Privacy Policy.
GDPR + TDDDG (German Telecommunications and Digital Services Data Protection Act) compliant privacy notice, last updated 2026-05-05.
// 1 · Overview
This notice explains in plain English which personal data the European Urban Future Alliance website processes, why we process it, on which legal basis, for how long, with whom, and what rights you have as a data subject. It applies to urban-future-alliance.com and all of its sub-paths.
The European Urban Future Alliance is published under the umbrella of GEORG Media. The website is designed and operated by mi media intelligence SL under the direction of Tobias Hager.
// 2 · Day-to-day contact for privacy enquiries
Please direct any privacy-related enquiry, including access, rectification, erasure, restriction, portability and objection requests, to:
Tobias Hager
CCO and CTO, GEORG Media · Editor-in-Chief, European Urban Future Alliance
Email: t.hager@georg-media.de
// 3 · Controller (legally required)
Controller in the sense of Art. 4 (7) GDPR is Georg GmbH & Co. KG, Maximilianstraße 43, 80538 Munich, Germany, registered at Amtsgericht München under HRA 111553. Represented by general partner Georg Verwaltungs GmbH (HRB 252554), itself represented by managing director Dominik Baur-Callwey. Phone: +49 89 436005-0. Email: hallo@georg-media.de.
// 4 · Operator and processors
The website is designed, built and operated by mi media intelligence SL (CEO: Tobias Hager) on the basis of a data processing agreement under Art. 28 GDPR. Contact: th@mi.network.
The website is delivered through the global edge network of Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA). Vercel is a processor under Art. 28 GDPR. Transfers to the United States are based on the EU-U.S. Data Privacy Framework, for which Vercel is certified.
Domain registration is held with Hostinger International Ltd., Švitrigailos g. 34, Vilnius LT-03104, Lithuania. The registry sets the public DNS record only; the legacy Hostinger website is no longer served from this domain.
// 5 · Server logs
When you visit the site, the hosting infrastructure logs basic technical data needed to operate the service and detect abuse: IP address, user agent, timestamp, requested URL, referrer URL, response code, transferred byte count.
Legal basis: Art. 6 (1) (f) GDPR, legitimate interest in stable, secure operation of the service. Retention: a maximum of 14 days, after which logs are deleted automatically. We do not enrich, correlate or commercialise this data, and we do not pass it on to third parties unless legally required.
// 6 · Cookies and local storage (TDDDG)
We use a layered consent banner that distinguishes four categories: Strictly necessary, Functional, Statistics and Marketing. The full per-item disclosure is on the Cookies page.
The only entry we set without consent is a strictly necessary localStorage entry named urban-future-alliance-consent that records your own consent decision so we don’t ask again on every page view. Legal basis: § 25 (2) Nr. 2 TDDDG (technically necessary). All other categories are off until you opt in. You can withdraw consent at any time, with effect for the future, on the Cookies page.
// 7 · Web fonts (Google Fonts)
The site uses the Inter and JetBrains Mono web fonts. They load from fonts.gstatic.com only after you grant Functional consent. Without consent, the page renders in your operating system’s default font stack.
When the fonts do load, your browser opens a connection to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, transmitting your IP address and user-agent string. Legal basis: Art. 6 (1) (a) GDPR, your active consent, given via the cookie banner. International transfer is covered by the EU-U.S. Data Privacy Framework. You may withdraw this consent at any time on the Cookies page.
// 8 · Statistics (Vercel Web Analytics + Speed Insights)
When you grant Statistics consent, the page loads two cookie-free measurement tools provided by Vercel Inc. (USA, certified under the EU-U.S. Data Privacy Framework):
- Vercel Web Analytics counts page views and referrer sources at an aggregate level. Visitor identification uses a daily, salted hash of IP + user agent that resets every 24 hours and is never persisted on your device. No cookie is set.
- Vercel Speed Insights measures Core Web Vitals (LCP, CLS, INP, TTFB) to help us spot slow pages. Also cookie-free; only performance samples are transmitted.
Legal basis: Art. 6 (1) (a) GDPR, your active consent given via the cookie banner. International transfer to the United States is covered by the EU-U.S. Data Privacy Framework. You may withdraw this consent at any time on the Cookies page; the script is unloaded immediately.
Server-side aggregates (no individual identification) are retained for up to 12 months. We do not run advertising or remarketing tooling, and have no plans to.
// 9 · Email contact
When you contact us by email, the address you write from and the content of your message are processed solely to respond to your enquiry. Legal basis: Art. 6 (1) (b) GDPR if your enquiry is pre-contractual, Art. 6 (1) (f) GDPR otherwise. Messages are deleted once the matter is concluded, at the latest after 24 months, unless statutory retention obligations apply.
// 10 · Newsletter (planned)
We do not currently send a newsletter from this site. If we add a newsletter, sign-up will use the double-opt-in procedure: you submit your email address, you receive a confirmation email, and only after you click the confirmation link is your address added to our distribution list. Legal basis will be Art. 6 (1) (a) GDPR (consent), with a separate Privacy notice update at that time disclosing the mailing provider, recipients and retention. You will always be able to unsubscribe with one click.
// 11 · Founding-Partner contracts
For Founding Partners, contact data (name, role, business email, phone, company address) is processed to negotiate, conclude and execute the partnership contract. Legal basis: Art. 6 (1) (b) GDPR. Tax-relevant data is retained for 10 years pursuant to § 147 AO; commercial correspondence for 6 years pursuant to § 257 HGB.
// 12 · Recipients
Personal data is transmitted only to the processors listed under § 4, to public authorities where legally required, and, within the GEORG Media group, to the Alliance editorial and sales teams to the extent necessary for editorial coordination and partnership servicing. We do not sell personal data and we do not share personal data with advertising networks.
