Data Protection Policy

Last Updated: 04.06.2025

1. Introduction and Legal Basis

This Data Protection Policy outlines how Wullup processes personal data in compliance with the General Data Protection Regulation (GDPR), German Federal Data Protection Act (BDSG), and other applicable data protection laws.

Our servers are hosted by netcup.de in Germany, ensuring data remains within EU jurisdiction and benefits from strong European data protection standards.

2. Data Controller Information

Data Controller: Wullup GmbH Im Vogelsang 14
35452 Heuchelheim
Germany Email: admin@wullup.com

3. Legal Basis for Data Processing

3.1 Processing Basis Under GDPR Article 6

• Consent (Article 6(1)(a)): Analytics, marketing communications, optional features
• Contract Performance (Article 6(1)(b)): Account management, service delivery
• Legal Obligation (Article 6(1)(c)): Compliance, safety reporting, tax obligations
• Legitimate Interests (Article 6(1)(f)): Security, fraud prevention, service improvement

3.2 Special Category Data (Article 9)

When processing special categories of personal data:

• Explicit consent obtained for sensitive data collection
• Processing necessary for substantial public interest (safety)
• Data subject made information manifestly public

4. Data Collection and Categories

4.1 Personal Data Categories

• Identity Data: Username, display name, profile information
• Contact Data: Email address, phone number (if provided)
• Technical Data: IP address, browser type, device information
• Usage Data: Platform interactions, content engagement, preferences
• Content Data: Posts, comments, music uploads, playlists

4.2 Special Categories

• Biometric Data: Voice recordings (for music content only)
• Health Data: Mental health crisis detection (for safety purposes)
• Political/Religious Views: If expressed in music preferences or content

4.3 Data Sources

• Direct collection from users
• Automatic collection through platform use
• PostHog analytics integration
• Third-party authentication services
• Public sources (social media profiles, music databases)

5. Purposes of Data Processing

5.1 Primary Service Functions

• User account creation and management
• Music content delivery and recommendations
• Social networking features
• Platform security and safety
• Customer support and communications

5.2 Analytics and Improvement

• Platform performance analysis via PostHog
• User experience optimization
• Feature development and testing
• Business intelligence and reporting

5.3 Legal and Safety Obligations

• Child safety protection measures
• Copyright infringement prevention
• Legal compliance and reporting
• Fraud prevention and security

6. PostHog Analytics Integration

6.1 Data Collected by PostHog

• User interaction events
• Page views and navigation patterns
• Feature usage statistics
• Performance metrics
• Error tracking and debugging data

6.2 PostHog Data Processing

• Data processed within EU (GDPR compliant)
• Anonymization and pseudonymization applied
• Retention limited to 24 months maximum
• User opt-out available through privacy settings

6.3 Purpose Limitation

PostHog data used exclusively for:

• Product improvement and optimization
• Technical performance monitoring
• User experience enhancement
• Security and error detection

7. Data Sharing and Transfers

7.1 Authorized Recipients

• Netcup.de: Server hosting and infrastructure (Germany)
• PostHog: Analytics platform (EU-based processing)
• Music Partners: Licensed content delivery
• Moderation Services: Content review for safety compliance
• Legal Authorities: When required by law

7.2 Data Transfer Safeguards

• Standard Contractual Clauses (SCCs) for third-party processors
• Adequacy decisions for transfers to approved countries
• Additional safeguards for high-risk transfers
• Regular review of transfer impact assessments

7.3 International Transfers

• Primary data processing within EU/EEA
• Limited transfers outside EU only with adequate protection
• User notification of any significant processing location changes
• Right to object to international transfers

8. Data Retention and Deletion

8.1 Retention Periods

• Active Account Data: Retained while account remains active
• Inactive Accounts: Deleted after 24 months of inactivity
• Content Data: Removed within 30 days of user deletion request
• Analytics Data: Anonymized after 24 months, deleted after 5 years
• Legal Compliance Data: Retained as required by applicable laws

8.2 Deletion Procedures

• Automated deletion processes for expired data
• Secure deletion methods preventing data recovery
• Backup system integration for complete removal
• Verification procedures for successful deletion

8.3 Exceptions to Deletion

Data may be retained longer for:

• Legal proceedings and investigations
• Safety and security purposes
• Regulatory compliance requirements
• Protection of rights and interests

9. Data Subject Rights

9.1 Access Rights (Article 15)

• Right to confirmation of data processing
• Access to personal data copies
• Information about processing purposes and recipients
• Details of retention periods and rights

9.2 Rectification (Article 16)

• Correction of inaccurate personal data
• Completion of incomplete data
• User-accessible profile editing tools
• Verification procedures for sensitive changes

9.3 Erasure/Right to be Forgotten (Article 17)

• Account deletion with complete data removal
• Content deletion upon user request
• Automated deletion of expired data
• Exceptions for legal compliance and public interest

