Privacy Policy

Privacy policy of TUDSaT e. V.
TU Darmstadt Space Technology e. V.
c/o: TU Darmstadt Space Technology e. V.
64289 Darmstadt,
Germany

Published Revision 1.1,
Date: 16.10.2025

The following chapters contain the Privacy Policy of TUDSaT e.V.
All users of TUDSaT services must agree to this Privacy Policy in order to get or maintain access to TUDSaT services.
You can close this website to disagree in case you have not agreed to our privacy policy before or contact us via e-mail to datenschutz@tudsat.space to withdraw from prior agreements.

Definitions

Terminology, definitions:

Terms

Definitions / Explainations

TUDSaT, TUDSaT e.V., the association

TU Darmstadt Space Technology, the association this privacy policy belongs to and originates from. Under german law our Organisation is an e.V., meaning "eingetragener Verein".

TUDSaT services, services

View the "Usage of personal data" chapter for a complete list of services provided by TUDSaT. These services aim to enable TUDSaT to fulfill its purposes as an association.

personal data, usage data

Personal Data under the definition of article 4 paragraph 1 GDPR.

Board of directors, Executive Board, Board of Management, Association Board

In german "Vorstand", the board of the top executive position in the TUDSaT e.V. Contact via e-mail to vorstand@tudsat.space

appointed association personnel, appointed personnel, appointed TUDSaT personnel, legitimised TUDSaT-internal-entity, legitimised personnel

Any entity or natural person who has been appointed by the Association Board to the task of processing personal data. These appointments are documented in the official Association Board meeting minutes (Protocol).

IT Administrators, Administrators, IT-Office

TUDSaT personnel responsible for all IT affairs, maintaining the TUDSaT services. Due to the nature of having admin permissions they can access all data saved. Contact via e-mail to admin@tudsat.space

data protection officer, data protection office

Person responsible for personal data protection matters of TUDSaT, contact via e-mail to datenschutz@tudsat.space

German Federal Data Protection Act / Data Protection Basic Regulation, GDPR

View website: https://gdpr-info.eu/

TUDSaT personnel

All persons participating in tasks of the association (TUDSaT), legitimised either by the Association Board or a branch Board, if such branch is allowed to gather personnel by its own.

external contacts

All contacts who are not explicitly part of TUDSaT, but make use of at least one of the TUDSaT services.

Information, datapoints

Umbrella-terms referring to all processed data which may or may not include personal data. Mind context.

persons / organisations concerned, concerned person

Used to give context, meaning the person whose personal data or other information is meant in used paragraph or the organisation whose information is meant in used paragraph. Only legal ownership, meaning original ownership of data is referred to by calling a party concerned, parties who have gained data by illegal means are not legal owners of said data.

Uploadee

Person who uploads media to any TUDSaT service.

service user (active / inactive), individual user, user

Any legal user of TUDSaT services. This means having agreed to a privacy policy. Active users are those whose last interaction with the association or its services is less than 6 months ago. As of now TUDSaT does not log which users are active and which users are inactive, but the time of last use of any online TUDSaT service is logged for each user.

anonymization

The act of altering any piece of media in such a way that personal data is removed. For example: blurring a person in a video or photo.

Hochschulrechenzentrum, HRZ

IT service centre for information technology at TU Darmstadt. They are housing provider for the servers of BVSR and TUDSaT. View website: https://www.hrz.tu-darmstadt.de/

TU Darmstadt

University, where TUDSaT is located and finances the housing of servers. View website: https://www.tu-darmstadt.de/

Zentrum für IT-Sicherheit, CYSEC

The data center is located at the CYSEC institute. View website: https://www.cysec.tu-darmstadt.de/

hosting entities (explaination of "co-shared rackspace")

The rackspace used by TUDSaT is shared with several other entities assigned by the HRZ. For more information contact the HRZ.