// 13 · Your rights
You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21) regarding your personal data. Where processing is based on consent, you may withdraw your consent at any time with effect for the future, without affecting the lawfulness of processing carried out before withdrawal. The simplest way to exercise these rights is to email t.hager@georg-media.de.
You also have the right to lodge a complaint with a supervisory authority. The competent authority for the controller is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
Web: lda.bayern.de
// 14 · Automated decisions / profiling
We do not use this website for automated individual decision-making within the meaning of Art. 22 GDPR, and we do not profile visitors.
// 15 · Reader sign-in (Supabase Auth)
Optionally, readers can create an account on the Alliance website to keep their reading preferences and Folio chat memory across devices. Sign-in is passwordless via a one-time magic link emailed to the address you provide. We do not store passwords and we do not run our own SMTP server.
Processor: Supabase Inc., 970 Toa Payoh North #07-04 Singapore 318992, operating an EU-only project hosted on AWS in eu-central-1 (Frankfurt). An EU Standard Contractual Clauses (SCC) data-processing agreement is in place. The transactional emails (magic link) are sent through Supabase’s built-in mailer.
Data processed: email address (sign-in identifier), optional display name, optional city, up to five interest tags, and your recent reading history on this site (last twelve articles). For signed-in visitors, recent Folio chat turns (max twelve) are also stored to provide cross-device continuity. Marketing consent is stored as a boolean and defaults to false.
Legal basis: Art. 6 (1) (b) GDPR (performance of the account contract you enter into when you sign in) for the email address and session cookie; Art. 6 (1) (a) GDPR (consent) for the optional newsletter checkbox.
Cookie: Sign-in sets a single functional cookie named sb-<project-ref>-auth-token. It contains the session JWT, is HTTP-only, SameSite=Lax, and expires when you sign out (or after 7 days of inactivity, whichever comes first). It is strictly necessary to keep you logged in and is therefore not gated by the consent banner.
Retention: Profile and memory rows are kept for as long as your account exists. You can delete the entire account — profile, memory, usage rows and sign-in identity — with one click at /account. Deletion is immediate, irreversible, and cascades through all rows referenced by your user-id.
// 16 · OAuth sign-in (Google · LinkedIn)
In addition to the magic-link path described above, readers may choose to sign in via a one-click OAuth handshake with Google or LinkedIn. Whichever provider you pick, a redirect cookie set by that provider on its own domain keeps the session for the duration of the round-trip and is then discarded. We never receive your password.
Recipients: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (with affiliate LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA).
Data exchanged: the OAuth provider sends us an opaque user identifier, your verified email address, your display name and (where available) a profile-picture URL. We do not request additional scopes. The identifier is stored under oauth_providers on your reader profile so we can link future sign-ins.
Legal basis: Art. 6 (1) (b) GDPR (performance of the account contract you enter into when you sign in). For the international transfer to the U.S. (where applicable): both Google and LinkedIn are certified under the EU-U.S. Data Privacy Framework.
Retention: the linked-provider list is retained for the life of your account; deleting the account at /account removes the link.
// 17 · Live-selfie verification (face-api.js)
The Alliance is a Klarnamen-network. To prove that the photo on your reader profile is actually a photo of you, sign-up step 3 asks for a short live selfie via your device camera. The matching is done locally in your browser using face-api.js, an open-source JavaScript library for facial recognition. The library and its model weights are loaded only on the /auth/sign-up route from this site’s own origin, no third-party CDN.
Where the processing happens: entirely on your device. The live camera stream, the captured frames, and the 128-dimensional face descriptor never leave your browser’s memory. The stream is dropped the moment the page is closed.
What we persist: only (a) a boolean derived from the comparison (verification_status flips from pending to verified), (b) a perceptual hash of your profile photo (a 16-character hex string of an 8×8 average-hash, used for re-verification, not for biometric identification), and (c) a timestamp of the last selfie attempt. We do not store your selfie image, your face descriptor, or any other biometric template.
Legal basis: Art. 6 (1) (a) GDPR (consent, by clicking «Capture frame» you confirm you want the comparison to run) and Art. 6 (1) (b) GDPR (performance of the Klarnamen-account contract). Because no biometric data is persisted, Art. 9 GDPR does not apply.
Camera permission: you can deny the camera permission in your browser at any time; the selfie step won’t run, and your account stays in pending verification status. You can still browse the magazine and use Folio chat; only posting and replying require verification.
Retention: the verification boolean, the photo hash and the last-selfie timestamp are kept for the life of your account. Deleting the account at /account removes them all.
// 18 · Audio version of articles (ElevenLabs)
Each magazine article carries a play button that reads the piece aloud. The audio is rendered once per article version through ElevenLabs Inc., 169 Madison Ave, New York, NY 10016, USA. The text we send to ElevenLabs is the published article body; no reader data and no user identifiers ever travel along with it.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in providing accessibility-friendly reading); transfer to the U.S. covered by Standard Contractual Clauses (we use ElevenLabs' EU residency endpoint where available, otherwise the SCC framework applies).
What we keep: the rendered MP3 is cached in our own EU storage so playback never re-hits ElevenLabs once the article is rendered. The cache key is the article's updated_at timestamp; on edit we re-render. No usage analytics on your individual play sessions.
// 19 · Updates to this notice
This privacy notice may be updated to reflect new functionality or new legal requirements. The latest version is always available at urban-future-alliance.com/privacy. Material changes (new processors, new categories, changed retention) trigger a fresh consent prompt via the banner version field, so previously stored consents do not silently extend to new processing.
