Legal

Privacy Policy

Last updated June 17, 2026

This Privacy Policy explains how PAINTSESSIONS.COM ("PAINTSESSIONS", "we", "us" or "our") processes personal data when you use our website, account system, multiplayer painting rooms, community features, artwork publishing features, reporting tools, supporter billing features and related services.

1. Controller

The controller responsible for PAINTSESSIONS.COM is:

Yannick Stephan Rot
c/o POSTFLEX PFX-290-492
Emsdettener Straße 10
48268 Greven
Germany

Email: [email protected]

Legal Notice:
https://paintsessions.com/legal-notice

We have not appointed a data protection officer.

2. What PAINTSESSIONS.COM is

PAINTSESSIONS.COM is a web-based creative multiplayer and social platform.

Users can create an account, paint in shared 3D rooms, publish artwork snapshots, view profiles, comment on and upvote artworks, and participate in community features.

The platform also includes account authentication, social login, supporter billing, report and takedown workflows, moderation tools and internal administration tools.

3. Personal data we process

Account data:
username, display name, user ID, email address, password hash, account status, email verification status, profile information, avatar, bio, profile links, account settings and supporter status.

Authentication and security data:
login method, session identifiers, authentication cookies, security tokens, email verification tokens, password reset tokens, login timestamps, failed login attempts, IP address, browser information and device information.

Social login data:
if you log in with Google or Discord, we may receive data required to create or access your PAINTSESSIONS account, such as provider user ID, email address, username, display name or avatar, depending on your provider settings and the permissions granted.

User-generated content:
artwork snapshots, image data, artwork titles, descriptions, tags, comments, upvotes, profile content, public profile information, timestamps, room participation data and related metadata.

Multiplayer room data:
data required to operate shared 3D rooms, such as user identifiers, room participation, painting actions, synchronization data, room state, timestamps and technical metadata.

Moderation and report data:
reports, reported content, reported URLs or identifiers, reporter contact details if provided, moderation notes, review records, decisions, enforcement actions and communications about reports, takedown requests or appeals.

Payment and supporter data:
billing email address, Stripe customer ID, payment status, subscription status, invoice information, tax-related information where applicable, transaction identifiers, refund or chargeback information, supporter entitlement status, withdrawal declarations and cancellation declarations.

Communication data:
emails and messages you send to us, support requests, privacy requests, moderation-related communications, timestamps and our responses.

Technical logs and network data:
IP address, request time, requested host names and URLs, browser type, operating system, device information, referrer URL where available, request headers, server logs, application logs, error logs, security events, rate-limiting data, cache metadata and diagnostic data.

4. Processing activities, legal bases, recipients and retention

The following overview explains the main purposes for which we process personal data. Where we rely on legitimate interests under Article 6(1)(f) GDPR, our legitimate interests are stated in the relevant entry. Retention periods may be extended where this is required or permitted by law, for example for security incidents, abuse investigations, accounting records, legal disputes or the establishment, exercise or defense of legal claims.

Edge delivery, DNS proxy, CDN and security

Data and purpose:
IP address, request time, requested host name and URL path, request headers, TLS and browser metadata, cache metadata and security signals are processed to resolve domain names, deliver pages and assets, protect the service against attacks and abuse, operate TLS edge delivery, cache static content and route traffic to our origin infrastructure.

Legal basis:
Article 6(1)(f) GDPR. Our legitimate interests are secure, reliable and efficient delivery of PAINTSESSIONS.COM, DDoS protection, abuse prevention and platform availability. Article 6(1)(b) GDPR also applies where this processing is necessary to deliver pages or features you request.

Recipients, transfers and retention:
We use Cloudflare for DNS, CDN, security and edge delivery services. Where Cloudflare processes personal data on our behalf, this processing is governed by Cloudflare's customer data processing terms incorporated into Cloudflare's self-serve terms. Cloudflare may process data outside the European Economic Area under applicable transfer safeguards. Cloudflare-related retention depends on the configured service, account settings and security-log criteria. Our own technical logs are normally stored for up to 180 days.

Provision:
This processing is technically required to access PAINTSESSIONS.COM where Cloudflare edge services are active.

