Privacy Policy
Last updated: July 2026
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
TUM-BWL e.V.
c/o Fachschaft TUM SOM
Arcisstraße 21
80333 Munich
Germany
Represented by the Board: Florian Huber, Sophia Oberhuber
Phone: +49 (0)89 289-28221
Email: fachschaft@tum-som.com
2. General Information on Data Processing
We process personal data only to the extent necessary to provide a functional website and our services. Processing is carried out on the basis of your consent (Art. 6(1)(a) GDPR), for the performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR), to comply with a legal obligation (Art. 6(1)(c) GDPR), or on the basis of our legitimate interests (Art. 6(1)(f) GDPR).
Personal data is deleted as soon as the purpose of storage no longer applies and no statutory retention obligations prevent deletion.
3. Rights of Data Subjects
With regard to your personal data, you have the following rights: access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR), and objection to processing (Art. 21 GDPR).
Where you have consented to processing, you may withdraw that consent at any time with effect for the future. The lawfulness of processing carried out until withdrawal remains unaffected. To exercise your rights, a message to the contact details above is sufficient.
4. Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The authority responsible for us is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
5. Provision of the Website and Server Log Files
Each time our website is accessed, technical access data is collected automatically: the IP address of the requesting device, the date and time of access, the file or page requested, the browser and device type used, and the previously visited page (referrer). This data is required to deliver the website, ensure its stability and security, and trace malfunctions.
The legal basis is our legitimate interest in secure and trouble-free operation (Art. 6(1)(f) GDPR). The log files are deleted as soon as they are no longer required for these purposes; storage follows the technical settings of our hosting provider (see Section 6).
6. Hosting
Our website is delivered via the Lovable platform. The provider is Lovable Labs Incorporated (Dover, Delaware, USA) or Lovable Labs AB, Regeringsgatan 25, 111 53 Stockholm, Sweden. When the website is accessed, the resulting access data (see Section 5) is processed on Lovable's infrastructure.
Lovable processes this data on our behalf on the basis of a data processing agreement pursuant to Art. 28 GDPR. The legal basis is our legitimate interest in the secure and efficient provision of the website (Art. 6(1)(f) GDPR). Where data is transferred to a third country, this is done on the basis of the EU Standard Contractual Clauses.
7. User Accounts, Authentication, Database and Storage (Lovable Cloud)
For the registration and login of user accounts, as well as for storing the data collected via the website (database and file storage), we use the managed backend "Lovable Cloud" from our provider Lovable (provider details in Section 6). Lovable Cloud is technically based on the Supabase platform (Supabase, Inc., USA), which acts as a sub-processor in this respect. The backend for this project is operated in the EU (region EU-West, Ireland).
When you register and use an account, we process in particular your email address, login data, and the session and usage data arising during use. To maintain your login, technically necessary information (session tokens) is stored in your browser.
The legal basis is the performance of the usage contract or the implementation of pre-contractual measures (Art. 6(1)(b) GDPR), as well as our legitimate interest in secure technical provision (Art. 6(1)(f) GDPR). Processing is carried out on the basis of a data processing agreement pursuant to Art. 28 GDPR; for any transfers to third countries, the EU Standard Contractual Clauses apply.
8. Bot Protection on the Login Pages (Cloudflare Turnstile)
On our authentication pages (registration and password reset) we use Cloudflare Turnstile to distinguish whether an input is made by a human or by an automated program. The provider is Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA.
For this purpose, Turnstile analyses technical characteristics of the access (including IP address, browser and device information, and interaction signals). The legal basis is our legitimate interest in protecting our login processes against misuse, spam and automated attacks (Art. 6(1)(f) GDPR). Cloudflare is certified under the EU-US Data Privacy Framework; in addition, the EU Standard Contractual Clauses from the Cloudflare DPA apply. Further information: https://www.cloudflare.com/privacypolicy/
9. Error Reporting (Lovable)
If an error occurs in our application, technical error and diagnostic data (including IP address, browser/device information, timestamp, and error/debugging information) is transmitted to Lovable (provider details in Section 6) in order to detect and fix errors. The legal basis is our legitimate interest in the stability, security and error-free operation of the application (Art. 6(1)(f) GDPR). Processing is carried out on the basis of a data processing agreement pursuant to Art. 28 GDPR; for transfers to third countries, the EU Standard Contractual Clauses apply.
