the_last_billboard_

Privacy Policy

Introduction

We take the protection of your personal data seriously. This privacy policy explains what data we collect, how we use it, and what rights you have.

This privacy policy applies to all users. For users residing in Switzerland, the revised Federal Act on Data Protection (revFADP, in force since 1 September 2023) applies. For users residing in the EEA/EU, the General Data Protection Regulation (GDPR) additionally applies.

Data We Collect

We collect the following types of data:

Personal data you provide:

Email address: Required for authentication and account management

Payment data: Securely processed by Stripe (we never store credit card data)

Bid data: Display name, link URL, brand color and bid amount for your slots

Uploaded images: Images you upload for your advertising slots

Data collected automatically:

Cookies: Only essential cookies for authentication and language preferences

IP address: Temporarily logged for security and abuse prevention

Browser data: User agent and browser information for compatibility

Legal Bases for Processing

We only process your personal data on the basis of a legal ground (Art. 31 revFADP / Art. 6 GDPR):

Performance of contract: Processing your email, bids, payments and content to deliver the service (Art. 31(2)(a) revFADP / Art. 6(1)(b) GDPR).

Consent: Certain processing is based on your voluntary consent, which you may withdraw at any time (Art. 31(1) revFADP / Art. 6(1)(a) GDPR).

Legitimate interests: Abuse prevention, IT security, content moderation and technical improvement of the service (Art. 31(2)(d) revFADP / Art. 6(1)(f) GDPR).

Legal obligations: Retention of business and payment records pursuant to Art. 958f of the Swiss Code of Obligations and tax/accounting regulations (Art. 6(1)(c) GDPR).

How We Use Your Data

We use your data for the following purposes:

> User authentication and account management

> Processing bids and payments

> Displaying your advertising slots on the billboard

> Content moderation and abuse prevention

> Compliance with legal obligations (tax, accounting)

Data Recipients (Processors / Third Parties)

We share your data with the following trusted service providers:

Supabase (Backend & Database)

Authentication, database and file storage (EU/US servers, GDPR-compliant).

Privacy Policy

Stripe (Payment Processing)

Payment processing and refunds (PCI-DSS Level 1 certified).

For payment processing, Stripe acts as an independent controller (not as our processor). Stripe's privacy policies apply additionally.

Privacy Policy

Vercel (Hosting)

Hosting and content delivery (global edge network).

Privacy Policy

International Data Transfers

Your data may be transferred to countries outside Switzerland and the EEA, in particular to the USA (Supabase, Stripe, Vercel).

Such transfers rely on the EU Standard Contractual Clauses (SCC), the EU-US Data Privacy Framework (for certified recipients) and the Swiss-US Data Privacy Framework. We thereby ensure an adequate level of protection within the meaning of Art. 16 revFADP and Art. 46 GDPR.

Your Rights

You have the following rights:

Right of access: You may request a copy of all data we hold about you.

Right to rectification: You may request correction of inaccurate data.

Right to erasure: You may request deletion of your account and data (excluding records subject to statutory retention).

Right to data portability: You will receive your data in a structured, commonly used and machine-readable format.

Right to object: You may object to processing based on legitimate interests.

Right to lodge a complaint: Switzerland: lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC, edoeb.admin.ch). EU/EEA: lodge a complaint with your competent national data protection authority.

To exercise your rights, contact us at info@vgt.energy

Cookies

We use only essential cookies:

Authentication cookies: Session management (expires after logout)

Preference cookies: Language selection and UI preferences

We do NOT use tracking, analytics or advertising cookies.

Data Retention

Account and bid data are retained as long as your account is active.

Business and payment records are retained for 10 years pursuant to Art. 958f of the Swiss Code of Obligations.

Security and server logs (including IP addresses) are deleted or anonymised within 90 days.

Security Measures

We implement industry-standard security measures including encryption (TLS/SSL), secure authentication (magic links), encryption of the database at rest, and regular security audits.

Automated Decisions

We do not make automated individual decisions producing legal effects on you (Art. 21 revFADP / Art. 22 GDPR). Slot allocation is deterministic based on bid amount and is transparently documented.

Policy Updates

We may occasionally update this policy. Material changes will be communicated by email or through the platform.

Last updated: 2026-05-22

Contact

For data protection inquiries, contact us at:

Email: info@vgt.energy

For full contact details, see our Imprint