Privacy policy
Last updated: 9 June 2026
1. Controller
The controller for data processing on this website within the meaning of the GDPR is:
Cleo Mußul
LUME Club
Leibnizstraße 93
10625 Berlin
Email: cleo.mussul@gmx.de
2. General principles
We only process personal data of our users to the extent necessary to provide a functioning website and our content and services. Processing is based on the legal grounds stated in each section below.
3. Web hosting (Vercel)
This website is hosted by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA. When you visit the site, technical data (IP address, timestamp, requested URL, data volume, browser information) is processed by Vercel. Servers for EU users are located in the European Union. Vercel processes this data on our behalf (Art. 28 GDPR).
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in stable and secure operation). More: vercel.com/legal/privacy-policy.
4. Database and authentication (Supabase)
User data, bookings, and class information are stored with Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992. Database servers are located in the EU (Frankfurt am Main, Germany). A data processing agreement under Art. 28 GDPR is in place.
Legal basis: Art. 6 (1) (b) GDPR (performance of a contract). More: supabase.com/privacy.
5. Account creation and bookings
When you register we process: name, email address, and your (hashed) password. These data are required to provide the booking service under Art. 6 (1) (b) GDPR.
For bookings we additionally store: the booked session, booking and cancellation status, Stripe payment reference, and generated invoices. Data are deleted as soon as no longer required, subject to legal retention obligations (e.g. 10 years under § 147 AO for accounting records).
6. Payment processing (Stripe)
Payments are processed by Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. During payment the required data (payment method, amount, email) are sent directly to Stripe. We do not store card or account details.
Legal basis: Art. 6 (1) (b) GDPR. More: stripe.com/privacy.
7. Email delivery (Brevo)
Transactional emails (booking confirmations, reminders, password resets, invoices) are sent via Sendinblue GmbH (Brevo), Köpenicker Str. 126, 10179 Berlin, Germany. Name and email address are transmitted to Brevo, which processes them on our behalf (Art. 28 GDPR).
Legal basis: Art. 6 (1) (b) GDPR or Art. 6 (1) (f) GDPR. More: brevo.com/legal/privacypolicy.
8. Contact form
When you use the contact form, the following data are collected: name, email address, subject, and message text. These are stored in our database and forwarded to us by email so that we can handle your enquiry.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in handling enquiries) or Art. 6 (1) (b) GDPR where the enquiry relates to a contract. Data are deleted once the enquiry has been fully resolved, unless legal retention obligations apply.
9. Maps embed (Google Maps)
On class detail pages a Google Maps embed can be shown (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). The map is only loaded after an explicit click. When loaded, your IP address is sent to Google, which may process it in the United States.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in displaying class locations). Privacy policy: policies.google.com/privacy.
10. Cookies and local storage
We use only strictly necessary cookies and localStorage for:
- Authentication cookie after sign-in (set by Supabase)
- Language preference (cookie and/or URL prefix)
No consent is required for these (§ 25 (2) (2) TTDSG). We do not run analytics, tracking, or retargeting.
11. Retention periods
- Account data: until you delete your account
- Booking, payment, and invoice records: 10 years (§ 147 AO, statutory retention)
- Contact enquiries: until the enquiry is fully resolved
- Server log files: max 30 days
12. Your rights
You have the right at any time to:
- Access your processed data (Art. 15 GDPR)
- Rectify incorrect data (Art. 16 GDPR)
- Erase your data (Art. 17 GDPR)
- Restrict processing (Art. 18 GDPR)
- Receive data portability (Art. 20 GDPR)
- Object to processing based on legitimate interest (Art. 21 GDPR)
You can delete your account and all related data at any time via "My account → Delete account". Accounting records remain stored for the statutory retention period.
13. Right to lodge a complaint
You have the right to lodge a complaint with a data protection authority — for example, the Berlin Commissioner for Data Protection and Freedom of Information.
14. Changes to this policy
We may update this privacy policy when legal requirements or our processing activities change. The current version is always available on this page.
This privacy policy has been prepared with care but does not replace legal advice. For questions, please use the contact details in the imprint.
