Privacy Policy

The body responsible for data processing on FCC Connect is Frankfurt Conservation Center (FCC) gGmbH.

Phone: +49 (0)69 94 34 46-0

Email: info@frankfurtconservation.org

Register court: Amtsgericht Frankfurt am Main

Register number: HRB 123956

Represented by: Felix Gaschick, PhD (Managing Director)

Our external data protection officer can be reached at: External data protection officer from TUV Hessen, datenschutz@frankfurtconservation.org.

If you have questions about data protection, wish to exercise your rights, or wish to lodge a complaint, you may contact FCC or the data protection officer directly. You also have the right to contact the competent supervisory authority at any time:

This privacy policy applies to all personal data processed by FCC in connection with FCC Connect, including the public landing and legal pages, login and signup, registered user areas, member profiles, initiatives, matchmaking, events, notifications, feedback, and administrative tools.

It does not apply to third-party websites that we link to. Those services are responsible for their own privacy policies.

When you visit FCC Connect, technical request data may be processed to deliver the website and keep it secure. This may include IP address, date and time of access, requested URL, HTTP status code, browser and device information, referring URL, and similar server log data.

Purpose: Delivering the website, ensuring technical stability, detecting misuse, and protecting the platform.

Legal basis: Art. 6(1)(f) GDPR - legitimate interest in operating a secure website and platform.

Retention: Technical logs are retained only as long as necessary for operation, troubleshooting, security, and legal documentation.

FCC Connect uses technically necessary browser storage to keep users signed in, protect sessions, remember authentication state, and support administrative functions. Supabase Auth may store session information in the browser. Administrators using impersonation tools may also have a temporary impersonation marker stored locally in their browser.

Purpose: Authentication, session management, access control, security, and basic platform operation.

Legal basis: Art. 6(1)(b) GDPR where storage is necessary to provide the logged-in service; Art. 6(1)(f) GDPR for security and abuse prevention.

To create and use an account, users provide an email address and password. Passwords are handled by Supabase Auth and are stored in hashed form, not as readable plain text. FCC Connect also stores account identifiers, user roles, consent records for the data protection notice and Code of Conduct, login-related session data, and password reset requests where users request manual support.

Purpose: Creating and managing accounts, authenticating users, enforcing access rights, recording required acknowledgements, and supporting password reset workflows.

Legal basis: Art. 6(1)(b) GDPR - processing necessary to provide FCC Connect under the applicable terms; Art. 6(1)(f) GDPR for platform security and administration.

Retention: Account data is retained for as long as the account remains active and then deleted or anonymised when it is no longer required, subject to legal retention duties and security documentation needs.

FCC Connect stores member profile information entered by users or administrators, including name, organisation, role or position, location, email address, alternative email address, phone number, LinkedIn URL, expertise tags, additional expertise, availability or support types, account status, account kind, and optional profile picture.

Active member profiles are visible within FCC Connect so other authorised users can find expertise and identify potential collaborators. External profiles may be reviewed by administrators before full access is granted.

Purpose: Building a member directory, enabling collaboration, supporting matchmaking, reviewing external profiles, and administering the FCC network.

Legal basis: Art. 6(1)(b) GDPR for profile data needed to provide FCC Connect; Art. 6(1)(a) GDPR for optional profile information such as alternative contact details, LinkedIn URL, and profile picture; Art. 6(1)(f) GDPR for moderation and network integrity.

Users may create and manage initiatives. Initiative data may include title, summary, description, stage, status, kind, needs, expertise tags, owner information, moderation notes, documents, likes, expressions of interest, invitations, collaborators, and activity records.

Initiative owners and authorised managers can review interested members, invite members to collaborate, add or remove collaborators, upload documents, and manage initiative details. Collaborators and other authorised users may see information needed to support collaboration.

Purpose: Developing initiatives, matching expertise to needs, documenting collaboration, and coordinating teams.

Legal basis: Art. 6(1)(b) GDPR where these features form part of the platform service; Art. 6(1)(f) GDPR for moderation, auditability, and protecting legitimate FCC collaboration processes.

FCC Connect compares expertise information on member profiles with expertise needs on initiatives. The platform may show matching initiatives or members, pending invitations, accepted or declined invitations, collaborator changes, unread notifications, and activity log entries.

Notifications may include a title, message, event or initiative reference, actor profile reference, read status, and timestamps. Activity logs may record platform actions such as initiative creation, document uploads, invitation handling, and collaboration changes.

Purpose: Enabling relevant matches, informing users about collaboration activity, and maintaining a clear operational history.

Legal basis: Art. 6(1)(b) GDPR for providing the platform; Art. 6(1)(f) GDPR for accountability, security, and platform administration.

FCC Connect may provide event pages and registration workflows. Event registrations may include event reference, user reference, attendee name, attendee email, registration status, responses to event-specific registration fields, timestamps, and internal administrative notes.

Event managers and administrators may access registration data where necessary to organise and administer events.

Purpose: Publishing events, managing registrations, communicating with attendees, and administering event participation.

Legal basis: Art. 6(1)(b) GDPR where registration is requested by the user; Art. 6(1)(f) GDPR for event organisation, attendance management, and security.

