3. Purposes, Data Categories & Legal Bases
We process personal data only as necessary.
3.1 Website delivery & security
Purpose: deliver pages, stability, security, abuse prevention
Data: IP address, timestamp, request URL, referrer, user agent, status codes
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operations)
Purpose: deliver pages, stability, security, abuse prevention
Data: IP address, timestamp, request URL, referrer, user agent, status codes
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operations)
Purpose: deliver pages, stability, security, abuse prevention
Data: IP address, timestamp, request URL, referrer, user agent, status codes
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operations)
Purpose: deliver pages, stability, security, abuse prevention
Data: IP address, timestamp, request URL, referrer, user agent, status codes
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operations)
3.2 Editor & Postererstellung
Purpose: create personalized posters (digital/print)
Data:
• GPX (uploaded by you or generated from Strava)
• Editor-Eingaben (e.g., landmark name/type/region)
Generated images (“Magic Highlight”) & final poster
Legal basis: Art. 6(1)(b) GDPR (contract/performance)
Purpose: create personalized posters (digital/print)
Data:
• GPX (uploaded by you or generated from Strava)
• Editor-Eingaben (e.g., landmark name/type/region)
Generated images (“Magic Highlight”) & final poster
Legal basis: Art. 6(1)(b) GDPR (contract/performance)
Purpose: create personalized posters (digital/print)
Data:
• GPX (uploaded by you or generated from Strava)
• Editor-Eingaben (e.g., landmark name/type/region)
Generated images (“Magic Highlight”) & final poster
Legal basis: Art. 6(1)(b) GDPR (contract/performance)
Purpose: create personalized posters (digital/print)
Data:
• GPX (uploaded by you or generated from Strava)
• Editor-Eingaben (e.g., landmark name/type/region)
Generated images (“Magic Highlight”) & final poster
Legal basis: Art. 6(1)(b) GDPR (contract/performance)
3.3 Image generation (“Magic Highlight”) via OpenAI
Purpose: generate poster graphics from short prompts
Data sent to OpenAI: prompt context only (landmark/type/region); no GPX and no payment data
Legal basis: Art. 6(1)(b) GDPR
Note: Data sharing/training at OpenAI is disabled.
Purpose: generate poster graphics from short prompts
Data sent to OpenAI: prompt context only (landmark/type/region); no GPX and no payment data
Legal basis: Art. 6(1)(b) GDPR
Note: Data sharing/training at OpenAI is disabled.
Purpose: generate poster graphics from short prompts
Data sent to OpenAI: prompt context only (landmark/type/region); no GPX and no payment data
Legal basis: Art. 6(1)(b) GDPR
Note: Data sharing/training at OpenAI is disabled.
Purpose: generate poster graphics from short prompts
Data sent to OpenAI: prompt context only (landmark/type/region); no GPX and no payment data
Legal basis: Art. 6(1)(b) GDPR
Note: Data sharing/training at OpenAI is disabled.
3.4 Maps (Mapbox) in the editor
Purpose: map tiles/styles rendering
Data: IP address and technical metadata when loading tiles/styles
Legal basis: Art. 6(1)(b) GDPR (necessary for the editor)
Purpose: map tiles/styles rendering
Data: IP address and technical metadata when loading tiles/styles
Legal basis: Art. 6(1)(b) GDPR (necessary for the editor)
Purpose: map tiles/styles rendering
Data: IP address and technical metadata when loading tiles/styles
Legal basis: Art. 6(1)(b) GDPR (necessary for the editor)
Purpose: map tiles/styles rendering
Data: IP address and technical metadata when loading tiles/styles
Legal basis: Art. 6(1)(b) GDPR (necessary for the editor)
3.5 Ordering & Payment (Stripe Hosted Checkout)
Purpose: payment processing, order handling
Data: order items/prices, language, shipping details (for print), email (for digital-only), status/references from Stripe webhooks
Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(c) GDPR (tax/commercial duties)
Purpose: payment processing, order handling
Data: order items/prices, language, shipping details (for print), email (for digital-only), status/references from Stripe webhooks
Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(c) GDPR (tax/commercial duties)
Purpose: payment processing, order handling
Data: order items/prices, language, shipping details (for print), email (for digital-only), status/references from Stripe webhooks
Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(c) GDPR (tax/commercial duties)
Purpose: payment processing, order handling
Data: order items/prices, language, shipping details (for print), email (for digital-only), status/references from Stripe webhooks
Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(c) GDPR (tax/commercial duties)
3.6 Fulfillment (Gelato) & Versand
Zweck: Druck & Versand der Poster
Daten an Gelato: Druckdateien, notwendige Kunden-/Versanddaten
Daten an Carrier: Anschrift, Kontaktdaten, Sendungsnummer
Rechtsgrundlage: Art. 6 Abs. 1 lit. b DSGVO
Zweck: Druck & Versand der Poster
Daten an Gelato: Druckdateien, notwendige Kunden-/Versanddaten
Daten an Carrier: Anschrift, Kontaktdaten, Sendungsnummer
Rechtsgrundlage: Art. 6 Abs. 1 lit. b DSGVO
Zweck: Druck & Versand der Poster
Daten an Gelato: Druckdateien, notwendige Kunden-/Versanddaten
Daten an Carrier: Anschrift, Kontaktdaten, Sendungsnummer
Rechtsgrundlage: Art. 6 Abs. 1 lit. b DSGVO
Zweck: Druck & Versand der Poster
Daten an Gelato: Druckdateien, notwendige Kunden-/Versanddaten
Daten an Carrier: Anschrift, Kontaktdaten, Sendungsnummer
Rechtsgrundlage: Art. 6 Abs. 1 lit. b DSGVO
3.7 Transaktionale E-Mails (Brevo)
Zweck: Download-Link digitale Poster; Versand-/Tracking-Updates
Daten: E-Mail, Bestell-/Tracking-Bezug, Zustell-/Öffnungs-/Klick-Metadaten
Rechtsgrundlage: Art. 6 Abs. 1 lit. b DSGVO
3.8 Reichweitenmessung (Umami)
Zweck: rein technische, cookielose Reichweitenmessung
Daten: aggregierte, nicht auf Nutzerprofile ausgerichtete Messdaten
Rechtsgrundlage: Art. 6 Abs. 1 lit. f DSGVO (optimierter Betrieb ohne Trackingprofile)
Keine Marketing-Newsletter: Derzeit versenden wir keine Marketing-Mails.
