Privacy Policy
Effective Date: June 5, 2026 | Frankfurt Operations Compliance
SASS-Y operates its data infrastructure out of Frankfurt, Germany. We are strictly committed to the high standard of protection established by the General Data Protection Regulation (GDPR). This privacy policy governs how we collect, process, and protect your information.
1. Data Controller & Frankfurt Operations
The data controller responsible for the processing of your personal data on this platform under GDPR is:
Frankfurt Executive Suites, Mainzer Landstraße 250
60326 Frankfurt am Main, Germany
Email: hello@sass-y.com
2. Information We Collect & Biometrics
Information You Provide
- Registration Details: Legal name, email address, phone number, date of birth, and credentials.
- Identity Verification Docs: Government-issued ID card or passport scans.
- Biometric Data (Liveness): 3D face liveness scan templates generated during onboarding. This biometric template is used strictly to verify that the person uploading the ID matches the ID photo, and is stored in a heavily encrypted, non-reversible hashed state.
- Financial & Payment Information: Billing details, card information (processed securely via PCI-DSS compliant partners).
Information Collected Automatically
- Technical Details: IP addresses, browser agent, device fingerprints, and operating systems.
- Geofenced Safety Data: Coordinates, timestamp markers for verified check-ins (processed locally or with explicit consent).
3. Legal Basis for Processing (GDPR)
We process your personal data in accordance with the provisions of GDPR and the German Federal Data Protection Act (BDSG):
- Art. 6(1)(b) GDPR: For the performance of contractual obligations (e.g., executing bookings, routing payouts, managing subscriptions).
- Art. 6(1)(c) GDPR: For compliance with legal requirements (e.g., tax bookkeeping, record keeping under the German Prostitute Protection Act - ProstSchG).
- Art. 6(1)(f) GDPR: For the protection of legitimate interests (e.g., maintaining platform safety, fraud prevention, forensic watermarking of media).
- Art. 9(2)(a) GDPR: Consent for special categories of data (specifically, explicit consent for biometric liveness verification).
4. Data Storage, Location & Transfers
Your personal data is hosted and processed on secure servers located in Frankfurt, Germany (using AWS and Supabase EU-central zones). Databases are fully encrypted at rest using AES-256 and in transit using TLS 1.3.
We minimize international data transfers. If a third-party processor (such as Stripe or Mapbox) handles data outside the European Economic Area (EEA), we enforce Standard Contractual Clauses (SCCs) to guarantee GDPR-equivalent protection.
5. Your GDPR Rights
As a data subject, you hold the following rights under GDPR which can be exercised by contacting our Data Protection Officer:
- Right to Access (Art. 15 GDPR): Request confirmation and copy of all personal data we store about you.
- Right to Rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete personal records.
- Right to Erasure (Art. 17 GDPR): Request deletion of your data when it is no longer needed or if consent is withdrawn.
- Right to Restrict Processing (Art. 18 GDPR): Request limiting data processing under specific conditions.
- Right to Data Portability (Art. 20 GDPR): Request transmission of your data in a structured, machine-readable format.
- Right to Object (Art. 21 GDPR): Object to processing carried out under legitimate interests.
- Right to Withdraw Consent (Art. 7(3) GDPR): Revoke consent at any time for optional processes (e.g., biometric verification consent).
6. Retention & Automatic Deletion
We adhere to strict data minimization principles:
- Account Information: Retained for the duration of your active profile. Following account deletion, standard records are purged within 30 days.
- Biometric Data: The raw biometric scan data is processed instantly and never stored permanently. Hashed face verification templates are deleted automatically within 24 hours of profile verification.
- Billing Records: Retained for 10 years to comply with German Commercial Code (HGB) and Tax Code (AO) retention requirements.
7. Supervisory Authority
If you believe that our processing of your personal data violates GDPR, you have the right to lodge a complaint with the competent data protection supervisory authority:
Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
Phone: +49 (0) 611 1408 0
Web: https://datenschutz.hessen.de
8. Contact & DPO Details
For any questions concerning this Privacy Policy, your rights, or data protection in general, you can reach our Data Protection Officer directly at:
Email: dpo@sass-y.com