●Legal · Privacy Policy
Privacy Policy.
Privacy policy for the PlanesForge platform
Last updated: June 25, 2026
Note: The legally binding version of this privacy policy is the German version. This English translation is provided for convenience only.
1. Data Controller.
Steffen Jahr
Im Brumättle 23
77656 Offenburg
Germany
Email: admin@planesforge.de
2. Overview.
We only process personal data insofar as it is necessary to provide the PlanesForge platform and its features. Processing is carried out in accordance with the GDPR.
3. Data We Collect.
3.1 Account Data
When you register, we collect:
- Name — for identification in tournaments and standings
- Email address — for authentication (magic link or password) and notifications
- Street address — for organizer profiles and invoice generation (organizers only)
- Preferred language — to display the platform in the user's chosen language
Legal basis: Art. 6(1)(b) GDPR (contract performance)
3.2 Tournament Registration Data
When registering for a tournament, we additionally collect:
- Postal code (PLZ) — for statistical analysis of regional participant distribution
Legal basis: Art. 6(1)(b) GDPR (contract performance)
3.3 Tournament Data
The following data is processed during tournament participation:
- Results (match results, standings, points)
- Decklists (submitted card lists)
- Deck archetypes (for meta analysis)
This data is publicly displayed on the Platform after the tournament ends.
Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in transparent tournament documentation)
3.4 Technical Data
When accessing the Platform, the following data is automatically collected:
- IP address
- Date and time of access
- Browser type and version
- Operating system
- Referrer URL
This data is stored in server log files and serves to ensure the operation and security of the Platform.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
3.5 Audit Log Data
Administrative actions and staff access to user accounts are recorded in an audit log. This log contains: timestamp, identity of the acting administrator, affected user account, type of action, and — for staff access sessions — the stated access reason.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security and accountability)
4. Authentication.
Credentials and sessions are processed by an identity and login management system that we operate ourselves on our hosting infrastructure (see Section 6). No transfer to an external identity provider takes place.
- Players authenticate via magic links — one-time links sent by email, valid for 30 minutes and usable only once. No passwords are stored for player accounts.
- Organizers and administrators sign in with an email address and password. Passwords are stored only as a cryptographic hash; the plaintext password is never accessible to us.
Login and verification emails are sent via Amazon Simple Email Service (SES) by Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg. Processing takes place exclusively in the AWS eu-north-1 region (Stockholm, Sweden). A data processing agreement (DPA) is in place with AWS. No third-country transfer occurs.
5. Staff Access to User Accounts.
Authorised administrators may temporarily assume the session of a user account (so-called "staff impersonation") for the purpose of customer support and troubleshooting. This function is technically restricted to read-only access — write operations are blocked for administrators in such sessions.
Every such access is fully recorded in the audit log and includes: timestamp, administrator ID, affected user ID, stated access reason, and session duration.
Users have the right under Art. 15 GDPR to request information about whether and when an administrator has accessed their account. Please direct such requests to admin@planesforge.de.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in support, platform security, and troubleshooting). A Legitimate Interest Assessment (LIA) is documented.
6. Hosting.
The Platform is hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Data is processed exclusively in Germany. A data processing agreement (DPA) is in place with Hetzner. No third-country transfer occurs.
Backups
IONOS SE — Backups of the database are stored in IONOS Object Storage in Frankfurt, Germany. IONOS SE is headquartered in Karlsruhe, Germany. Backups are retained for 90 days, encrypted at rest, and accessible only to the data controller. A Data Processing Agreement (DPA) is in place.
PlanesForge uses no third-party tracking, analytics, or advertising tools.
We set a single, strictly necessary cookie:
pf_session— session cookie for login. It is set after you log in, contains the identifier of your login session, is flaggedhttpOnly(not readable by JavaScript), and expires after 7 days or when you log out.
This cookie is strictly necessary to operate the logged-in area. No consent is required for it under § 25(2) TDDDG; it serves authentication only — not analytics, tracking, or advertising.
In addition, the Platform stores strictly necessary information locally in your browser (localStorage, sessionStorage, and IndexedDB) to ensure functionality and usability — such as your language, theme, and view preferences, filter settings, the life-total counter during an ongoing round, and an offline queue for result submissions (Progressive Web App). This information remains on your device and is not transmitted to third parties.