Account registration and account management

Data and purpose:
Account data, email address, username, password hash, account status, profile information, settings and supporter status are processed to create and manage your account, provide logged-in features, manage account settings and identify your account inside the platform.

Legal basis:
Article 6(1)(b) GDPR for providing the account and related services. Article 6(1)(f) GDPR for maintaining platform integrity, preventing duplicate or abusive accounts and protecting user accounts.

Recipients, transfers and retention:
Account systems run on infrastructure hosted by Oracle Cloud, with Cloudflare processing request metadata at the edge where active. Account data is stored while your account exists. If your account is deleted or deletion is requested, we generally anonymize the account within 30 days unless longer retention is required for legal, billing, security, moderation or abuse-prevention reasons.

Provision:
Providing this data is contractually required if you want to use account-based features.

Authentication, sessions and security

Data and purpose:
Login method, session identifiers, authentication cookies, refresh tokens, email verification tokens, password reset tokens, OAuth state data, login timestamps, failed login attempts, IP address, browser and device information are processed to authenticate users, maintain sessions, verify email addresses, reset passwords, prevent unauthorized access and investigate security incidents.

Legal basis:
Article 6(1)(b) GDPR for login and session management. Article 6(1)(f) GDPR for account security, abuse prevention, fraud prevention, rate limiting and platform protection. Article 6(1)(c) GDPR may apply where security or legal obligations require processing.

Recipients, transfers and retention:
The authentication system is operated by us on Oracle Cloud infrastructure. Cloudflare may process request metadata at the edge. Authentication and security logs are normally stored for up to 180 days. Token and cookie retention is described in our Cookie Policy.

Provision:
This processing is technically and contractually required for login, account security and logged-in service use.

Optional social login with Google or Discord

Data and purpose:
If you choose Google or Discord login, we process provider user ID, email address, username, display name, avatar and related login data received from the provider to create or access your PAINTSESSIONS account and complete the login flow.

Legal basis:
Article 6(1)(b) GDPR because you request this login method. Article 6(1)(f) GDPR for account security, abuse prevention and login integrity.

Recipients, transfers and retention:
Google or Discord are recipients and independent controllers for their own side of the login flow. They may process data under their own privacy policies, account settings and transfer mechanisms. We store social-login identifiers while the login method is linked to your account and retain related security logs as described above.

Provision:
Social login is optional. Where available, you may use email/password registration instead.

Paint sessions, multiplayer rooms and local client data

Data and purpose:
Room participation data, user identifiers, painting actions, synchronization data, room state, timestamps, technical metadata, local paint saves and client preferences are processed to operate shared 3D painting rooms, synchronize multiplayer state, provide paint tools, keep local saves and remember app preferences on your device.

Legal basis:
Article 6(1)(b) GDPR for providing paint and multiplayer features. Article 6(1)(f) GDPR for platform reliability, room integrity, abuse prevention and troubleshooting.

Recipients, transfers and retention:
Runtime infrastructure is hosted on Oracle Cloud, with Cloudflare processing request metadata at the edge where active. Other room participants may receive the data necessary to display shared room state and user actions. Local browser data remains on your device until overwritten, replaced or cleared through browser or app actions. Server-side technical logs are normally stored for up to 180 days.

Provision:
This data is required to use paint and multiplayer features. Local preferences are required only for the specific continuity or preference feature.

Public community content and profile interactions

Data and purpose:
Artwork snapshots, image data, artwork titles, descriptions, tags, comments, upvotes, profile information, public profile links, timestamps and related metadata are processed to publish and display community content, profile pages and interactions.

Legal basis:
Article 6(1)(b) GDPR for providing publishing and community features. Article 6(1)(f) GDPR for operating a public creative community, preserving public community context, maintaining platform integrity and protecting legal interests.

Recipients, transfers and retention:
Public content may be visible to users, visitors, search engines and third parties outside our direct control. Infrastructure is hosted on Oracle Cloud and delivered through Cloudflare where active. Public content is stored until deleted, hidden, moderated, anonymized or no longer needed, subject to legal, security, moderation and backup exceptions.

