Privacy policy
Last updated: 6 May 2026.

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Martin Christof Peutz
Hillerstraße 7/32
1020 Vienna
Austria
Email: office@membercore.eu
Phone: +43 670 2083041

2. Data Protection Officer

There is no statutory obligation to appoint a data protection officer under Art. 37 GDPR. Please direct any data-protection inquiries to the email address above.

3. Role: controller vs. processor

Two distinct processing relationships exist when you use MemberCore:

a) For data you provide as a website visitor or as a signed-in administrator (club official), or that arises through your visit, MemberCore is the controller within the meaning of Art. 4(7) GDPR. This Privacy Policy describes that processing.

b) For data of your club’s members that you import or capture as a signed-in club, your club is the controller; MemberCore acts as a processor within the meaning of Art. 28 GDPR. The legal terms of that processing are governed by the Data Processing Agreement (Auftragsverarbeitungsvertrag, AVV) between your club and MemberCore.

4. Data processed, purposes, and legal bases

4.1 Server log files

On every request, technically necessary data are collected (IP address, browser type, operating system, referrer URL, date and time, requested URL).
Purpose: ensuring stable operation, detecting and mitigating attacks, error analysis.
Legal basis: legitimate interests under Art. 6(1)(f) GDPR.
Retention: up to 30 days; longer for security incidents, but no longer than necessary for resolution.

4.2 Account and sign-in data

On registration we process name, email address, a hashed password, optional profile picture and phone number. With multi-factor authentication, related security factors are processed in addition.
Purpose: provision of the user account, authentication, sign-in security.
Legal basis: contract performance under Art. 6(1)(b) GDPR.
Retention: duration of the contractual relationship plus statutory retention periods.

4.3 Club and member data (processor relationship)

Data captured by a club as the controller in MemberCore (in particular member, fee, SEPA-mandate, and communications data) are processed exclusively on instructions of the club. See the AVV for details.

4.4 Payment processing

Payment data for the MemberCore subscription are transmitted to Stripe Payments Europe Ltd. MemberCore itself does not receive or store full payment-instrument data; only references needed to identify a payment are stored (Stripe customer ID, status, last 4 digits of an instrument).
Legal basis: contract performance under Art. 6(1)(b) GDPR.

4.5 Transactional and service email

We send system emails (e.g. sign-in confirmations, password resets, notifications, invoices) via the service Resend.
Legal basis: contract performance under Art. 6(1)(b) GDPR.

4.6 Marketing and product email

You receive direct marketing or product updates only with your consent (newsletter sign-up). You may object at any time or withdraw consent in any marketing email or by emailing office@membercore.eu.
Legal basis: consent under Art. 6(1)(a) GDPR.

4.7 Cookies and similar technologies

We set strictly necessary cookies (session, security, language preference, storing your consent choice) and — only after your consent — analytics cookies (PostHog). See the Cookies & tracking page for details.
Legal basis (necessary): contract performance / legitimate interests under Art. 6(1)(b) and (f) GDPR, and § 165(3) Austrian Telecommunications Act 2021 (TKG).
Legal basis (analytics): consent under Art. 6(1)(a) GDPR and § 165(3) TKG 2021.

4.8 Error monitoring (Sentry)

For service stability, technical error reports (e.g. stack traces, browser type, affected URL) are sent to our service provider Sentry (EU region, Frankfurt). Personal references (such as IP address or cookies) are minimized before transmission.
Legal basis: legitimate interests under Art. 6(1)(f) GDPR (operating a stable IT service).

5. Recipients and processors

We use carefully selected processors. Data processing agreements within the meaning of Art. 28 GDPR are in place with all recipients. For transfers to third countries, Standard Contractual Clauses (controller-to-processor module) and/or the EU-US Data Privacy Framework (DPF) apply; where required, we apply additional measures (encryption at rest and in transit).

a) Vercel Inc., 440 N Barranca Avenue #4133, Covina, CA 91723, USA
Purpose: application hosting
Region: Frankfurt (EU)
Third-country transfer: USA — covered by SCCs and EU-US DPF

b) Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992
Purpose: database, authentication, file storage
Region: Frankfurt (EU, AWS eu-central-1)
Third-country transfer: none in the regular flow; covered by SCCs

c) Stripe Payments Europe Ltd, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin D02 H210, Ireland
Purpose: subscription payment processing for MemberCore
Region: EU/EEA
Third-country transfer: intra-group transfer to the USA possible; covered by SCCs and EU-US DPF

d) Resend Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA
Purpose: sending transactional and marketing email
Third-country transfer: USA — covered by SCCs and EU-US DPF

e) Functional Software, Inc. d/b/a Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA
Purpose: error and performance monitoring
Region: Frankfurt (EU; ingest.de.sentry.io)
Third-country transfer: US headquarters; covered by SCCs and EU-US DPF

f) PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA
Purpose: product analytics (usage statistics) — only after your consent
Region: EU (eu.posthog.com)
Third-country transfer: US headquarters; covered by SCCs and EU-US DPF

A current list of processors is available on request; we will notify clubs of changes at least 30 days in advance, unless a shorter period is required by law or contract.

6. Retention

We retain personal data only as long as necessary for the purposes set out above or as required by statutory retention periods (in particular § 132 BAO and § 212 UGB — up to 7 years for invoice-related records). Data are deleted or anonymized after that.

7. Your rights

You may at any time exercise the rights of:
— access (Art. 15 GDPR);
— rectification (Art. 16 GDPR);
— erasure (Art. 17 GDPR);
— restriction of processing (Art. 18 GDPR);
— data portability (Art. 20 GDPR);
— objection to processing based on legitimate interests (Art. 21 GDPR);
— withdrawal of consent with effect for the future (Art. 7(3) GDPR).

Please direct requests to office@membercore.eu. We respond within statutory deadlines (Art. 12(3) GDPR).

8. Right to lodge a complaint

You have the right to lodge a complaint with the competent supervisory authority. In Austria this is the Austrian Data Protection Authority (Barichgasse 40-42, 1030 Vienna; https://www.dsb.gv.at). You may also contact the supervisory authority of your habitual residence or place of work.

9. Obligation to provide data

The provision of your personal data is neither a statutory nor a contractual requirement. However, without the data needed to perform the contract (in particular an email address for sign-in), we cannot provide MemberCore to you.

10. Automated decision-making

No automated decision-making within the meaning of Art. 22 GDPR takes place.

11. Changes to this Privacy Policy

We update this Privacy Policy when processing or legal requirements change. The current version is always available at this address.