Legal basis: § 25(2) TDDDG (strictly necessary) in conjunction with Art. 6(1)(b) and (f) GDPR.
8. Data Sharing with Third Parties.
Personal data is generally not shared with third parties, unless:
- the user has given explicit consent,
- sharing is necessary for contract performance (e.g., tournament results are publicly displayed),
- there is a legal obligation.
Tournament organizers have access to registration data of registered players (name, postal code, payment status) within the scope of their tournaments.
Stripe (Payment Processing and Stripe Connect)
We use Stripe as a payment service provider for processing tournament entry fees. The provider is Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland. The necessary payment and personal data (e.g. name, email address) are transmitted to Stripe for payment processing. A data processing agreement (DPA) pursuant to Art. 28 GDPR is in place with Stripe. Stripe may transfer data to the United States; standard contractual clauses (SCCs) pursuant to Art. 46 GDPR are in place for such transfers. Further information: https://stripe.com/privacy
Legal basis: Art. 6(1)(b) GDPR (contract performance)
PlanesForge additionally uses Stripe Connect to enable tournament organizers to receive entry fee payments directly. Organizers wishing to accept payments through the platform undergo a Stripe-operated onboarding process during which they submit their identity and banking details directly to Stripe. This data is processed by Stripe under their own responsibility and subject to Stripe's privacy policy. PlanesForge does not receive access to bank account numbers or full identity documents. The data transfer is based on Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in secure payment processing).
Scryfall (Card Data)
To validate and enrich decklists, we use the public API of Scryfall (api.scryfall.com), operated by Scryfall LLC, USA. When a decklist is submitted, only card names are sent to Scryfall to retrieve card data (legality, image references). No personal data is transmitted to Scryfall. Card data is cached locally to avoid repeated requests.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in correct card validation)
Further information: https://scryfall.com/docs/api
9. External Links.
Our Platform contains links to external services, in particular:
- Discord (discord.com) — community server for discussion and support
- PayPal (paypal.com) — if configured as a payment option by the organizer
- Moxfield (moxfield.com) and Archidekt (archidekt.com) — optional decklist import
Clicking these links redirects you to external websites governed by their own privacy policies. Data is only transmitted to these services when you actively click a link, not automatically when visiting our Platform.
10. Data Retention.
- Account data is retained as long as the user account exists. On deletion, personal data (name, email, address) is anonymised immediately. The anonymised account record is retained indefinitely to preserve tournament statistics.
- Tournament data (results, standings, decklists) is stored permanently for tournament history.
- Payment records are retained for 10 years in accordance with §257 HGB and §147 AO (German commercial and tax record-keeping obligations).
- Database backups are retained for 90 days, then deleted automatically. Backups are encrypted at rest.
- Audit log entries (administrative actions and staff access sessions) are retained for 2 years and then automatically deleted.
- Server log files are deleted after 30 days.
- Magic links expire after 30 minutes and are invalidated after use.
11. Your Rights.
You have the following rights regarding your personal data:
- Access (Art. 15 GDPR) — what data we have stored about you
- Rectification (Art. 16 GDPR) — correction of inaccurate data
- Erasure (Art. 17 GDPR) — deletion of your data, unless retention obligations apply
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR) — receipt of your data in a machine-readable format
- Objection (Art. 21 GDPR) — against processing based on legitimate interest
Self-service: You can download all your personal data and delete your account directly in your profile settings — no request needed.
For all other rights — including information about staff access to your account (Art. 15 GDPR), data portability (Art. 20 GDPR), or erasure (Art. 17 GDPR) — contact us at admin@planesforge.de. We respond to requests within 30 days.
12. Right to Complain.
You have the right to lodge a complaint with a data protection supervisory authority. The responsible authority is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg Lautenschlagerstraße 20 70173 Stuttgart https://www.baden-wuerttemberg.datenschutz.de
13. Changes.
We reserve the right to update this privacy policy to reflect changes in the law or changes to the Platform. The current version is always available on this page.
Need help?
Got a question? Drop us a line at admin@planesforge.de