- • Vital interests: In rare cases to protect someone's life or physical safety
3. Information We Collect
Profile Information (What & Why)
• Email address (required): Account creation, authentication, critical communications, password reset
• Username: Unique identifier for community interactions and profile display
• Name (first/last, optional): Personalized greetings, community recognition, networking facilitation
• Phone number (optional): Emergency contact, two-factor authentication, premium support
• Bio and website (optional): Community networking, skill showcasing, professional connections
• Skills and abilities: Matching with relevant opportunities, project collaboration, expertise identification
• Professional information: Career networking, expertise validation, collaboration opportunities
• Participation preferences: Role matching (member, expert, activist, supporter), event recommendations
• Location (country/state/city): Local event notifications, regional community building, legal compliance
• Communication preferences: Respecting consent choices, personalized communication frequency
• Username: Unique identifier for community interactions and profile display
• Name (first/last, optional): Personalized greetings, community recognition, networking facilitation
• Phone number (optional): Emergency contact, two-factor authentication, premium support
• Bio and website (optional): Community networking, skill showcasing, professional connections
• Skills and abilities: Matching with relevant opportunities, project collaboration, expertise identification
• Professional information: Career networking, expertise validation, collaboration opportunities
• Participation preferences: Role matching (member, expert, activist, supporter), event recommendations
• Location (country/state/city): Local event notifications, regional community building, legal compliance
• Communication preferences: Respecting consent choices, personalized communication frequency
Technical Data (Security & Functionality Only)
• IP address: Security monitoring, fraud prevention, compliance with regional laws
• Browser/device information: Compatibility optimization, security verification, responsive design
• Session data: Authentication state, login security, automatic logout for protection
• Error logs: Technical issue resolution, platform stability monitoring, bug fixes
• Note: We do not track personal activity patterns, page visits, or interaction data
• Browser/device information: Compatibility optimization, security verification, responsive design
• Session data: Authentication state, login security, automatic logout for protection
• Error logs: Technical issue resolution, platform stability monitoring, bug fixes
• Note: We do not track personal activity patterns, page visits, or interaction data
Payment Information (What & How)
• Transaction records: Donation history, subscription status, billing reconciliation
• Payment metadata: Transaction IDs, amounts, currency, dates for financial reporting
• Stripe integration: Payment processing handled by Stripe with PCI DSS compliance
• Billing addresses: Tax calculation, fraud prevention, regulatory compliance
• Subscription details: Service level management, renewal processing, usage tracking
• Note: We never store credit card numbers, CVV codes, or sensitive payment data
• Payment metadata: Transaction IDs, amounts, currency, dates for financial reporting
• Stripe integration: Payment processing handled by Stripe with PCI DSS compliance
• Billing addresses: Tax calculation, fraud prevention, regulatory compliance
• Subscription details: Service level management, renewal processing, usage tracking
• Note: We never store credit card numbers, CVV codes, or sensitive payment data
Consent Data (Your Communication Preferences)
• Direct contact: Consent to being contacted with opportunities inside of the queer alliance
• Newsletter: Consent to receiving newsletters and information (not marketing)
• Organizational representative: Consent to being contacted as a representative of an organization directly
• Consent history: Timestamps and changes to your preferences (GDPR compliance)
• Newsletter: Consent to receiving newsletters and information (not marketing)
• Organizational representative: Consent to being contacted as a representative of an organization directly
• Consent history: Timestamps and changes to your preferences (GDPR compliance)
4. How We Use Your Information (Detailed Purposes)
- • Community building: Skill-based member matching, local event recommendations, mentorship connections, collaboration opportunities based on shared interests and location
- • Personalized experience: Content curation based on participation roles, event suggestions matching your skills, language-specific communications, timezone-appropriate notifications
- • Communication: Newsletter delivery (consent-based), direct contact with opportunities (consent-based), organizational representative contact (consent-based), platform updates, security notifications
- • Platform operation: User authentication, session management, feature functionality, data synchronization, multi-language support, mobile responsiveness
- • Community safety: Fraud detection through IP monitoring, spam prevention via rate limiting, abuse reporting systems, content moderation, account verification
- • Website Analytics: Anonymized website statistics from Vercel Analytics (no personal data collected, completely cookie-free)
- • Legal compliance: Austrian data protection law adherence, GDPR requirement fulfillment, audit trail maintenance, regulatory reporting when required
- • Technical functionality: Database optimization, backup creation, system monitoring, security patch deployment, performance optimization, error tracking and resolution
5. Information Sharing
We take your privacy seriously and only share information in these specific circumstances:
- • Service providers: Trusted partners who help us operate our platform (e.g., Supabase for data hosting, Stripe for payments, Vercel for analytics)
- • Legal requirements: When required by law, court order, or to protect our legal rights
- • With your consent: Any other sharing only occurs with your explicit permission
- • No member sharing: We do not share your information with other alliance members or users
We never sell your personal information to third parties.
