Privacy policy
Last updated: 2026-07-18
Data controller
Elektro Rottensteiner GmbH
Am Zagglermoos 10, 39054 Ritten (BZ), Italien
Legal representative: Alexander Rottensteiner
Email: privacy@zomk.app
No data protection officer has been appointed as we are not required to do so under Art. 37 GDPR.
Scope
This policy explains how we process personal data when you use zomk.app, our web app and our POS terminals as an organiser, helper or guest.
Which data we process
- Account data: name, email, password hash, language, role.
- Transaction data: sales, top-ups, refunds, wallet balances, payment method (never raw card data — handled by Stripe).
- Fiscal data: receipt number, VAT split, event and terminal — required for legal receipt duties (Italy: fiskaly).
- Technical data: IP address, browser / device type, error logs, minimal usage metrics for stability.
- Support communication: emails and messages you send us.
Legal basis
- Art. 6 (1) b GDPR — performance of the contract with organisers and end users.
- Art. 6 (1) c GDPR — legal obligations (fiscal, accounting, anti-money-laundering).
- Art. 6 (1) f GDPR — legitimate interest in operating and securing the service.
- Art. 6 (1) a GDPR — consent, e.g. for marketing emails (revocable at any time).
Processors and third parties
We use the following processors within the EU / EEA on the basis of data processing agreements (Art. 28 GDPR):
- Supabase Inc. (Backend/DB/Auth) — EU (Frankfurt)
- Stripe Payments Europe Ltd. (Zahlungen) — Irland / EU
- fiskaly GmbH (fiskalische Signatur) — Österreich / EU
- Google Ireland Ltd. (OAuth-Login) — Irland / EU
- Resend / E-Mail-Versand — EU
- Cloudflare / Lovable Hosting — EU / global
For transfers to third countries we rely on the EU Standard Contractual Clauses where applicable.
Retention
Account data is kept while your account exists. Fiscal and accounting data is kept for the legal retention periods (in Italy typically 10 years). Support communication is deleted after 24 months. Error logs are rotated after 30 days.
Your rights
You have the right to access, rectification, erasure, restriction of processing, data portability and to object to processing (Art. 15–22 GDPR).
To exercise your rights, contact us at privacy@zomk.app.
You may also lodge a complaint with a supervisory authority — in Italy the Garante per la protezione dei dati personali (www.garanteprivacy.it).
Cookies
We only use technically necessary cookies (session, language, security). No tracking, no advertising cookies, no third-party analytics on our marketing site.
Security
Data is encrypted in transit (TLS) and at rest. Access is protected by authentication, role-based permissions and row-level security. Payment data is processed exclusively by Stripe — we never see your full card number.