Admins of BVSR e.V., BVSR e.V., BVSR

“Bundesverband studentischer Raumfahrt”. Due to TUDSaT Services running on the same hardware as the IT Services of the BVSR e.V., Administrators of this association also have access to the room with the TUDSaT services servers. BVSR is also an association in the form of an “eingetragener Verein”. Contact via e-mail to vorstand@bvsr.space

administrative rights, root permissions, administration

Admins of the TUDSaT Services have so called root permissions enabling them to view, modify and delete any data on the server.

security incident, breach in data security, data breach, unlawful conduct, unlawful use

Describes scenario of personal data and or other confidential data leaving the scope of the data processing parties mentioned in this privacy policy and their legitimisations as described by german law and this privacy policy, and the probable suspicion (from log-data) that such happening occured or is intended to occur. May or may not include third party involvement.

treasury management

Financial department of TUDSaT. Contact via e-mail to: finanzen@tudsat.space

tax regulations (regarding data storage of up to 10 Years)

Laws in relation to §257 of the German Commercial Code "Handelsgesetzbuch, HGB", german explaination on this website: ( https://www.frankfurt-main.ihk.de/recht/uebersicht-alle-rechtsthemen/steuerrecht/abgabenordnung/aufbewahrung-von-geschaeftsunterlagen-5195530 )

Media material

Videos, Photos, Audio recordings etc.

third parties

Any person, group or organisation not related to TUDSaT and its way of processing data.

server-logfiles

All interactions with TUDSaT services are logged for auditing purposes and will be deleted within a year.

controller of IT-Systems, controllers

The Organisation responsible for operating referred IT-Systems (BVSR e.V. or TUDSaT e.V.).

branch board (such as "Networking committee")

Branch Boards are created by the Association Board to aid in specific tasks such as managing all external contacts ("Networking committee"). This enables the Association Board to better focus on other subjects.

deletion notice, notice, notice of compliance

E-mail sent by appointed TUDSaT personnel or an automated IT-System in order to inform a concerned party about the status of their personal data or datapoints belonging to them within the services and publications of TUDSaT.

hessian data protection authorities, supervisory authority

Direct authority in regards to data security of TUDSaT e.V.. View website: https://datenschutz.hessen.de/

German Name of authority: "Hessischer Beauftragter für Datenschutz und Informationssicherheit"

TUDa-CERT

Computer Emergency Response Team of TU Darmstadt, responsible for coordination in case of IT security incidents. View website: https://www.tu-darmstadt.de/it-sicherheit/itsecurity_ueberuns/itsecurity_tuda_cert/.

Contact via E-mail to: cert@tu-darmstadt.de

data subjects

All who have agreed to any TUDSaT privacy policy or are otherwise convinced that TUDSaT holds personal data belonging to them.

Access to personal data

Access to all personal data collected by TUDSaT e.V. is granted to the Board of Directors, association personnel appointed by the Board of Directors, IT Administrators and the data protection officer of the association. The data protection officer is elected annually and is the association's internal contact person for data processing. The current composition of the Board of Management and the current data protection officer are listed on the association's website (https://tudsat.space).

Personal data needed for the functions of services applied by the user can be seen by other users of the same service. View services sheet in the "usage of personal data" chapter. This does not apply for services where users use the service independent of each other (communication / information platforms vs. direct contact to TUDSaT).

The Executive Board can be contacted via the e-mail address (vorstand@tudsat.space) and the data protection officer via the e-mail address ( datenschutz@tudsat.space )

Within the framework of the provisions of the German Federal Data Protection Act / Data Protection Basic Regulation, each person has the right to obtain information about the personal data stored about them by the association. In the event of incorrect data, each person has the right of correction. Contact: datenschutz@tudsat.space via e-mail to do so.

Collection of personal data

TUDSaT e.V. collects and stores the necessary usage data of and for all the used services provided by TUDSaT e.V. and BVSR e.V. to ensure all functionalities, which includes personal data such as, but not limited to:

Name
Username
Email address
Mobile phone number

This privacy policy is used equally for the collection of personal data from TUDSaT personnel and the collection of personal data of external contacts, when they want to make use of TUDSaT services.

Other information about persons and organizations is only collected by the association if it is useful for the fulfillment of the association's purpose and the person or organization has given explicit consent for the collection and use of their informations.

Information that is non-personal and public by the intent of the owner (only concerning organisations) will be collected if deemed useful for the purpose of the association and unlikely to be opposed by the owner.

The deletion of these and other datapoints of persons or organisations will be done:

after 10 years of no interaction with the association
as soon as possible after instructing the association to delete via e-mail to: datenschutz@tudsat.space
as soon as possible after instructing the association to delete via letter to:
TU Darmstadt Space Technology e.V.
c/o: TU Darmstadt Space Technology e. V.
64289 Darmstadt,
Germany
when appointed association personnel notices that the reason for the collected datapoint is no longer in effect
when an automated IT system determines that the reason for the collected datapoint is no longer in effect

With the exception of "10 years of no interaction", all stated above reasons for data deletion will cause association personnel or an automated IT system to inform the person or organisation concerned, about which data was deleted via e-mail. In case the e-mail address is part of the data to be deleted the association assures that appointed personnel or automated IT systems deletes this data immediately after sending the notice.

