Last updated: February 2026
The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection laws applicable in the European Union is:
SofaConcerts GmbH
Neuer Kamp 32
20357 Hamburg
Germany
Represented by: Peter Wilhelm, Miriam Werkmann (formerly Schütt)
Email: support@sofaconcerts.org
Website: www.sofaconcerts.org
Phone: +49-40-88-177-500
As a platform connecting musicians and music lovers, SofaConcerts can only function if certain information you provide as a user is stored by us. You can visit the website without registration, but features such as profile creation and contacting other members can only be used after prior registration.
Scope:
This privacy policy applies only to our websites. If you are redirected to other pages via links on our pages, please inform yourself there about the respective handling of your data.
Your personal data within the meaning of Art. 4 No. 1 GDPR (e.g., title, name, address, email address, payment information) will only be processed by us in accordance with the provisions of German data protection law and in consideration of the European General Data Protection Regulation (GDPR).
The processing within the meaning of Art. 4 No. 2 GDPR of personal data is lawful according to Art. 6 GDPR if one of the following conditions exists:
a) Consent (Art. 6 Para. 1 lit. a GDPR)
The data subject has given their consent to the processing of their personal data for one or more specific purposes.
b) Contract Performance (Art. 6 Para. 1 lit. b GDPR)
Processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to entering into a contract.
c) Legal Obligation (Art. 6 Para. 1 lit. c GDPR)
Processing is necessary for compliance with a legal obligation to which the controller is subject.
d) Protection of Vital Interests (Art. 6 Para. 1 lit. d GDPR)
Processing is necessary to protect the vital interests of the data subject or another natural person.
e) Public Interest (Art. 6 Para. 1 lit. e GDPR)
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
f) Legitimate Interest (Art. 6 Para. 1 lit. f GDPR)
Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, particularly if the data subject is a child.
The processing of special categories of personal data (e.g., health data) within the meaning of Art. 9 Para. 1 GDPR is lawful in particular according to Art. 9 Para. 2 GDPR if one of the following conditions applies:
The duration of retention of data transferred by you is based on legal retention obligations:
Data transmitted as part of the contractual relationship will only be disclosed to third parties (Art. 4 No. 10 GDPR) if you have expressly given your consent (Art. 4 No. 11 GDPR) or if disclosure is necessary for contract fulfillment or legal obligations. Consent can be revoked informally at any time. Data collected through website visits is only collected by third parties explicitly named below.
Automated decision-making or profiling regarding personal data within the meaning of Art. 22 GDPR does not take place.
The operator ensures the security of data according to Art. 32 GDPR, taking into account the principle of proportionality through appropriate technical measures.
SSL/TLS Encryption:
In accordance with the legal regulation according to § 13 Para. 7 TMG, this site uses SSL encryption, which can be recognized by a lock symbol in the address bar of your browser. Transmitted data cannot be read by third parties when SSL encryption is activated. This is generally 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead.
Whether a single page of our website is transmitted encrypted can be recognized by the closed display of the key or lock symbol in the lower status bar of your browser.
We also use appropriate technical and organizational security measures (TOM) to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. Our security measures are continuously improved in accordance with technological developments.
Should a data breach unexpectedly occur, the competent supervisory authority will be notified in accordance with Art. 33 GDPR, and the data subject in accordance with Art. 34 GDPR.
For the operation of our website and provision of our technical infrastructure, we use hosting and server services from netcup GmbH.
Service Provider:
netcup GmbH
Emmy-Noether-Straße 10
76131 Karlsruhe
Germany
Data Protection Officer:
ANEXIA Internetdienstleistungs GmbH
Feldkirchner Straße 140
9020 Klagenfurt, Austria
Server Location:
The servers are located exclusively in data centers in Germany. No transmission of your data to third countries outside the EU/EEA takes place.
Processed Data (Server Log Files):
Each time you access our website, the following data is automatically transmitted to our server by your browser and stored in server log files:
Purpose of Processing:
Legal Basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest)
Our legitimate interest lies in the provision and proper operation of our website and ensuring the security of our IT systems.
Data Processing Agreement:
netcup processes the above data on our behalf as a data processor according to Art. 28 GDPR. We have concluded a data processing agreement with netcup that meets the data protection requirements of the GDPR and ensures that netcup processes data exclusively according to our instructions.
Security and Certification:
Retention Period: Server log files are automatically deleted after 14 days, unless they are still required for the purposes mentioned above (e.g., defense against legal claims, investigation of security incidents).
