Privacy Policy
This privacy policy (version 19 June 2026) applies to the YourNextStories platform at yournextstories.com and yournextstory.at (development environment).
The controller is OIDA Freizeit GmbH, Talgasse 11/22, 1150 Vienna, Austria, email: office@oida.app.
Company details are listed in the legal notice (Impressum).
This document explains which personal data we process, for what purposes, on what legal basis, and which rights you have.
Automatic data storage (server log files)
When you visit our website, our web server and reverse proxy automatically process technical data such as IP address, date and time, requested URL, referrer, browser type, operating system, and HTTP status.
This is necessary to provide the site, ensure stability and security, and detect abuse.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operation).
Log data is retained only as long as needed for these purposes and then deleted or anonymised.
TLS encryption (HTTPS)
We transmit data over the internet exclusively via encrypted HTTPS (TLS).
You can recognise a secure connection by the lock icon in your browser and the https:// prefix in the URL.
Cookies
YourNextStories does not use third-party marketing or analytics cookies (e.g. Google Analytics, Meta Pixel, or Google Tag Manager).
We only use essential first-party cookies: yns_session_id (anonymous session for recommendations, tracking, and personalisation), yns_device_id (device ID for cross-device guest tracking, HttpOnly), yns_lang (language preference de/en), and after login HttpOnly auth cookies (yns_access_token, yns_refresh_token, or partner/artificer variants).
Legal basis: Art. 6(1)(f) GDPR for essential cookies, Art. 6(1)(b) GDPR for login.
No consent is required for these cookies.
See also the cookie info dialog in the footer.
You can delete or block cookies in your browser settings; some features (login, personalisation) may then be limited.
Local storage and session storage
In addition to cookies, your browser stores data locally (localStorage/sessionStorage) for convenience features such as search-agent drafts, recently viewed detail pages, onboarding preferences, pain-survey status, or cached city lists.
This data stays on your device, is not sold to third parties, and serves site functionality.
Legal basis: Art. 6(1)(f) GDPR (usability).
User account and profile
When you create an account or use your profile, we process the data you provide (e.g. email address, username, language, favourites, search agents, newsletter settings, onboarding answers, consents).
Passwords are stored only as cryptographic hashes.
Legal basis: Art. 6(1)(b) GDPR (contract/account use).
You can delete your account in profile settings; associated personal data will be removed according to our retention rules unless legal obligations require retention.
Usage analysis and first-party tracking
To improve recommendations, statistics, and product quality, we record interactions server-side in our own infrastructure (tables including yns_tracking, yns_impressions, yns_sessions).
This includes page views, clicks, favourites, filters, map interactions, affiliate clicks, onboarding steps, and — where available — a last chosen search location from your settings (not automatic GPS).
Data is linked to your session ID and, when logged in, your user ID.
No third-party tracking pixels are used.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a working recommendation system).
You may object at any time for reasons relating to your situation (Art. 21 GDPR), e.g. by email to office@oida.app.
Personalised recommendations
Recommendations on the home feed, map, and in emails are based on your interactions, category preferences, and — for registered users — stored profile/vector data (Waldi recommendation system).
This is profiling to improve content selection, not automated decisions with legal effect under Art. 22 GDPR.
Legal basis: Art. 6(1)(f) GDPR.
Map, location, and geocoding
The map view uses Leaflet with tiles from CARTO/OpenStreetMap (cartodb-basemaps-a.global.ssl.fastly.net).
Loading the map transmits your IP address to the tile provider; we do not set cookies for this.
Optionally you may share device location (browser Geolocation API); coordinates are used for map display and search.
Address search and reverse geocoding run via our API proxy to Nominatim (OpenStreetMap Foundation), transmitting search terms or coordinates to Nominatim.
Legal basis for location: your browser consent (Art. 6(1)(a) GDPR); for map use Art. 6(1)(f) GDPR.
Affiliate links and external providers
Many listings link to external booking sites (affiliate partners such as Musement, Viator, Eventim).
When you click such links, you leave our website; the respective provider's privacy policy applies.
We log affiliate clicks in our first-party tracking to evaluate conversions.
Newsletter
If you subscribe to our newsletter, we store your email address, language, and signup time.
Newsletters are delivered only after double opt-in (confirmation link by email).
You can unsubscribe anytime via the link in each issue or in your profile; newsletter data is then deleted.
Legal basis after confirmation: Art. 6(1)(a) GDPR (consent).
Email delivery (Resend and Brevo)
Transactional emails (e.g. registration, password reset, newsletter confirmation, partner verification) are sent via Resend (Resend, Inc., USA).
Marketing emails (e.g. weekly newsletter, search-agent matches, partner marketing) are sent via Brevo (Sendinblue SAS, France).
Email address, name (if provided), and content data are transmitted to the respective provider.
Data processing agreements are in place with both providers.
Legal basis: Art. 6(1)(b) GDPR (transactional) or Art. 6(1)(a) GDPR (marketing with consent).
See https://resend.com/legal/privacy-policy and https://www.brevo.com/legal/privacypolicy/
Fonts
We use the Hind Siliguri typeface via next/font in Next.js.
Font files are bundled at build time and served from our own server — there is no runtime request to Google Fonts and no data transfer to Google.
Hosting, storage, and CDN
Website, API, and databases are hosted on servers we operate in the EU (Docker infrastructure with MySQL, Redis, Elasticsearch).
Event images may be delivered via CDN or object storage (Hetzner S3).
Access to production systems is restricted to authorised personnel.
Automated content processing (internal)
To maintain event content we use server-side services such as DeepL and OpenAI (e.g. translations, metadata, image descriptions).
This processes listing content, not typically end-user personal data — unless you enter such data in forms (e.g. as a partner).
Legal basis: Art. 6(1)(f) GDPR (efficient content management).
Data processing agreements with providers are concluded where required.
Contact by email
If you contact us by email, we process your details to handle your request.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual/contractual communication) or Art. 6(1)(f) GDPR.
Please do not send highly sensitive data unencrypted by email.
Your rights
Under the GDPR and Austrian data protection law you have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21), and withdrawal of consent (Art. 7(3)).
Contact office@oida.app to exercise these rights.
You may lodge a complaint with the Austrian Data Protection Authority: https://www.dsb.gv.at/
Changes
We update this privacy policy when our services or the legal framework change.
The version published on this page applies.
We will inform you separately where required for material changes.
