Privacy Policy

1. Privacy at a Glance

General Information

The following information provides a simple overview of what happens to your personal data when you use Varbe. Personal data is any data that can be used to personally identify you.

We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy. Varbe only collects data that is absolutely necessary for the operation of the platform. We do not sell data to third parties and do not use invasive tracking technologies.

What do we collect?

Currently (Early Access):

• Account data upon registration (email, encrypted password, username)
• Profile information (bio, artist name, profile picture, location optional)
• Usage behavior (likes, follows, comments, chat messages)
• Technical data (IP address, browser type, device)

Future (when features go live):

• Discovery Feed interactions (views, swipes, preferences)
• Marketplace data (transactions, shipping addresses, payment information via Stripe)
• Location data (only when you use Local Art Radar and grant permission)

How do we use your data?

• Provision and operation of the platform
• Account management and authentication
• Personalization of the Discovery Feed (when active)
• Communication (updates, feature launches, support)
• Processing transactions (once Marketplace is active)
• Improving the platform through usage analysis
• Protection against misuse and fraud

Your Rights

You have the right at any time to:

• Access your stored data
• Correct inaccurate data
• Delete your data
• Restrict processing
• Data portability
• Object to processing
• Lodge a complaint with a supervisory authority

2. Responsible Party

The party responsible for data processing on this website is:

The responsible party decides alone or jointly with others on the purposes and means of processing personal data (e.g., names, email addresses, etc.).

3. Hosting and Technical Infrastructure

Firebase / Google Cloud Platform

Varbe is hosted on Firebase (Google Cloud Platform). The provider is:

When you use Varbe, Firebase collects various log files including your IP address. This is technically necessary for the operation of the website. Firebase processes data on our behalf and is bound by a data processing agreement (DPA).

Data Transfer to the USA:
Google is certified under the EU-US Data Privacy Framework. Data transfer to the USA is based on Standard Contractual Clauses of the EU Commission.

Legal Basis:
Art. 6(1)(f) GDPR (legitimate interest in reliable hosting)

More Information:
Firebase Privacy
Google Privacy Policy

Firestore Database

We use Cloud Firestore from Firebase to store user data, profiles, artworks, comments, and other content structures. The data is stored encrypted and is subject to Firebase's privacy policy.

Firebase Storage

Uploaded images and media are stored in Firebase Storage. The data is encrypted during transmission and storage.

4. Data Collection and Processing

4.1 Registration and Account Creation

When you register with Varbe, we collect the following data:

Required Information:

• Email address
• Password (stored encrypted, never in plain text)
• Username / Display Name

Optional:

• Profile picture
• Bio / Artist description
• Artist name
• Location (city/country) for Local Art Radar
• Links to social media profiles
• Artistic background (for verification)

Legal Basis: Art. 6(1)(b) GDPR (contract performance)

Storage Duration: Until account deletion or upon your request

4.2 Firebase Authentication

We use Firebase Authentication for user authentication. Firebase stores:

• Email address
• Encrypted password
• User ID (unique identifier)
• Timestamps of registration and last login

When using Social Login (Google OAuth, if implemented), additional profile data provided by the provider (name, profile picture) is collected.

Legal Basis: Art. 6(1)(b) GDPR (contract performance)

4.3 Artist Verification

During artist verification, we additionally collect:

• At least 3 sample artworks (images)
• Description of artistic background
• Information about technique, style, previous exhibitions
• AI detection results (automated)

This data is manually reviewed by our team and partially deleted after verification (only relevant profile information is retained).

Legal Basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in an AI-free platform)

4.4 Content (Artworks, Posts, Comments)

When you upload content to Varbe, we store:

• Images / Media
• Title, description, tags
• Voice Notes (optional, as audio file)
• Process Videos (optional)
• Metadata (upload time, resolution, file size)

Public Visibility:
All uploaded artworks and posts are publicly visible by default. Comments are linked to your profile and public.

Legal Basis: Art. 6(1)(b) GDPR (contract performance)

4.5 Usage Behavior and Interactions

We collect your usage behavior to improve the platform and personalize the Discovery Feed:

• Likes and favorites
• Follows (artists you follow)
• Comments
• Views on artworks
• Swipe behavior in Discovery Feed (when active)
• Search history

This data is used to show you relevant content and generate recommendations.

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in a personalized user experience)

You can object to personalization at info@varbe.org. In this case, you will receive non-personalized content.

4.6 Chat and Direct Messages

Messages in chat areas and Direct Messages (when active) are stored to enable communication. We do not read your messages except in cases of reported violations of community guidelines.

Legal Basis: Art. 6(1)(b) GDPR (contract performance)

Storage Duration: Messages are stored until you delete them or close your account.

5. Future Features and Data Processing

The following data processing will only take effect when the corresponding features are active. You will be notified by email in advance.

5.1 Discovery Feed Personalization

Once the Discovery Feed goes live, we will analyze your usage behavior in more detail:

• Time spent on artworks
• Swipe directions (up/down)
• Preferences for categories, styles, techniques
• Interaction with Stories (listening to Voice Notes, watching Process Videos)

This data is used to personalize the "For You" feed. You can switch to non-personalized feeds at any time.

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest)

5.2 Local Art Radar

If you want to use the Local Art Radar, we need your location data:

• Current location (GPS coordinates, only during active use)
• Location preferences (saved places)

Important: Location data is only collected if you explicitly grant permission and actively use the feature. You can revoke permission at any time in your device settings.

