Privacy Policy

BrickContests.com

Last updated: 30 May 2026
Effective: 30 May 2026
Version: v1.0

This Privacy Policy explains what personal data BrickContests.com (the “Service”) collects, why, on what legal basis, with whom we share it, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). The Service is a privately operated, non-commercial community project.

1. Controller

The data controller responsible for the processing described here is:

Daniel Bodky
c/o NETWAYS GmbH
Deutschherrnstraße 15-19, 90429 Nürnberg
Germany
Contact: contact@brickcontests.com

There is no statutory obligation to appoint a Data Protection Officer for this Service, and none has been appointed. You can reach the controller directly with any privacy question at the address above.

2. Summary at a glance

  • We collect only what we need to run the Service.
  • We do not use third-party analytics, advertising, or tracking cookies.
  • We do not sell your data, and we do not share your email address with other users.
  • Our infrastructure is hosted in the EU (Hetzner, Germany). Transactional email is sent through Resend (USA) under appropriate safeguards.
  • You can access, correct, export, or delete your data at any time.

3. What data we process, why, and on what legal basis

3.1 Account data (required)

When you register, we collect and store:

  • your email address (used for sign-up confirmation, account recovery, security notices, and service-essential notifications),
  • a username (publicly visible),
  • your password (stored only as a salted cryptographic hash).

Purpose: creating and maintaining your account, authenticating you, and communicating about the Service.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract represented by our Terms of Service.

3.2 Profile data (optional)

You may voluntarily add:

  • first and/or last name,
  • country,
  • biography,
  • avatar image,
  • links to other social profiles or a website.

Purpose: letting you present yourself to other members of the community.
Legal basis: Art. 6(1)(a) GDPR — your consent, given by entering the information. You can remove this data at any time from your profile settings.

3.3 Contest content

When you submit to a contest or organize one, we process:

  • the images you upload,
  • titles, descriptions, captions, and other text you provide,
  • contest metadata you create as an organizer (categories, criteria, thumbnails, example images),
  • the link between submissions and the user who submitted them,
  • comments you post on submissions, including the link between a comment and the user who wrote it.

Purpose: displaying the contest and its entries to other users, enabling judging and discussion.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract; for any element that goes beyond what is strictly required to run a contest, Art. 6(1)(a) GDPR — your consent.

3.4 Server logs and security data

Our servers automatically record:

  • IP address,
  • request timestamp, URL, HTTP method, status code, user-agent.

Purpose: keeping the Service running, diagnosing errors, and detecting and mitigating abuse (brute-force attempts, spam, scraping, denial-of-service).
Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in operating a secure, functioning service, balanced against your interest in minimal logging.

3.5 Email confirmation and notifications

When we need to send you an email (sign-up confirmation, password reset, security notice, account-related communication), we transmit the relevant message and your email address to our email-sending provider.

Legal basis: Art. 6(1)(b) GDPR (contract performance) for transactional mail; Art. 6(1)(a) GDPR (consent) for any optional notifications you can opt into.

3.6 Reactions

When you react to a submission, we store a record linking your account to the submission and the reaction type.

Purpose: letting users express engagement with submissions. The record is used solely to calculate and display aggregate counts; individual reactions are never attributed to you publicly — other users and visitors see only totals, not who reacted.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract.
On account deletion: your reaction records are deleted automatically.

3.7 Donations and optional public acknowledgement

Donations are handled by Buy Me a Coffee on their own platform. We do not collect or process payment data on the Service. If you choose to donate, the donation platform’s privacy policy applies to that interaction. We display aggregate donation totals, anonymised donations, and a transparent breakdown of running costs on the Service; these figures contain no personal data.
If, when donating, you separately and explicitly opt in, we additionally publish your chosen display name and donation amount as an individual entry on the public donation page. We do not publish your email address, your payment details, or any other information about you.

Purpose: transparency about how the Service is funded and acknowledgement of contributors who wish to be named.
Legal basis: Art. 6(1)(a) GDPR — your consent.
Retention: the public entry remains on the donation page until you withdraw your consent. You can withdraw at any time, with no need to give a reason, by writing to contact@brickcontests.com. Withdrawal does not affect the lawfulness of the processing before withdrawal and does not affect the aggregate totals.

4. Cookies and similar technologies

We currently use only strictly necessary cookies and local storage, set by the underlying technologies we rely on. These are required to keep you logged in and to protect the Service against common attacks. Under § 25(2) TDDDG and the relevant EU guidance, strictly necessary cookies and storage do not require consent, and we do not display a cookie banner.

