Privacy notice

The German version is the legally authoritative one; this English translation is provided for convenience.

This notice describes which personal data tilt-profile processes, on which legal basis, for which purposes, and which rights you have as a data subject. A separate section "IFPA profiles and profile claiming" covers the specifics that result from displaying publicly available IFPA data.

1. Controller

The controller responsible for the processing of personal data on this website is:

Daniel Schmidt-Richert

Virginia Str. 4

35510 Butzbach

Germany

Email: daniel@tilt-profile.com

Contact form: https://tilt-profile.com/kontakt

No data protection officer has been appointed; there is no legal obligation to do so for this service.

2. Hosting and server log files

The website is operated on our own servers in a German data centre (Hetzner); a data processing agreement is in place with the data centre operator. When you visit the website the web server, for technical reasons, processes the IP address of your device, date and time of the request, the requested URL, the HTTP status code, the amount of data transferred, the referrer and your browser's user agent, and stores these in server log files.

The legal basis is Art. 6 (1) f GDPR; the legitimate interest lies in delivering the content, ensuring operational security and defending against attacks and abuse. Server log files are deleted after 14 days at the latest. They are not merged with other data sources and not evaluated for marketing purposes.

3. Cookies

tilt-profile only uses strictly necessary cookies (§ 25 (2) no. 2 German TDDDG). A consent banner is therefore not required. No tracking, analytics or advertising cookies are set; the audience measurement (section 13) also works without cookies. In detail:

  • Session cookie — keeps your session (in particular the login state) alive; lifetime: until the end of the session, at most 2 hours.
  • XSRF/CSRF token — protects forms against cross-site request forgery attacks; lifetime: same as the session cookie, at most 2 hours.
  • Stay logged in ("remember_web_…") — only set when you actively tick "Remember me" at login; keeps you signed in beyond the end of the session; lifetime: up to 400 days or until you log out.
  • locale — stores the language you actively selected (German/English); lifetime: 12 months. Only set when you pick a language via the language switcher.

The legal basis for the associated processing is Art. 6 (1) f GDPR (functional, secure operation of the website) or Art. 6 (1) b GDPR insofar as the cookies are required to provide the user account.

4. Data sources

Part of the profile data shown on the platform does not come directly from the data subjects but from publicly available sources of the International Flipper Pinball Association (IFPA) as well as related publicly visible competition data. The data may include first and last name, ranking information, place of residence, tournament participations, placements and comparable sport-related profile data. The platform aggregates and re-presents these data in its own layout and — depending on the profile's status — shows them in full or in part.

Public tournament results (tournament, date, placement per IFPA player number) are additionally obtained via the weekly data export provided by the IFPA and kept as a local copy so that statistics such as head-to-head comparisons can be computed efficiently and filtered by period. For profiles subject to an implemented objection or erasure these data are not imported or are removed.

5. Purposes of processing for unclaimed profiles

The platform processes publicly available IFPA profile data to make pinball-related player profiles findable, to present publicly available competition information in a user-friendly form, and to give data subjects the opportunity to claim their profile and add voluntary details. For unclaimed profiles the visible data is intentionally reduced to limit display to what is necessary for these purposes.

6. Legal basis for unclaimed profiles

Insofar as unclaimed profiles with IFPA-sourced data are shown on the platform, processing is carried out on the basis of Art. 6 (1) f GDPR. The legitimate interest lies in providing a specialised, user-friendly profile and directory service for competitive pinball, and in the technical and editorial preparation of publicly available competition information. The visible scope of unclaimed profiles is limited to selected base data. Data subjects may object to this processing on grounds relating to their particular situation (see section 17).

7. Profile claiming and user account

When a person claims a profile, the account data and any evidence provided are processed in order to verify the right to claim the profile, attach it to the correct user account, and prevent abusive claims. To that extent the processing is based on the performance of the contractual or pre-contractual relationship (Art. 6 (1) b GDPR) and additionally on legitimate interests (Art. 6 (1) f GDPR) in the security and integrity of the platform.

When a password is set or changed we check whether the chosen password appears in known data breaches. For this we query the "Pwned Passwords" service (haveibeenpwned.com) using the k-anonymity scheme: our server transmits only the first five characters of a hash computed locally from the password, and the comparison against the returned candidates happens entirely on our server. Neither the password nor its full hash nor the user's email address, IP address or any other personal data is transmitted to the service. The legal basis for this check is our legitimate interest in account security (Art. 6 (1) f GDPR).

To protect against abusive registrations and to secure user accounts we store the IP address from which a registration is made, and, for failed login attempts against an existing account, the time and IP address of the attempt. Records of failed login attempts are deleted automatically after 30 days; the IP address recorded at registration is stored for the lifetime of the user account. The legal basis is our legitimate interest in preventing and tracing abuse (Art. 6 (1) f GDPR).

8. Voluntary extras and the extended public profile

After a successful claim the data subject may voluntarily add further details to the profile — biographical text, social media links, preferred tournament/pinball information, and other self-selected content. These extras are only processed and displayed publicly to the extent the data subject has explicitly consented (Art. 6 (1) a GDPR). Consent is voluntary and can be withdrawn at any time with effect for the future. The lawfulness of processing up to the moment of withdrawal is not affected.