Provision:
Publishing public content is optional. If you choose to publish or interact publicly, this data is required for those features.

Reports, takedowns, moderation and legal enforcement

Data and purpose:
Reports, reported content, reported URLs or identifiers, reporter contact details if provided, moderation notes, review records, decisions, enforcement actions and related communications are processed to review reports, handle takedown requests, enforce our terms, comply with legal duties and protect users, rights holders and the platform.

Legal basis:
Article 6(1)(f) GDPR. Our legitimate interests are platform safety, lawful operation, abuse prevention, rights protection, enforcement of our terms and defense of legal claims. Article 6(1)(c) GDPR applies where legal obligations require processing. Article 6(1)(b) GDPR may apply where processing is necessary to enforce or administer the user contract.

Recipients, transfers and retention:
Recipients may include authorized administrators or moderators, Oracle Cloud, Cloudflare where relevant for request or security metadata, affected users, reporting parties, legal advisors, rights holders, courts, authorities or law enforcement where necessary. Moderation and report data is normally stored for up to one month after the case is closed, unless longer retention is necessary because of repeated violations, serious abuse, legal disputes, statutory obligations or ongoing investigations.

Provision:
Providing report data is required if you submit a report, takedown request or appeal.

Supporter billing, Stripe payments, withdrawal and cancellation

Data and purpose:
Billing email address, Stripe customer ID, subscription status, payment status, invoice information, tax-related information where applicable, transaction identifiers, refund or chargeback information, supporter entitlement status, cancellation declarations, withdrawal declarations, timestamps, IP address and user-agent data are processed to offer supporter access, process payments and refunds, manage subscriptions, handle withdrawal and cancellation requests, comply with consumer, tax and accounting obligations and defend legal claims.

Legal basis:
Article 6(1)(b) GDPR for supporter contracts, payment processing, subscription administration, withdrawals and cancellations. Article 6(1)(c) GDPR for tax, accounting, consumer-law and legal documentation obligations. Article 6(1)(f) GDPR for fraud prevention, chargeback handling, accounting control and legal defense.

Recipients, transfers and retention:
We use Stripe for payment processing. Stripe may act partly as our processor and partly as an independent controller where required for payment processing, fraud prevention, regulatory compliance, financial reporting and Stripe's own legal obligations. Complete payment card numbers are processed by Stripe and are not stored by us on our own servers. Infrastructure records are hosted on Oracle Cloud and may pass through Cloudflare where active. We retain billing and payment records for the duration of the contractual relationship and thereafter for statutory retention periods required under tax, accounting and commercial law. Withdrawal, cancellation, refund, chargeback and legal-request records are retained as long as necessary for compliance, evidence and legal claims.

Provision:
Payment and billing data is contractually required for paid supporter access. Some billing, tax and legal request data is required by law.

Email contact, privacy requests and legal requests

Data and purpose:
Sender email address, message content, mail metadata, request identifiers, account identifiers if provided, timestamps and our responses are processed to answer messages, handle support, privacy, legal and abuse requests, document communications and comply with legal duties.

Legal basis:
Article 6(1)(b) GDPR where communication relates to your account, supporter contract or requested service. Article 6(1)(c) GDPR where processing is required for privacy, consumer, DSA, legal or authority requests. Article 6(1)(f) GDPR for support handling, documentation, abuse handling and legal defense.

Recipients, transfers and retention:
Inbound emails sent by users to PAINTSESSIONS inboxes are processed by mailbox.org / Heinlein Hosting GmbH in Germany. Application-hosted request records are stored on Oracle Cloud where applicable. Recipients may also include legal advisors, authorities, affected users or rights holders where necessary. Emails and request records are retained for as long as necessary to answer the request, handle follow-up questions, comply with legal duties or defend legal claims.

Provision:
Providing contact data is required if you want us to process and answer your request.

Transactional and service emails

Data and purpose:
Recipient email address, account identifiers, email verification information, password reset information, supporter billing notifications, request confirmations, delivery metadata and message content are processed to send necessary service emails.