Legal Basis: Art. 6(1)(a) GDPR (consent)

5.3 Marketplace and Payments

Once the Marketplace is active, we additionally process:

For Sellers (Artists):

• Stripe Connect account data (bank details, tax ID)
• Transaction history (sales, payouts)
• Shipping information

For Buyers:

• Shipping address
• Payment information (only via Stripe, we do not store credit card data)
• Order history
• Tracking numbers

Payment Processing by Stripe:
All payments are processed by Stripe Inc. Stripe processes credit card data and payment information. We only receive confirmations of successful payments, never your complete credit card data.

Stripe Privacy: https://stripe.com/privacy

Legal Basis: Art. 6(1)(b) GDPR (contract performance)

Storage Duration: Transaction data is stored according to legal retention periods (10 years for tax purposes).

6. Cookies and Tracking

6.1 Cookies

Varbe uses cookies to ensure the functionality of the website. Cookies are small text files stored on your device.

Technically Necessary Cookies:

• Session cookies for authentication
• Preference cookies for language settings

These cookies are essential for the operation of the website and are set without your consent.

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest)

Optional: Analytics Cookies (consent required):
We may use Google Analytics or similar tools to analyze user behavior. These cookies are only set if you consent.

Legal Basis: Art. 6(1)(a) GDPR (consent)

You can manage or delete cookies in your browser settings. Disabling cookies may limit the functionality of the website.

6.2 Tracking and Analytics

Firebase Analytics:
We use Firebase Analytics to obtain aggregated statistics about platform usage (e.g., number of users, popular features, error reports). The data is collected anonymously.

IP Anonymization:
IP addresses are truncated so that no tracing to individual users is possible.

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in improving the platform)

Right to Object: You can object to analysis at info@varbe.org.

6.3 No Invasive Trackers

Varbe does not use:

• Facebook Pixel
• TikTok Pixel
• Third-party advertising trackers
• Cross-Site Tracking
• Fingerprinting

We respect your privacy and only use the minimally necessary tracking technologies.

7. Data Sharing with Third Parties

We do not share your personal data with third parties, except:

7.1 Data Processors:

• Google Firebase / Google Cloud Platform (hosting, database)
• Stripe (payment processing, only for Marketplace usage)

These service providers process data exclusively on our behalf and are bound by data processing agreements (DPA).

7.2 Legal Obligations:

We may disclose data if we are legally obligated to do so (e.g., official requests, court orders) or to enforce our rights.

7.3 Sale or Merger:

In the event of a sale or merger of Varbe, your data may be transferred to the acquirer. You will be notified in advance.

8. Data Transfer to Third Countries

By using Google Firebase, data may be transferred to the USA. Google is certified under the EU-US Data Privacy Framework, which ensures an adequate level of data protection.

Additionally, we use Standard Contractual Clauses of the EU Commission as the legal basis for data transfer.

9. Data Security

We implement technical and organizational measures to protect your data:

Technical Measures:

• SSL/TLS encryption for all data transmissions
• Encrypted storage of passwords (bcrypt/scrypt)
• Firewall and access restrictions on Firebase
• Regular security updates
• Backups for data recovery

Organizational Measures:

• Access to data only for authorized employees
• Confidentiality obligations for employees
• Data protection impact assessments for new features
• Incident response plan for security incidents

Despite all security measures, no data transmission over the Internet can be 100% secure. You use Varbe at your own risk.

10. Storage Duration

We only store your data for as long as necessary for the respective purposes:

11. Your Rights as a Data Subject

Under the GDPR, you have the following rights:

11.1 Right to Access (Art. 15 GDPR)

You can request information about your stored personal data at any time. The information is free of charge and includes:

• What data is stored about you
• For what purposes the data is processed
• To whom the data has been disclosed
• How long the data will be stored

Request: info@varbe.org

11.2 Right to Rectification (Art. 16 GDPR)

You can request the correction of inaccurate data. Most profile data can be corrected by yourself in your account settings.

11.3 Right to Erasure (Art. 17 GDPR)

You can request the deletion of your data ("right to be forgotten"). We will delete your data if:

• The data is no longer needed for the original purposes
• You withdraw your consent (for consent-based processing)
• You object and there are no overriding legitimate grounds for processing
• The data was processed unlawfully

Exceptions: We may refuse deletion if legal retention periods apply (e.g., transaction data) or the data is needed for legal proceedings.

Account Deletion: info@varbe.org
We will delete all your data within 30 days.

11.4 Right to Restriction of Processing (Art. 18 GDPR)

You can request restriction of processing if:

• The accuracy of the data is contested
• The processing is unlawful but you do not want deletion
• The data is no longer needed but you need it for legal claims

11.5 Right to Data Portability (Art. 20 GDPR)

You can receive your data in a structured, machine-readable format and have it transferred to another provider.

Request Data Export: info@varbe.org
We will provide your data in JSON or CSV format.

11.6 Right to Object (Art. 21 GDPR)

You can object to the processing of your data based on legitimate interests (Art. 6(1)(f) GDPR) at any time. We will stop processing unless we can demonstrate compelling legitimate grounds.

In particular: You can object to the personalization of the Discovery Feed at any time.

11.7 Right to Withdraw Consent (Art. 7(3) GDPR)

If processing is based on your consent (e.g., analytics cookies, location data), you can withdraw it at any time. The lawfulness of processing carried out before the withdrawal remains unaffected.

12. Right to Complain to Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your data is unlawful.

13. Changes to This Privacy Policy

We reserve the right to adapt this privacy policy to comply with changed legal requirements or changes to our services.

For significant changes, registered users will be notified by email (at least 14 days before entry into force). The current version is always available at varbe.org/datenschutz.

Recommendation: Visit this page regularly to stay informed about changes.

14. Privacy Contact

For questions about data protection or to exercise your rights:

We usually respond within 7 days.