HiPo Registry
Privacy Policy
Last updated: 10 May 2026
1. Controller (Data Controller)
Controller within the meaning of Art. 4(7) GDPR:
Nikolaos Kourgiantakis
Postfach 37 01 64
52035 Aachen
Germany
Email: [email protected]
If you have questions about data protection, you can contact us using the above contact details. Appointment of a data protection officer is not required under Section 38 BDSG.
2. Scope and purpose of this website
This privacy policy applies to the website hipo-registry.com (the "Website") and the services offered on it by HiPo Registry.
The Website operates an online registry for Ford High Performance Mustangs (model years 1965–1967). Registered users can create an account, submit vehicle data, technical information, and images, and purchase a paid membership (Silver, Gold).
Parts of the submitted registry content may be published and visible to the public (see Section 9).
3. Legal framework
We process personal data in compliance with:
- the General Data Protection Regulation (GDPR),
- the German Federal Data Protection Act (BDSG), and
- German rules on privacy in electronic communications and the storage/access of information on end-user devices (Germany's TDDDG, formerly TTDSG) where applicable.
4. Definitions and general principles
"Personal data" means any information relating to an identified or identifiable natural person (Art. 4(1) GDPR).
Some vehicle-related information (e.g., VIN, engine stampings, technical specifications) is not necessarily personal data by itself, but may become personal data if it is linked to an identifiable person (e.g., through an owner name, a precise vehicle location, or other identifying context).
We follow the principles of data minimisation, purpose limitation, integrity/confidentiality, and storage limitation (Art. 5 GDPR).
5. Legal bases for processing (Art. 6 GDPR)
We process personal data based on the following legal bases, depending on the context:
- Art. 6(1)(b) GDPR (contract / pre-contractual steps): providing the registry service, user accounts, authentication, membership, and core features.
- Art. 6(1)(c) GDPR (legal obligation): tax, accounting, and compliance obligations (e.g., invoice and payment record retention, duties arising from the Digital Services Act).
- Art. 6(1)(f) GDPR (legitimate interests): IT security, abuse prevention, error/stability analysis, defending legal claims, and providing an informative historical vehicle registry.
- Art. 6(1)(a) GDPR (consent): where you actively choose optional publication of owner-related data or where consent is otherwise required (see Sections 9.3 and 17).
Where we rely on consent, you may withdraw it at any time with effect for the future (see Section 24).
Note on the right to object (Art. 21 GDPR): You have the right, on grounds relating to your particular situation, to object at any time to processing of your data based on Art. 6(1)(f) GDPR.
6. Data processing when you visit the Website (no registration)
6.1 Server log files
When you access the Website, the browser automatically transmits data that is technically required to deliver the Website. This information may be processed in server log files, including:
- IP address
- date and time of access
- requested URL / page
- referrer URL
- browser type/version and operating system
- status codes and transmitted data volume
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and reliable operation).
6.2 Hosting (RelAix Networks GmbH)
The Website is hosted by RelAix Networks GmbH, located in Aachen, Germany. Server location: Germany.
RelAix processes personal data as a processor on our behalf (Art. 28 GDPR).
Legal basis: Art. 6(1)(b) GDPR (service provision) and Art. 6(1)(f) GDPR (secure operation).
7. Content delivery, security services and bot protection (Cloudflare)
We use services of Cloudflare, Inc. as reverse proxy and Content Delivery Network (CDN), and for security measures including the Cloudflare Turnstile bot protection on the sign-in, sign-up, and contact form pages.
Depending on your interaction with the Website, Cloudflare may process: IP address, request and connection metadata, device/browser information, security-relevant signals (e.g., behavioural heuristics for bot detection), and strictly necessary cookies/local storage (see Section 17).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security, abuse prevention, and efficient delivery); Section 25(2)(2) TDDDG for strictly necessary security storage on end-user devices.
Because Cloudflare is a US provider, transfers to the USA cannot be ruled out (see Section 20). Cloudflare is certified under the EU–U.S. Data Privacy Framework and provides additional contractual safeguards (Standard Contractual Clauses) for transfers. We have entered into a data processing agreement with Cloudflare.
8. User accounts and registration
Use of the registry requires registration.
8.1 Mandatory registration data
When you create an account, we process your email address and password (stored in a secure hashed form; we do not store your password in plain text).
Legal basis: Art. 6(1)(b) GDPR.
8.2 Optional profile data
You may optionally provide:
- name
- country of residence
- phone number
- short biography
- external forum username
- display option: show name in registry (default: enabled)
Legal basis: Art. 6(1)(b) GDPR (service features), and Art. 6(1)(a) GDPR where the optional data is made public (see Section 9.3).
