1. Data Controller
The controller responsible for the processing of personal data on this website is:
ECD Beyond Experience GmbH
Tübinger Strasse 12-16
70178 Stuttgart, Germany
Phone: +49 711 21842 0
E-mail: info@ecd-international.com
2. Data Protection & Information Security Contact
For all matters relating to data protection, data subject rights, or information security, please contact our Data Manager and CISO:
Hannes Werthmann
E-mail: data@ecd-international.com
3. Data We Collect and Why
We only collect personal data that is necessary for the purposes described below. The legal bases refer to Article 6 GDPR.
3.1 Account Registration & Membership
When you create a Beyond Bagatelle account or purchase a membership, we collect your first name, last name, email address, and membership status. We also store a Stripe customer ID to link your account to billing records.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.
3.2 Payment Processing
Payment information (card details, billing address) is processed exclusively by Stripe, Inc. We never store full card numbers on our servers. We receive and store only your Stripe customer ID and subscription status.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.
3.3 Concierge Contact Inquiries
When you submit a contact or concierge request, we collect your name, email address, and the content of your message. This information is used solely to handle your inquiry.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract; Art. 6(1)(f) GDPR — legitimate interest in providing member services.
3.4 Newsletter
If you opt in to our newsletter, we process your email address and opt-in timestamp. You can withdraw your consent at any time via your account settings or by contacting us.
Legal basis: Art. 6(1)(a) GDPR — consent.
3.5 Staff Referrals
For Bagatelle staff who participate in the referral programme, we store the referral code issued to them and the commission amounts accrued from confirmed member sign-ups. We do not collect bank or payment details: commissions are paid out by Bagatelle as part of the staff member's regular salary.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract.
3.6 Event Attendance (Guest Suite)
When you register for a Beyond Bagatelle event as a guest, we collect your name, email address, phone number, company, and attendance details. You are informed of this processing at the point of registration.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract; Art. 6(1)(a) GDPR — consent where explicitly given.
3.7 Error Monitoring & Application Security
We use Sentry to monitor application errors and performance. Session replays are sampled for 10% of sessions; all text content is masked and media is blocked. No personally identifiable information is intentionally transmitted to Sentry.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in maintaining application security and stability.
3.8 Rate Limiting (IP Address)
To protect against abuse and automated attacks, we temporarily store your IP address in an in-memory cache for rate-limiting purposes. IP addresses are not linked to your account and are automatically discarded after 60 minutes.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in protecting the security and integrity of our services.
3.9 Consent Logging
To demonstrate compliance with Art. 7 GDPR, we log consent events (e.g. newsletter opt-in, data processing consent) with a timestamp, a truncated/hashed IP address, and the source of the consent action.
Legal basis: Art. 6(1)(c) GDPR — compliance with a legal obligation.
3.10 Admin Audit Logs
All administrative actions affecting member accounts are logged for security and accountability purposes. Logs record only the type of action and the field names changed — not the values themselves.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest; Art. 6(1)(c) GDPR — compliance with legal obligations (ISO 27001 / HGB).
4. Cookies
This website uses only strictly necessary cookies. We do not use tracking, advertising, or analytics cookies. No cookie consent banner is shown because these cookies cannot be disabled without breaking the service.
| Cookie | Purpose | Duration |
|---|---|---|
| sb-* | Authentication session (Supabase). Keeps you logged in across page loads. | Session / up to 7 days |
5. Data Processors (Sub-processors)
We use the following service providers to process personal data on our behalf. Each is bound by a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR and, where applicable, Standard Contractual Clauses (SCCs) for international transfers.
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | Profile data, auth tokens, inquiries, consent logs, event media | EU (Frankfurt) |
| Stripe, Inc. | Payment processing & subscription management | Customer ID, email, subscription & invoice data | EU (Ireland) |
| Resend, Inc. | Transactional email delivery | Name, email address, message content | EU (SCCs applied) |
| Functional Software, Inc. (Sentry) | Error monitoring & performance | Anonymised error events, masked session replays | EU (Frankfurt) |
| Upstash, Inc. | Rate limiting | IP address (temporary, max 60 min) | EU (SCCs applied) |
6. Data Retention
| Data | Retention period |
|---|---|
| Member profile & account data | Duration of membership + 3 years |
| Billing records (Stripe) | 10 years (§ 257 HGB) |
| Contact / concierge inquiries | 3 years after last communication |
| Admin audit logs | 7 years (§ 257 HGB / ISO 27001) |
| Consent logs | 3 years after the last consent event |
| Error events (Sentry) | 90 days |
| Rate-limit IP addresses (Upstash) | 60 minutes |
7. Your Rights
Under the GDPR you have the following rights. To exercise any of them, please contact us at data@ecd-international.com. We will respond within 30 days.
Right of access (Art. 15)
You may request a copy of the personal data we hold about you. You can also use the "Request my data" feature in your account dashboard.
Right to rectification (Art. 16)
You may correct inaccurate or incomplete personal data via your account settings or by contacting us.
Right to erasure (Art. 17)
You may request deletion of your account and personal data at any time. You can do this directly from your account dashboard. Active subscriptions will be cancelled first.
Right to restriction of processing (Art. 18)
You may request that we restrict processing of your data in certain circumstances.
Right to data portability (Art. 20)
You may request an export of your personal data in a structured, machine-readable format.
Right to object (Art. 21)
You may object to processing based on legitimate interest (Art. 6(1)(f)) at any time.
Right to withdraw consent (Art. 7(3))
Where processing is based on your consent, you may withdraw it at any time (e.g. newsletter opt-out in account settings). Withdrawal does not affect the lawfulness of prior processing.
8. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. The authority responsible for ECD Beyond Experience GmbH is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20, 70173 Stuttgart
Website: www.baden-wuerttemberg.datenschutz.de
9. Changes to This Policy
We may update this Privacy Policy to reflect changes in our services or legal requirements. When we do, we will revise the "Last updated" date at the top of this page. We encourage you to review this page periodically.