Privacy policy

Privacy statements are unfortunately long and complicated; I cannot avoid that. To make reading easier for you, I have summarized each paragraph briefly and formulated it as comprehensibly as possible.
The detailed version is decisive.

As part of changing the payment service provider, these data protection provisions were revised as of 07.09.2019.

In case of doubt, the German version of this privacy policy is always preferable to the English translation.

1. General

The responsible operator of the platform Timeline.pics ("controller") with respect to the user ("data subject") is:

Sebastian Zipp
E-mail: sebastian@timeline.pics
Phone: +49 152 31 775 234

Address:
Sebastian Zipp
Neubiberger Str. 41
81737 Munich, Germany

Personal data are collected solely for the provision and implementation of the service on the Timeline.pics platform and are not otherwise processed. The service includes, among other things:

  • the release of content (photos, videos, milestones) within closed user groups, which are managed by the data subject
  • writing comments
  • liking content
  • the handling of payment transactions

The principle of data minimization is respected, that is, as little data as possible and only as much data as necessary are collected and stored. The data subject is able to access, correct or delete personal information independently, so that it is always factually correct and, where necessary, up to date.

Personal data is processed in a manner that ensures adequate security of the data, in particular protection against unauthorized access and unintentional loss.

The personal data required for the proper operation of the platform will be processed in accordance with the provisions of the General Data Protection Regulation (GDPR). Below is a description of the purpose for which, and the extent to which, the controller collects, stores and uses user data.

Note: If you have any questions, I will answer you in person, so please understand that I am not available around the clock.

2. Lawfulness of processing

The lawfulness of processing is given by

a) the consent to the processing by the data subject. This applies to all user accounts, as both the creation of free and paid accounts and one-time payment transactions (purchase of a voucher) can only be carried out in connection with the consent for processing.

b) the fulfillment of a contract that the data subject enters into with the controller by purchasing a paid service (subscriptions or purchase of a voucher).

Note: The time of your consent always corresponds to the creation time of your user account or the invoice, because you have to consent by clicking the appropriate checkbox (required field) in the form.

3. Rights of the data subject

The controller undertakes to provide the following information relating to the processing of personal data to the data subject in an understandable and easily accessible form. The information will be given by e-mail. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

The controller shall not refuse to act on the request of the data subject, unless the controller demonstrates that it is not in a position to identify the data subject.

The controller provides information on action taken on a request within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller informs the data subject of any such extension within one month of receipt of the request.

All of the information below is provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may refuse to act on the request.

If the controller has reasonable doubts concerning the identity of the natural person making the request, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

3.1. Right of access by the data subject

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

a) the purposes of the processing (why are the data processed)

b) the categories of personal data concerned (which data are processed)

c) the recipients of the personal data (who gets the data disclosed)

d) the period for which the personal data will be stored, where possible, or, if not possible, the criteria used to determine that period (how long will the data be stored)

e) indications of the other rights (described below) of the data subject

3.2. Right to rectification

The data subject has the right to obtain from the controller the rectification of inaccurate personal data concerning him or her.

3.3. Right to erasure

The data subject has the right to obtain from the controller the erasure of personal data concerning him or her and the controller shall have the obligation to erase personal data where one of the following grounds applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed

b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing

c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing

d) the personal data have been unlawfully processed

e) the personal data have to be erased for compliance with a legal obligation

f) the personal data were collected from a child or adolescent under the age of 16 without the consent of a legal guardian

Note: You can delete both individual pictures / videos as well as your entire account including all personal data and all pictures / videos. Please note that erasure is irreversible.
If you delete pictures / videos, they are completely erased. When you delete your account, everything is gone.

After erasure, data can still be preserved in a backup that is made for reasons of data security. Backups are saved for one month at the most, after which your data is completely removed. Restoring individual user accounts or even individual images / videos from the backup is not possible!

3.4. Right to restriction of processing

The data subject has the right to obtain from the controller restriction of processing where one of the following applies:

a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data

b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead

c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims

d) the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, such personal data is only allowed to be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.

A data subject who has obtained restriction of processing will be informed by the controller before the restriction of processing is lifted.

3.5. Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller.

Note: You can download an archive of your data from the "my timelines" page within the settings for your user account using the "download data" link.

4. Type and extent of the data collected

The controller collects and processes different personal data according to the requirements. The following list represents the maximum case of all collected data. In some cases, not all of the listed data will be collected, especially for free user accounts.

4.1. Anonymous, non-person-specific data

When websites are accessed, non-personal data are automatically stored in log files on the server (not just Timeline.pics). This refers to

  • your anonymised IP address,
  • your browser,
  • your installed operating system,
  • the pages visited on Timeline.pics,
  • date and time of your visit.

These data do not reveal a visitor's identity. They are stored for the purpose of maintaining and ensuring the operation of the website, for example to be able to trace an attempted attack on the website or, where there are concrete indications, to follow up a legitimate suspicion of unlawful use. The log files are automatically deleted after 14 days.

4.2. Person-specific data

With your user registration on Timeline.pics, i.e. with the creation of a free user account, the following personal data are requested and stored:

  • first name,
  • last name,
  • e-mail address.

When registering, no postal address or payment information is requested or stored, for reasons of data minimization.

Only when a user creates a paid account, i.e. either decides to do so at the first login or upgrades from the free account at a later point, are the following personal data additionally requested and stored for the purpose of invoicing:

  • Address
  • Post code and city
  • Country

4.3. Payment data

The controller uses the service provider MOLLIE (mollie.com), which is based in the Netherlands, to process payment transactions.
For the payment process, the user is forwarded to a page provided by MOLLIE on which the payment will be processed via an encrypted connection (HTTPS).