Legal basis:
Article 6(1)(b) GDPR for account, security and supporter-contract emails. Article 6(1)(c) GDPR where legal confirmations or notices are required. Article 6(1)(f) GDPR for secure account operation, documentation and abuse prevention.

Recipients, transfers and retention:
Outbound application email is sent using infrastructure hosted by Oracle Cloud. Email-related logs are retained according to the relevant account, security, billing or request-retention criteria.

Provision:
This processing is required for account security, legal notices and service operation.

Technical logs, backups and administration

Data and purpose:
IP address, request time, requested URLs, browser type, operating system, device information, referrer URL where available, server logs, application logs, error logs, security events, rate-limiting data, diagnostics, backups and administrator activity logs are processed to operate, debug, secure, monitor and restore the platform.

Legal basis:
Article 6(1)(f) GDPR. Our legitimate interests are secure and reliable operation, troubleshooting, incident response, fraud and abuse prevention, system integrity and business continuity. Article 6(1)(c) GDPR may apply where security, accounting or legal obligations require processing.

Recipients, transfers and retention:
Technical infrastructure is hosted on Oracle Cloud and may be delivered through Cloudflare where active. Authorized administrators may access logs where required for their role. Technical logs are normally stored for up to 180 days. Deleted or anonymized data may remain in protected backups until overwritten or deleted, normally for up to 90 days.

Provision:
This processing is technically required for a secure and reliable online service.

Necessary cookies and browser storage

Data and purpose:
Necessary cookies, localStorage and IndexedDB records are processed for login, session continuity, OAuth login completion, logout, account security, local paint saves, local player identity, renderer and quality preferences, pressure settings and other necessary app behavior.

Legal basis:
Article 6(1)(b) GDPR where storage is needed to provide requested account or app features. Article 6(1)(f) GDPR for secure session handling, abuse prevention and stable app operation.

Device storage under German law:
In addition to the GDPR legal bases above, storing information on your device and accessing information already stored on your device, including cookies, localStorage and IndexedDB, are governed in Germany by § 25 TDDDG. We use these technologies without separate consent only where they are strictly necessary to transmit communications, provide a digital service expressly requested by you, or provide requested security, login, session, local-save or app-functionality features. If we introduce non-essential storage, analytics, advertising or tracking technologies, we will request consent where required before using them.

Recipients, transfers and retention:
Most browser storage is first-party or local to your device. External providers such as Google, Discord or Stripe may use their own cookies or browser storage when you use their services. Details and retention information are available in our Cookie Policy.

Provision:
Necessary cookies and storage are technically required for the relevant feature. Disabling or clearing them may break login, session continuity, paint saves, app preferences, renderer choices, local player identity or multiplayer operation.

5. Data not collected directly from you

Most personal data is provided by you or collected when you use PAINTSESSIONS.COM. In some situations, we may receive personal data about you from other users, reporting parties, rights holders, authorities, social-login providers or publicly available sources.

This may happen, for example, when content is reported, a takedown request is submitted, a rights-holder complaint is sent, a moderation case is reviewed, an authority contacts us, or you use Google or Discord login. The data may include account identifiers, public profile information, reported URLs or content, allegations, evidence submitted by a reporting party, provider identifiers, contact details, moderation notes and related timestamps.

Where required by law, we provide information to affected users. Exceptions may apply, for example where providing information would seriously impair an investigation, legal claim, moderation action or rights-enforcement process, where notification would be impossible or involve disproportionate effort, or where confidentiality or legal obligations prevent disclosure.

6. Public content

PAINTSESSIONS.COM includes public and community features. If you publish artwork snapshots, comments, profile information or other public content, this content may be visible to other users, visitors and the public. Public content may also be indexed by search engines, archived by third parties, copied by users or otherwise become available outside our direct control.

Please do not publish private information, confidential information or personal data about other people unless you are legally allowed to do so.

If we are required to erase public personal data that we have made public, we will take reasonable steps, taking account of available technology and implementation costs, to inform other controllers processing that data that erasure has been requested, where Article 17 GDPR requires this. We cannot guarantee deletion of independent third-party copies, archives, search-engine caches or content copied by other users outside our control.