9. Public visibility after claim

After a successful claim the data subject separately decides whether their extended profile is to be publicly visible. Without this separate authorisation the voluntary extras are not shown publicly. The authorisation can be changed or withdrawn at any time in the user account with effect for the future.

10. Contacting us (form and email)

When you contact us via the contact form or by email, we process the data you provide (name — optional in the form —, email address and message) in order to answer your enquiry. The legal basis is Art. 6 (1) f GDPR (answering enquiries) or Art. 6 (1) b GDPR where your enquiry relates to the user relationship. Messages remain in the controller's mailbox and are deleted once they are no longer needed for processing the enquiry. For requests submitted through the privacy form (correct, object to, or remove a profile) section 17 additionally applies.

11. Map display

Profile pages may contain a map of the "home spots" voluntarily added by the profile owner. The map material originates from Geoapify GmbH (Germany), based on OpenStreetMap data, but is cached and served by our own server. While viewing the map your browser only communicates with our server; neither your IP address nor any other data is transmitted to Geoapify or other third parties. The legal basis for the processing is Art. 6 (1) f GDPR; the legitimate interest lies in displaying the locations the profile owner has voluntarily published.

12. Images and static assets

Profile photos from IFPA profiles are retrieved once by our server from the IFPA and then stored and served locally. While viewing a profile page your browser only communicates with our server; neither your IP address nor any other data is transmitted to the IFPA or other third parties. The same applies to pinball machine artwork from the Open Pinball Database (OPDB), which — like the map display (section 11) — is cached and served by our own server. Fonts and all other static assets of the website are likewise served directly from our own servers without any third-party provider.

13. Audience measurement (Matomo)

For statistical analysis of how the website is used we employ the open-source software Matomo, operated on our own servers (see section 2). The data collected includes, in particular, the pages visited, the approximate origin (country/region), the browser type and the device type. Matomo is configured not to set any cookies and not to store or read any information on your device; the IP address is truncated (anonymised) before storage, so that it cannot be traced back to you. The data is processed exclusively on our own instance and is not shared with third parties.

The legal basis is Art. 6 (1) f GDPR; the legitimate interest lies in the statistical analysis and improvement of the service. Since no cookies are set and no information is stored on or read from your device, no consent under § 25 German TDDDG is required. You may object to this processing at any time (see section 17).

14. Recipients and service providers

Within the platform personal data is only made available to those parties that need it to fulfil the respective purpose. Beyond that technical service providers may be used for hosting, database operation, email delivery, content delivery, abuse prevention or support. Where such service providers process personal data on our behalf they do so under a data processing agreement pursuant to Art. 28 GDPR.

15. Transfers to third countries

Hosting, database, email delivery, the map display (section 11), image delivery (section 12) and the audience measurement (section 13) take place in Germany or the EU; no personal data is transferred to third countries.

16. Retention

Unclaimed base profiles are stored and displayed only for as long as is necessary for operating the platform and the purposes described above, or until a legitimate objection, correction request, or deletion request is honoured. Account data and claim-related evidence are stored only for as long as needed for account administration, abuse prevention or statutory retention obligations. Voluntary extras are stored until removed by the data subject, until consent is withdrawn, or until the user account is closed. Server log files are deleted after 14 days at the latest; records of failed login attempts after 30 days (see section 7); technical backups are overwritten on a rolling 30-day basis.

17. Data subject rights

Subject to the statutory requirements, data subjects have the right to access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR) and data portability (Art. 20 GDPR). Where processing is based on consent, that consent can be withdrawn at any time with effect for the future.

Right to object (Art. 21 GDPR): You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6 (1) f GDPR. We will then no longer process the data unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims. For unclaimed profiles the objection form is sufficient — the objection is honoured automatically there.

There is also the right to lodge a complaint with a data protection supervisory authority. The authority responsible for the controller is: Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI), Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany, datenschutz.hessen.de. You may also contact the supervisory authority of your place of residence.

For unclaimed profiles a dedicated form is available for correction, objection and removal requests: correction & removal form.

Objection and removal requests concerning unclaimed profiles are honoured automatically: the cached data for the IFPA profile in question is removed from the database, the profile is no longer displayed on the platform, and any automatic re-import from the IFPA data source is permanently blocked for that profile. In place of the profile page a short notice appears stating that display has been objected to. To prevent abuse, only one objection or removal request per IP address and per IFPA profile is accepted within 24 hours. If a request was submitted by mistake or by another person, the profile can be restored on request — via the same form or by emailing the controller directly.

Requests concerning claimed profiles and all correction requests are not handled automatically but are reviewed manually by the controller, so that an unrelated third party cannot use the public form to disable a claimed profile. The owner of a claimed profile can additionally disable public display and the publication of voluntary extras at any time via their profile settings, or delete the account itself.

18. Notice under Art. 14 GDPR

Where personal data is not collected directly from the data subject, the information required by Art. 14 GDPR is provided through this privacy notice together with supplementary notices inside the profile pages and the claim process. The source of the data is publicly available IFPA information and related publicly visible competition data.

Last updated: 2026-07-13