Privacy Policy (GDPR)
1. Data Controller
Data controller: Christian von Bothmer
Contact: admin@sverigesstarkaste.se
2. Purposes of Processing
- Creating and managing accounts, login and access.
- Displaying and managing content you create yourself (posts, comments, competitions, gyms, stones, records).
- Administrative actions, review and moderation.
3. Legal Basis
- Account (Article 6.1 b): to provide account features and user services.
- Legitimate interest (Article 6.1 f): for moderation, security and service improvement.
- Consent (Article 6.1 a): for optional profile content (e.g. description, profile picture) when provided by the user.
4. Categories of Personal Data
- Account (ASP.NET Identity): email, username, phone number, password hash, security stamps, login providers, and reset/confirmation data.
- Profile: name (optional), description (optional), and profile picture (filename in upload directory).
- Permissions: admin flag, ban flag, and editor permissions.
- Posts and comments: text, timestamps, and link to user ID.
- Gyms: name, address, coordinates, city, website, description, logo, and owner ID.
- Gym requests: request details, requested equipment, status, admin notes, and link to user ID.
- Governing groups: name, description, email, and members (user ID or text-based name).
- Competitions: name, date, location, coordinates, city, contact info, web and social links, registration info, image, and owner ID.
- Competition registrations: if a competition has enabled online registration, your user ID, registration date, and approval status are stored. Your contact information is not shared directly with the organiser. The organiser may send emails via the platform to all registered participants.
- Stones: name, weight, location, coordinates, city, description, image, and creator (user ID).
- Records: person name, date, weight class, optional video link, and review/administration of submissions.
- Audit log: user ID, action, entity, timestamp, and IP address.
5. Recipients of Personal Data
- Hosting and infrastructure provider(s) processing data on our behalf.
- Email provider for system messages and verification.
- External map services (e.g. OpenStreetMap) for geocoding/map tiles.
6. International Transfers
If services from providers outside the EU/EEA are used, personal data may be transferred to third countries. In that case, appropriate safeguards are ensured (e.g. standard contractual clauses).
7. Retention Period
There is no automatic data cleanup in the code. Data is retained until deleted by the user or an administrator.
Videos submitted as part of a qualifier application are retained until the user removes them, or until we determine a need to free up storage space.
8. Technical and Organisational Security Measures
- HTTPS and HSTS are used in production.
- The authentication cookie is set HttpOnly, Secure, and SameSite=Strict.
- CSRF protection via an anti-forgery token and strict cookie configuration.
- Strong password requirements and account lockout on repeated failed login attempts.
- Content Security Policy (CSP) and security headers to reduce XSS and clickjacking risk.
- Uploads are validated (file type, MIME, size) and images are re-encoded before storage.
- Audit logging of critical actions including user ID and IP address.
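As an added illustration that is not the site's own code, the following shows how the measures listed in this section are typically configured in an ASP.NET Core application using ASP.NET Identity: password and lockout policy, the HttpOnly/Secure/SameSite=Strict authentication and anti-forgery cookies, HSTS and HTTPS redirection, a CSP and related headers, and an upload handler that checks extension, MIME type and size and then re-encodes the image before writing it. The type names `AppDbContext`, the connection string, the `MAP-TILE-HOST` placeholder in the CSP, and the use of the ImageSharp library for re-encoding are assumptions, not details taken from this page.

```csharp
// Added example, not the platform's code. AppDbContext, the SQLite connection
// string, MAP-TILE-HOST and the choice of ImageSharp are assumptions.
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using SixLabors.ImageSharp;
using SixLabors.ImageSharp.Formats.Jpeg;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDbContext<AppDbContext>(o => o.UseSqlite("Data Source=app.db")); // assumed

builder.Services.AddIdentity<IdentityUser, IdentityRole>(options =>
{
    // Strong password requirements
    options.Password.RequiredLength = 12;
    options.Password.RequireUppercase = true;
    options.Password.RequireLowercase = true;
    options.Password.RequireDigit = true;
    options.Password.RequireNonAlphanumeric = true;
    // Lockout after repeated failed login attempts
    options.Lockout.AllowedForNewUsers = true;
    options.Lockout.MaxFailedAccessAttempts = 5;
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
})
.AddEntityFrameworkStores<AppDbContext>()
.AddDefaultTokenProviders();

// Authentication cookie: HttpOnly, Secure, SameSite=Strict
builder.Services.ConfigureApplicationCookie(options =>
{
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;
});

// Anti-forgery cookie with the same strict settings; token validated on every unsafe verb
builder.Services.AddAntiforgery(options =>
{
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;
});
builder.Services.AddControllersWithViews(o => o.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

builder.Services.AddHsts(o => { o.MaxAge = TimeSpan.FromDays(365); o.IncludeSubDomains = true; });

var app = builder.Build();
if (!app.Environment.IsDevelopment())
    app.UseHsts();              // HSTS only in production
app.UseHttpsRedirection();

// CSP and companion headers against XSS and clickjacking
app.Use(async (ctx, next) =>
{
    ctx.Response.Headers["Content-Security-Policy"] =
        "default-src 'self'; img-src 'self' data: https://MAP-TILE-HOST; frame-ancestors 'none'";
    ctx.Response.Headers["X-Content-Type-Options"] = "nosniff";
    ctx.Response.Headers["X-Frame-Options"] = "DENY";
    ctx.Response.Headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
    await next();
});

app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

// Upload validation (extension, declared MIME, size), then decode and re-encode.
// Decoding verifies the bytes really are an image; re-encoding strips metadata and
// any non-image content. The stored name is server-generated, never the client's.
static async Task<string?> SaveValidatedImageAsync(IFormFile file, string uploadDir)
{
    const long maxBytes = 5 * 1024 * 1024;
    var allowedExt = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { ".jpg", ".jpeg", ".png" };
    var allowedMime = new HashSet<string> { "image/jpeg", "image/png" };

    if (file.Length == 0 || file.Length > maxBytes) return null;
    if (!allowedExt.Contains(Path.GetExtension(file.FileName))) return null;
    if (!allowedMime.Contains(file.ContentType)) return null;

    using var stream = file.OpenReadStream();
    Image image;
    try { image = await Image.LoadAsync(stream); }
    catch (UnknownImageFormatException) { return null; } // header did not match a supported format

    using (image)
    {
        var name = $"{Guid.NewGuid():N}.jpg";
        await image.SaveAsync(Path.Combine(uploadDir, name), new JpegEncoder { Quality = 85 });
        return name; // filename recorded on the profile, as the policy describes
    }
}
```

`SaveValidatedImageAsync` returns `null` for any rejected upload so the calling action can respond with a validation error rather than an exception; the profile record then stores only the generated filename, which matches the "filename in upload directory" data category above.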
9. Cookies
The website uses an authentication cookie for login and an anti-forgery cookie for CSRF protection.
10. Your Rights
- You can download your personal data via the profile page.
- You can delete your account via the profile page. (Note that related content may remain depending on the database's relationship rules.)
- You can request rectification, restriction, or object to processing where applicable.