10. Contact Form
If you contact us via the contact form, we process the data you provide (in particular name, email address and your message) to handle your enquiry. The legal basis is our legitimate interest in responding to your request (Art. 6(1)(f) GDPR) or, where directed at concluding a contract, Art. 6(1)(b) GDPR. The data is deleted once your enquiry has been conclusively dealt with and no statutory retention periods prevent deletion.
11. Newsletter
To subscribe to our newsletter we use the double opt-in procedure: after signing up, you receive an email in which you must confirm your subscription. We store your email address and the time of sign-up and confirmation in our backend (see Section 7). The legal basis is your consent (Art. 6(1)(a) GDPR). You can unsubscribe from the newsletter at any time via the unsubscribe link in every newsletter email and withdraw your consent; your address is then deleted from the distribution list.
12. Registration for Events, Ticket Sales and Applications
For registration to events and within the scope of application or selection processes, we process the data you provide (e.g. name, email address and further information required for the respective event or application). The legal basis is the implementation of pre-contractual or contractual measures (Art. 6(1)(b) GDPR) or your consent (Art. 6(1)(a) GDPR). The data is stored for the duration of the event or selection process and is subsequently deleted unless statutory retention obligations apply.
Ticket sales and payment processing via Eventbrite. We sell tickets for paid events and process the associated payments via the Eventbrite platform. The provider is Eventbrite, Inc. (San Francisco, USA). When you purchase a ticket, you enter your data (including name, email address, order and payment data) directly on the Eventbrite platform; payment is processed by Eventbrite. We ourselves do not receive or store full payment data.
From Eventbrite we receive the registration and order data required to run the event (in particular name, email address and ticket information). For this data we are the controller, and Eventbrite acts as our processor on the basis of a data processing agreement (Art. 28 GDPR). For payment processing as well as for its own purposes and the administration of any Eventbrite account, Eventbrite acts as an independent controller; in this respect Eventbrite's own privacy policy applies. The legal basis for the processing is the performance of the contract for the ticket purchase or event participation (Art. 6(1)(b) GDPR). Eventbrite is certified under the EU-US Data Privacy Framework, so an adequacy decision applies to transfers to the USA; in addition, the EU Standard Contractual Clauses apply. Further information is available in Eventbrite's privacy policy.
13. External Links and Social Media Profiles
Our website contains links to external sites and third-party profiles (including Instagram, Facebook, LinkedIn, WhatsApp, Eventbrite, TUM pages, and partner initiatives). These are exclusively simple links; no content from these providers is embedded on our site, and no data is transmitted to them unless you click the link. Only after clicking are you taken to the respective site; the respective provider alone is responsible for the data processing there. We have no influence over their content or data protection practices.
14. Cookies and Consent Management
Our website uses exclusively technically necessary cookies or comparable storage technologies that are required for operation (in particular login/session management, language selection and storage of your consent status). These do not require consent. Should consent-requiring services be added in the future, they will only be activated after your consent via a consent banner; you can then change or withdraw your choice at any time.
15. Transfers to Third Countries
The backend of this project is operated in the EU (Ireland). For some of the services mentioned above, personal data may nonetheless be transferred to the USA, or access from the USA cannot be excluded. For Cloudflare and Eventbrite, which are certified under the EU-US Data Privacy Framework, an adequacy decision by the European Commission applies. For the remaining transfers (in particular Lovable and the sub-processor Supabase), we rely on the EU Standard Contractual Clauses and – where necessary – supplementary protective measures. As some providers have parent companies in the USA, a residual risk of access under US law cannot be entirely excluded despite EU hosting.
16. Changes to This Privacy Policy
We reserve the right to amend this Privacy Policy so that it always complies with current legal requirements or to implement changes to our services. The current version applies to your next visit.
