Privacy statements are unfortunately long and complicated, I can not avoid that. To make reading easier for you, I have summarized each paragraph briefly and formulated it as comprehensible as possible.
Decisive is the detailed version.
Responsible operator of the platform Timeline.pics ("controller") to the user ("data subject") is:
80671 Munich, Germany
Personal data are collected solely for the provision and implementation of the service on the Timeline.pics platform and are not otherwise processed. The service includes among others
the release of content (photos, videos, milestones) within closed user groups, which are by managed by the data subject
the handling of payment transactions
The principle of data minimization is respected, that is, as little data as possible and only as much data as necessary are collected and stored.
The data subject is able to access personal information, to correct or delete independently, so that they are always factually correct and
if necessary, are up to date.
Personal data is processed in a manner that ensures adequate security of the data, in particular protection against unauthorized access and unintentional loss.
The personal data required for the proper operation of the platform will become
processed in accordance with the provisions of the General Data Protection Regulation (GDPR). Below is a description of the purpose of and the extent to which the controller collects, stores and employs user data.
Note: If you have any questions, I answer you in person, so please understand that I am not available around the clock.
2. Lawfulness of processing
The lawfulness of processing is given by
a) the consent to the processing by the data subject.
This applies to all user accounts, as both the creation of free and paid accounts and one-time payment transactions (purchase of a voucher) can only be carried out in connection with the consent for processing.
b) the fulfillment of a contract, that the data subject obtains with the controller by purchasing a paid service (subscriptions or purchase of a voucher).
Note: The time of your consent always corresponds to the creation time of your user account or the invoice, because you have to consent by clicking the appropriate checkbox (required field) in the form.
3. Rights of the data subject
The controller undertakes to provide the following information relating to the processing of personal data to the data subject in an understandable and easily accessible form. The information will be given by e-mail.
When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
The controller shall not refuse to act on the request of the data subject, unless the controller demonstrates that it is not in a position to identify the data subject.
The controller provides information on action taken on a request
within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.
The controller informs the data subject of any such extension within one month of receipt of the request.
All of the information below is provided free of charge.
Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may refuse to act on the request.
If the controller has reasonable doubts concerning the identity of the natural person making the request, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
3.1. Right of access by the data subject
The data subject have the right to obtain from the controller confirmation as
to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
a) the purposes of the processing (why are the data processed)
b) the categories of personal data concerned (which data are processed)
c) the recipients of the personal data (who gets the data disclosed)
d) the period for which the personal data will be stored, where possible, or, if not possible, the criteria used to determine that period (how long will the data be stored)
e) Indications of the other rights (described below) of the data subject
3.2. Right to rectification
The data subject have the right to obtain from the controller the rectification of inaccurate personal data concerning him or her.
3.3. Right to erasure
The data subject have the right to obtain from the controller the erasure of personal data concerning him or her and the controller shall have the obligation to erase personal data where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing
the data subject objects to the processing and there are no overriding legitimate grounds for the processing
d) the personal data have been unlawfully processed
e) the personal data have to be erased for compliance with a legal obligation
f) the personal data was collected from a child or adolescent under the age of 16 without the consent of a legal guardian
You can delete both individual pictures / videos as well as your entire account including all personal data and all pictures / videos. Please note that erasure is irreversible.
If you delete pictures / videos, they are completely erased. When you delete your account, everything is gone.
After erasure, data can still be preserved in a backup that is made for reasons of data security. Backups are saved for one month at the most, after which your data is completely removed. Restoring individual user accounts or even individual images / videos from the backup is not possible!
3.4. Right to restriction of processing
The data subject have the right to obtain from the controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims
d) the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted, such personal data is only allowed to be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.
A data subject who has obtained restriction of processing will be informed by the controller before the restriction of processing is lifted.
3.5. Right to data portability
The data subject have the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller.
Note: You can download an archive of your data from the "my timelines" page within the settings for your user account using the "download data" link.
4. Type and extent of the data collected
The controller collects and processes different personal data according to the requirements. The following list represent the maximum case of all collected data. In some cases, not all of the listed data will be collected, especially for free user accounts.
4.1. Anonymous, non-person-specific data
When websites are accessed, non-personal data are automatically stored in log files on the server (not just Timeline.pics). This refers to
your anonymised IP-address,
your installed operating system,
the pages visited on Timeline.pics,
date and time of your visit.
These data do not betray a visitor's identity. They are stored for the purpose of maintaining and ensuring the operation of the website in order, for example, to be able to comprehend an attempted attack on the website or, if there are concrete indications, the legitimate suspicion of unlawful use. The log files are automatically deleted after 14 days.
4.2. Person-specific data
With your user registration on Timeline.pics, i.e. with the creation of a free user account, the following personal data are requested and stored:
When registering, no postal address or payment information is requested and stored, for reasons of data austerity.
Only when a user creates a paid account, i.e. either decides to do so at the first login or upgrades from the free account at a later point, the following personal data are additionally requested and stored for the purpose of invoicing:
Post code and city
4.3. Credit card data (payment data)
For credit card payment, Timeline.pics uses STRIPE (stripe.com). It accepts the entered credit card data via an encrypted connection (HTTPS), verifies and stores it and returns a hash value to Timeline.pics. Timeline.pics will only store this hash value and not your credit card data. These are the sole responsibility of the payment service provider STRIPE.
