Privacy

1. Data controller

Responsible for data processing within the meaning of the General Data Protection Regulation (GDPR) and applicable national data protection laws:

ThunderFrog Media
Kiekenberg 10
45359 Essen
Email: [email protected]

2. Overview of data processed

The BloggerNexus platform connects bloggers with brands, and enables the management of products, applications, chats and payment-related matters (e.g. brand subscription and featured status). The following categories of personal data are processed, among others:

2.1 Account data

• Email address
• Password (stored in hashed form only)
• Second Life first and last name
• Second Life UUID (if provided)
• Display name
• Active status, creation and update timestamps
• Time of first completion of the setup wizard, “last seen”

2.2 Profile data (optional)

• Discord, Instagram, Facebook, Flickr, blog and PrimFeed URLs
• Information in “About me”

2.3 Avatar

• Uploaded profile picture (URL/reference to stored image)

2.4 Brands and associations

• Brand name, description, requirements, rules
• Brand contact and social links, logo, SL owner UUID
• User membership of brands (roles: e.g. Owner, Co-Creator, Manager)
• Payment status (e.g. “paid until”, “featured paid until”) – no storage of card details etc.; payments are processed outside the platform (e.g. in Second Life)

2.5 Products and categories

• Product name, description, image URL, category, link to Second Life (product UUID)
• Custom product categories per brand

2.6 Applications and invitations

• User applications to brands (status, timestamps)
• Brand invitations to bloggers (status, inviter, timestamps)

2.7 Communication

• Inbox: System and brand messages to users (title, content, type, read/unread)
• Brand support chat: Messages between bloggers and brand staff
• System support chat: Messages between users and platform support (Super Admin)
• Team chat: Messages within brand teams

2.8 Tasks and ratings

• Product assignments to bloggers (deadlines, approval, review status, feedback, star rating, URLs to blog/Flickr etc.)

2.9 Other

• Blacklist entries (brand, user, reason, date)
• Uploaded files (e.g. product images, logos) linked to brands/users
• Technical data: session/login status, log data (e.g. on errors), where collected

3. Purpose of processing

• Provision and operation of the platform (registration, login, profile, roles)
• Management of brands, products, applications, invitations and product assignments
• Communication (inbox, support chat, team chat)
• Processing and documentation of payment periods (e.g. “paid until”) without storing payment method data on the platform
• Performance of contractual and pre-contractual obligations
• Security and stability (e.g. access control, abuse prevention)
• Compliance with legal retention and documentation requirements where applicable

4. Legal basis (Art. 6 GDPR)

• Contract performance (Art. 6(1)(b) GDPR): User account, brand management, products, applications, assignments, communication in the context of platform use.
• Legitimate interests (Art. 6(1)(f) GDPR): Operational security, platform optimisation, abuse prevention, support, internal analysis (e.g. usage statistics), where not overridden by the interests of the data subjects.
• Legal obligation (Art. 6(1)(c) GDPR): Storage and disclosure where required by law (e.g. retention, disclosure to authorities).
• Consent (Art. 6(1)(a) GDPR): Where explicitly obtained (e.g. for certain newsletters or extended use). Consent may be withdrawn at any time with effect for the future.

5. Retention period

• Account and profile data: Until account deletion or withdrawal/objection, unless legal retention obligations apply.
• Brands, products, applications, invitations, assignments: Generally for the duration of the business relationship and thereafter only where required by law or legitimate interests (e.g. legal defence).
• Chat and inbox messages: For the duration of use and any legal or contractual retention period.
• Payment-related data (e.g. “paid until”): For the duration of the contractual relationship and statutory retention periods.
• Log data: Only as long as necessary for security and error analysis (generally limited).

Specific periods may result from the contract, terms and conditions or applicable law.

6. Recipients and disclosure

• Internal: Only authorised personnel (e.g. technical operation, support, administration) have access to the extent necessary.
• Processors: Hosting, database and, where applicable, email services may act as processors; contractual arrangements under Art. 28 GDPR apply.
• Second Life: If you provide a Second Life UUID, related functions (e.g. delivery of objects, payment confirmations) may involve data to or via Second Life; processing on the platform is based on your details and the purposes stated.
• Authorities: Disclosure only where legally required or necessary to assert rights.
• No sale: Personal data is not sold to third parties.

7. Your rights (data subject rights)

Under the legal conditions you have:

• Access (Art. 15 GDPR) to your data,
• Rectification (Art. 16 GDPR) of inaccurate data,
• Erasure (Art. 17 GDPR) / “right to be forgotten”,
• Restriction of processing (Art. 18 GDPR),
• Data portability (Art. 20 GDPR) in a commonly used format where technically feasible,
• Objection (Art. 21 GDPR) to processing based on legitimate interests,
• Withdrawal of consent with effect for the future.

To exercise these rights, please contact the address given in section 1 (email is sufficient).

You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). In Germany, the competent state data protection authority for your place of residence may be responsible.

8. Session, cookies and technical storage

• Technically necessary storage (e.g. session information) is used for login and session management.
• Where cookies or similar technologies are used, this is for the operation and security of the platform; where required, you will be informed or asked for consent.
• You can set your browser to reject or delete cookies; some functions may then be limited.

9. Hosting and storage location

Data is processed and stored on servers operated by us or our processors. If these are located outside the European Economic Area (EEA), we ensure appropriate safeguards (e.g. EU Commission standard contractual clauses) where required by applicable law.

10. Changes to this policy

This privacy policy may be updated as needed (e.g. for new features or legal changes). The current version is available at the URL indicated. We will inform you of significant changes where required or appropriate.