Further Information: https://www.netcup.com/de/kontakt/datenschutzerklaerung
We use Amazon CloudFront, a Content Delivery Network (CDN) from Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg ("AWS").
Functionality:
CloudFront is a globally distributed network of servers that delivers content from our website faster to users by providing it from a server near you. Although our main servers are located in Germany, static content (images, CSS, JavaScript, HTML) is delivered via CloudFront.
Data Processing:
When using CloudFront, the following data is processed:
This data is used exclusively for providing and optimizing the service and is not processed for other purposes.
Data Location:
Your requests may be forwarded to CloudFront Edge Locations worldwide, including outside the EU. AWS is certified under the EU-US Data Privacy Framework.
Data Processing Agreement: A data processing agreement has been concluded with AWS according to Art. 28 GDPR.
Legal Basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in fast and reliable provision)
Retention Period: Log data is deleted after 365 days
Further Information: https://aws.amazon.com/privacy/
This website uses cookies and similar tracking technologies to recognize its visitors, analyze the use of our website, and improve our offering. Cookies are small text files that are stored on your device and contain certain information.
Legal Basis:
The use of cookies is based on your consent according to Art. 6 Para. 1 lit. a GDPR in conjunction with § 25 Para. 1 TTDSG. Consent can be revoked at any time with effect for the future via our cookie settings.
Cookie Management:
You can prevent the storage of cookies in the settings of your browser or delete already stored cookies. Please note that deactivating cookies may limit the functionality of our website.
We use Google Consent Mode v2 to transmit your cookie preferences to Google services. This allows the tracking behavior of Google services to be adapted to your consent decisions. If you do not consent to certain tracking categories, the corresponding Google services will be operated in restricted mode or deactivated.
Technically Necessary Cookies:
These cookies are absolutely necessary for the operation of the website and cannot be deactivated. They enable basic functions such as page navigation, access to protected areas, and storage of session information.
Analytics Cookies:
These cookies help us understand how visitors interact with our website by anonymously collecting and analyzing information. See 4.1.
Marketing Cookies:
These cookies are used to make advertising more relevant to you and measure the effectiveness of our advertising campaigns. See 4.2.
Registration is required to use some of the services offered. The data you enter in the input mask will be collected and stored. Data will not be disclosed to third parties unless this is necessary for the execution of the contractual relationship. You can change or delete the data at any time. After deletion of data, the service can no longer be offered to you unless you register again.
Processed Data:
In addition to the data you enter, the IP address and date and time information of the registration are also stored. The storage of IP data serves to prevent abuse and investigate criminal offenses.
Legal Basis: Art. 6 Para. 1 lit. b GDPR (contract performance)
Retention Period: Until account deletion or legal retention obligations
Musician Profiles:
Musicians can create public profiles with the following information:
Host Profiles:
Hosts can create profiles with the following information:
Public Nature of Profiles:
Profile information is partially or fully publicly visible. You decide when creating which information should be publicly visible.
Legal Basis:
Data Sharing for Booking Requests:
When you make a booking request to a musician via our platform, the following data is shared with the requested musician:
Contact Data:
Event Data:
Message History:
Responsibility:
The requested musician becomes an independent controller for this data through data sharing. SofaConcerts acts as an intermediary platform. Musicians process your data independently for quote preparation, contract processing, and concert performance.
Legal Basis:
Retention Period by Musicians:
Musicians store your data for the duration of the request and, in case of booking, for the contract duration plus legal retention periods (6-10 years for tax and commercial law purposes).
We are authorized to intervene in data communication between users of the platform if laws are violated through published content (e.g., deletion of insults) and if contact or contract conclusion between customers fails.
For fraud prevention, platform development, and customer service purposes, we may review, scan, or analyze user communication. As part of our fraud prevention measures, we scan messages to mask contact data, for example. The results of reviews are used exclusively to ensure compliance with our terms of use and improve our service, and are not sold or re-marketed to third parties.
Use of AI-Powered Analysis Tools:
For effective abuse detection and platform security improvement, we use AI-powered analysis tools (see Section 7.2 ChatGPT API). These enable:
Legal Basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest)
The basis for these activities is SofaConcerts' legitimate interest in ensuring compliance with applicable laws and our terms of use, preventing fraud, promoting the security of all platform users, and ensuring and improving the best execution of our service.
The user agrees that they may be contacted via the contact information they provided (e.g., phone, email) if a problem occurs in the booking process. Contact is made exclusively to simplify the user's booking process. There is no contact for advertising purposes.
