Privacy policy

1. Controller

The controller within the meaning of the EU General Data Protection Regulation (GDPR) is:

Torhaus Berlin e.V.
Columbiadamm 10
12101 Berlin
Germany

Represented by:

Ayosha Kortlang (1st chair)
Tomma Suki Hinrichsen (2nd chair)
Email: info@torhausberlin.de

2. General information on processing

We process personal data only to the extent necessary to provide a functional website and our content and services. The website serves to inform the public about our work. We do not use third-party advertising or analytics services that build cross-site profiles.

3. Hosting and infrastructure

The website is operated on our own servers (self-hosted). The servers are provided by Hetzner Online GmbH, Germany, in a data center located in Germany.

When you access the website, the hosting environment processes technical information in particular (for example the IP address of the requesting device, date and time of the request, amount of data transferred, and where applicable browser type and operating system in server log files). Processing serves to ensure security (for example defense against attacks) and stability of the website and for troubleshooting. The legal basis is Article 6(1)(f) GDPR (legitimate interests in a secure and reliable web presence).

4. Website technology and content

The public site is delivered using the Next.js framework. Content and media are managed through the Payload CMS content management system and stored in a database (MongoDB). This may include personal data that you provide to us or that appears in editorial content (for example names in publications where you have made them public).

The public pages do not set non-essential cookies for advertising or tracking. The protected administration area may use technically necessary cookies or comparable mechanisms for login and session management.

5. Contact forms and form submissions

Where we offer forms, the data you enter is processed to handle your request or for the purpose described on the form and is stored in the content management system database. Depending on configuration, form contents may also be sent by email to recipients we specify; in that case email providers or other technical service providers may be involved to the extent required for delivery.

The legal basis is, depending on the situation, Article 6(1)(b) GDPR (steps prior to a contract or performance of a contract) and/or Article 6(1)(f) GDPR (legitimate interests in handling inquiries) and/or Article 6(1)(a) GDPR (consent), where we obtain consent.

6. User accounts in the administration area

Maintaining the website may involve processing personal data of administrators (for example name, email address, technical access data). The legal basis is Article 6(1)(b) GDPR or Article 6(1)(f) GDPR where processing relates to security and operation of the system.

7. Storage period

We store personal data only as long as necessary for the respective purposes or where statutory retention obligations apply. Server log data is generally retained only for a limited period unless a longer retention is required for security reasons.

8. Sharing of data

We do not transfer your data to third parties beyond the technical processes described in this notice (for example hosting), unless we are legally obliged to do so or you have expressly consented.

9. Transfers to third countries

Where we use servers in Germany only and do not use additional services based outside the EU or EEA, no transfer to a third country takes place. If individual configurations change (for example email delivery via a provider outside the EU), we will inform you of the appropriate safeguards (for example adequacy decision, standard contractual clauses).

10. Your rights

Subject to applicable law, you have the right to access personal data we hold about you, to rectification, erasure, restriction of processing, data portability, and to object to processing where it is based on Article 6(1)(f) GDPR.

Where processing is based on consent, you may withdraw consent with effect for the future.

You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence or the place of our association’s seat.

11. Obligation to provide data

When using the website you are generally not contractually or legally required to provide personal data. Without certain information (for example in a form) we may not be able to process corresponding requests.

Last updated: 23 April 2026