Privacy Policy
This privacy policy explains how we process personal data in the internal Vandrap Portal. We comply with the GDPR and the German Federal Data Protection Act (BDSG).
1. Controller
Vandrap Media UG (haftungsbeschränkt)
Berliner Platz 39
48143 Münster
Germany
Phone: +49 176 21629474
Email: info@vandrapmedia.com
Managing Director: Sebastian Chojnacki
A formal data protection officer is not legally required (fewer than 20 persons permanently engaged in automated processing). Please direct data protection requests to the address above or to info@vandrapmedia.com.
2. Scope of processing
The Vandrap Portal is an internal tool for managing employment relationships at Vandrap Media UG. It is only accessible to employees. The portal handles:
- Vacation and special leave requests
- Overtime tracking and approvals
- Sick notifications and sick note uploads
- Personal documents (contracts, payslips, other HR documents)
- Company document confirmations
- Slack notifications for workflow events
3. Categories of personal data
We process the following categories of personal data:
- Master data: first and last name, email address, phone number, date of birth, nationality, address, language, avatar
- Employment data: job title, department, portal role, employment type, weekly hours, start date and contract end date, Slack user ID
- Payroll-relevant data: IBAN, BIC, tax identification number, social security number, health insurance
- Emergency contact: name, phone number and relationship of the emergency contact
- Absence and working time data: vacation requests, sick periods, overtime, special leave with periods, status and reason if applicable
- Documents: employment contract, payslips, sick notes, other HR documents
- Usage data: login timestamps, IP address at login, browser type, performed actions (audit log)
4. Purposes and legal bases
Processing is carried out for the following purposes:
- Performance of the employment relationship: § 26 (1) BDSG in conjunction with Art. 88 GDPR and Art. 6 (1) (b) GDPR
- Compliance with legal obligations (tax law, social security, occupational safety): Art. 6 (1) (c) GDPR
- Legitimate interests (e.g. IT security, audit log): Art. 6 (1) (f) GDPR
- Consent (where required, e.g. for optional features): Art. 6 (1) (a) GDPR
5. Recipients and processors
We use the following technical service providers with whom data processing agreements under Art. 28 GDPR are in place:
- Supabase (Supabase Inc., 970 Toa Payoh North, Singapore): Database hosting and authentication. Server location: Frankfurt am Main, Germany (eu-central-1). Data processing stays within the EU.
- Vercel (Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA): Web application hosting. Processing takes place in EU data centers with EU Standard Contractual Clauses for any data transfers.
- n8n Cloud (n8n GmbH, Stresemannstraße 121, 10963 Berlin, Germany): Workflow automation for notifications. Data processing within the EU.
- Slack (Slack Technologies LLC, 500 Howard Street, San Francisco, CA 94105, USA): Slack notifications. Data transfers to the US are based on the EU-US Data Privacy Framework.
- Google Workspace (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland): Email communication. Server location EU.
We do not share your data with third parties outside these processors unless required by law (e.g. tax authorities, social security) or with your explicit consent.
6. Retention period and deletion
Personal data is processed for the duration of the employment relationship. After termination, the following retention periods apply:
- HR documents, contracts, payslips: 10 years after the end of the business year (§ 257 German Commercial Code, § 147 German Fiscal Code)
- Social security-related documents: up to 6 years after termination (§ 28f (1) German Social Code IV)
- Audit log: 10 years as evidence of processing
After the retention periods expire, all personal data is automatically anonymized. Personal documents in the Vault are deleted in this step. Employment and absence data remains as anonymized statistical aggregates.
7. Your rights
You have the following rights at any time:
- Right of access (Art. 15 GDPR): You can download a ZIP file with all data stored about you in the portal under Settings → Privacy.
- Rectification (Art. 16 GDPR): You can update master data yourself in Settings. Other corrections can be requested from Sebastian.
- Erasure (Art. 17 GDPR): subject to legal retention obligations
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR): fulfilled through the data export ZIP
- Objection (Art. 21 GDPR) to processing based on legitimate interests
- Withdrawal of consent with effect for the future (Art. 7 (3) GDPR)
- Complaint to a data protection supervisory authority. In NRW: State Commissioner for Data Protection and Freedom of Information NRW, Kavalleriestraße 2-4, 40213 Düsseldorf, Germany
8. Data security
We implement technical and organizational measures to protect your data:
- Encrypted transmission via TLS (HTTPS)
- Encrypted storage in the database (at rest)
- Row-Level Security: each employee only sees their own data. HR administrators see data only to the extent necessary
- Authentication via password (minimum length 10 characters) or Google Workspace
- Password compromise protection via the HaveIBeenPwned database
- Automatic daily backups
- Complete audit log of all administrative actions
- Sensitive documents (contracts, payslips) require re-authentication before opening
9. Cookies
The portal uses only technically necessary cookies for the login session and language selection. No tracking or analytics cookies are used. No consent is required for this under § 25 (2) (2) TTDSG.
10. Changes to this privacy policy
We reserve the right to update this privacy policy if legal requirements change or new features are introduced. For material changes, you will be asked to re-confirm at your next login.
11. Contact for privacy questions
For questions about the processing of your data, contact info@vandrapmedia.com or Sebastian Chojnacki directly.