Privacy Policy
Effective date: October 6, 2025
1. Controller & Contact
MementoMap – Inhaber: Roman Lysokon (Einzelunternehmer)
Anschrift (ladungsfähig): c/o COCENTER, Koppoldstr. 1, 86551 Aichach, Deutschland
E-Mail (Datenschutz): info@mementomap.com
Supervisory authority: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Deutschland.
2. Scope
This notice applies to:
• mementomap.com (Landing, About, AGB/Impressum/Datenschutz; Hosting via Framer)
• editor.mementomap.com (Poster-Editor; Hosting/Storage bei Hetzner, Nürnberg/DE)
We do not offer customer accounts. Orders are placed as a guest via Stripe Hosted Checkout.
3. Purposes, Data Categories & Legal Bases
We process personal data only as necessary.
3.1 Website delivery & security
3.2 Editor & Postererstellung
3.3 Image generation (“Magic Highlight”) via OpenAI
3.4 Maps (Mapbox) in the editor
3.5 Ordering & Payment (Stripe Hosted Checkout)
3.6 Fulfillment (Gelato) & Versand
3.7 Transaktionale E-Mails (Brevo)
Zweck: Download-Link digitale Poster; Versand-/Tracking-Updates
Daten: E-Mail, Bestell-/Tracking-Bezug, Zustell-/Öffnungs-/Klick-Metadaten
Rechtsgrundlage: Art. 6 Abs. 1 lit. b DSGVO
3.8 Reichweitenmessung (Umami)
Zweck: rein technische, cookielose Reichweitenmessung
Daten: aggregierte, nicht auf Nutzerprofile ausgerichtete Messdaten
Rechtsgrundlage: Art. 6 Abs. 1 lit. f DSGVO (optimierter Betrieb ohne Trackingprofile)
Keine Marketing-Newsletter: Derzeit versenden wir keine Marketing-Mails.
4. Cookies & Similar Technologies
We use only essential cookies for the editor
Name
Zweck
Typ
Geltungsbereich
TTL
Attribute
mm_cto
Session↔GP X binden (JWT: id, iss, exp, iat, src, gpxk, gpxu)
essentiel l
editor.mementomap.com (Path /)
~6 h
HttpOnly, Secure, SameSite=La x
mm_pto k
StravaOAuthCredentials (JWT)
essentiel l
editor.mementomap.com (Path /api/v1/stra va)
~6 h
HttpOnly, Secure, SameSite=La x
Third-party media/forms: External content (e.g., YouTube) does not load automatically. Where used, we apply a two-click (click-to-load) solution so no non-essential cookies are set before you opt to load the embed. This means no global consent banner is required.
5. Recipients / Processors
Processing occurs under Art. 28 GDPR DPAs; for third-country transfers we rely on EU Standard Contractual Clauses (SCCs) and additional safeguards.
Dienstleister
Sitz/Region
Rolle
Zweck/Kategorien
Transfer
Hetzner
DE (Nürnberg)
Processor
Hosting (Editor/API) & Object Storage (S3- kompatibel)
EEA
Framer
EU/Global
Processor
Hosting of marketing pages
SCCs where applicable
Cloudflare
EU/Global
Recipient (DNS)
DNS only (no CDN proxy in use)
SCCs where applicable
Stripe
EU/Global
Independent controller
Hosted Checkout, webhooks
SCCs + EEA infrastructure
Gelato
NO/EU/Global
Processor
Print & fulfillment (incl. carriers like DHL/UPS etc.)
SCCs
OpenAI (Images v1)
EU/Global
Processor
Image generation from short prompts; training disabled
SCCs
Mapbox
EU/Global
Processor
Map tiles/styles; IP on load
SCCs
Brevo
EU/Global
Processor
Transactional email, delivery logs
SCCs where applicable
Umami (selfhosted)
DE
Processor
Cookieless reach measurement
EEA
anschrift.net (COCENTER)
DE
Processor
Mail handling for public address
EEA
Links to each provider’s DPA/SCCs are available on request.
6. Storage Locations & Retention
Infrastructure: Hetzner servers & object storage in Nuremberg (DE/EEA). Access to files uses time-limited presigned URLs.
Datensatz
Aufbewahrungs
Begründung
Server logs
30 days
Operations/security
DB backups
30 days (rolling)
Disaster recovery
GPX files
6–24 hours (operational)
Session purpose, data minimization
AI images (“Magic Highlight”)
3 years
Re-downloads/reprints
Final poster
3 years
Re-downloads/reprints
Order/invoice data
10 years
Tax/commercial laws (AO/HGB)
Business correspondence
6 years
HGB
Email events (Brevo)
24 months
Delivery proof/support
Tracking IDs/shipping data
up to statutory retention
Proof/warranty/returns
Automatic deletion: enforced via S3 lifecycle rules (no “Object Lock/Legal Hold” for customer assets). Deletion on request: see Rights below.
7. International Transfers
Where processing occurs outside the EEA, we rely on EU SCCs and complementary measures. We minimize data (no GPX or payment data in prompts; prompt text only).
8. Security (TOMs)
TLS/HTTPS; least-privilege access; HttpOnly/Secure/SameSite cookies; signed webhooks (Stripe); access controls/logging; S3 presigned URLs; regular updates/backups.
9. Your Rights
You have the rights of access, rectification, erasure, restriction, portability, and objection (Art. 15–21 GDPR).
Contact: info@mementomap.com — we usually respond within 30 days.
You may also lodge a complaint with the BayLDA. Erasure without an account: Email us with your order ID and email.
We will delete GPX, AI images, and final posters and stop further processing, subject to legal retention obligations.
10. Children
Our service is not directed at children under 16.
11. Third-party content & consent (media/forms)
External content (e.g., YouTube; surveys) is loaded only after your click. Until then, no third-party requests or non-essential cookies are triggered. When you click, the third party’s terms and privacy notice apply.
Product feedback: The feedback form is first-party/native (no automatic third-party embed).
12. Changes to this Notice
We update this notice when our technology, legal requirements, or processes change. The current version is published here; the effective date is shown at the top.
© 2026 MementoMap. All rights reserved.