Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as "data") we process, for which purposes, and to what extent in the context of our AI-generated Murder Mystery Dinner Service "Crime & Dine .io".

The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our website crime-and-dine.io as well as in our web application for mobile devices.

Last updated: November 11, 2025

Table of Contents

  1. Preamble
  2. Responsible Party
  3. Processing Overview
  4. Relevant Legal Bases
  5. Security Measures
  6. Transmission of Personal Data
  7. International Data Transfers
  8. General Information on Data Storage and Deletion
  9. Rights of Data Subjects
  10. Business Services - AI-Generated Murder Mystery Games
  11. Payment Procedures
  12. AI Content Generation with Google Vertex AI
  13. Email Delivery and Communication
  14. Provision of Online Services and Web Hosting
  15. Use of Cookies and Local Storage
  16. Contact and Inquiry Management
  17. Management, Organization and Support Tools

Responsible Party

Thomas Weber

AI Services - Thomas Weber

Margeritenweg 14

83109 Großkarolinenfeld

Email Address: support@crime-and-dine.io

Imprint: https://crime-and-dine.io/imprint

Business Activity: Small business according to § 19 UStG - Development and provision of AI-generated Murder Mystery Dinner games

Processing Overview

The following overview summarizes the types of data processed and the purposes of their processing in the context of our Crime & Dine .io Services:

Types of Data Processed

  • Master Data (Name, Email Address)
  • Payment Data (via Stripe payment service provider)
  • Configuration Data (Game Settings, Themes, Number of Players)
  • Generated Content (AI-created Stories and Characters)
  • Usage Data (Website Access, Download Activities)
  • Technical Data (IP Addresses, Browser Information)
  • Communication Data (Email Traffic, Support Requests)

Categories of Affected Persons

  • Customers (Buyers of Murder Mystery Games)
  • Prospects (Website Visitors, Test Customers)
  • Players (Users of the Generated Web App)
  • Support Requesters

Purposes of Processing

  • AI-Supported Generation of Personalized Murder Mystery Games
  • Payment Processing and Contract Fulfillment
  • Email Delivery of Generated Game Content
  • Provision of Mobile Web App (90 Days Access)
  • Customer Support and Communication
  • Technical Provision and Security of the Website
  • Legal Compliance and Documentation

Relevant Legal Bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data:

✅ Contract Fulfillment (Art. 6 Para. 1 S. 1 lit. b) GDPR)

Main legal basis for the generation and delivery of your personalized Murder Mystery games, payment processing and email delivery.

📋 Legal Obligation (Art. 6 Para. 1 S. 1 lit. c) GDPR)

Fulfillment of tax and commercial retention obligations, compliance with payment service provider regulations.

⚖️ Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f) GDPR)

Technical security, fraud protection, server logs for system stability, support communication and business operations.

National Data Protection Regulations: In addition to the GDPR, the regulations of the Federal Data Protection Act (BDSG) as well as other national data protection regulations in Germany apply.

AI Content Generation with Google Vertex AI

🤖 Important Notice on AI Data Processing

To generate your personalized Murder Mystery games, we use Google Vertex AI (Gemini models). Your configuration data is transmitted to Google in the USA.

Data Processed by Google Vertex AI:

  • Configuration Data: Selected Theme, Number of Players, Complexity Level
  • Inputs: Optional Descriptions of Characters or Settings
  • Culinary Preferences: Dietary Forms, Allergies, Cooking Time
  • Technical Metadata: Story Token, Language, Generation Parameters

Purpose of AI Processing:

  • Generation of Individual Crime Stories
  • Creation of Character Sheets with Secrets
  • Development of Thematic Recipes and Shopping Lists
  • Adaptation to Your Number of Players and Preferences

✅ Legal Basis

Contract Fulfillment (Art. 6 Para. 1 lit. b GDPR) - AI processing is required for the creation of your ordered product.

🔒 Data Protection at Google

  • Data Privacy Framework (DPF) Certified
  • EU Standard Contractual Clauses as Additional Protection
  • No Storage for Google's Own Purposes
  • Data Processing Agreement According to Art. 28 GDPR

⚠️ Data Transfer to the USA

By placing an order, you consent to the transmission of your data to Google in the USA. This is technically necessary for the generation of your games.