Legal Basis: Art. 6 Para. 1 lit. b GDPR (contract performance)
Images uploaded by you are stored by us and can be displayed to other registered users. Transfer to other third parties does not take place unless you have expressly consented to it. You have the right to change, delete, or revoke consent for your uploaded images at any time.
Storage with Amazon Web Services (AWS S3):
Uploaded images are stored on Amazon Web Services (AWS) servers. We use the Amazon S3 (Simple Storage Service) for storing image and media files.
Service Provider:
Amazon Web Services EMEA SARL
38 Avenue John F. Kennedy
L-1855 Luxembourg
Data Processing:
When you upload images, these files are stored on AWS S3 servers along with the following metadata:
Server Location:
Images are stored on AWS servers in the EU (primarily Frankfurt/Germany). In exceptional cases, data may also be stored on servers outside the EU. AWS is certified under the EU-US Data Privacy Framework and thus provides guarantees for compliance with European data protection standards.
Data Processing Agreement:
AWS processes your image data on our behalf as a data processor according to Art. 28 GDPR. We have concluded a data processing agreement with AWS that ensures AWS processes data exclusively according to our instructions and takes appropriate technical and organizational measures to protect your data.
Access and Delivery:
Stored images are delivered to users via Amazon CloudFront (CDN) to ensure fast loading times (see Section 2.1).
Legal Basis: Art. 6 Para. 1 lit. b GDPR (contract performance)
Retention Period: Until deletion by the user
Further Information: https://aws.amazon.com/privacy/
Users have the opportunity to leave comments on other users' profiles and images and submit reviews for booked concerts. To prevent abuse and investigate criminal offenses, IP addresses and date and time information are stored with comments and reviews. Comments can be deleted by the user. Reviews can be deleted upon request by SofaConcerts.
Legal Basis: Art. 6 Para. 1 lit. b GDPR (contract performance) and lit. f (legitimate interest)
Retention Period: Until deletion by the user or upon request
When using the contact form offered on these pages, the information you enter and attached files are transmitted and stored for the purpose of responding to your inquiry. Data is not disclosed to third parties.
Legal Basis:
Retention Period: Until complete processing of your inquiry, then according to legal retention obligations
During the application process, personal data such as name, address, phone number, and email address are stored in the applicant database. Furthermore, application documents (cover letter, CV, certificates, etc.) are recorded and stored.
Your data will only be evaluated, processed, or forwarded internally as part of the application process. Applicant data can also only be viewed by HR staff and those responsible for selection. Data is not disclosed to third parties in any way.
In case of a successful application, the application data will be transferred to the personnel file. The remaining applicant data will be stored for a maximum of 6 months after the application process ends.
You have the option at any time to revoke consent and have the applicant data deleted. An informal email to our team is sufficient for this.
Legal Basis:
Retention Period: 6 months after conclusion of the application process
This website uses Google Analytics 4 (GA4), a web analytics service from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Analytics uses cookies and similar technologies that enable analysis of your use of the website.
Properties Used:
User ID Tracking:
When you are logged into your account, we use your anonymized user ID (person_uuid) to analyze your usage across devices and sessions. This enables us to better understand your usage habits across multiple visits and devices.
Google Consent Mode v2:
We use Google Consent Mode v2 to adapt the tracking behavior of Google Analytics to your cookie settings. Depending on your consent, data is collected in restricted mode or fully.
IP Anonymization:
IP anonymization is activated so that your IP address is shortened by Google within member states of the European Union or other parties to the Agreement on the European Economic Area beforehand. Only in exceptional cases will the full IP address be transmitted to a Google server and shortened there.
Integration with Google Ads:
Google Analytics is linked to Google Ads to measure the performance of our advertising campaigns and create remarketing lists.
Data Processing:
Google will use this information on behalf of SofaConcerts to evaluate your use of the website, compile reports on website activity, and provide other services related to website activity and internet usage.
Data Transfer to the USA:
Google is certified under the EU-US Data Privacy Framework and thereby provides a guarantee to comply with European data protection law.
Data Processing Agreement: A data processing agreement has been concluded with Google.
Opt-Out:
You can prevent the collection and processing of your data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout
Legal Basis: Art. 6 Para. 1 lit. a GDPR (consent)
Retention Period: Up to 24 months
Further Information: https://policies.google.com/privacy
We use Hotjar Ltd., Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, to better understand the needs of our users and optimize the offering and experience on this website.
Functionality:
Using Hotjar's technology, we get a better understanding of our users' experiences (e.g., how much time users spend on which pages, which links they click, what they like and dislike, etc.).
