PRIVACY POLICY
Last updated: 3 June 2026
1. Overview
KNKR GmbH («KINKER», «we», «us», or «our») operates the website knkr.ch. We take the protection of your personal data very seriously. This Privacy Policy informs you in accordance with the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (nFADP) about the processing of your personal data when you use our services.
This policy applies to all processing of personal data in connection with our website, ticket shop, merchandise store, user accounts, newsletter, and VIP bookings.
2. Data Controller
KNKR GmbH
Barcelona-Strasse 4
4142 Münchenstein
Switzerland
Email: info@knkr.ch
Commercial Register: CHE-491.863.600
Data Protection Officer (DPO): We are not legally required to appoint a DPO under Art. 37 GDPR. For data protection inquiries, please contact us at info@knkr.ch.
3. What Data We Collect and Why
We process personal data only for specific, explicit, and legitimate purposes. The following table provides an overview of the data we collect, the purposes, and the legal bases under Art. 6 GDPR:
| Purpose | Data Categories | Legal Basis |
|---|---|---|
| Website operation & security | IP address, browser type, device info, session cookies | Art. 6(1)(f) GDPR (legitimate interest: fraud prevention, security) |
| User account creation & login | Name, email, password (hashed), phone (optional), avatar (optional) | Art. 6(1)(b) GDPR (contract) |
| Ticket & merchandise purchases | Name, email, phone, billing/shipping address, payment reference, order history | Art. 6(1)(b) GDPR (contract) |
| Payment processing | Payment data is processed directly by our payment providers; we only receive payment status & reference | Art. 6(1)(b) GDPR (contract) |
| Merchandise fulfillment (Printful) | Name, shipping address, email, phone, order items | Art. 6(1)(b) GDPR (contract) |
| Newsletter | Email address, subscription timestamp, consent record | Art. 6(1)(a) GDPR (consent) |
| VIP room booking | User ID, selected event, package, special requests | Art. 6(1)(b) GDPR (contract) |
| Loyalty program (rewards) | Points balance, tier level, purchase history references | Art. 6(1)(b) GDPR (contract) / Art. 6(1)(a) (consent, if profiling) |
| Customer support | Name, email, order details, correspondence | Art. 6(1)(b) GDPR (contract) / Art. 6(1)(f) (legitimate interest) |
| Website analytics | Anonymized performance metrics (only with your consent) | Art. 6(1)(a) GDPR (consent) |
4. Cookies and Similar Technologies
We use cookies and similar technologies. Cookies are small text files stored on your device. You can manage your preferences via the cookie banner or the "Cookie Settings" link in the footer.
4.1 Necessary Cookies
These cookies are essential for the website to function and cannot be disabled. They are set based on Art. 6(1)(b) GDPR (contract performance) or Art. 6(1)(f) GDPR (legitimate interest in secure operation).
| Name | Purpose | Duration |
|---|---|---|
| user_session | Authentication and user session management | 7 days |
| session_id | Shopping cart functionality for non-logged-in users | 30 days |
4.2 Analytics Cookies (Consent Required)
These cookies are only set with your explicit consent (Art. 6(1)(a) GDPR). You can revoke your consent at any time via the Cookie Settings.
| Provider | Purpose | Data |
|---|---|---|
| Vercel Speed Insights | Page performance measurement and Core Web Vitals tracking | Anonymized performance metrics (no personal data) |
5. Data Recipients and Third-Party Processors
We only share your data with third parties when necessary for the purposes stated above or when legally required. All processors are contractually bound by Data Processing Agreements (Art. 28 GDPR).
