Privacy Policy

Last updated: April 19, 2026

Note: The legally binding version of this privacy policy is the German version. This English translation is provided for convenience only.

1. Data Controller

Steffen Jahr
Im Brumättle 23
77656 Offenburg
Germany

Email: admin@planesforge.de

2. Overview

We only process personal data insofar as it is necessary to provide the PlanesForge platform and its features. Processing is carried out in accordance with the GDPR.

3. Data We Collect

3.1 Account Data

When you register, we collect:

  • Name — for identification in tournaments and standings
  • Email address — for magic link authentication and notifications
  • Street address — for organizer profiles and invoice generation (organizers only)
  • Preferred language — to display the platform in the user's chosen language

Legal basis: Art. 6(1)(b) GDPR (contract performance)

3.2 Tournament Registration Data

When registering for a tournament, we additionally collect:

  • Postal code (PLZ) — for statistical analysis of regional participant distribution

Legal basis: Art. 6(1)(b) GDPR (contract performance)

3.3 Tournament Data

The following data is processed during tournament participation:

  • Results (match results, standings, points)
  • Decklists (submitted card lists)
  • Deck archetypes (for meta analysis)

This data is publicly displayed on the Platform after the tournament ends.

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in transparent tournament documentation)

3.4 Technical Data

When accessing the Platform, the following data is automatically collected:

  • IP address
  • Date and time of access
  • Browser type and version
  • Operating system
  • Referrer URL

This data is stored in server log files and serves to ensure the operation and security of the Platform.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest)

4. Authentication

Players authenticate via magic links — one-time links sent by email. These links are valid for 15 minutes and can only be used once. No passwords are stored for player accounts.

Emails are sent via Amazon Simple Email Service (SES) by Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg. Processing takes place exclusively in the AWS EU North 1 region (Stockholm, Sweden). A data processing agreement (DPA) is in place with AWS. No third-country transfer occurs.

5. Hosting

The Platform is hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Data is processed exclusively in Germany. A data processing agreement (DPA) is in place with Hetzner. No third-country transfer occurs.

Backups

IONOS SE — Backups of the database are stored in IONOS Object Storage in Frankfurt, Germany. IONOS SE is headquartered in Karlsruhe, Germany. Backups are retained for 90 days and accessible only to the data controller. A Data Processing Agreement (DPA) is in place.

6. Cookies and Tracking

PlanesForge uses no tracking cookies and no third-party analytics tools. Only technically necessary cookies are used:

  • Session token (JWT) — for authenticating the logged-in user

7. Data Sharing with Third Parties

Personal data is generally not shared with third parties, unless:

  • the user has given explicit consent,
  • sharing is necessary for contract performance (e.g., tournament results are publicly displayed),
  • there is a legal obligation.

Tournament organizers have access to registration data of registered players (name, postal code, payment status) within the scope of their tournaments.

Stripe (Payment Processing and Stripe Connect)

We use Stripe as a payment service provider for processing tournament entry fees. The provider is Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland. The necessary payment and personal data (e.g. name, email address) are transmitted to Stripe for payment processing. A data processing agreement (DPA) pursuant to Art. 28 GDPR is in place with Stripe. Stripe may transfer data to the United States; standard contractual clauses (SCCs) pursuant to Art. 46 GDPR are in place for such transfers. Further information: https://stripe.com/privacy

Legal basis: Art. 6(1)(b) GDPR (contract performance)

PlanesForge additionally uses Stripe Connect to enable tournament organizers to receive entry fee payments directly. Organizers wishing to accept payments through the platform undergo a Stripe-operated onboarding process during which they submit their identity and banking details directly to Stripe. This data is processed by Stripe under their own responsibility and subject to Stripe's privacy policy. PlanesForge does not receive access to bank account numbers or full identity documents. The data transfer is based on Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in secure payment processing).

Scryfall (Card Data)

To validate and enrich decklists, we use the public API of Scryfall (api.scryfall.com), operated by Scryfall LLC, USA. When a decklist is submitted, only card names are sent to Scryfall to retrieve card data (legality, image references). No personal data is transmitted to Scryfall. Card data is cached locally to avoid repeated requests.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in correct card validation)

Further information: https://scryfall.com/docs/api

8. External Links

Our Platform contains links to external services, in particular:

  • Discord (discord.com) — community server for discussion and support
  • PayPal (paypal.com) — if configured as a payment option by the organizer
  • Moxfield (moxfield.com) and Archidekt (archidekt.com) — optional decklist import

Clicking these links redirects you to external websites governed by their own privacy policies. Data is only transmitted to these services when you actively click a link, not automatically when visiting our Platform.

9. Data Retention

  • Account data is retained as long as the user account exists.
  • Tournament data (results, standings) is stored permanently for tournament history and may remain in anonymized form after account deletion.
  • Server log files are deleted after 30 days.
  • Magic links expire after 15 minutes and are deleted after use or expiration.

10. Your Rights

You have the following rights regarding your personal data:

  • Access (Art. 15 GDPR) — what data we have stored about you
  • Rectification (Art. 16 GDPR) — correction of inaccurate data
  • Erasure (Art. 17 GDPR) — deletion of your data, unless retention obligations apply
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR) — receipt of your data in a machine-readable format
  • Objection (Art. 21 GDPR) — against processing based on legitimate interest

To exercise your rights, contact us at admin@planesforge.de.

11. Right to Complain

You have the right to lodge a complaint with a data protection supervisory authority. The responsible authority is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg Lautenschlagerstraße 20 70173 Stuttgart https://www.baden-wuerttemberg.datenschutz.de

12. Changes

We reserve the right to update this privacy policy to reflect changes in the law or changes to the Platform. The current version is always available on this page.
PlanesForge