PAINTSESSIONS.COM is not intended for the upload or publication of special categories of personal data, such as health information, political opinions, religious beliefs, biometric data for identification, or information about sexuality, unless you are legally allowed to publish that information. Please do not publish special-category data about other people. We may remove such content where required by law, our Terms of Service or moderation rules.

7. Cookies and similar technologies

We currently use only technically necessary cookies and similar technologies for authentication, logged-in sessions, login flows, email verification, password reset flows, form and request protection, security, abuse prevention, essential interface settings, multiplayer room functionality, and technical platform operation.

In Germany, cookies and browser storage are also subject to § 25 TDDDG. We use cookies, localStorage and IndexedDB without separate consent only where they are strictly necessary to transmit communications, provide a digital service expressly requested by you, or provide requested security, login, session, local-save or app-functionality features.

We do not currently use non-essential analytics cookies, advertising cookies or third-party tracking cookies.

8. Analytics and advertising

PAINTSESSIONS.COM does not currently use Google Analytics, Google Ads or similar non-essential analytics or advertising technologies. If we introduce analytics or advertising technologies in the future, we will update this Privacy Policy and our cookie information before activating those services. Where required, such technologies will only be used after consent.

9. Hosting, email and infrastructure

PAINTSESSIONS.COM origin infrastructure is hosted on Oracle Cloud. Oracle Cloud infrastructure may be used for website hosting, application hosting, database hosting, storage, backups, security, logging, technical operations, transactional email infrastructure and self-hosted authentication infrastructure. We have entered into data processing terms or a data processing agreement with Oracle where required.

We use Cloudflare for DNS, CDN, security and edge delivery services where active for the production domain. Cloudflare is not our origin host, but it may process request and security metadata before traffic reaches our origin infrastructure.

10. Authentication

We use an authentication system operated by us for account registration, email/password login, social login integration, session management, authentication cookies, email verification, password reset, account security and login security logs. The authentication system runs on infrastructure hosted by Oracle Cloud.

11. Social login providers

You may register or log in using Google or Discord. If you use Google or Discord login, the provider may process personal data according to its own privacy policy and account settings and may provide us with data required to create or access your PAINTSESSIONS account.

Google Privacy Policy:
https://policies.google.com/privacy

Discord Privacy Policy:
https://discord.com/privacy

Social login is optional. Where available, you may use email/password registration instead.

12. Payments through Stripe

We use Stripe for supporter billing, subscriptions and payments. Stripe may process payment-related data, including billing email address, payment method information, transaction information, subscription information, fraud prevention information and regulatory compliance information. Stripe may act partly as our processor and partly as an independent controller where required for payment processing, fraud prevention, regulatory compliance, financial reporting and Stripe's own legal obligations. Complete payment card numbers are processed by Stripe and are not stored by us on our own servers.

Stripe Privacy Policy:
https://stripe.com/privacy

13. Recipients of personal data

We may share personal data where necessary with Oracle Cloud, Cloudflare, Stripe, Google or Discord if you use social login, mailbox.org / Heinlein Hosting GmbH if you send email to one of our inboxes, legal advisors, tax advisors, auditors, courts, authorities, law enforcement agencies, rights holders or affected parties where necessary to handle reports or legal claims, and other users or visitors where you publish content or make profile information public. We do not sell personal data.

Provider information:

Oracle Cloud: Oracle Services Privacy Policy
Cloudflare: Cloudflare Privacy Policy and Cloudflare Customer DPA information
Stripe: Stripe Privacy Policy
Google: Google Privacy Policy
Discord: Discord Privacy Policy
mailbox.org / Heinlein Hosting GmbH: mailbox.org Data Protection

14. International data transfers

Some recipients or their subprocessors may process personal data outside the European Economic Area, in particular in the United States. For US recipients certified under the EU-US Data Privacy Framework, transfers may rely on the European Commission's adequacy decision for the EU-US Data Privacy Framework, but only for certified recipients and covered transfers. Where no adequacy decision applies, we use EU Standard Contractual Clauses and, where required, supplementary safeguards. You may contact [email protected] to obtain further information about transfer safeguards relevant to a specific provider, including how to obtain copies of safeguards where available.