6. International Data Transfers
Some of our service providers may be located outside the European Economic Area (EEA). When we transfer your data internationally, we ensure adequate protection through:
- • Adequacy decisions: Transfers to countries with adequate data protection
- • Appropriate safeguards: Standard contractual clauses approved by the European Commission
- • Our current providers include Supabase (EU infrastructure), Stripe (global with EU safeguards), and Vercel (EU hosting in Frankfurt region)
7. Data Retention and Deletion
We retain your personal information only as long as necessary and provide immediate deletion capabilities:
- • Active accounts: Data retained while your account remains active and you continue using our services
- • Dormant accounts: Automatic deletion after 3 years of complete inactivity (with 90-day advance warning via email)
- • Immediate self-deletion: Delete your entire account instantly via Profile Settings → Account Settings → Delete Account
- • Upon deletion request: Immediate removal from all active systems, databases, and authentication services
- • Backup removal: Complete removal from all backup systems within 90 days of account deletion
- • Legal requirements: Limited data retention only where specifically required by Austrian or EU law (e.g., financial records for tax purposes)
- • Technical deletion process: Profile data deleted from main database → Authentication credentials removed → Audit logs marked for deletion → Backup systems purged
- • Deletion confirmation: Automatic logout and email confirmation sent after successful account deletion
8. Your Rights Under GDPR
You have the following rights regarding your personal data:
- • Right of access: Request a copy of your personal data via admin@queer-alliance.com or view directly in your profile settings
- • Right to rectification: Correct inaccurate data directly in your profile settings or request assistance via admin@queer-alliance.com
- • Right to erasure: Delete your entire account instantly from your profile settings (Settings > Account Settings > Delete Account) or request deletion via admin@queer-alliance.com
- • Right to restriction: Limit how we process your data by contacting admin@queer-alliance.com
- • Right to data portability: Receive your data in structured JSON format via admin@queer-alliance.com
- • Right to object: Object to processing based on legitimate interests via admin@queer-alliance.com
- • Withdraw consent: Modify consent preferences directly in your profile settings or contact admin@queer-alliance.com
- • Right to complain: Lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde) at dsb.gv.at
Most rights can be exercised directly in your profile settings. For additional assistance, contact admin@queer-alliance.com (30-day response guarantee).