In case no e-mail address was given to the association, no deletion notice will be sent.

In case a person or organisation wishes data such as pictures and videos (only data that has been provided by them) should remain for use by the association indefinitely, this wish must be stated via e-mail to: datenschutz@tudsat.space It is expected that alteration of the data for the purpose of anonymization might be necessary and that work required for this anonymization should be done by the persons / organisations concerned.

For the fulfillment of stated deletion obligations users of the BVSR/TUDSaT-Cloud, -Wiki and other services must mark the persons and organisations visible and audible in footage. They (the service user / uploadee) are also responsible for ensuring the consent of all recorded parties (consent for storage on used service).

Storage of personal data

The so called tudsat-cluster of TUDSaT e. V. consists of multiple servers operating from the "Hochschulrechenzentrum" (HRZ) at the TU Darmstadt in a data center. All data stored and offered by services of BVSR e. V. or TUDSaT e.V. are currently physically stored on the cluster. The location is as follows:

S2|20 Zentrum für IT-Sicherheit CYSEC
Pankratiusstraße 2,
64289 Darmstadt
Germany

The cluster itself is locked inside a co-shared rackspace with two other (currently unknown) hosting entities. The admins of TUDSaT e. V. do have direct access to the hardware and can administrate those. The employees of the HRZ and admins of the other hosting entities of the co-shared rackspace are also able to access the locked rack with a key. The data center itself is only accessible to hosting entities and employees of the HRZ as well as fire figthers and contractors employed by the HRZ via a transponder locksystem from SimonsVoss.

Administrators of the BVSR and TUDSaT have administrative rights, so called root permissions, to manage the nodes of the tudsat-cluster and the cluster itself as well as all the services running on them.

The cluster and the operating systems on the nodes are enclosed in a local subnet behind the Firewall of the HRZ and TUDSaT and are only reachable for administration via a wireguard VPN access providing sufficient security through cryptographical means. Services of the BVSR and TUDSaT are only reachable after passing through an isolated reverse proxy (traefik), which enforces modern encryption standards for https requiring at least TLS1.2 for all web connections (list of supported cypher suits).

All data that is stored on the tudsat-cluster is by default not encrypted by software.

Since access to personal data will, in most cases, not be done at the tudsat-cluster directly, it is to be expected that personal data will exist in cached form on personal devices. Depending on the software and hardware used, this can have varying standards of IT security.

In case of a breach in data security, the data protection officer will inform the parties concerned and hessian authorities immediately. View the chapter titled "Notice on the revocation of consent to processing or publication concerning personal data" for more information on the procedure for such security incidents.

In case of technical questions concerning the storage of personal data contact our IT-Office via e-mail to: admin@tudsat.space

Within the scope of the provisions of the German Federal Data Protection Act and related laws the right to information about the personal data stored about the concerned person can be used by contacting the data protection officer via e-mail: datenschutz@tudsat.space

When a user leaves the association their personal data will be deleted as soon as possible, unless explicit consent is given by the user (in case their information is still of use for the purpose of the association) before leaving the association.

In the event of withdrawal or expiration of permission to use personal data, the personal data concerned will be deleted, unless it has to be stored in accordance with legal requirements. Personal data relating to the association's treasury management will be stored in accordance with the provisions of the tax regulations for up to ten calendar years, starting from the withdrawal of the usage permit. After this period, the data will be deleted.

For media material stored on BVSR/TUDSaT services a general deletion time of ten years after its upload exists, if the uploadee marks the media for such automation, which they are obliged to do by agreeing to this privacy policy. The uploadee must not mark media for automated deletion when all concerned parties gave their explicit permission for indefinite storage.

The Contact Form on TUDSaT’s website for the BVSR-Conference 2026 will store data on google services. The data will be stored by google, but is intended to be only accessable by the TUDSaT Association Board. The website’s contact form: https://bvsr.tudsat.space/contact

Transmission of personal data

Personal data may be disclosed to internal and external natural persons or even organizations with the appropriate consent. The transmission of personal data takes place in a data-technical, encrypted procedure.

