HiPo Registry

Privacy Policy

Last updated: 4 March 2026

1. Controller (Data Controller)

Controller within the meaning of Art. 4(7) GDPR:

Nikolaos Kourgiantakis
Postfach 37 01 64
52035 Aachen
Germany

Email: [email protected]

If you have questions about data protection, you can contact us using the above contact details.

2. Scope and purpose of this website

This privacy policy applies to the website hipo-mustang.com (the "Website") and the services offered on it.

The Website operates an online registry for Ford High Performance Mustangs (model years 1965–1967). Registered users can create an account and submit vehicle data, technical information, and images.

Parts of the submitted registry content may be published and visible to the public (see Section 9).

3. Legal framework

We process personal data in compliance with:

  • the General Data Protection Regulation (GDPR), and
  • German rules on privacy in electronic communications and the storage/access of information on end-user devices (Germany's TDDDG, formerly TTDSG) where applicable.

4. Definitions and general principles

"Personal data" means any information relating to an identified or identifiable natural person (Art. 4(1) GDPR).

Some vehicle-related information (e.g., VIN, engine stampings, technical specifications) is not necessarily personal data by itself, but may become personal data if it is linked to an identifiable person (e.g., through an owner name, a precise vehicle location, or other identifying context).

We follow the principles of data minimisation, purpose limitation, integrity/confidentiality, and storage limitation (Art. 5 GDPR).

5. Legal bases for processing (Art. 6 GDPR)

We process personal data based on the following legal bases, depending on the context:

  • Art. 6(1)(b) GDPR (contract / pre-contractual steps): providing the registry service, user accounts, authentication, and core features.
  • Art. 6(1)(c) GDPR (legal obligation): tax, accounting, and compliance obligations (e.g., invoice and payment record retention).
  • Art. 6(1)(f) GDPR (legitimate interests): IT security, abuse prevention, service stability, and defending legal claims.
  • Art. 6(1)(a) GDPR (consent): where you actively choose optional publication of owner-related data or where consent is otherwise required (see Sections 9.3 and 16).

Where we rely on consent, you may withdraw it at any time with effect for the future (see Section 22).

6. Data processing when you visit the Website (no registration)

6.1 Server log files

When you access the Website, the browser automatically transmits data that is technically required to deliver the Website. This information may be processed in server log files, including:

  • IP address
  • Date and time of access
  • Requested URL / page
  • Referrer URL
  • Browser type/version and operating system
  • Status codes and transmitted data volume

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and reliable operation).

6.2 Hosting (RelAix Networks GmbH)

The Website is hosted by RelAix Networks GmbH, located in Aachen, Germany. Server location: Germany.

RelAix processes personal data as a processor on our behalf (Art. 28 GDPR), in particular for infrastructure and hosting-related processing.

Legal basis: Art. 6(1)(b) GDPR (service provision) and Art. 6(1)(f) GDPR (secure operation).

7. Content delivery and security services (Cloudflare)

We use Cloudflare as a reverse proxy and Content Delivery Network (CDN) and for security measures such as bot protection / CAPTCHA during registration.

Depending on your interaction with the Website, Cloudflare may process IP address, request and connection metadata, device/browser information, security-related signals, and in some cases cookies required for security features (see Section 16).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security, abuse prevention, and efficient delivery).

Because Cloudflare is a US provider, transfers to the USA cannot be ruled out (see Section 18). Cloudflare is certified under the EU–U.S. Data Privacy Framework and provides contractual safeguards (e.g., SCCs) for transfers as needed.

8. User accounts and registration

Use of the registry requires registration.

8.1 Mandatory registration data

When you create an account, we process your email address and password (stored in a secure hashed form; we do not store your password in plain text).

Legal basis: Art. 6(1)(b) GDPR.

8.2 Optional profile data

You may optionally provide: name, country of residence, external forum username.

Legal basis: Art. 6(1)(b) GDPR (service features), and Art. 6(1)(a) GDPR where the optional data is made public (see Section 9.3).

8.3 Email verification (double opt-in)

We use double opt-in to verify that the email address belongs to you. We process your email address, verification token/link data, time of verification, and (where technically necessary) IP address associated with the verification request.

Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.

9. Vehicle registry entries and user-generated content

9.1 Data you can submit

Registered users can create registry entries and may submit:

  • VIN (Vehicle Identification Number)
  • Engine stamps and other technical markings
  • Vehicle specifications and technical data
  • Photos of the vehicle, engine, or details
  • Vehicle location (as provided by the user)
  • Original documents (e.g., scanned documentation)

Do not upload documents that contain unnecessary personal data (e.g., private addresses, phone numbers).

Legal basis: Art. 6(1)(b) GDPR (providing the registry service).

9.2 Publicly visible content

Vehicle data (technical/specification information) and vehicle images may be publicly visible on the Website. Public pages may be indexed by search engines.

Even after deletion, cached copies may remain temporarily with third parties beyond our control.

Legal basis: Art. 6(1)(b) GDPR (publication as part of the registry service chosen by the user) and Art. 6(1)(f) GDPR (legitimate interest in providing an informative historical registry).

9.3 Optional public owner-identifying information (consent)

Owner name and forum username are not public by default and are only shown publicly if you actively choose to publish them (consent).

Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw your consent at any time by changing your settings or contacting us (see Section 22).

10. Image uploads and publication warning

Uploaded images are intended to show vehicles and technical details. Images should not contain identifiable persons.

Users are informed that uploaded images and certain registry content may be publicly visible. If you upload images that include personal data of third parties (e.g., faces, license plates), you must ensure you have a valid legal basis to do so.

We reserve the right to remove content that violates legal requirements or our rules.

Legal basis: Art. 6(1)(b) GDPR (service provision) and Art. 6(1)(f) GDPR (maintaining a lawful and safe platform).

11. Database and authentication infrastructure (Supabase)

We use Supabase for database and authentication services, including user accounts, authentication data, vehicle registry data, and optional profile data.

Data hosting location: EU (AWS eu-central region, as configured). Supabase acts as a processor (Art. 28 GDPR). We maintain a data processing agreement with Supabase, which incorporates Standard Contractual Clauses (SCCs) for relevant transfers.

Supabase states that customer data is encrypted in transit (TLS) and at rest and that it maintains security controls (e.g., SOC 2 Type 2).

Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.

12. File storage (S3-compatible storage at RelAix)

Uploaded files (e.g., images and documents) are stored in an S3-compatible storage environment provided by RelAix. Server location: Germany.

Legal basis: Art. 6(1)(b) GDPR.

13. Email delivery (system emails)

13.1 Authentication and transactional emails via Supabase

We send emails such as registration verification (double opt-in), password reset, and security-related account notifications via Supabase's email functionality.

Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.

13.2 Other system emails via Amazon SES

We send additional system emails via Amazon Simple Email Service (Amazon SES). Server region used: EU (eu-central), as configured.

AWS states it is certified under the EU–U.S. Data Privacy Framework. Transfers cannot be fully ruled out due to the nature of global service providers (see Section 18).

Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.

14. Contact form

If you use our contact form, we process name, email address, and message content.

Legal basis: Art. 6(1)(b) GDPR (if related to the registry service) or Art. 6(1)(f) GDPR (general inquiries).

15. Payments (Stripe)

We use Stripe as payment service provider for paid digital services (if/where offered on the Website).

When you make a payment, Stripe processes payment details (e.g., card data), transaction data, billing/contact data, and technical data (IP address, device/browser information).

We generally do not receive your full payment instrument data (e.g., full card number). We receive confirmation data (e.g., payment status, transaction reference) and store only what is necessary for billing and tax compliance.

Stripe is certified under the EU–U.S. Data Privacy Framework for relevant transfers.

Legal basis: Art. 6(1)(b) GDPR (contract and payment processing) and Art. 6(1)(c) GDPR (legal obligations, e.g., accounting/tax).

16. Cookies and similar technologies

16.1 No analytics / marketing cookies

We do not use analytics services, marketing trackers, affiliate tracking, or advertising technologies on the Website.