We do not use third-party analytics, advertising, social-media tracking, or fingerprinting.

5. Recipients and processors

We share personal data only with the following processors, each engaged under a data-processing agreement as required by Art. 28 GDPR:

Provider | Role | Location
Hetzner Online GmbH | Server hosting, networking, encrypted backups (self-hosted Supabase runs on Hetzner infrastructure) | Germany / EU
Resend | Transactional email delivery | United States

We do not sell or rent personal data, and we do not transfer it to anyone else except where legally required (for example, in response to a binding order from a competent authority).

Transfers outside the EU/EEA

Resend is based in the United States. When we send you an email, your email address and the contents of the message are transferred to Resend in the United States.
Resend is certified under the EU–US Data Privacy Framework, so the transfer is covered by the European Commission's adequacy decision of 10 July 2023 under Art. 45 GDPR. As an additional safeguard, our data-processing agreement with Resend incorporates the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2 — Controller to Processor) under Art. 46(2)(c) GDPR, together with supplementary measures regarding access requests from public authorities.
Resend engages sub-processors to deliver the service; the current list is published at https://resend.com/legal/subprocessors. You can request a copy of the safeguards by emailing contact@brickcontests.com.

6. Visibility of your data to other users

  • Your username, avatar, biography, country, social profile links, and any contest submissions are visible to other users and visitors of the Service.
  • Your email address is never shown to other users or to contest organizers.
  • Your first and last name are visible to other users if you provided them during sign-up or in your profile.
  • Comments you post on submissions, along with your username as the author, are visible to other users and visitors.
  • Individual reactions are never attributed to you publicly — other users and visitors see only aggregate counts, not who reacted.

If a contest involves a prize, the Contest Administrator is responsible for collecting any shipping address directly from the winner — we do not transmit user addresses on their behalf.

7. Retention

We retain personal data only as long as we need it:

  • Account and profile data: for as long as your account exists. When you delete your account, this data is deleted from active systems automatically.
  • Contest submissions (images and their descriptions): retained as part of the contests they belong to even after you delete your account, in order to preserve the integrity of completed contests. The submitter attribution is removed so the images can no longer be linked to your identity. If you object to this, delete submissions manually before deleting your account.
  • Comments and reactions: deleted automatically when you delete your account.
  • Server logs: retained for 90 days, then deleted automatically.
  • Encrypted backups: kept on a rolling basis for 7 days, then overwritten. Data deleted in production may persist in backups until the rolling window expires.
  • Email-sending records held by Resend: Resend retains email-sending records for up to 90 days after termination of our agreement with them, in line with their DPA.

We may retain specific data longer where mandatory legal retention obligations apply (for example, tax-related records for donations), in which case the data is restricted to that purpose.

8. Your rights

Under the GDPR you have the right to:

  • access your personal data (Art. 15),
  • rectify inaccurate or incomplete data (Art. 16),
  • request erasure of your data (Art. 17), subject to the retention exceptions above,
  • request restriction of processing (Art. 18),
  • receive your data in a portable format (Art. 20),
  • object to processing based on legitimate interests (Art. 21),
  • withdraw consent at any time for processing based on consent, without affecting the lawfulness of processing before withdrawal (Art. 7(3)).

To exercise any of these rights, write to contact@brickcontests.com. We will respond within one month (extendable by two further months for complex requests, as permitted by Art. 12(3) GDPR).

You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your residence, place of work, or place of the alleged infringement. The competent authority for the Operator is: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany (https://www.lda.bayern.de).

9. Automated decision-making

We do not use automated decision-making (including profiling) that produces legal or similarly significant effects on you within the meaning of Art. 22 GDPR.

10. Security

We apply reasonable technical and organizational measures appropriate to the nature, scope, and risk of the processing — including TLS encryption in transit, encryption of backups at rest, password hashing, restricted server access, and regular updates of our software stack. No system on the internet is perfectly secure; if we become aware of a personal-data breach that creates a risk to your rights, we will notify the competent authority and, where required, affected users in accordance with Art. 33 and 34 GDPR.

11. Children

The Service is intended for teen and adult LEGO fans from the age of 13. Younger children should not register. If you become aware that a child has provided personal data without appropriate consent, please contact us and we will delete the account.

12. Changes to this Policy

We may update this Privacy Policy when the way we process data changes. We will publish the updated version on this page and update the “Last updated” date. Material changes will be announced through the Service or by email.

If you have questions about this Privacy Policy or how your data is handled, please contact us at contact@brickcontests.com.