Email Delivery and Communication

For the delivery of your generated Murder Mystery games and for support communication, we use the email service Resend:

📧 Resend Email Service

Purpose: Automated Email Delivery of PDF Files

Processed Data:

  • Recipient's Email Address
  • Story Token for Unique Assignment
  • ZIP Files with Generated Game Content
  • Download Links with Time Limitation
  • Delivery Timestamps and Status

Legal Basis: Contract Fulfillment (Art. 6 Para. 1 lit. b GDPR)

Location: EU Servers, GDPR-Compliant

Retention: Email Logs 30 Days, Then Automatic Deletion

💬 Support Communication

support@crime-and-dine.io

Processed Data in Support Requests:

  • Your Email Address
  • Name (if provided)
  • Content of Your Request
  • Story Token (for Problem Resolution)
  • Communication Timestamps

Purpose: Customer Support, Problem Resolution, Quality Improvement

Retention: 90 Days After Completion of Request

ℹ️ Email Security

Emails are transmitted encrypted (TLS), but not end-to-end encrypted. Therefore, please only send confidential information via secure channels.

General Information on Data Storage and Deletion

We delete personal data in accordance with legal requirements as soon as the underlying contractual relationships are fulfilled or no further legal bases for processing exist.

🗑️ Crime & Dine .io Specific Deletion Periods

Generated Game Content: 90 Days
Web App Access: 90 Days
Email Addresses: 90 Days
Configuration Data: 90 Days

📋 Legal Retention Periods

Invoices and Receipts: 10 Years
Contract Documents: 6 Years
Payment Documents: According to Stripe Guidelines

🔧 Technical Data

Server Logs: 30 Days
IP Addresses: 24 Hours (then anonymized)
Error Logs: 7 Days

⚙️ Automatic Deletion

Our system performs automatic deletion runs daily. After the 90-day period expires, all game content and associated data are irrevocably deleted. This corresponds to our Privacy-by-Design approach.

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

📊 Right of Access (Art. 15 GDPR)

You have the right to request confirmation as to whether data concerning you is being processed and to request information about this data as well as further information and a copy of the data in accordance with legal requirements.

✏️ Right to Rectification (Art. 16 GDPR)

You have the right, in accordance with legal requirements, to request the completion of data concerning you or the rectification of incorrect data concerning you.

🗑️ Right to Erasure (Art. 17 GDPR)

You have the right, in accordance with legal requirements, to request that data concerning you be deleted immediately, or alternatively, to request restriction of processing of the data.

📦 Right to Data Portability (Art. 20 GDPR)

You have the right, in accordance with legal requirements, to receive data concerning you that you have provided to us in a structured, common and machine-readable format or to request its transmission to another controller.

⚠️ Right to Object (Art. 21 GDPR)

You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you that is carried out on the basis of Art. 6 Para. 1 lit. f GDPR.

📧 Contact for Data Protection Requests

support@crime-and-dine.io

Response Time: Weekdays within 24 Hours

Processing Time: At Latest Within One Month of Receipt

🏧 Complaint to Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority:

Bavarian State Office for Data Protection Supervision

Promenade 27, 91522 Ansbach

www.lda.bayern.de

Use of Cookies and Local Storage

The term "Cookies" refers to functions that store and read information on users' end devices. We use cookies in accordance with legal requirements only to the extent necessary for the functionality of our service.

✅ Technically Necessary Cookies

Session Cookies:

Purpose: For Payment Process and Story Token Management

Storage Duration: Until Browser is Closed (Session)

Security Cookies:

Purpose: CSRF Protection and Rate Limiting

Storage Duration: 24 Hours

📱 Local Storage (localStorage)

UI State:

Data: characterSheetActiveTab, hostGuideActiveTab

Purpose: User-Friendliness - Tabs Remain Active After Reload

Access: Local Only, No Transmission to Server

❌ What We Do NOT Use

  • Tracking Cookies: No Tracking of User Behavior
  • Analytics Cookies: No Google Analytics or Similar Tools
  • Advertising Cookies: No Marketing or Retargeting Cookies
  • Social Media Cookies: No Integration of Social Networks
  • Third-Party Cookies: Only Mandatory for Payment Processing

⚙️ Cookie Management

Browser Settings: You can manage cookies in your browser settings

Function Restriction: Disabling technical cookies may impair functionality

No Consent Required: Since we only use technically necessary cookies

🔒 Privacy-Friendly by Design

Crime & Dine .io consciously refrains from all non-essential cookies and tracking mechanisms. Your privacy comes first.