Provider overview:

Oracle Cloud: origin hosting, storage, backups, application infrastructure and outbound app email. Transfers outside the EEA may be covered by Oracle contractual transfer safeguards, Standard Contractual Clauses, adequacy decisions, the EU-US Data Privacy Framework where certified and applicable, or another lawful mechanism.
Cloudflare: DNS, CDN, security and edge delivery. Transfers outside the EEA may be covered by Cloudflare's customer data processing terms, Standard Contractual Clauses, adequacy decisions, the EU-US Data Privacy Framework where certified and applicable, or another lawful mechanism.
Stripe: payment processing, supporter billing, subscription administration, fraud prevention and regulatory compliance. Transfers outside the EEA may be covered by Stripe's data processing terms, Standard Contractual Clauses, adequacy decisions, the EU-US Data Privacy Framework where certified and applicable, or another lawful mechanism.
Google: optional social-login provider and independent controller for Google's side of the login flow. Google is responsible for its own transfer mechanisms, which may include adequacy decisions, Standard Contractual Clauses or the EU-US Data Privacy Framework where certified and applicable.
Discord: optional social-login provider and independent controller for Discord's side of the login flow. Discord is responsible for its own transfer mechanisms, which may include adequacy decisions, Standard Contractual Clauses or the EU-US Data Privacy Framework where certified and applicable.
mailbox.org / Heinlein Hosting GmbH: inbound email handling in Germany. We do not make regular third-country transfers through mailbox.org for inbound mailbox handling. If mailbox.org or its subprocessors transfer data outside the EEA, legally required safeguards apply.

15. Retention

We store personal data only for as long as necessary for the purposes described in this Privacy Policy, unless longer retention is required or permitted by law.

Account data: stored while your account exists. If you delete your account or request deletion, we generally anonymize your account within 30 days, unless longer retention is required for legal, billing, security, moderation or abuse-prevention reasons.

Authentication and security logs: normally stored for up to 180 days, unless longer retention is necessary to investigate abuse, fraud, unauthorized access, security incidents or legal claims.

Moderation and report data: normally stored for up to one month after the case is closed, unless longer retention is necessary because of repeated violations, serious abuse, legal disputes, statutory obligations or ongoing investigations.

Billing and payment records: stored for the duration of the contractual relationship and thereafter for statutory retention periods required under tax, accounting and commercial law.

Technical logs: normally stored for up to 180 days. Deleted or anonymized data may remain in protected backups until overwritten or deleted, normally for up to 90 days.

16. Account deletion and anonymization

You may request account deletion by contacting [email protected]. Where account deletion is available through account settings, you may also use that function. When your account is deleted, we generally anonymize your account instead of deleting every technical record immediately to preserve platform integrity, public community context, moderation history, security records and billing records where necessary.

17. Your rights

Subject to applicable data protection law, you may have the right to access your personal data, correct inaccurate personal data, request deletion, restrict processing, receive certain data in a portable format, object to certain processing, withdraw consent where processing is based on consent, and lodge a complaint with a data protection supervisory authority. To exercise your rights, contact [email protected].

Right to object:
Where we process personal data on the basis of Article 6(1)(f) GDPR, you may object at any time on grounds relating to your particular situation. We will then stop processing the data unless we demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or unless processing is necessary for legal claims.

18. Supervisory authority

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Postfach 20 04 44
40102 Düsseldorf
Germany

Phone: +49 211 38424-0
Email: [email protected]
Website: https://www.ldi.nrw.de

19. Automated decisions

We do not use personal data for automated decisions that produce legal effects concerning you or similarly significantly affect you. Moderation decisions are currently reviewed by authorized human moderators or administrators.

20. Children and minors

PAINTSESSIONS.COM is not intended for children under 16 years of age unless use is permitted by applicable law and, where required, parental consent has been obtained. If you believe that a child has provided us with personal data without appropriate permission, contact [email protected].

21. Security

We use technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration or disclosure. No online service can be completely secure. You are responsible for keeping your login credentials confidential and for using secure passwords.

22. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our platform, service providers, legal requirements or data processing practices. The latest version is always available at:
https://paintsessions.com/privacy