Processed Data:
Hotjar works with cookies and other technologies to collect data about the behavior of our users and their devices:
Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually prohibited from selling data collected on our behalf.
Legal Basis: Art. 6 Para. 1 lit. a GDPR (consent)
Retention Period: 365 days
Further Information: https://www.hotjar.com/legal/policies/privacy/
We use Google Ads and Google AdSense from Google Ireland Limited to advertise our services and display ads on selected pages.
Google Ads:
We use Google Ads to display advertisements in Google search and the Google Display Network. When you click on one of our ads, a conversion cookie is set to measure the success of our advertising campaigns.
Google AdSense (Blog):
On selected pages, we use Google AdSense to display personalized advertising. Google uses cookies to display ads based on your previous visits to our website or other websites.
Remarketing:
We use Google Ads' remarketing function to show visitors to our website targeted advertising later when they visit other websites in the Google Display Network.
Data Transfer to the USA: Google is certified under the EU-US Data Privacy Framework.
Legal Basis: Art. 6 Para. 1 lit. a GDPR (consent)
Retention Period: Cookies up to 24 months
Opt-Out: https://adssettings.google.com/
Further Information: https://policies.google.com/privacy
We use the "Facebook Pixel" from Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Meta"). With the help of Facebook Pixel, we can identify visitors to our website as a target audience for displaying ads (so-called "Facebook Ads"). The Facebook Pixel enables us to:
Data Processing:
When you visit our website and the Facebook Pixel is activated, your browser establishes a direct connection to Meta's servers. The content of the pixel is transmitted by Meta directly to your browser and integrated into the website by it. Meta thereby receives information that you have visited our website and can associate this information with your Facebook account if you are logged into Facebook.
Data Transfer to the USA: Meta is certified under the EU-US Data Privacy Framework.
Legal Basis: Art. 6 Para. 1 lit. a GDPR (consent)
Retention Period: Cookies up to 180 days
Further Information: https://www.facebook.com/privacy/explanation
We use TikTok Analytics, an analytics tool from TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, or TikTok Inc., 5800 Bristol Parkway, Suite 100, Culver City, CA 90230, USA.
Functionality:
TikTok Analytics uses cookies and similar technologies to analyze the use of our website and measure the effectiveness of our TikTok advertising campaigns. Information about your use of the website (including your IP address) is transmitted to TikTok servers and stored there.
Purposes of Use:
Data Transfer:
Your data may be transferred to TikTok servers in the USA and other countries outside the EU. TikTok has committed to complying with the EU-US Data Privacy Framework.
Legal Basis: Art. 6 Para. 1 lit. a GDPR (consent)
Retention Period: Cookies up to 13 months
Further Information: https://www.tiktok.com/legal/privacy-policy
We use the Pinterest Tag from Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.
Functionality:
The Pinterest Tag is a code snippet integrated into our website that enables Pinterest to collect information about the use of our website. When you visit our website and are logged into Pinterest, Pinterest can associate your visit with your Pinterest account.
Purposes of Use:
Data Transfer to the USA: Your data may be transferred to Pinterest servers in the USA.
Legal Basis: Art. 6 Para. 1 lit. a GDPR (consent)
Retention Period: Cookies up to 365 days
Opt-Out: https://www.pinterest.de/settings/
Further Information: https://policy.pinterest.com/en/privacy-policy
Our website uses plugins from the Google-operated site YouTube (YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA). When you visit one of our pages equipped with a YouTube plugin, a connection to YouTube servers is established. The YouTube server is informed which of our pages you have visited.
If you are logged into your YouTube account, you enable YouTube to associate your browsing behavior directly with your personal profile. You can prevent this by logging out of your YouTube account.
Legal Basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest)
Further Information: https://policies.google.com/privacy
Plugins from Vimeo.com are used on our website, which is operated by Vimeo LLC, 555 West 18th Street, New York, New York 10011, USA. When you visit web pages of our internet presence provided with such a plugin, a connection to Vimeo servers is established and the plugin is displayed on the web page by notification to your browser.
If you are logged in as a member of Vimeo, Vimeo assigns this information to your personal user account.
Legal Basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest)
Further Information: https://vimeo.com/privacy
Plugins from the social network SoundCloud (SoundCloud Limited, Berners House, 47-48 Berners Street, London W1T 3NF, United Kingdom) are integrated on our pages. You can recognize SoundCloud plugins by the SoundCloud logo on the affected pages.