4. Cookies & Similar Technologies
We use only essential cookies for the editor
Session↔GP X binden (JWT: id, iss, exp, iat, src, gpxk, gpxu)
editor.mementomap.com (Path /)
HttpOnly, Secure, SameSite=La x
Session↔GP X binden (JWT: id, iss, exp, iat, src, gpxk, gpxu)
editor.mementomap.com (Path /)
HttpOnly, Secure, SameSite=La x
Session↔GP X binden (JWT: id, iss, exp, iat, src, gpxk, gpxu)
editor.mementomap.com (Path /)
HttpOnly, Secure, SameSite=La x
StravaOAuthCredentials (JWT)
editor.mementomap.com (Path /api/v1/stra va)
HttpOnly, Secure, SameSite=La x
StravaOAuthCredentials (JWT)
editor.mementomap.com (Path /api/v1/stra va)
HttpOnly, Secure, SameSite=La x
StravaOAuthCredentials (JWT)
editor.mementomap.com (Path /api/v1/stra va)
HttpOnly, Secure, SameSite=La x
Third-party media/forms: External content (e.g., YouTube) does not load automatically. Where used, we apply a two-click (click-to-load) solution so no non-essential cookies are set before you opt to load the embed. This means no global consent banner is required.
5. Recipients / Processors
Processing occurs under Art. 28 GDPR DPAs; for third-country transfers we rely on EU Standard Contractual Clauses (SCCs) and additional safeguards.
Hosting (Editor/API) & Object Storage (S3- kompatibel)
Hosting (Editor/API) & Object Storage (S3- kompatibel)
Hosting (Editor/API) & Object Storage (S3- kompatibel)
Hosting of marketing pages
Hosting of marketing pages
Hosting of marketing pages
DNS only (no CDN proxy in use)
DNS only (no CDN proxy in use)
DNS only (no CDN proxy in use)
Hosted Checkout, webhooks
SCCs + EEA infrastructure
Hosted Checkout, webhooks
SCCs + EEA infrastructure
Hosted Checkout, webhooks
SCCs + EEA infrastructure
Print & fulfillment (incl. carriers like DHL/UPS etc.)
Print & fulfillment (incl. carriers like DHL/UPS etc.)
Print & fulfillment (incl. carriers like DHL/UPS etc.)
Image generation from short prompts; training disabled
Image generation from short prompts; training disabled
Image generation from short prompts; training disabled
Map tiles/styles; IP on load
Map tiles/styles; IP on load
Map tiles/styles; IP on load
Transactional email, delivery logs
Transactional email, delivery logs
Transactional email, delivery logs
Cookieless reach measurement
Cookieless reach measurement
Cookieless reach measurement
Mail handling for public address
Mail handling for public address
Mail handling for public address
Links to each provider’s DPA/SCCs are available on request.
6. Storage Locations & Retention
Infrastructure: Hetzner servers & object storage in Nuremberg (DE/EEA). Access to files uses time-limited presigned URLs.
Session purpose, data minimization
Session purpose, data minimization
Session purpose, data minimization
AI images (“Magic Highlight”)
AI images (“Magic Highlight”)
AI images (“Magic Highlight”)
Tax/commercial laws (AO/HGB)
Tax/commercial laws (AO/HGB)
Tax/commercial laws (AO/HGB)
Tracking IDs/shipping data
up to statutory retention
Tracking IDs/shipping data
up to statutory retention
Tracking IDs/shipping data
up to statutory retention
Automatic deletion: enforced via S3 lifecycle rules (no “Object Lock/Legal Hold” for customer assets). Deletion on request: see Rights below.
9. Your Rights
You have the rights of access, rectification, erasure, restriction, portability, and objection (Art. 15–21 GDPR).
Contact: info@mementomap.com — we usually respond within 30 days.
You may also lodge a complaint with the BayLDA. Erasure without an account: Email us with your order ID and email.
We will delete GPX, AI images, and final posters and stop further processing, subject to legal retention obligations.
11. Third-party content & consent (media/forms)
External content (e.g., YouTube; surveys) is loaded only after your click. Until then, no third-party requests or non-essential cookies are triggered. When you click, the third party’s terms and privacy notice apply.
Product feedback: The feedback form is first-party/native (no automatic third-party embed).
12. Changes to this Notice
We update this notice when our technology, legal requirements, or processes change. The current version is published here; the effective date is shown at the top.