| Processor | Location | Purpose | Legal Basis for Transfer |
|---|---|---|---|
| Supabase Inc. | USA | Database hosting, user authentication, data storage | Standard Contractual Clauses (SCC) Art. 46(2)(c) GDPR |
| Resend Inc. | USA | Transactional emails (order confirmations, verification) | Standard Contractual Clauses (SCC) Art. 46(2)(c) GDPR |
| Vercel Inc. | USA | Website hosting, Edge network delivery | EU-U.S. Data Privacy Framework (DPF) certified + SCC |
| Printful LLC | Latvia (EU) / USA | Merchandise printing, packaging, and shipping | Adequacy decision (Latvia, EU); SCC for USA transfers |
| Eventfrog AG | Switzerland | Event data synchronization (public event information only) | Adequacy decision (Switzerland) |
6. International Data Transfers
Some of our processors are located outside the European Economic Area (EEA), particularly in the USA. In such cases, we ensure an adequate level of data protection through:
- EU-U.S. Data Privacy Framework (DPF): For providers certified under the DPF (e.g., Vercel), data transfers are based on the European Commission's adequacy decision of 10 July 2023.
- Standard Contractual Clauses (SCC): For providers without DPF certification (e.g., Resend, Supabase), we have concluded EU Commission Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. Additional technical safeguards (TLS encryption, access restrictions) are implemented.
- Switzerland: Switzerland has been recognized by the EU Commission as providing an adequate level of data protection (Adequacy Decision 2000/518/EC).
7. Data Retention Periods
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected or to comply with legal obligations:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (active users) | Until account deletion | Contract performance |
| Unverified accounts | 30 days after registration | Data minimization |
| Order & payment data | 10 years | Swiss commercial law (OR 958f), tax obligations |
| Ticket data | 10 years | Proof of purchase, tax obligations |
| Newsletter subscriptions | Until unsubscribe + 3 years | Proof of consent |
| Shopping cart sessions | 30 days | Technical necessity |
| Server logs | 30 days | Security, troubleshooting |
| Email correspondence | 2 years after last contact | Legitimate interest (documentation) |
After the retention period expires, data is either deleted or anonymized (e.g., replacement of names with "Deleted User" and removal of contact details), unless longer retention is required by law.
8. Your Data Protection Rights
Under the GDPR and the Swiss nFADP, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17 GDPR): Request deletion of your data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18 GDPR): Request limitation on how we use your data.
- Right to data portability (Art. 20 GDPR): Receive your data in a structured, commonly used format.
- Right to object (Art. 21 GDPR): Object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent (Art. 7(3) GDPR): Withdraw consent at any time without affecting the lawfulness of prior processing.
Exercising your rights: To exercise any of these rights, please contact us at info@knkr.ch. We will respond within one month (extendable by two months for complex requests). Requests are generally free of charge.
Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR).
9. Data Security
We implement appropriate technical and organizational measures (TOMs) to protect your data:
- Encryption: All data transmission uses TLS 1.2+ encryption (HTTPS).
- Password security: Passwords are hashed using bcrypt with a cost factor of 12.
- Two-factor authentication (2FA): Available for user accounts via TOTP.
- Signed sessions: User sessions are cryptographically signed with HMAC-SHA256.
- HttpOnly cookies: Session cookies are not accessible via JavaScript.
- Row Level Security (RLS): Database access is restricted per user.
- Access controls: Role-based access for administrative functions.
Despite these measures, no electronic transmission or storage method is 100% secure. We continuously review and improve our security practices.
10. Newsletter
Our newsletter is sent only with your explicit consent (Art. 6(1)(a) GDPR). When you subscribe, we use a double opt-in process: After entering your email address, you will receive a confirmation email with a verification link. Only after clicking this link will your subscription be activated.
We store your consent record (timestamp, hashed IP address, confirmation email content) to demonstrate compliance. You can unsubscribe at any time by clicking the unsubscribe link in every newsletter email or by contacting us at info@knkr.ch.
11. Children's Privacy
Our services are intended for users who are at least 18 years old. We do not knowingly collect personal data from anyone under 18. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at info@knkr.ch. We will delete such data promptly.
12. Automated Decision-Making and Profiling
Our loyalty program calculates points and tiers based on your purchase history. This constitutes automated decision-making under Art. 22 GDPR. However, it does not produce legal effects or similarly significantly affect you. The tier calculation is based on objective criteria (points total). You have the right to object to such processing (Art. 21 GDPR) and can contact us to discuss your tier status.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For material changes, we may also send you an email notification.
14. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