In the context of transfers of personal data, the right exists to know to whom which data has been passed on (to make use of this right contact this e-mail: datenschutz@tudsat.space). A data transmission outside of the explicitly granted consent to other third parties does not take place.

For this reason the IT-Office will log all usage of personal data via server-logfiles in order to archive who has made use of personal data stored for the association at any given time. These server-logfiles will be kept for 6 months after their generation. In case of a data breach, these server-logfiles will be used for forensic investigation, thus being kept longer in accordance with concerned authorities.

Use of personal data for the purpose of advertising or any other commercial intent does not occur, unless the user gave explicit consent.

Usage of personal data

By consenting to this Privacy Policy you agree that the TUDSaT e.V. can process your personal data according to the methods stated in this Policy, with BVSR e.V. and TUDSaT e.V. as the controllers of IT-Systems. All collection and use of personal data must be presented explicitly, in order for you to be able to agree. This is why we have listed our services and the purpose that they cover. For each purpose, the data used / needed is indicated and the processing procedure is explained. You will be able to decide by yourself whether or not you want to use all, a selection of or none of our services after agreeing to this Policy. If you wish to disagree with this policy at any point in time contact this e-mail: datenschutz@tudsat.space and express that you want to disagree (this will result in the immediate deletion of your personal data from all our records and will also end your ability to use our services). In case you have not agreed to a TUDSaT Privacy Policy before, we should not have any of your personal data, unless you have interacted with the association before the making of this privacy policy. This case will not exempt you from your right to disagree and have your data deleted.

If the controllers or any other legitimised TUDSaT-internal-entity intends to process personal data for a purpose other than listed or for other reasons than the data was collected for, they must reach out to the concerned party (owner of concerned personal data), inform them about the reasons which explain why this process would benefit them, what exactly each new use-case of their data is and wait until explicit consent or disagreement is given, before proceeding (disagreement by the party concerned or the lack of contact information will end such process). It is important to remember that implicit agreement does not exist when listing use-cases for personal data or in the legal handling of such data in general. Law and our Privacy Policy is intended to keep all agreements to the use of personal data explicit. If you suspect any TUDSaT agreement, including this Privacy Policy to be too unspecific or implicit, then please contact this e-mail: datenschutz@tudsat.space in order to request correction.

Services sheet:

Service

Purpose of processing

Affected personal data

Affected persons and recipients

Responsible authority

BVSR Wiki

Knowledge database of the BVSR. Data is used to prevent unauthorized access and maintain required functionality.

IP Time(s) of usage Browser Resources requested Name Username Published content Pictures and videos

All users of the BVSR Wiki

Association Board

BVSR Cloud

File storage and archive of the BVSR. Data is used to prevent unauthorized access and maintain required functionality.

IP Time(s) of usage Browser Resources requested Name Username Email Published content Pictures and videos

All users of the BVSR Cloud

Association Board

BVSR Chat

Internal communication platform within the BVSR e.V. to establish communication with a member (person) and preventing unauthorized access.

IP Time(s) of usage Browser Resources requested Name Username Email Published content Pictures and videos Online status Mobile phone number (optional)

All users of the BVSR Chat

Association Board

BVSR Antrag

Tool for voting on revision to texts and submitting changes. Data is used to prevent unauthorized access and maintain required functionality.

IP Time(s) of usage Browser Resources requested Name Username Email Published content

All users of the BVSR Antrag

Association Board

BVSR SSO

Ensuring functionality of the Single-Sign-On service and preventing unauthorized access in the BVSR services

IP Time(s) of usage Browser Resources requested Name Username Email Membership of member associations

All users of BVSR Services that require login

Association Board

BVSR Website

Presentation of the BVSR to the outside

IP Time(s) of usage Browser Resources requested

Every visitor

Association Board

BVSR Links

Collection of links to all services

IP Time(s) of usage Browser Resources requested

Every visitor

Association Board

BVSR Pad

Pad to write down protocols or other notes and preventing unauthorized access

IP Time(s) of usage Browser Resources requested Name Username Email Published content

All users of the BVSR Pad

Association Board

BVSR Status

View status of BVSR services

IP Time(s) of usage Browser Resources requested

Every visitor

Association Board

BVSR Pastebin

Anonymous pastebin service to share end-to-end encrypted text snippets

IP Time(s) of usage Browser Resources requested

All users of the BVSR Pastebin

Association Board

TUDSaT Cluster

Auditing changes to IT-Systems and preventing unauthorized access

IP Username Time & date of access Actions taken

BVSR admins

Association Board

TUDSaT Website

Presentation of the TUDSaT association to the public; hosted on Vercel with content managed via Prismic, data collected for monitoring interactions and ensuring functionality.

