Privacy Policy

1. Data Controller

The data controller responsible for your information is:
Sophie ("Soph-Hub")
Contact: info@soph-hub.com

2. Information We Collect

We collect information you provide directly to us and data generated through your use of the site:

2.1. Information You Provide:

• Account Registration: Username, email address, hashed password.
• Profile Information (Optional): "About Me" description, Discord username, Twitter/X handle, profile picture, preferred timezone.
• Content Submissions:
  • BBCode Entries (Profiles, Gifts, Snippets): Title, BBCode content, description, content type, tested status.
  • Assets (Avatars, Rooms): Title, description, categories, gender, asset file, original filename, optional screenshot.
  • Tutorials: Title, content, category, difficulty level.
  • Comments: Text content on entries or assets.
  • Feedback: Subject, description, type.
• Groups & Events Data:
  • Group Details: Name, description, visibility, type, settings, images, encrypted webhook URLs, labels.
  • Membership: Join requests (with reason), roles, functional roles.
  • Group Content: Wall posts, outfit links, themes.
  • Event Details: Title, description, time, location, settings, flyer image, webhook URL.
  • Interactions: RSVPs, notes, LFG/LFM/LFJ posts, partnership requests/messages.
• Direct Messages (DMs): Encrypted message content.
• Reports: Reason and details when reporting content/users.

2.2. Information Collected Automatically:

• Log Data: Server logs (IP address, browser, OS, access times, pages viewed via Strato), Application logs (actions like logins, submissions, admin actions, potentially including IP for security events).
• Cookies: Essential session cookie (PHPSESSID).
• Interaction Data: Records of ratings, BBCode copies, asset downloads.

2.3. Information We Do Not Collect:

• We do not intentionally collect sensitive personal data (e.g., health information, political opinions).
• We do not process payments or collect financial information.

3. Legal Basis and Purpose of Processing

We process your data based on the following legal grounds under the GDPR:

• Performance of a Contract (Art. 6(1)(b) GDPR): Much of our processing is necessary to provide the core services you request when you create an account and use the platform. This includes:
  • Account creation, authentication, and management.
  • Allowing you to submit, display, and manage your content (entries, assets, tutorials).
  • Enabling core features like the editor, profile showcase, groups, events, and direct messaging.
  • Processing your ratings, comments, and interactions.
• Legitimate Interests (Art. 6(1)(f) GDPR): We process some data based on our legitimate interests in operating, securing, and improving the platform, provided these interests are not overridden by your rights. This includes:
  • Ensuring website security and stability (e.g., processing log data, IP addresses for security events).
  • Debugging technical issues.
  • Analyzing anonymized or aggregated usage data to improve features.
  • Moderating content, handling reports, and enforcing site rules to maintain a safe community environment.
  • Providing community features like public group listings or event calendars.
  • Communicating necessary service updates or responding to your inquiries.
  • Implementing security measures like encryption for DMs and webhooks.
• Consent (Art. 6(1)(a) GDPR): For optional data you provide freely, such as your "About Me" description, social links, or profile picture, the processing is based on your consent, implied by providing the information. You can withdraw this consent by removing the information from your profile/settings.
• Legal Obligation (Art. 6(1)(c) GDPR): We may process data if required to comply with a legal obligation (e.g., responding to lawful requests from authorities).

The specific purposes for using your information are:

• To provide, maintain, and personalize the Soph-Hub service.
• To enable sharing, discovery, and interaction within the community.
• To manage user accounts, groups, and events.
• To secure the platform and prevent abuse.
• To communicate with users regarding their account, content, or platform updates.
• To analyze usage (primarily in aggregated/anonymized form) for service improvement.
• To fulfill legal requirements.

4. Data Security

We implement technical and organizational measures (Art. 32 GDPR) to protect your data:

• Password Hashing: Using PHP's `password_hash()` (bcrypt).
• Encryption: End-to-end encryption (AES-256-CBC) for Direct Messages and encryption-at-rest for user-provided webhook URLs, using a securely stored secret key.
• Secure Connections: Enforcing HTTPS (TLS encryption).
• Database Security: Using prepared statements against SQL injection.
• Access Control: Restricting access based on roles and permissions.
• Secure Cookies: Using `HttpOnly`, `Secure`, and `SameSite=Lax` attributes.

However, no system is 100% secure.

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information.

• Publicly Visible Information: Username, profile picture, "About Me", public content, comments, public group memberships/posts, public event participation.
• Group/Event Visibility: Information in private groups/events is restricted to members/invitees.
• Direct Messages: Encrypted content is only accessible to participants. We cannot read them.
• Service Providers: We use Strato AG (Germany) for hosting. We have a Data Processing Agreement (DPA / Auftragsverarbeitungsvertrag - AVV) in place as required by Art. 28 GDPR. Strato processes data like server logs based on this agreement and their own privacy policy.
• Legal Requirements: Disclosure if required by law (based on Art. 6(1)(c) GDPR) or necessary to protect vital interests or rights (Art. 6(1)(d) or (f) GDPR).

6. Data Retention

We retain data only as long as necessary for the purposes it was collected (Art. 5(1)(e) GDPR):

• Account Data: While your account is active. Deleted/anonymized upon account deletion, subject to legal holds.
• Submitted Content: May be retained (often anonymized) after account deletion unless deletion is requested beforehand.
• Group/Event Data: While the group/event exists.
• Direct Messages: Until deletion by all participants or account deletion.
• Log Data: According to hosting provider policy (Strato) or for limited periods for security/debugging (based on Art. 6(1)(f) GDPR).

7. Your Rights (GDPR)

You have rights regarding your personal data under the GDPR:

• Right to Access (Art. 15 GDPR): Request a copy of your data.
• Right to Rectification (Art. 16 GDPR): Request correction of inaccurate data.
• Right to Erasure (Art. 17 GDPR): Request deletion of your data under certain conditions.
• Right to Restrict Processing (Art. 18 GDPR): Request limitation of processing under certain conditions.
• Right to Data Portability (Art. 20 GDPR): Request your data in a machine-readable format.
• Right to Object (Art. 21 GDPR): Object to processing based on legitimate interests.
• Right to Withdraw Consent (Art. 7(3) GDPR): Withdraw consent where processing is based on consent.
• Right to Lodge a Complaint (Art. 77 GDPR): Complain to a supervisory authority.

To exercise these rights, please contact us at info@soph-hub.com. We may need to verify your identity.

8. Cookies

We only use one technically necessary session cookie (PHPSESSID) based on Art. 6(1)(f) GDPR (legitimate interest in providing login functionality). No tracking or analytics cookies are used.

9. Changes to This Policy

We may update this Privacy Policy. We will notify you of significant changes by posting the new policy on this page and updating the "Last Updated" date.