8.3 Email verification (double opt-in)
We use double opt-in to verify that the email address belongs to you. We process your email address, verification token/link data, time of verification, and (where technically necessary) the IP address associated with the verification request.
Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.
8.4 Login activity (lastLoginAt)
To detect dormant accounts and prevent abuse, we store the timestamp of your most recent login (lastLoginAt). First and occasional login events are additionally recorded in our internal audit log (see Section 15). This information is visible only to administrators.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security, abuse prevention, and clean-up of orphaned accounts).
9. Vehicle registry entries and user-generated content
9.1 Data you can submit
Registered users can create registry entries and may submit:
- VIN (Vehicle Identification Number)
- engine and transmission stamps and other technical markings
- vehicle specifications, provenance, and technical data
- photos of the vehicle, engine, or details
- vehicle location (as provided by the user)
- original documents (e.g., scanned title, build sheet)
Do not upload documents that contain unnecessary personal data (e.g., private addresses, phone numbers, dates of birth).
Legal basis: Art. 6(1)(b) GDPR (providing the registry service).
9.2 Visibility tiers (3-tier)
What is shown depends on the viewer's status. Hidden content is never silently dropped, but is always indicated by clear hints with options to unlock.
- Tier 1 (anonymous / no own vehicle): basic technical data, masked VIN, a selection of photos.
- Tier 2 (registered with active vehicle): additionally full VIN and location information.
- Tier 3 (active membership): additionally search across the entire registry, all photos, owner info (where consented), specifications, provenance, and verification evidence.
Public pages may be indexed by search engines. Even after deletion, cached copies may remain temporarily with third parties beyond our control.
Legal basis: Art. 6(1)(b) GDPR (publication as part of the registry service chosen by the user) and Art. 6(1)(f) GDPR (legitimate interest in providing an informative historical registry).
9.3 Optional public owner-identifying information (consent)
Owner name, forum username, and country of residence are only shown publicly or to members if you actively choose/consent.
Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw your consent at any time by changing your profile settings or contacting us (see Section 24).
9.4 Private messages
Active members can send private messages to other owners within the registry. We store the message content, the participants, and read/notification status in order to deliver the conversation, and we may send the recipient an email notification of a new message. Messages are visible only to the two participants; administrators can see a message only if one of the participants reports it. Your messages are erased when you delete your account.
Legal basis: Art. 6(1)(b) GDPR (operating the messaging function you choose to use) and Art. 6(1)(f) GDPR (legitimate interest in a safe platform, e.g. handling abuse reports).
10. Image uploads and publication warning
Uploaded images are intended to show vehicles and technical details. Images should not contain identifiable persons.
Users are informed that uploaded images and certain registry content may be publicly visible. If you upload images that include personal data of third parties (e.g., faces, license plates), you must ensure you have a valid legal basis to do so.
We reserve the right to remove content that violates legal requirements or our rules.
Legal basis: Art. 6(1)(b) GDPR (service provision) and Art. 6(1)(f) GDPR (maintaining a lawful and safe platform).
11. Database and authentication infrastructure (Supabase)
We use Supabase (Supabase, Inc.) for database and authentication services, including user accounts, authentication data, vehicle registry data, and optional profile data.
Data hosting location: EU (AWS Frankfurt region, eu-central-1, as configured). Supabase acts as a processor (Art. 28 GDPR). We maintain a data processing agreement (DPA) with Supabase, which incorporates Standard Contractual Clauses (SCCs) for relevant transfers.
Supabase states that customer data is encrypted in transit (TLS) and at rest and that it maintains security controls (e.g., SOC 2 Type 2).
Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.
12. File storage (S3-compatible storage at RelAix)
Uploaded files (images and documents) are stored in an S3-compatible storage environment provided by RelAix Networks GmbH. Server location: Germany. Objects are stored privately; access is exclusively server-side via our authenticated photo proxy.
Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.
13. Email delivery (system emails)
13.1 Authentication and security emails via Supabase
We send emails such as registration verification (double opt-in), password reset, and security-related account notifications via Supabase's email functionality.
Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.
13.2 Transactional and membership emails via Amazon SES
Other system emails (e.g., membership confirmations, cancellation and expiry notifications, vehicle status emails, edit requests, admin messages) are sent via Amazon Simple Email Service (Amazon Web Services EMEA SARL). Region used: EU (eu-central-1, Frankfurt).
AWS states it is certified under the EU–U.S. Data Privacy Framework and uses Standard Contractual Clauses for relevant transfers. Transfers cannot be fully ruled out due to global support/admin structures (see Section 20).
Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.
14. Contact form
If you use our contact form, we process name, email address, message content, and the data required for spam/bot prevention (Cloudflare Turnstile, see Section 7).
Legal basis: Art. 6(1)(b) GDPR (if related to the registry service) or Art. 6(1)(f) GDPR (general inquiries).
15. Audit log, K-Numbers and membership data
15.1 Audit log
We maintain an internal audit log of security- and privacy-relevant events (e.g., logins, vehicle approvals/rejections, profile changes, membership transitions, content edits). Stored in particular: action type, actor ID, timestamp, old/new values (for data edits), and metadata where applicable.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in traceability, security and abuse prevention) and Art. 6(1)(c) GDPR (accountability under Art. 5(2) GDPR).
15.2 K-Number assignment and reservation
Approved vehicles are assigned a sequential K-Number (e.g. K-0028). Gold members may reserve free K-Numbers; a reservation stores user ID, the chosen number, and a timestamp.
Legal basis: Art. 6(1)(b) GDPR.
16. Payments and membership processing (Stripe)
We use Stripe Payments Europe, Limited (Ireland) and its affiliates (collectively "Stripe") as payment service provider for paid memberships (Silver/Gold).
When you make a payment, Stripe processes payment details (e.g., card data or bank account), transaction data, billing/contact data, tax information, and technical data (IP address, device/browser information). We generally do not receive your full payment instrument data (e.g., the full card number); we receive confirmation and subscription data (payment status, transaction reference, billing periods, cancellation dates, end of the minimum contract term (MVLZ)), and store only what is necessary for contract execution and tax/accounting compliance.
Stripe sends payment-related emails (e.g., receipts, failed payments, 3-D Secure prompts) directly to you on our behalf.
Stripe partly processes data as an independent controller (e.g., for fraud prevention and regulatory compliance). Stripe is certified under the EU–U.S. Data Privacy Framework; where required, Standard Contractual Clauses additionally apply. More information: stripe.com/privacy.
Legal basis: Art. 6(1)(b) GDPR (contract and payment processing) and Art. 6(1)(c) GDPR (legal obligations, e.g., accounting/tax, anti-money-laundering).
17. Cookies and similar technologies
17.1 No analytics / marketing cookies
We do not use analytics services, marketing trackers, affiliate tracking, or advertising technologies on the Website. No social-media plugins are used either.
17.2 Strictly necessary cookies and storage
We use only technically necessary cookies and similar technologies required to operate the Website and provide core functions:
- session/login cookies (Supabase authentication)
- security / bot protection cookies (Cloudflare, Cloudflare Turnstile)
- language and tab selection on the legal pages (local storage)
You can generally configure your browser to block cookies. However, blocking necessary cookies may prevent login and core registry functions.
Legal basis: Section 25(2)(2) TDDDG (strictly necessary for the telemedia service expressly requested by the user) and Art. 6(1)(b)/(f) GDPR. Consent is not required for these storage operations under applicable law.
18. Error and performance monitoring (Sentry)
To detect and fix technical errors, we use Sentry (Functional Software, Inc., dba Sentry, San Francisco, USA). Sentry processes only error and performance telemetry:
- error messages and stack traces
- browser/device/OS information (user agent)
- routes/URL accessed on the Website
- technical performance metrics (sampled at 10% in production)
Data minimisation: We have disabled sendDefaultPii — IP addresses and request headers are not sent to Sentry. Before sending, VINs (17-character vehicle identification numbers) and email addresses are additionally replaced with placeholders server-side. Session Replay is not used.
Sentry acts as a processor (Art. 28 GDPR); we have entered into a DPA with Sentry which incorporates Standard Contractual Clauses. Sentry is certified under the EU–U.S. Data Privacy Framework.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in stability, debugging, and security of the Service).
19. Recipients and categories of recipients
We share personal data only where necessary:
Processors (Art. 28 GDPR)
- RelAix Networks GmbH (hosting and storage, Germany)
- Supabase, Inc. (database/authentication, EU hosting configured)
- Cloudflare, Inc. (CDN, security, Turnstile bot protection)
- Amazon Web Services EMEA SARL (Amazon SES, EU region)
- Functional Software, Inc. dba Sentry (error/performance monitoring)
Independent controllers
- Stripe Payments Europe, Limited (payment processing, fraud prevention)
Authorities / third parties
Where required by law, court order, or to assert/defend legal claims (Art. 6(1)(c) and/or Art. 6(1)(f) GDPR).
20. International data transfers (third countries)
Some service providers (especially Cloudflare, Stripe, Amazon/AWS, and Sentry) are headquartered in the United States or process there. Even when EU regions are selected, access from third countries or support/administration processing cannot be fully ruled out.