IP address, browser data, interaction data, device information

Every visitor

Association Board

TUDSaT Mattermost

Internal Communication Plattform

IP Time(s) of usage Browser Resources requested Name Username Email Published content Pictures and videos Online status Mobile phone number (optional)

All users of the TUDSaT Mattermost

Association Board

e-Mails

Direct method of communication

Email Name

All e-Mail contacts

Association or branch Board (example: Networking committee)

phone calls

Direct method of communication

Mobile and other phone numbers Name

All phone-call contacts

Association or branch Board (example: Networking committee)

postal Mailings

Direct method of communication, delivery and acceptance of hardware

Adress or PO Box Name

All postal contacts

Association or branch Board (example: Networking committee)

Fax

Legacy method of communication

Fax number Name

All fax contacts

Association or branch Board (example: Networking committee)

Google Forms on BVSR Conference 2026 website

Allows the public to initiate communication with TUDSaT

All Data entered by user in the google-forms

All forms-users

Association Board

TUDSaT personnel have the option of keeping their personal data longer inside the association than their membership duration via explicit agreement with the association board. This can be done verbally. It is advised to only use this arrangement for the enabling of long term reference capability, for example, enabling the association to be able to confirm that a key possition at the association was held by concerned person.

TUDSaT personnel appointed for processing personal data agree to the association keeping their personal data for up to 10 calendar years, for the purpose of possible leagal liabilities regarding their activities.

All IT-Services (except e-Mails, phone calls, Google Forms on BVSR Conference 2026 website, postal Mailings and Fax) store their required personal data internally. View previous chapters to see what personnel and automated systems could have access under normal and special circumstances.

All other services (the ones noted as exceptions above) store their personal data on the TUDSaT Cloud, with password protected access (legitimised personnel only). Also view previous chapters for clarification on this.

Notice on the revocation of consent to processing or publication concerning personal data

Revocation of consent to the publication or general processing of personal data as defined in the GDPR may be submitted at any time to the Association Board or to the data protection officer.

The publication of personal data of any kind will only occur with explicit consent of the persons concerned. This chapter serves as a reminder that such consent can be revoked at any time.

The individual user may object to publication at any time by contacting the Association Board or the data protection officer. In the event of an objection, no further publications will be made with regard to the objecting user. Personal data of the objecting user will be removed from the services of the association, the publications concerned (by method of deletion of such publications) and a notice of compliance will be sent to the user concerned, as stated in previous chapters.

In case the revocation is meant to address only specific publications or specific use / processing of personal data and not all services / the Privacy Policy as a whole, such intent can be stated by the party concerned in the first correspondence regarding the subject. The data protection officer with advice from the association board and appointed TUDSaT personnel will decide whether or not a complete deletion of personal data is necessary case by case.

To make use of revocation contact this e-mail (data protection officer): datenschutz@tudsat.space

In case of unlawful conduct or security incidents with any party concerned regarding personal data, the data protection officer will inform the persons / organisations / our users affected immediately, notify hessian data protection authorities as required by law and make efforts to force deletion regarding known unlawful use. In case of fault lying within the responsibilities of the tudsat-cluster owners this notification will occur through the TUDa-CERT (the responsible entity for IT-security regarding the tudsat-cluster). The association board and appointed TUDSaT personnel will also become active participants of mitigation in this case, such that appropriate reactions can be taken as fast as possible.

Protection of Policies

In case an aspect or multiple aspects of this privacy policy turn out to be legally void or outdated, all other aspects remain in force.

The user agrees to inform the association in case such legally voiding aspects are found by them.

The association must find agreements with the concerned user and update the privacy policy.

E-Mail: datenschutz@tudsat.space

Reference to the right to complain to a supervisory authority

The State Commissioner for Data Protection and Freedom of Information of Hesse is available as the supervisory authority for the submission of complaints by data subjects regarding data protection. The complaint can be submitted via e-mail to the following address:

poststelle@datenschutz.hessen.de