8.1. Complete Account Deletion (Self-Service)
You can delete your entire account and all associated data at any time directly from your profile settings:
- • How to access: Sign in → Profile → Settings → Account Settings → Delete Account
- • Deletion process: Type 'DELETE' to confirm → Immediate permanent deletion of all data
- • What gets deleted: All profile information, skills, preferences, consent history, audit logs, session data, and authentication credentials
- • Timing: Immediate deletion from all systems, including database and authentication
- • Important: This action is irreversible - once deleted, your account and data cannot be recovered
- • Backup removal: Your data is removed from all backups within 90 days of deletion
- • Confirmation: You will be automatically logged out and redirected after successful deletion
- • Alternative: Contact admin@queer-alliance.com if you need assistance with account deletion
9. Comprehensive Data Security Measures
We implement multiple layers of robust security measures to protect your personal information:
Technical Security Measures
• Data encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256) via Supabase
• Database security: Row Level Security (RLS) policies ensuring users can only access their own data
• Authentication: Multi-factor authentication support, secure session management with automatic expiry
• Input validation: Comprehensive XSS prevention, SQL injection protection, input sanitization
• Security headers: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), anti-clickjacking protection
• API security: Rate limiting, request validation, secure API endpoints with authentication required
• Database security: Row Level Security (RLS) policies ensuring users can only access their own data
• Authentication: Multi-factor authentication support, secure session management with automatic expiry
• Input validation: Comprehensive XSS prevention, SQL injection protection, input sanitization
• Security headers: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), anti-clickjacking protection
• API security: Rate limiting, request validation, secure API endpoints with authentication required
Organizational Security Measures
• Access controls: Principle of least privilege, role-based access to systems and data
• Staff training: Regular security awareness training, data protection protocols
• Data processing agreements: Comprehensive agreements with all third-party processors
• Incident response plan: Documented procedures for security breach detection and response
• Regular audits: Quarterly security reviews, annual penetration testing, vulnerability assessments
• Staff training: Regular security awareness training, data protection protocols
• Data processing agreements: Comprehensive agreements with all third-party processors
• Incident response plan: Documented procedures for security breach detection and response
• Regular audits: Quarterly security reviews, annual penetration testing, vulnerability assessments
Continuous Security Monitoring
• Real-time monitoring: 24/7 system monitoring, automated threat detection
• Audit trails: Comprehensive logging of all profile changes, login attempts, data access
• Session tracking: Active session monitoring, automatic logout after inactivity
• Fraud prevention: IP-based anomaly detection, suspicious activity alerts
• Error tracking: Automated error logging and response for security-related issues
• Audit trails: Comprehensive logging of all profile changes, login attempts, data access
• Session tracking: Active session monitoring, automatic logout after inactivity
• Fraud prevention: IP-based anomaly detection, suspicious activity alerts
• Error tracking: Automated error logging and response for security-related issues
Infrastructure Security
• Hosting security: EU-based Supabase infrastructure with SOC 2 Type II compliance
• Network security: Firewalls, VPN access for administrators, secure communication channels
• Backup security: Encrypted automatic backups, secure backup storage, tested recovery procedures
• Update management: Automated security patches, regular dependency updates, vulnerability scanning
• Compliance: GDPR compliance, Austrian data protection law adherence, regular compliance audits
• Network security: Firewalls, VPN access for administrators, secure communication channels
• Backup security: Encrypted automatic backups, secure backup storage, tested recovery procedures
• Update management: Automated security patches, regular dependency updates, vulnerability scanning
• Compliance: GDPR compliance, Austrian data protection law adherence, regular compliance audits
Data Breach Response
• Detection: Automated monitoring systems, immediate alerts for suspicious activity
• Response: 72-hour breach notification to Austrian Data Protection Authority when required
• User notification: Direct communication to affected users within 72 hours of confirmed breach
• Mitigation: Immediate containment procedures, security patch deployment, system hardening
• Documentation: Complete incident documentation, post-incident security improvements
• Response: 72-hour breach notification to Austrian Data Protection Authority when required
• User notification: Direct communication to affected users within 72 hours of confirmed breach
• Mitigation: Immediate containment procedures, security patch deployment, system hardening
• Documentation: Complete incident documentation, post-incident security improvements
10. Cookies and Tracking
We use only essential cookies - no tracking, analytics, or marketing cookies. For detailed information, please see our Cookie Policy. Key points:
- • Essential cookies only: Required for login, payments, and language support (no consent needed)
- • No analytics cookies: We use Vercel's cookie-free analytics instead
- • Preferences stored in your account: Language, theme, and settings saved to your database profile, not cookies
- • No marketing cookies: We don't use advertising or behavioral tracking cookies
11. Protection of Minors
Our platform is designed for individuals 18 years and older. Users under 18 are not permitted to create accounts or use our services.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will:
- • Notify users: Email notification for significant changes
- • Obtain consent: For material changes affecting your rights
- • Post updates: Always maintain the current version on our website
- • Update date: The "Last updated" date shows the most recent revision
13. Contact Information
For any privacy-related questions or to exercise your rights, contact us:
Email: admin@queer-alliance.com
Response time: Within 30 days
Data Protection Authority: Österreichische Datenschutzbehörde (dsb.gv.at)