Shia Alliance

Privacy Policy

Last updated: 12.04.2026

1. Controller

Hamed Nokhostin

Roseggerstrasse 16

41564 Kaarst

Deutschland

Email: [email protected]

2. Scope of this notice

This privacy policy describes the current processing carried out through the public website, the event submission flow, the invite-only admin area, and the consent-gated analytics layer implemented in this repository.

It is intentionally limited to the features that are actually implemented today. The site does not currently offer public visitor accounts, newsletters, advertising tags, or session replay.

The public site also includes a general contact form for platform questions, event corrections, and privacy-related requests.

3. Website delivery, hosting, and server-side logs

The website is currently delivered through DigitalOcean-hosted application infrastructure. When pages are requested, technical request data such as IP address, timestamp, requested URL, referrer, browser, and operating-system information can be processed to deliver the site, maintain security, and investigate faults.

The legal basis for this processing is Art. 6 para. 1 lit. f GDPR.

4. Browser storage and similar technologies

a) Necessary preference and admin cookies

  • `mf-locale` stores the selected site language.
  • `mf-access-token` and `mf-refresh-token` are httpOnly admin session cookies and are only set when an admin signs in.
  • `mf-admin-invite-preview` is a short-lived admin-only cookie used to show the one-time invite preview after an invited admin account is created.

b) Analytics consent storage

The consent choice for browser-side analytics is stored in localStorage under the key `mf-analytics-consent` so the site can remember whether analytics must stay blocked or may run.

The repository does not keep a separate server-side consent ledger for this browser preference.

c) What we do not use

The site does not currently use marketing cookies, ad-tech pixels, session replay, fingerprinting, or visitor profiling.

5. Analytics with consent

Browser-side analytics is optional. Google Analytics 4 is only loaded if a GA measurement ID is configured and you actively choose the analytics option in the consent banner or later privacy settings.

Without that choice, the GA script does not load and no public analytics events are sent. With consent, the current implementation sends only public-route page views and the submit-confirmation signal `submission_confirmation_view`. Admin routes are not part of the intended public analytics scope.

The legal basis for optional analytics is Art. 6 para. 1 lit. a GDPR. You can withdraw or change this choice later through the privacy settings entry in the footer.

6. Maps and optional location features

a) Mapbox

Public discovery pages can load Mapbox tiles and, in some cases, Mapbox geocoding requests. In that context, technical data such as IP address, browser information, and the requested map or geocoding query can be processed by Mapbox.

b) Browser geolocation

If you explicitly use the 'Use my location' action, your browser may provide location coordinates to the page so distances can be calculated locally in the browser. The application does not intentionally store those user coordinates in its database.

7. Event submissions, moderation, and public publication

When you submit an event, we process the data you provide in the submission form. This can include event details, organizer details, submitter contact details, consent choices, and an optional flyer upload.

Required form fields are needed so the submission can be reviewed. Public contact display is optional and is controlled separately from the required submission-processing consent.

a) Submission review and moderation

Submission data is stored in Supabase-backed database and storage services so admins can review, correct, approve, reject, or keep submissions pending. The legal basis for submitter personal data in this workflow is the consent collected in the submission form under Art. 6 para. 1 lit. a GDPR.

b) Optional flyer-assisted extraction

If you choose the optional flyer-assisted submission path, the uploaded flyer and any optional extra text you provide in that step are sent to OpenAI so a draft extraction result can be generated for later review in the submission flow.

This step does not publish an event automatically. The extraction result remains a draft that must still be reviewed, edited, or discarded before final submission.

c) Public event pages

If a submission is approved and published, the event data becomes part of the public event directory. Contact person, email address, and phone number are only displayed publicly if the separate public-contact consent was granted.

d) Abuse prevention and security

To protect the submission flow against bots and abuse, the server processes technical request signals such as IP address, user agent, accept-language data, timing information, and rate-limit counters. The legal basis for this processing is Art. 6 para. 1 lit. f GDPR.

When the optional flyer-assisted extraction path is enabled, starting a new extraction can additionally require a Cloudflare Turnstile check. In that context, Cloudflare can process technical request and browser-security data needed for bot defence.

8. Admin area, authentication, and security records

The admin area is invite-only and uses Supabase Auth for sign-in. Admin session handling uses the cookies described above.

For security and accountability, the system also records admin audit entries for privileged actions and writes security log events. Where practical, identifiers such as email addresses or IP addresses are hashed before being written to security logs. The legal basis for this processing is Art. 6 para. 1 lit. f GDPR.

9. Service providers and recipients

  • DigitalOcean for application hosting and runtime operations.
  • Supabase for Postgres data storage, authentication, and storage buckets for event and submission flyers.
  • Mapbox for map tiles and geocoding on relevant discovery features.
  • OpenAI for optional flyer-content extraction when the flyer-assisted submission path is used.
  • Resend for transactional email delivery for submissions and contact-form messages.
  • Cloudflare Turnstile for anti-bot protection on the optional flyer-extraction trigger.
  • Google Analytics 4 only if optional analytics consent is granted.

10. International transfers

Some of the services used by this project can involve processing outside the EU/EEA or access from third countries, especially Google Analytics, Mapbox, Cloudflare Turnstile, and optional OpenAI flyer processing. We therefore do not claim that all processing is limited to the EU/EEA.

Where such transfers occur, they are made on the basis of the provider's applicable contractual or other legal safeguards. The exact data location can also depend on the configured provider region.

11. Retention

The project does not currently enforce one universal automated deletion schedule for all records. Data is kept only as long as it is operationally needed for publication, moderation, security, abuse prevention, or legal defence, and is reviewed manually where appropriate.

  • Public event records and related public flyer media stay available while they are published or otherwise still needed for the operation of the event directory.
  • Submission and moderation data is kept while review, follow-up, or abuse-prevention needs still exist.
  • Contact-form messages can be kept while handling, follow-up, or rights-request clarification is still operationally needed.
  • Admin audit and security records can be retained longer where this is necessary for accountability or incident handling.
  • The analytics consent choice remains in localStorage until you change it or clear browser storage yourself.

12. Your rights

You can contact us at [email protected] regarding access, rectification, erasure, restriction, portability, objection, or consent withdrawal.

If your request concerns an event submission, published event page, or admin invite/account record, please include enough detail for us to identify the record safely.

For analytics consent, the primary withdrawal path is the privacy preferences entry in the footer. You can still contact us by email if you need help understanding or documenting that choice.

We handle requests manually through the contact email. As a proportionate verification step, we may ask you to reply from the same email address used for a submission or admin onboarding flow, or to confirm concrete record details such as the event title, city, approximate submission date, or linked public event URL. We do not ask for identity documents by default.

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object where processing is based on legitimate interests
  • Right to withdraw consent with effect for the future
  • Some requests may still require provider or host review, especially for Supabase Auth records, GA4 data already processed after consent, or runtime/security logs that are retained outside the main application database.
  • Where records must be retained for security, abuse prevention, accountability, or legal defence, handling may be limited to explanation, restriction, or case-by-case review instead of immediate deletion.

13. Supervisory authority

You also have the right to lodge a complaint with a supervisory authority. A competent authority for the controller's place of residence is:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia

Postfach 20 04 44

40102 Duesseldorf

Email: [email protected]

Phone: +49 (0)211 38424-0

14. No automated decision-making

The site does not use automated decision-making or profiling within the meaning of Art. 22 GDPR.