When you visit our pages, after activating the plugin, a direct connection is established between your browser and the SoundCloud server. SoundCloud thereby receives information that you have visited our page with your IP address.
Legal Basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest)
Further Information: https://soundcloud.com/pages/privacy
Features of the music service Spotify are integrated on our pages. Provider is Spotify AB, Birger Jarlsgatan 61, 113 56 Stockholm in Sweden. You can recognize Spotify plugins by the green logo on our page.
When visiting our pages, a direct connection can be established between your browser and the Spotify server via the plugin. Spotify thereby receives information that you have visited our page with your IP address.
Legal Basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest)
Further Information: https://www.spotify.com/legal/privacy-policy/
Features of the music service Bandcamp are integrated on our pages. Provider is Bandcamp (operated by Songtradr Inc., 1840 Century Park East, Suite 700, Los Angeles, CA 90067, USA).
Functionality:
Musicians can embed Bandcamp players in their profiles to present audio samples of their music. When you visit a page with an embedded Bandcamp player, a direct connection is established between your browser and Bandcamp servers.
Data Processing:
When loading the Bandcamp player, the following data is transmitted to Bandcamp:
Bandcamp thereby receives information that you have visited our page with your IP address and which music tracks you have played.
Interaction with Bandcamp Account:
If you are logged into Bandcamp, Bandcamp can associate your listening behavior directly with your Bandcamp profile. You can prevent this by logging out of your Bandcamp account before visiting our page.
Purpose:
Data Transfer to the USA:
Your data may be transferred to Bandcamp servers in the USA. Bandcamp has implemented appropriate data protection measures to ensure compliance with international data protection standards.
Legal Basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest)
Our legitimate interest lies in providing an attractive platform for musicians and the ability to offer audio samples directly on our website.
Further Information: https://bandcamp.com/privacy
We offer you the option to register on our page via Facebook Connect with your Facebook account. Additional registration is not required.
Data Processing:
For registration, you will be redirected to the Facebook page, where you can log in with your usage data. This links your Facebook profile and our service. Through the link, we automatically receive the following data from Meta:
Legal Basis: Art. 6 Para. 1 lit. a GDPR (consent) and lit. b (contract performance)
Further Information: https://www.facebook.com/privacy/explanation
We offer you the option to log in to our platform with your Google account ("Sign in with Google"). Provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Data Processing:
When you log in via Google, you will be redirected to a Google page. After successful authentication, we receive the following information from Google:
We use this information to create your user account or log you in.
Data Transfer to the USA: Google is certified under the EU-US Data Privacy Framework.
Legal Basis: Art. 6 Para. 1 lit. a GDPR (consent) and lit. b (contract performance)
Further Information: https://policies.google.com/privacy
External fonts, Google Fonts, are used on these web pages. Google Fonts is a service of Google Ireland Limited. The integration of these web fonts is done through a server call, usually a Google server in the USA. This transmits to the server which of our web pages you have visited. Your IP address is also stored by Google.
Legal Basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in uniform display)
Further Information: https://policies.google.com/privacy
This website uses the "Google Maps API" from Google Ireland Limited for visual presentation of map material. When using Google Maps, Google also collects, processes, and uses data on the use of Maps functions by website visitors.
Legal Basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest)
Further Information:
https://www.google.com/intl/en/help/terms_maps/
https://policies.google.com/privacy
When paying by credit card (MasterCard/Visa), invoice, and/or PayPal, we forward your payment data to MANGOPAY S.A., 59 Boulevard Royal, L-2449 Luxembourg for payment processing.
Payment Methods Offered via Mangopay:
Data Processing:
For the use of these payment services, Mangopay collects, stores, and processes your personal data such as:
Responsibility:
Mangopay is responsible as an independent controller for the protection and handling of data collected by Mangopay. Processing is done according to Mangopay's privacy policies.
Legal Basis: Art. 6 Para. 1 lit. b GDPR (contract performance)
The transfer of your data to Mangopay is necessary for payment processing and is done to fulfill the purchase contract.
Further Information: https://www.mangopay.com/terms/privacy-policy/
We use Google Workspace (formerly G Suite) from Google Ireland Limited for internal business processes. Google Workspace includes the following services:
Gmail:
For email communication with customers, musicians, and business partners. Emails are stored on Google servers in the EU.
Google Drive:
For storage and management of documents, files, and other business records. Storage primarily occurs on servers in the EU.
Google Calendar:
For managing appointments, events, and concert bookings.
Google Docs (Docs, Sheets, Slides):
For creating and editing documents, spreadsheets, and presentations.