If you submit feedback, request a password reset, or contact FCC by email, we process the information you provide, such as email address, category, message content, notes, status, timestamps, and administrator responses.

Purpose: Responding to requests, improving FCC Connect, resolving technical or account issues, and documenting support activity.

Legal basis: Art. 6(1)(f) GDPR - legitimate interest in responding to correspondence, supporting users, and improving the platform; Art. 6(1)(b) GDPR where the request relates to use of FCC Connect.

Retention: Feedback and support records are retained as long as needed for follow-up, quality improvement, security, or legal documentation.

FCC Connect includes users from FCC and Partner Organisations. Staff of FCC and registered representatives or members of Partner Organisations may view profile information that is visible within FCC Connect, including names, organisations, roles, expertise, availability, and contact details such as email addresses where these are part of a user's profile or required for collaboration.

This access is provided within FCC Connect for the purpose of identifying relevant expertise, building initiative teams, coordinating collaboration, contacting users about FCC Connect activities, and communicating about initiatives, events, invitations, feedback, administration, or other platform-related matters. It is not intended as an unrestricted public disclosure of data outside the platform.

Email addresses may be used by FCC and, where relevant for collaboration, by authorised Partner Organisation users to contact users about FCC Connect, initiatives, events, member matching, collaboration requests, administrative notices, or related FCC network activities. Users should not use contact details obtained through FCC Connect for unrelated private, commercial, recruiting, or competitive purposes.

FCC does not sell personal data. External sharing outside FCC Connect takes place only where necessary for platform operation, user-requested communication, legal obligations, or with the user's separate consent.

Legal basis: Art. 6(1)(b) GDPR where visibility and communication are necessary to provide FCC Connect; Art. 6(1)(f) GDPR for FCC's legitimate interest in enabling collaboration across FCC and Partner Organisations.

FCC Connect is a web application hosted on Vercel. Vercel processes data needed to serve the application, route requests, run server-side API routes, deploy the application, and maintain technical logs. Vercel acts as a technical service provider where it processes personal data on FCC's behalf. Vercel's current data processing terms and subprocessor information are available from Vercel.

FCC Connect uses Supabase for authentication, database storage, file storage, and server-side data access. Structured platform data is stored in a Supabase PostgreSQL database. Uploaded profile pictures and documents are stored in Supabase Storage buckets. Member avatars are public where displayed as profile images; member documents and initiative documents are stored in non-public buckets and are access controlled for authenticated users according to the platform's permission model.

Supabase provides security controls such as authentication, database access policies, Row Level Security, and storage access policies. FCC configures these controls for FCC Connect. Supabase states in its documentation that hosted projects are deployed in the region selected by the customer and that data remains in that chosen region unless the customer configures additional regions. Supabase's current data processing terms, security information, and subprocessor information are available from Supabase.

FCC Connect uses Resend for transactional email delivery, including email address confirmation, password reset emails, and other platform-related notifications. Resend processes recipient email addresses, message content, delivery metadata, and related technical data for the purpose of delivering these emails on FCC's behalf.

FCC does not sell personal data. Technical service providers process data only for the operation of FCC Connect and, where required, under data processing agreements under Art. 28 GDPR.

FCC Connect is not intended as an unrestricted public directory. Access to most platform areas requires login. Some approved profile and initiative information may be visible to authenticated users for the purpose of finding expertise and collaboration opportunities. Public landing page statistics may show aggregated counts only.

Administrative users may access profiles, initiatives, feedback, events, password reset requests, roles, notifications, and other platform data where needed to operate, moderate, repair, or secure FCC Connect. Administrators may use impersonation tools for support and quality assurance; password changes remain disabled while impersonating.

FCC retains personal data only for as long as necessary for the purposes described in this policy. Upon account closure, account and profile data will be deleted or anonymised within a reasonable period unless retention is required for legal obligations, security, dispute resolution, legitimate platform records, or preserving the context of collaboration history.

Documents, profile pictures, event registrations, feedback records, notifications, initiative records, collaboration records, and activity logs are deleted or anonymised when no longer required. Backup archives may retain deleted data for a limited technical overwrite period.

Under the GDPR you have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), objection to processing based on legitimate interests (Art. 21), withdrawal of consent (Art. 7(3)), and the right to lodge a complaint with a supervisory authority (Art. 77).

To exercise your rights, contact datenschutz@frankfurtconservation.org. We will respond within one month, extendable by a further two months for complex requests where permitted by law.

FCC uses appropriate technical and organisational measures to protect personal data against unauthorised access, misuse, loss, alteration, or disclosure. These measures include authenticated access, role-based permissions, Supabase Row Level Security and storage policies, backend handling of service-role operations, environment-variable protection for secrets, encrypted transport via HTTPS, and administrative access controls.

Users are responsible for using strong passwords, keeping login credentials confidential, and not uploading or sharing data that they are not authorised to disclose.

FCC may update this policy to reflect changes in FCC Connect, service providers, data processing activities, or applicable law. The current version is available on FCC Connect. Where material changes affect registered users, FCC may notify users through the platform or by email.

This policy was last updated in April 2026.

© 2026 Frankfurt Conservation Center gGmbH