Privacy Notice
This privacy notice informs you, pursuant to Article 13 of the General Data Protection Regulation (GDPR), how your personal data is processed when you complete and submit the public inquiry form at /apply.
1. Controller
The controller responsible for processing your personal data within the meaning of the GDPR is the natural person operating ORIEZID:
- Name: Gassann Nyangi
- Email: talkto@oriezid.world
2. Data Protection Officer
No data protection officer has been appointed, as there is no legal obligation to do so under Article 37 GDPR. For any data protection matters, please contact the controller named in Section 1 directly.
3. What Data We Process
When you submit the inquiry form, we process the data you enter:
- First name and last name
- Date of birth
- City and country
- Email address
- Phone number (stored in international E.164 format)
- Instagram handle (if provided)
- Your request / message (free text)
- The name of the person who referred you (free text, if provided)
- Your consent (confirmation of the consent checkbox)
To prevent spam and abuse, we additionally process the following technical data automatically:
- Your browser identifier (User-Agent string)
- Your IP address only in hashed form (SHA-256); the un-hashed IP address is not stored.
4. Purposes and Legal Bases of Processing
We process your data for the following purposes on the following legal bases:
- Handling your concierge inquiry and contacting you: on the basis of your consent pursuant to Article 6(1)(a) GDPR, which you give by ticking the consent checkbox.
- Spam and abuse prevention, protection and operational security of the form (browser identifier, hashed IP address, rate-limiting requests per source): on the basis of our legitimate interest pursuant to Article 6(1)(f) GDPR in maintaining a functional inquiry channel protected against automated abuse.
5. Recipients and Processors
Your data is treated confidentially. It is disclosed only to the following service providers, which we engage as processors pursuant to Article 28 GDPR and exclusively on our instructions:
- Supabase Inc. (database / hosting of the Postgres database). The project database is operated in the EU region (Frankfurt, Germany); the company is established in the USA.
- Vercel Inc. (web hosting and serverless functions used to serve and process the form). US company.
- Cloudflare, Inc. (bot and spam protection via Cloudflare Turnstile), where activated. Whether this service is enabled currently depends on the environment, and it may not yet be active. US company.
No transfer to other third parties or sale of your data takes place.
6. Transfers to Third Countries
The providers listed in Section 5 are US companies, so processing of data in the USA or access from the USA cannot be ruled out. For these transfers to a third country, appropriate safeguards under Chapter V GDPR are in place:
- Vercel, Inc. is certified under the EU-US Data Privacy Framework (DPF); the transfer relies on the European Commission's adequacy decision for the DPF (Article 45 GDPR).
- Cloudflare, Inc. is certified under the EU-US Data Privacy Framework (DPF); the transfer relies on the same adequacy decision (Article 45 GDPR).
- Supabase Inc. is, to our knowledge, not certified under the DPF; the transfer relies on the Standard Contractual Clauses adopted by the European Commission (Article 46(2)(c) GDPR). The database itself is additionally hosted in the EU (Frankfurt).
A copy of the respective safeguards can be requested from the controller.
7. Retention Period
We store your inquiry data for as long as is necessary to handle your inquiry, plus a subsequent reasonable period to allow for follow-up questions and contact.
If your inquiry is rejected or you withdraw your consent, your data will be deleted or anonymised, unless statutory retention obligations require otherwise.
The technical anti-spam data (browser identifier, hashed IP address) is stored only for the short period required for abuse prevention and rate-limiting and is deleted thereafter.
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (Article 17 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to object to processing based on legitimate interest (Article 21 GDPR)
- Right to withdraw your consent at any time with effect for the future (Article 7(3) GDPR); the lawfulness of processing carried out before withdrawal remains unaffected.
To exercise these rights, an informal message to the controller named in Section 1 is sufficient.
9. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other remedy, you have the right to lodge a complaint with a data protection supervisory authority.
If your habitual residence is in the EU, you may contact the supervisory authority of your country of residence.
10. Whether Provision Is Required
The provision of your data is neither legally nor contractually required. You are under no obligation to complete the form.
However, we need certain details (in particular your name and a means of contact) in order to handle your inquiry and contact you. Without this information and without your consent, we cannot process your inquiry. No further disadvantages arise for you as a result.
11. No Automated Decision-Making
No decision based solely on automated processing, including profiling, within the meaning of Article 22 GDPR takes place. Your inquiry is handled by a human.