1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

2. General Information on Data Processing

This system is an internal library management system for educational institutions. Personal data is only collected and processed to the extent necessary to provide the functionality. Processing is carried out on the basis of the GDPR.

3. Data Collected During Registration and Use

The following data is processed during registration and use of the system:

• First name and last name
• Username
• Email address
• Password (stored encrypted, not in plain text)
• Billing and delivery address (optional)
• Loan history (borrowed books, loan dates, return dates)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in the secure operation of the system).

4. Email Sending

The system sends transactional emails (e.g. email verification, password reset, loan confirmations). Your email address is used for this purpose. Email sending is handled via a configurable SMTP server. No marketing emails are sent.

Legal basis: Art. 6(1)(b) GDPR.

5. Hosting by Vercel

This application is hosted on the platform Vercel Inc., 340 Pine Street, Suite 701, San Francisco, CA 94104, USA. Vercel acts as a data processor pursuant to Art. 28 GDPR.

Data automatically processed by Vercel

When accessing this website, Vercel automatically processes the following data as part of its technical operations:

• IP address of the requesting device (for geolocation at city/country level)
• Requested URL, HTTP method and HTTP status code
• Timestamp of the request and response times
• Browser type and operating system (User-Agent)
• Error messages and diagnostic data

This data is required by Vercel for the technical operation, security and stability of the hosting service. The retention period of access logs depends on the Vercel plan booked (Hobby: 1 hour, Pro: 1–30 days).

Data Transfer to the USA

Vercel is a US company. The server infrastructure uses AWS, Microsoft Azure and Google Cloud Platform worldwide. Serverless functions are operated in the USA by default; static content is delivered via a global CDN with locations also in the EU.

For data transfers to the USA, Vercel relies on:

• EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR
• EU-U.S. Data Privacy Framework (Vercel is DPF-certified)

Legal basis for processing by Vercel: Art. 6(1)(f) GDPR (legitimate interest in technical operation and security).

Further information: Vercel Privacy Policy | Vercel DPA

6. Cookies and Session Data

The system uses only technically necessary cookies to manage the login session (session token). No tracking or analytics cookies are used. No data is transmitted to advertising networks.

Legal basis: Art. 6(1)(f) GDPR.

7. Retention Period

Personal data is only stored for as long as necessary to fulfil the purposes or as required by statutory retention obligations. After leaving the educational institution or upon request, the data will be deleted.

8. Your Rights

You have the following rights with respect to your personal data vis-à-vis the controller:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object to processing (Art. 21 GDPR)

You also have the right to lodge a complaint with the competent data protection supervisory authority. The competent authority for Baden-Württemberg is the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg.

9. Changes to this Privacy Policy

This Privacy Policy may be updated as needed to reflect changes to the system or legal requirements. The current version is always available on this page.