16.2 Technically necessary cookies

We use only technically necessary cookies and similar technologies required to operate the Website and provide core functions, such as login/session cookies and security cookies related to bot protection / CAPTCHA (Cloudflare).

You can generally configure your browser to block cookies. However, blocking necessary cookies may prevent login and core registry functions.

Legal basis: Art. 6(1)(b) GDPR and/or Art. 6(1)(f) GDPR. Strictly necessary cookies typically do not require consent under Germany's TDDDG.

17. Recipients and categories of recipients

We share personal data only where necessary:

Processors (Art. 28 GDPR)

  • RelAix Networks GmbH (hosting and storage, Germany)
  • Supabase (database/authentication, EU hosting configured)
  • Cloudflare (CDN/security)
  • Amazon SES / AWS (system email delivery)

Independent controllers

  • Stripe (payment processing)

Authorities / third parties

Where required by law, court order, or to assert/defend legal claims (Art. 6(1)(c) and/or Art. 6(1)(f) GDPR).

18. International data transfers (third countries)

Some service providers (especially Cloudflare, Stripe, and Amazon/AWS) are headquartered in the United States. Even when EU regions are selected, access from third countries or support/administration processing cannot be fully ruled out.

Where personal data is transferred to third countries, we apply Chapter V GDPR. In particular:

  1. Adequacy decisions (Art. 45 GDPR): The European Commission adopted an adequacy decision for the EU–U.S. Data Privacy Framework (DPF) in July 2023.
  2. Standard Contractual Clauses (Art. 46 GDPR): Where the recipient is not covered by an adequacy decision, we rely on the European Commission's SCCs.
  3. Transfer assessments (Schrems II): Following the Schrems II case (C-311/18), transfers based on SCCs require an assessment of the third-country legal environment and, where needed, supplementary measures.

19. Storage periods and deletion

We store personal data only as long as necessary for the purposes stated in this privacy policy, and we delete or anonymise it thereafter unless legal retention obligations apply.

  • Account data: stored for as long as your account exists.
  • Registry content: stored until you delete it, delete your account, or request deletion.
  • Support/contact inquiries: typically deleted after completion, unless retention is needed for evidence or follow-up.
  • Billing/tax records: retained for statutory retention periods under German law (generally 6, 8, or 10 years depending on document type).

20. Account deletion by users

You can delete your account yourself.

Upon account deletion, we delete or anonymise personal data associated with your account, unless retention is required by law or is necessary to establish, exercise, or defend legal claims.

If your registry entries contain optional owner-identifying information (name/forum username), this will be removed/hidden when you withdraw consent or delete your account.

Vehicle-related technical content may remain as part of the historical registry unless you delete the entry or request removal, insofar as no overriding reasons require retention.

21. Security measures

We implement appropriate technical and organisational measures (Art. 32 GDPR), including:

  • TLS encryption for data transmission
  • Access controls and least-privilege concepts
  • Backup and recovery processes
  • Security measures against automated abuse (bot protection / CAPTCHA)
  • Processor agreements (Art. 28 GDPR) with relevant service providers

22. Your rights (data subject rights)

If the GDPR applies to you, you have the following rights, subject to the statutory requirements:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR)
  • Right to withdraw consent at any time where processing is based on consent (Art. 7(3) GDPR)

To exercise your rights, contact us using the details in Section 1.

23. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR), in particular in the EU Member State of your habitual residence, your place of work, or the place of the alleged infringement.

The competent supervisory authority for this website is:

Landesbeauftragte für Datenschutz und Informationsfreiheit
Nordrhein-Westfalen (LDI NRW)
Kavalleriestr. 2–4
40213 Düsseldorf
www.ldi.nrw.de

24. Obligation to provide data

You are not legally required to provide personal data. However, without the mandatory registration data (email, password), we cannot provide an account and the registry submission features.

Without payment data, paid services cannot be processed.

25. Automated decision-making / profiling

We do not use automated decision-making, including profiling, within the meaning of Art. 22 GDPR.

26. Changes to this privacy policy

We may update this privacy policy to reflect legal, technical, or operational changes. The current version is published on hipo-mustang.com.