9.4 Restriction of Processing (Article 18)

• Temporary suspension of data processing
• Limited processing for specific purposes
• User notification before restriction removal
• Secure storage during restriction period

9.5 Data Portability (Article 20)

• Machine-readable data export
• Direct transfer to other services where possible
• Comprehensive data package including all user content
• Secure transfer procedures

9.6 Objection Rights (Article 21)

• Objection to processing based on legitimate interests
• Opt-out of direct marketing
• Objection to automated decision-making
• Balancing test for compelling legitimate grounds

10. Privacy by Design and Default

10.1 Technical Measures

• Encryption of data in transit and at rest
• Pseudonymization of personal data where possible
• Access controls and authentication systems
• Regular security updates and patches

10.2 Organizational Measures

• Staff training on data protection principles
• Privacy impact assessments for new features
• Data protection by default settings
• Regular compliance audits and reviews

10.3 Minimization Principles

• Collection limited to necessary data only
• Purpose limitation strictly enforced
• Storage limitation with defined retention periods
• Processing minimization through anonymization

11. Security Measures

11.1 Technical Security

• AES-256 encryption for sensitive data
• TLS 1.3 for data transmission
• Multi-factor authentication options
• Regular penetration testing
• Automated threat detection systems

11.2 Access Controls

• Role-based access permissions
• Principle of least privilege
• Regular access reviews and updates
• Secure authentication for staff access
• Activity logging and monitoring

11.3 Incident Response

• 24-hour breach detection capabilities
• Incident response team and procedures
• User notification within 72 hours if required
• Regulatory notification within 72 hours
• Post-incident review and improvement

12. Automated Decision-Making

12.1 Automated Processing Activities

• Content recommendation algorithms
• Safety and security monitoring
• Spam and abuse detection
• Music preference analysis

12.2 User Rights and Protections

• Right to human review of automated decisions
• Explanation of algorithmic logic where significant
• Right to challenge automated decisions
• Opt-out options for non-essential automated processing

13. Cross-Border Data Flows

13.1 Primary Processing Location

• Main servers located in Germany (netcup.de)
• EU/EEA data processing preference
• Local data residency options where required
• Compliance with national data localization laws

13.2 Transfer Mechanisms

• Standard Contractual Clauses for EU transfers
• Adequacy decisions for approved countries
• Binding Corporate Rules for group companies
• Specific derogations for necessary transfers

14. Vendor and Processor Management

14.1 Processor Selection Criteria

• GDPR compliance capabilities
• Technical and organizational security measures
• Data protection track record
• Location and jurisdiction considerations

14.2 Data Processing Agreements

• Comprehensive DPA requirements
• Regular processor audits and assessments
• Incident notification procedures
• Data subject rights facilitation

14.3 Processor Monitoring

• Regular compliance reviews
• Security assessment requirements
• Performance monitoring and reporting
• Termination procedures for non-compliance

15. Supervisory Authority Relations

15.1 Lead Supervisory Authority

German Federal Commissioner for Data Protection and Freedom of Information Graurheindorfer Str. 153 53117 Bonn, Germany Email: poststelle@bfdi.bund.de

15.2 Cooperation Procedures

• Proactive engagement with regulators
• Voluntary compliance reporting
• Cooperation with investigations and inquiries
• Implementation of regulatory guidance

16. Training and Awareness

16.1 Staff Training Programs

• Mandatory GDPR training for all employees
• Role-specific data protection training
• Regular updates on regulatory changes
• Incident response training exercises

16.2 User Education

• Privacy policy explanations and guides
• Data protection rights information
• Security best practices recommendations
• Regular communication about privacy updates

17. Compliance Monitoring

17.1 Regular Assessments

• Annual data protection compliance audits
• Privacy impact assessments for new features
• Vendor compliance reviews
• User rights fulfillment monitoring

17.2 Continuous Improvement

• Regular policy updates based on legal changes
• Implementation of regulatory guidance
• User feedback integration
• Technology and security updates

18. Contact and Complaints

18.1 Data Protection Contacts

• General Inquiries: admin@wullup.com
• Data Protection Officer: admin@wullup.com
• User Rights Requests: admin@wullup.com
• Security Incidents: admin@wullup.com

18.2 Complaint Procedures

• Internal complaint handling process
• Response within 30 days for rights requests
• Escalation procedures for complex issues
• Right to lodge complaints with supervisory authorities

19. Policy Updates and Changes

19.1 Regular Reviews

• Annual policy review and updates
• Updates following regulatory changes
• Technology and business change adaptations
• User feedback integration

19.2 Change Communication

• 30-day advance notice for material changes
• Clear explanation of changes and impacts
• User consent re-collection where required
• Continued use as acceptance for non-material changes