Data Processing:
When using these services, personal data (email addresses, names, communication content, booking data) may be transmitted to Google and processed on Google servers.
Data Processing Agreement:
A data processing agreement has been concluded with Google according to Art. 28 GDPR. Google processes data exclusively according to our instructions.
Data Location:
Data is primarily stored in data centers within the EU. Google is certified under the EU-US Data Privacy Framework.
Legal Basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest in efficient business operations) and lit. b (contract performance)
Retention Period: According to our retention guidelines and legal requirements
Further Information: https://workspace.google.com/intl/en/terms/dpa_terms.html
In some cases, we use the ChatGPT API from OpenAI Ireland Limited, 31 Merrion Square East, Dublin 2, D02 PN86, Ireland, for the following purposes:
Purposes of Use:
Data Processing:
When you use the ChatGPT-powered service, your inquiries and relevant context information are sent to the OpenAI API. OpenAI processes this data to generate a response that is sent back to you.
Transmitted Data:
Important Notes:
Data Transfer to the USA:
OpenAI may process data on servers in the USA. OpenAI has committed to complying with appropriate data protection standards.
Legal Basis: Art. 6 Para. 1 lit. b (contract performance)
Retention Period: 30 days at OpenAI, according to retention guidelines with us
Further Information: https://openai.com/policies/privacy-policy
We use Twilio Ireland Limited, 3 Dublin Landings, North Wall Quay, Dublin 1, Ireland, for telephony services (voice calls) and SMS sending.
Functionality:
Twilio enables us to:
Processed Data:
Consent Before Using the Phone Function:
To use the phone function, you must first consent to a separate privacy policy for the phone function. You are expressly informed that:
Without your consent, you cannot use the phone function.
Purpose of Recording:
The recordings serve for:
Storage in Chat:
After each phone call, the recording is automatically saved as an audio file in your chat history. Both conversation participants (musician/host) have access to this recording in their respective chat.
Legal Basis:
Withdrawal of Consent:
You can revoke your consent to use the phone function at any time with effect for the future. Already recorded and stored conversations in the chat remain unaffected unless legal retention obligations exist.
Data Transfer:
Twilio may process data on servers in the USA and other countries. Twilio is certified under the EU-US Data Privacy Framework.
Data Processing Agreement: A data processing agreement has been concluded with Twilio according to Art. 28 GDPR.
Retention Period: Connection data is stored for 12 months
Further Information: https://www.twilio.com/legal/privacy
You can request information about the personal data stored about you at any time and free of charge. Your rights also include confirmation, correction, restriction, blocking, and deletion of such data, provision of a copy of the data in a format suitable for transmission, as well as revocation of granted consent and objection. Legal retention obligations remain unaffected.
Your rights arise in particular from the following provisions of the GDPR:
You have the right to withdraw granted consent at any time with effect for the future. The lawfulness of processing carried out until withdrawal remains unaffected.
You have the right to transparent information, communication, and modalities for exercising your rights.
You have the right to information when collecting personal data from the data subject.
You have the right to information if personal data was not collected from the data subject.
You have the right to access your stored personal data, confirmation, and provision of a copy of personal data.
You have the right to request correction of inaccurate or completion of incomplete personal data.
You have the right to erasure ("right to be forgotten") of your personal data, provided no legal retention obligations or other exceptions apply.
You have the right to request restriction of processing of your personal data.
You have the right to notification in connection with rectification or erasure of personal data or restriction of processing.
You have the right to receive personal data concerning you in a structured, commonly used, and machine-readable format and to transmit this data to another controller.
You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you based on Art. 6 Para. 1 lit. f GDPR.
You have the right not to be subject to a decision based solely on automated processing, including profiling.
You have the right to lodge a complaint with a data protection supervisory authority, particularly in the member state of your habitual residence, place of work, or place of alleged infringement.
To exercise your rights (except Art. 77 GDPR), please contact the office named under "Controller under the GDPR":
SofaConcerts GmbH
Email: support@sofaconcerts.org
Phone: +49-40-88-177-500
Hamburg Commissioner for Data Protection and Freedom of Information
Klosterwall 6 (Block C)
20095 Hamburg
Tel.: 040 / 428 54 - 4040
Fax: 040 / 428 54 - 4000
Email: mailbox@datenschutz.hamburg.de
Website: https://datenschutz-hamburg.de
We reserve the right to change this privacy policy to adapt it to changed legal situations or when changes to our services occur. The new privacy policy will then apply to future visits.
Last updated: February 2026