Note: From the first interaction with STRIPE, e.g. typing in your credit card number in the input field, a connection to the web server of the payment provider will be established for the purpose of the payment process, as a result of which cookies are set by STRIPE.
If you do not want to entrust your credit card information to STRIPE, or if you do not want to pay by credit card, you can alternatively pay by bank transfer.
4.4. Bank account (payment data)
Annual subscriptions or coupons can be purchased on account and paid by bank transfer.
A monthly payment interval is unfortunately not possible due to the higher administrative expenses.
Incoming payments by bank transfer are processed on the account statements of BNP Paribas (branch office Germany). For bank statements a retention period of 10 years applies.
The controller uses two types of cookies. Session cookies are used to save your current login status. These cookies expire when the browser is closed, at the latest after four hours, or immediately when you click on the "Logout" link.
If you use the "stay logged in" function, so that you do not have to log in again each time you visit Timeline.pics, a so-called permanent cookie is set.
Detailed information about the cookies set on Timeline.pics:
timeline_session: Contains information about the logged in user. Is valid for four hours.
XSRF-TOKEN: Is used to secure input forms against so-called cross-site scripting attacks. The duration corresponds to the duration of the user session (four hours).
remember_web_[0-9,a-z]: Only set if the user selects "stay logged in". Contains a unique number that identifies the browser to Timeline.pics. The cookie has a term of five years, it is immediately deleted when the user clicks on "Logout".
timeline_2fa: Only set if the user uses so-called two-factor authentication. Contains a unique number that Timeline.pics can use to check, that a valid one-time code has already been queried in this browser. The cookie has a term of one month. It will be deleted immediately when the user clicks on "Logout".
Note: If you select STRIPE as the payment service provider, after the first interaction (for example, typing your credit card number in the input field), several more cookies will be set by the payment service provider for the purposes of payment processing.
If you do not want to accept such cookies, you can set your Internet browser to automatically reject all cookies, or ask you to accept or reject each cookie.
4.6. Notifications by e-mail
The data subject can be notified by e-mail about certain events. Before such e-mails can be sent by the responsible person to the data subject, they must identify themselves via a confirmation e-mail as the owner of the registered e-mail address ("double opt-in").
You can set up notifications by e-mail for specific events, e.g. if one of your photos / videos is commented on. Before you can receive such e-mails, a confirmation mail will be sent to check whether you are the owner of the e-mail address you entered ("double opt-in").
Note: As a Timeline owner, you can can set up notifications by e-mail for specific events, e.g. if one of your photos / videos is commented on. You can subscribe to a weekly summary of all the news from your timelines. You can unsubscribe from these additional notifications at any time.
4.7. Webanalytics (Tracking) and social networks
The controller does not use web analytics, for reasons of data austerity. The usage of the website is not analyzed; we find this fact to be worth mentioning.
A privacy notice regarding webanalytics is therefore not necessary.
On Timeline.pics, no share functions or other so-called social plugins of social networks are integrated. Moreover, individual photos / videos can not be shared on social networks, as they are only visible with an active login (only for registered users). Privacy policies for social networks are therefore not necessary.
5. Security of data processing
The controller take the necessary technical and organizational measures to ensure a level of protection appropriate to the risk in the processing of personal data.
5.1. Encrypted connection
The connection to Timeline.pics is encrypted via an SSL server certificate issued by Let's Encrypt Authority.
The data subject is always forwarded to an encrypted connection, even if the url was entered without "https" in the address bar of the browser.
5.2. Passwords and 2-step verification
The password associated with the account is not in plaintext, but is composed with a random value ("salt") and stored as an encrypted hash value ( see "Bcrypt" on Wikipedia). It is thus no longer possible to draw conclusions as to the unencrypted password.
The data subject can optionally secure his or her user account with two-factor authentication (2FA).
Note: You can enable the 2-step verification (2FA) in your user account settings under the menu item My Password.
The controller secures all personal data as well as the photos and videos uploaded by the data subject with daily backups to protect them against accidental or deliberate manipulation, loss and destruction.
Note: Timeline.pics does not replace a backup solution. Please backup your photos and videos for yourself, e.g. by copying them to a USB hard drive on a regularly basis.
6. Photo- and video data
In Germany, each person holds the right to their own image, which is a particular form of the fundamental personal rights. This law says that every human being can decide whether or not images of themselves are published at all (see "Personality Rights, Germany" on Wikipedia).
On Timeline.pics, pictures and videos from private environments are uploaded and shared with a closed utility group. Nevertheless, the personal right to one's own picture are valid to the point that, before the publication of any pictures, you have to obtain the permission to publish with the persons concerned or their parents in the case of legal minors.
7. Children and adolescents
Naturally, data protection regulations also apply to the personal data of children and adolescents who register with Timeline.pics. However, Timeline.pics strongly recommends that persons under the age of 16 can only register an account with Timeline.pics with the consent of their parents or educational advisors and, in particular, to upload photos to their own timelines only with their consent!
These data protection regulations apply from April 28th 2018 and replace the data protection regulations valid up to this deadline.
You are offline :(
Without an internet connection some functions are not available.