FlipSync Logo FLIPSYNC_OS
arrow_back Back
DATA_PROTOCOL

Privacy Statement

Last updated: 2026-04-18

translate Auf Deutsch lesen

Age restriction. This service is not directed at persons under the age of 16. By registering, you confirm that you are at least 16 years old. If you become aware that a person under 16 has registered, please contact us at trailbornemedia@gmail.com.

shield 1. Data Controller

The data controller responsible for this application within the meaning of Art. 4(7) DSGVO is:

Dominik Baumann - Trailborne Media

(Kleingewerbe gem. § 19 UStG)

Stadtberger Str. 2
86356 Neusäß
Germany

E-mail: trailbornemedia@gmail.com

database 2. Categories of Personal Data

Account Data

Your e-mail address and an optional display name, collected during signup. Used for authentication and to identify your account.

Server Log Data

Our hosting provider (Railway) automatically records for every request: IP address, browser user-agent, requested URL, HTTP status code, and timestamp. These logs are used solely for operating, monitoring, and securing the service.

Google Login Data

If you choose "Continue with Google", the following data is received from your Google account via Supabase OAuth: e-mail address, Google account ID (sub), display name, and profile picture URL. For Google-side processing please refer to Google's own privacy policy: https://policies.google.com/privacy .

User-Uploaded Files

You may upload Quad thumbnail images and Betaflight CLI dump files. These files are stored on Supabase Storage (S3-compatible, EU region Frankfurt, eu-central-1).

Note on image EXIF metadata: Uploaded images may contain EXIF metadata, including GPS coordinates if the photo was taken on a smartphone with location services enabled. This application does not automatically strip EXIF data at this time. If you wish to protect your location, please remove EXIF data from images before uploading.

Quad Sharing Data

If you opt in to Quad Sharing, selected portions of your Quad data (component list, All-Up Weight, Betaflight PIDs and rates) are made publicly accessible to anyone who has the share URL without requiring a login.

Sharing is fully opt-in and disabled by default. You control which sections are visible and can revoke sharing at any time — the public URL then returns a 404.

Owner name masking is enabled by default: your display name is hidden from the public share page unless you explicitly unmask it as the owner.

Quad View Counter

Public Quad share pages record a session-deduplicated view count. A session identifier is used to avoid counting the same visitor multiple times during a single browsing session. No persistent tracking cookie is set; the session identifier expires when the browser session ends. This is technically necessary for the sharing feature to provide owners with aggregate visit statistics.

gavel 3. Legal Basis for Processing

Account Data

Art. 6(1)(b) DSGVO — contract fulfillment. Your e-mail address is necessary to provide the service you registered for.

Server Log Data

Art. 6(1)(f) DSGVO — legitimate interest in operating, monitoring, and securing the service.

Google Login Data

Art. 6(1)(b) DSGVO — contract fulfillment. Google account data is processed to enable login to the service.

User-Uploaded Files

Art. 6(1)(b) DSGVO — contract fulfillment. Quad images and Betaflight dumps are processed to enable the core Quad management features.

Quad Sharing Data

Art. 6(1)(a) DSGVO — explicit consent, given via the in-app Quad Sharing toggle. Consent can be withdrawn at any time.

Quad View Counter

Art. 6(1)(f) DSGVO — legitimate interest in providing the Quad owner with aggregate visit statistics without tracking individual visitors.

schedule 4. Data Retention

Account Data

Your account data is retained until you request deletion of your account. You can request deletion of your account and all associated data directly within the application via your Profile page → Delete Account. This triggers the 3-step GDPR erasure workflow (confirmation e-mail + final confirmation page).

Server Log Data

Server logs are retained by the hosting provider (Railway) for a maximum of 7 days and are then automatically deleted.

User-Uploaded Files

Uploaded Quad images and Betaflight dump files are retained until you delete the associated Quad, or until you delete your account.

verified_user 5. Your Rights Under the DSGVO

Under the DSGVO / GDPR you have the following rights regarding your personal data:

  • Right of Access (Art. 15 DSGVO) — you may request information about the personal data we hold about you.
  • Right to Rectification (Art. 16 DSGVO) — you may request correction of inaccurate personal data.
  • Right to Erasure (Art. 17 DSGVO) — you may request deletion of your personal data. An in-app deletion flow is available via your Profile page → Delete Account.
  • Right to Restriction (Art. 18 DSGVO) — you may request restriction of processing of your personal data.
  • Right to Data Portability (Art. 20 DSGVO) — you may request your personal data in a structured, machine-readable format.
  • Right to Object (Art. 21 DSGVO) — you may object to the processing of your personal data based on legitimate interest.
  • Right to Withdraw Consent (Art. 7(3) DSGVO) — where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of prior processing. For Quad Sharing, disabling the in-app sharing toggle withdraws your consent.
  • Right to Lodge a Complaint (Art. 77 DSGVO) — you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. The competent authority for this application is:
    Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
    Promenade 27, 91522 Ansbach, Germany
    https://www.lda.bayern.de

No automated decision-making. This application does not use automated decision-making or profiling as defined in Art. 22 DSGVO.

mail 6. Contact for Data Protection Requests

To exercise any of the above rights, or for questions regarding the handling of your personal data, please contact us at:

email trailbornemedia@gmail.com

A Data Protection Officer is not required for this organization under Art. 37 DSGVO (Einzelunternehmer, no large-scale systematic processing of sensitive data).

hub 7. Third-Party Service Providers (Art. 28 DSGVO)

The application uses the following processors to operate its services. Data processing agreements (Art. 28 DSGVO) have been or will be concluded with each provider listed below.

Provider HQ Purpose Data region Safeguard
Supabase, Inc. San Francisco, CA, USA Auth, database, file storage EU (Frankfurt, eu-central-1) EU Standard Contractual Clauses
Railway Corp. San Francisco, CA, USA Application hosting, server logs EU region EU Standard Contractual Clauses
Brevo SAS Paris, France Transactional e-mail sending EU EU-based processor
Google LLC Mountain View, CA, USA OAuth ("Continue with Google") USA EU–US Data Privacy Framework + SCCs
public 8. International Data Transfers

Some of our processors are headquartered outside the EU/EEA (Supabase, Railway, Google). Data transfers to these providers are safeguarded by EU Standard Contractual Clauses (SCCs) approved by the European Commission and/or the EU–US Data Privacy Framework (DPF) where applicable (Art. 44+ DSGVO).

Supabase database and file storage data is physically hosted in the EU (Frankfurt, eu-central-1) and does not leave the EU in standard operation.

cookie 9. Cookies and Local Storage (§ 25 TDDDG)

The following cookies are set by this application. All cookies listed are technically necessary; no prior consent is required under § 25(2) Nr. 2 TDDDG.

Name Purpose Lifetime Legal basis
sessionid Maintains the authenticated user session Browser close or 30 days § 25(2) Nr. 2 TDDDG — technically necessary
csrftoken CSRF attack protection for all state-mutating requests 1 year (reset on login) § 25(2) Nr. 2 TDDDG — technically necessary
cookie_consent Records that the cookie consent banner has been acknowledged 365 days § 25(2) Nr. 2 TDDDG — technically necessary

This application does not use analytics cookies, advertising cookies, or any tracking cookies. No third-party cookies are set.

lock 10. Technical & Organizational Measures (Art. 32 DSGVO)
  • All data in transit is encrypted via TLS.
  • Data at rest is encrypted by the respective storage provider.
  • Access to personal data is restricted to authorized personnel only.
  • Authentication is handled via Supabase Auth with JWT tokens; session tokens are stored in httpOnly cookies and are not accessible to JavaScript.