MOLLIE processes the following personal data:

  • Payment data (e.g. bank account number or credit card number)
  • IP address
  • Internet browser and device type
  • in some cases the first and last name
  • in some cases address data
  • in some cases information about the product or service

Payment methods are represented by the service provider MOLLIE via unique identification keys. The controller stores no payment data (account or credit card data), only these identification keys, in order to perform recurring payments for a subscription.

Note: The actual payment process takes place on a page of the service provider MOLLIE, as a result of which cookies are also set by MOLLIE.

4.4. Bank account

If you do not want to entrust payment data to MOLLIE, the payment service provider mentioned above, it is possible to pay by bank transfer after first getting in contact and receiving a manually issued invoice.
A monthly payment interval is not possible because of the higher administrative effort.

Incoming payments by bank transfer are processed on the account statements of BNP Paribas (branch office Germany). For bank statements a retention period of 10 years applies.

4.5. Cookies

The controller uses two types of cookies. Session cookies are used to save your current login status. These cookies expire when the browser is closed, at the latest after four hours, or immediately when you click on the "Logout" link.

If you use the "stay logged in" function, so that you do not have to log in again each time you visit Timeline.pics, a so-called permanent cookie is set.

Detailed information about the cookies set on Timeline.pics:

timeline_session: Contains information about the logged in user. Is valid for four hours.

XSRF-TOKEN: Is used to secure input forms against so-called cross-site scripting attacks. The duration corresponds to the duration of the user session (four hours).

remember_web_[0-9,a-z]: Only set if the user selects "stay logged in". Contains a unique number that identifies the browser to Timeline.pics. The cookie has a term of five years; it is deleted immediately when the user clicks on "Logout".

timeline_2fa: Only set if the user uses so-called two-factor authentication. Contains a unique number that Timeline.pics can use to check that a valid one-time code has already been queried in this browser. The cookie has a term of one month. It will be deleted immediately when the user clicks on "Logout".

Note: In the case of payment transactions via the payment service provider MOLLIE, several additional cookies are set by the payment service provider for the purpose of payment processing.

If you do not want to accept such cookies, you can set your Internet browser to automatically reject all cookies, or to ask you whether to accept or reject each cookie.

4.6. Notifications by e-mail

The data subject can be notified by e-mail about certain events. Before such e-mails can be sent by the controller to the data subject, the data subject must confirm via a confirmation e-mail that they are the owner of the registered e-mail address ("double opt-in"). You can set up notifications by e-mail for specific events, e.g. if one of your photos / videos is commented on. Before you can receive such e-mails, a confirmation mail will be sent to check whether you are the owner of the e-mail address you entered ("double opt-in").

Note: As a Timeline owner, you can set up notifications by e-mail for specific events, e.g. if one of your photos / videos is commented on. You can subscribe to a weekly summary of all the news from your timelines. You can unsubscribe from these additional notifications at any time.

4.7. Web analytics (tracking) and social networks

The controller does not use web analytics, for reasons of data minimization. The usage of the website is not analyzed; we find this fact to be worth mentioning. A privacy notice regarding web analytics is therefore not necessary.

On Timeline.pics, no share functions or other so-called social plugins of social networks are integrated. Moreover, individual photos / videos cannot be shared on social networks, as they are only visible with an active login (only for registered users). Privacy policies for social networks are therefore not necessary.

5. Security of data processing

The controller takes the necessary technical and organizational measures to ensure a level of protection appropriate to the risk in the processing of personal data.

5.1. Encrypted connection

The connection to Timeline.pics is encrypted via an SSL server certificate issued by Let's Encrypt Authority.

The data subject is always forwarded to an encrypted connection, even if the URL was entered without "https" in the address bar of the browser.

5.2. Passwords and 2-step verification

The password associated with the account is not stored in plaintext, but is combined with a random value ("salt") and stored as an encrypted hash value (see "Bcrypt" on Wikipedia). It is thus no longer possible to draw conclusions as to the unencrypted password.

The data subject can optionally secure his or her user account with two-factor authentication (2FA).

Note: You can enable the 2-step verification (2FA) in your user account settings under the menu item My Password.

5.3. Backups

The controller secures all personal data as well as the photos and videos uploaded by the data subject with daily backups to protect them against accidental or deliberate manipulation, loss and destruction.

Note: Timeline.pics does not replace a backup solution. Please back up your photos and videos yourself, e.g. by copying them to a USB hard drive on a regular basis.

6. Photo and video data

In Germany, each person holds the right to their own image, which is a particular form of the fundamental personal rights. This right means that every human being can decide whether or not images of themselves are published at all (see "Personality Rights, Germany" on Wikipedia).

On Timeline.pics, pictures and videos from private environments are uploaded and shared with a closed user group. Nevertheless, the personal right to one's own image applies to the extent that, before publishing any pictures, you have to obtain permission to publish from the persons concerned or, in the case of minors, from their parents.

7. Children and adolescents

Naturally, data protection regulations also apply to the personal data of children and adolescents who register with Timeline.pics. However, Timeline.pics strongly recommends that persons under the age of 16 register an account with Timeline.pics only with the consent of their parents or legal guardians and, in particular, upload photos to their own timelines only with that consent!

8. Validity

These data protection regulations apply from April 28th 2018 and replace the data protection regulations valid up to that date.