Privacy Policy & GDPR Compliance – Munich Connect

Last Updated: 16 April 2025

Munich Connect ("we", "us") is the official, city‑backed platform that digitises Munich’s event‑approval workflow. We connect event organisers, municipal departments (Department of Public Order, Fire, Health, Police), and other stakeholders to enable a bidirectional, continuous data flow. This Privacy Policy explains which data we collect, why we collect it, how long we keep it, and your GDPR rights.

1. Who is Responsible?

Controller: Munich-Connect, Wotanstrasse 8, 82110 Munich, Germany
Email: privacy@munich-connect.de

2. What Data Do We Collect?

  • Account & Authentication Data: name, email, phone, password hash – stored in Firebase Auth/Firestore for secure login and role management.
  • Organisation Details: association/company name, address, VAT/registration numbers – required for permit issuance.
  • Event Records: title, description, dates, expected attendance, location polygons (geodata in OGC‑compliant GeoJSON), uploaded site plans, risk assessments, insurance proofs, documents, and real‑time status comments.
  • Workflow & Approval Data: internal comments, departmental approvals, Kanban status ("To Do", "In Progress", etc.).
  • Technical Logs & Usage: IP, device/browser, timestamps, API route calls, error traces – used for security, auditing, and service improvement.
  • Optional Marketing/Notification Preferences: newsletter opt‑ins, preferred language, notification channels (email, WhatsApp).

3. Why Do We Process Your Data (Legal Basis)?

  • Event Contract (Art. 6 (1)(b) GDPR): to register events, forward data to the right authority, and issue permits.
  • Legal Obligations (Art. 6 (1)(c)): municipal reporting duties, public‑safety regulations, retention of approval files.
  • Legitimate Interests (Art. 6 (1)(f)): city‑wide coordination, fraud prevention, maintaining platform security, analytics to improve the service.
  • Consent (Art. 6 (1)(a)): for optional marketing emails or WhatsApp updates.

4. Who Receives Your Data?

  • Municipal Departments & Agencies (KVR, Fire Department, Health Department, Police) – strictly for evaluating and approving your event.
  • Technical Processors – e.g. Google Cloud (Firebase), Mapbox/OpenStreetMap for geodata tiles, hosting partners – bound by GDPR‑compliant Data Processing Agreements (DPAs).
  • Other Third Parties only when required by law or explicitly authorised by you.

5. International Transfers

Where processors operate outside the EEA, we rely on EU Standard Contractual Clauses and continuous security audits.

6. Retention Periods

  • User Accounts: retained until you delete your account or until 3 years of inactivity have passed (plus 90‑day backup).
  • Event Files & Approvals: 3 years after the event end‑date (German municipal archiving rules may extend this).
  • Server Logs: 12 months for security auditing.

7. Security

Data is encrypted in transit (TLS 1.3) and at rest. We implement role‑based access, regular penetration tests, and incident‑response procedures.

8. Cookies & Tracking

We use essential cookies for authentication and optional analytics cookies (Matomo, self‑hosted) to improve usability. You may opt out in settings.

9. Your GDPR Rights

You have the right to access, rectify, erase, restrict, or object to processing, and to data portability. Contact privacy@munich-connect.de. We reply within one month.

10. Supervisory Authority

If you believe your rights are infringed, you may lodge a complaint with the Bavarian Data Protection Authority (BayLDA), Promenade 27, 91522 Ansbach, Germany.

By using Munich Connect you accept this Privacy Policy.

© 2025 Munich Connect – Official City of Munich Collaboration. All rights reserved.