Payment Procedures

In the context of contractual relationships, we offer data subjects efficient and secure payment options and use the payment service provider Stripe for this purpose.

💳 Stripe Payment Service Provider

Provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA

EU Branch: Stripe Payments Europe, Ltd., Dublin, Ireland

Purpose: Secure Processing of Online Payments

Privacy Policy: Stripe Privacy Policy

Processed Payment Data

  • Credit/Debit Card Data (encrypted at Stripe)
  • SEPA Direct Debit Data
  • PayPal Transaction Data
  • Billing Address
  • Email Address
  • Transaction Metadata (Story Token, Number of Players)

Important Notes

  • No Card Data with Us: Payment Data is Only Stored at Stripe
  • PCI-DSS Compliant: Stripe Meets Highest Security Standards
  • 3D-Secure: Additional Authentication for Credit Cards
  • Automatic Refunds: Automatic Refund in Case of Technical Errors

Legal Bases and Data Transfer

Legal Basis: Contract Fulfillment (Art. 6 Para. 1 lit. b GDPR)

Data Transfer USA: Data Privacy Framework (DPF) Certified

Additional Protection: EU Standard Contractual Clauses

Retention: According to Stripe Guidelines for Compliance Purposes

Management, Organization and Support Tools

We use services, platforms and software from other providers for the purposes of organization, management, planning and provision of our services. When selecting third-party providers, we observe legal requirements.

🌍 IONOS Web Hosting

Provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany

Purpose: Website Hosting, Server Infrastructure, Domain Management

Processed Data: Server Logs, IP Addresses, Technical Access Data

Location: Germany (EU)

Privacy Policy: IONOS Privacy Policy

Data Processing Agreement: DPA According to Art. 28 GDPR Concluded

☁️ AWS S3 / Cloudflare R2 - Cloud Storage

Purpose: Secure Storage of Generated PDF Files and Download Provision

Processed Data:

  • Generated PDF Documents (without Personal Reference)
  • Story Token for File Assignment
  • Upload/Download Metadata
  • Temporary Access URLs

📊 Monitoring & Error Tracking

Purpose: System Stability, Error Diagnosis, Performance Monitoring

Internal Tools: No External Tracking Services

Data: Anonymized Error Logs, Performance Metrics

Retention: 7 Days for Error Logs, 30 Days for Performance Data

✅ GDPR Compliance

We have concluded data processing agreements (DPA) according to Art. 28 GDPR with all third-party providers. These ensure that your data is only processed for the agreed purposes.

International Data Transfers

Data Processing in Third Countries: If we transfer data to a third country (beyond EU/EEA), this is always in accordance with legal requirements.

🇺🇸 USA - Data Privacy Framework (DPF)

For data transfers to the USA, we primarily rely on the Data Privacy Framework, which was recognized by the EU Commission's adequacy decision of July 10, 2023:

Google Vertex AI

DPF-Certified for AI Content Generation

Stripe Inc.

DPF-Certified for Payment Processing

📜 EU Standard Contractual Clauses (SCCs)

As an additional layer of security, we have concluded EU Standard Contractual Clauses with all third-country providers:

  • AWS S3 (Cloud Storage for PDF Files)
  • Cloudflare R2 (Content Delivery)
  • Google Vertex AI (in addition to DPF)
  • Stripe (in addition to DPF)

🔒 Double Protection

This double protection ensures comprehensive protection: The DPF forms the primary protection layer, while the Standard Contractual Clauses serve as additional security and act as a fallback option in case of any changes.

Changes to This Privacy Policy

We reserve the right to update this privacy policy to adapt it to changed legal situations or changes to our services.

We will inform you of significant changes by email or through a clear notice on our website.

📅 Current Version

Last Updated: November 11, 2025

Adapted for Crime & Dine .io AI Service with Google Vertex AI, Stripe Payments and IONOS Hosting

Created based on the free privacy policy generator by Dr. Thomas Schwenke and specifically adapted for Crime & Dine .io.