Where personal data is transferred to third countries, we apply Chapter V GDPR. In particular:
- Adequacy decision EU-U.S. DPF (Art. 45 GDPR): The European Commission adopted an adequacy decision for the EU–U.S. Data Privacy Framework (DPF) in July 2023. Note: in January 2025, the new US administration announced a review of the underlying executive orders; the DPF may also be challenged before the CJEU. We monitor developments on an ongoing basis.
- Standard Contractual Clauses (Art. 46 GDPR): Where the recipient is not covered by an adequacy decision or where additional safeguards are advisable, we additionally rely on the European Commission's SCCs.
- Transfer impact assessment (Schrems II): Following the Schrems II case (C-311/18), we have assessed the legal environment in the relevant third countries and, where necessary, implemented supplementary technical and organisational measures (e.g., encryption, data minimisation, PII scrubbing).
21. Storage periods and deletion
We store personal data only as long as necessary for the purposes stated in this privacy policy, and we delete or anonymise it thereafter unless legal retention obligations apply.
- Account data: stored for as long as your account exists.
- Registry content: stored until you delete it, delete your account, or request deletion.
- Membership and billing data: Stripe customer data is deleted when the account/membership ends (Stripe customer object deletion under Art. 17 GDPR); invoice/tax records are retained as required by law (see below).
- Audit log: retained for evidentiary and security reasons typically up to 36 months; longer statutory retention applies where linked to membership/tax data.
- Server log files: typically retained for up to 14 days unless security incidents require longer retention.
- Sentry telemetry: automatically deleted in accordance with Sentry's standard retention periods (typically 90 days).
- Support/contact inquiries: typically deleted after completion, unless retention is needed for evidence or follow-up.
- Billing/tax records: retained for statutory retention periods under German law (typically 8 or 10 years under Section 257 HGB / Section 147 AO; for consumer invoices since 2025 typically 8 years).
22. Account deletion by users
You can delete your account yourself in the logged-in area.
Upon account deletion, we delete or anonymise personal data associated with your account, unless retention is required by law or is necessary to establish, exercise, or defend legal claims. An active membership is automatically terminated (see Terms of Service Section 15.4).
If your registry entries contain optional owner-identifying information (name/forum username/country of residence), this will be removed/hidden when you withdraw consent or delete your account.
Vehicle-related technical content may remain in anonymised form as part of the historical registry, unless you delete the entry or request removal, insofar as no overriding reasons require retention.
23. Security measures
We implement appropriate technical and organisational measures (Art. 32 GDPR), including:
- TLS encryption for data transmission
- password hashing, access controls, and least-privilege concepts
- private storage of uploaded files behind an authenticated proxy
- backup and recovery processes
- security measures against automated abuse (Cloudflare, Turnstile, rate limiting)
- PII scrubbing in error telemetry (see Section 18)
- processor agreements (Art. 28 GDPR) with relevant service providers
24. Your rights (data subject rights)
If the GDPR applies to you, you have the following rights, subject to the statutory requirements:
- right of access (Art. 15 GDPR)
- right to rectification (Art. 16 GDPR)
- right to erasure (Art. 17 GDPR)
- right to restriction of processing (Art. 18 GDPR)
- right to data portability (Art. 20 GDPR)
- right to object (Art. 21 GDPR) — you have the right, on grounds relating to your particular situation, to object at any time to processing based on Art. 6(1)(f) GDPR
- right to withdraw consent at any time where processing is based on consent (Art. 7(3) GDPR)
To exercise your rights, contact us using the details in Section 1.
25. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR), in particular in the EU Member State of your habitual residence, your place of work, or the place of the alleged infringement.
The competent supervisory authority for this Website is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestr. 2–4
40213 Düsseldorf
www.ldi.nrw.de
26. Obligation to provide data
You are not legally required to provide personal data. However, without the mandatory registration data (email, password), we cannot provide an account and the registry submission features. Without payment data, paid memberships cannot be processed.
27. Automated decision-making / profiling
We do not use automated decision-making, including profiling, within the meaning of Art. 22 GDPR. Stripe may apply risk scoring as part of fraud prevention; this does not constitute solely automated decision-making with legal effect on you.
28. AI use
We do not use generative AI systems on the Website that process your personal data. AI systems may be used in internal development and review tooling; no personal registry content is sent to those providers.
29. Changes to this privacy policy
We may update this privacy policy to reflect legal, technical, or operational changes. The current version is published on hipo-registry.com. For material changes affecting paid memberships, we will additionally notify you by email.