Privacy Policy

The controller responsible for processing personal data within the meaning of Art. 4 (7) GDPR is:

Portal Minds UG (haftungsbeschränkt)
Teichtal 12
38165 Lehre, Germany
Email: hi@way.food

We are not legally required to appoint a Data Protection Officer. For all data protection inquiries, please use the contact form below or email us directly.

• Account data (host): email address, hashed password or magic-link token, sign-up timestamp.
• Tribute content: name of the deceased, optional photo, optional background music uploaded by the host.
• Voice recordings: audio submitted by contributors, the optional contributor display name, recording duration, submission timestamp.
• Payment data: billing details processed exclusively by our payment provider; we receive only a transaction reference and payment status.
• Technical data: IP address, user-agent string, request timestamps, error logs (for security and abuse prevention).
• Communication data: the content of emails you send us.

• Providing the Service — creating tributes, collecting voice messages, compiling the final audio, sign-in. Legal basis: performance of contract, Art. 6 (1) lit. b GDPR.
• Voice contributions from third parties — processing of audio submitted by contributors. Legal basis: explicit consent, Art. 6 (1) lit. a GDPR, given via the consent checkbox before submission.
• Payment processing — collecting the one-time fee. Legal basis: performance of contract, Art. 6 (1) lit. b GDPR; statutory tax obligations, Art. 6 (1) lit. c GDPR.
• Operation, security and abuse prevention — server logs, rate limiting, error monitoring. Legal basis: legitimate interest in a secure, reliable service, Art. 6 (1) lit. f GDPR.
• Responding to inquiries — handling support and contact requests. Legal basis: Art. 6 (1) lit. b or lit. f GDPR.

Before submitting a voice recording, contributors must actively confirm that their recording may be shared with the family of the deceased and used in the compiled tribute. This consent is the legal basis under Art. 6 (1) lit. a GDPR and may be withdrawn at any time with effect for the future by emailing hi@way.food.

Recordings are stored in encrypted form and are accessible only to the host of the corresponding tribute. The host can delete individual recordings or the entire tribute at any time; deleted recordings are removed from our active storage promptly and from backups within the regular backup-rotation cycle.

Payments are processed by Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin, Ireland ("Stripe"). When you pay, the data you enter on the payment form (such as card details, name, country) is transmitted directly to Stripe. We receive only a payment reference, the amount, the status, and the country code. Stripe's privacy policy is available at stripe.com/privacy.

We use the following providers as processors under Art. 28 GDPR. Where data is transferred outside the EU/EEA, the transfer is safeguarded by the EU Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.

• Supabase, Inc. (USA) — database, authentication and file storage. Data is stored in EU-region infrastructure where available.
• Cloudflare, Inc. (USA) — content delivery, DDoS protection and edge hosting.
• Stripe Payments Europe Ltd. (Ireland) — payment processing.

We use only strictly necessary cookies and local-storage entries that are required for the Service to function (e.g. your sign-in session, the payment provider's session during checkout). Pursuant to § 25 (2) no. 2 TTDSG, no consent is required for these. We do not use tracking, analytics or advertising cookies. Details are available in our Cookie Notice.

When you access the Service, our hosting infrastructure automatically collects technical data in log files: IP address, date and time of the request, the requested resource, HTTP status code, referrer URL, and user-agent. These data are processed on the basis of our legitimate interest in a secure and reliable service (Art. 6 (1) lit. f GDPR) and are deleted or anonymised no later than 30 days after collection, unless retention is required to investigate a specific security incident.

• Account data: until the host deletes the account.
• Tribute content and voice recordings: until the host deletes them; otherwise for the lifetime of the account.
• Payment records: as long as required by tax and commercial law (in Germany typically 6–10 years, § 257 HGB, § 147 AO).
• Server log files: up to 30 days, then deleted or anonymised.
• Support correspondence: up to 24 months after the matter is closed.

You have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR) — to know what data we hold about you.
• Right to rectification (Art. 16 GDPR) — to correct inaccurate data.
• Right to erasure (Art. 17 GDPR) — to have your data deleted.
• Right to restriction (Art. 18 GDPR) — to restrict processing.
• Right to data portability (Art. 20 GDPR) — to receive your data in a portable format.
• Right to object (Art. 21 GDPR) — in particular against processing based on legitimate interests.
• Right to withdraw consent (Art. 7 (3) GDPR) — at any time with effect for the future.

To exercise any of these rights, please email hi@way.food or use the contact form below. We will respond without undue delay and at the latest within one month.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your residence, place of work, or place of the alleged infringement (Art. 77 GDPR).

The competent supervisory authority for our company is:

Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5, 30159 Hannover, Germany
lfd.niedersachsen.de

We use TLS encryption for all data in transit. Voice recordings and other user content are stored in access-controlled buckets with row-level security policies that restrict access to the host of the respective tribute. Access to production systems is limited to authorised personnel and protected by strong authentication.

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete the data.

We may update this Privacy Policy from time to time to reflect changes to the Service or legal requirements. The current version is always available on this page; the date of the most recent update is shown at the top.