Privacy Policy
Last updated: June 17, 2026
1. Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) is:
OpitzWorks Inh. Tobias Opitz
Stockhauser Str. 17
42929 Wermelskirchen
Germany
Email: info@mejay.io
Data Protection Officer: Tobias Opitz (contact details above)
2. Overview & Principles
MeJay is a music request service for DJs: DJs create a channel for each event;
guests access a mobile request page via a QR code, submit music requests, and
vote on them. We process personal data according to the principle of
data minimization:
- Hosting in the EU (Hetzner Online GmbH, Germany).
- No tracking cookies, no Google Analytics, no tracking pixels, no
advertising/profiling networks. - No external CDNs — fonts (Inter), scripts, and stylesheets are served locally from the
MeJay server. - Guests require no account and are only identified via a pseudonymous identifier.
3. DJ Account (Registered Users)
Data processed: Name, email address, optional billing email, password (stored
only as a cryptographic hash), language preference, role, timestamp of
email confirmation, account timestamps. With two-factor authentication enabled,
additionally a TOTP secret and recovery codes.
Purposes: Provision and management of the DJ account, authentication, email confirmation,
password reset, optional two-factor authentication. Upon registration, consent to the
Terms & Conditions is required (mandatory checkbox).
Legal basis: Art. 6 (1) lit. b GDPR (contract/pre-contractual measures); for
security measures additionally Art. 6 (1) lit. f GDPR.
Spam/bot protection during registration: Honeypot field and an encrypted
render timestamp (no personal data evaluation) as well as IP-based rate limiting (see
Section 5). Legal basis: Art. 6 (1) lit. f GDPR (protection against abuse).
Retention period: until deletion of the account (see Section 11). Unconfirmed accounts
are automatically deleted after a short period (default 7 days).
4. Public Request Pages (Guests / "Wishers")
Guests who submit a music request or vote via a QR code/link do not create an
account and do not provide a name or email address.
Pseudonymous identifier: To recognize their own device (manage own requests,
enforce request/voting limits), a technically necessary cookie
wisher-identifier containing a random identifier (UUID) is set — without name or
email. Lifetime: long-lived (up to approx. 5 years), HttpOnly. Legal basis for
storage on the device: § 25 (2) TTDSG (strictly necessary for the service explicitly requested by the user).
Data processed: submitted music requests (title, optional artist, optional
comment), up-/downvotes, and potentially a channel-related ban — each linked to the pseudonymous identifier. Comments are moderated via a word filter.
Purpose: Provision of the request service for the respective DJ's event.
Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in providing
the service).
Retention period: until deletion of the associated channel or DJ account.
5. Server Logs & IP Addresses
- Abuse/spam protection (rate limiting): To limit registration,
request, and voting attempts, the IP address is processed only temporarily in a volatile
cache and not permanently stored in the database.
Retention only for the duration of the respective time window (seconds to one hour).
Legal basis: Art. 6 (1) lit. f GDPR. - Logged-in DJ sessions: For the duration of a logged-in session, for
session management purposes, IP address and browser identifier (user agent) are stored. Sessions
expire by default after 120 minutes of inactivity. - Web server logs: Any server log files from the host/web server must be reviewed
server-side and supplemented here if necessary (content, purpose, retention period) — see Section 15.
6. Cookies & Local Storage
MeJay uses exclusively technically necessary cookies as well as local
browser storage for a display setting. No tracking or
marketing cookies and no third-party trackers are used.
| Name | Type | Purpose | Lifetime |
|---|---|---|---|
…_session |
Cookie | Session management (login status) | ~120 min. |
XSRF-TOKEN |
Cookie | Protection against cross-site request forgery | Session |
wisher-identifier |
Cookie | Pseudonymous device identifier for guests (see 4) | up to ~5 years |
appearance |
LocalStorage | Display mode light/dark/system (no personal data) | until deleted by user |
7. Recipients / Data Processors / Third-Country Transfer
We use carefully selected service providers. Data processing agreements (Art. 28 GDPR) must be
concluded with processors; for transfers to third countries,
appropriate safeguards must be ensured.
| Service | Data Processed | Purpose | Location / Third Country |
|---|---|---|---|
| Hetzner Online GmbH | all data stored in the app (hosting) | Server operation/storage | Germany (EU) |
| SendGrid (Twilio Inc.) | Recipient email, name, links/tokens in emails | Sending transactional and broadcast emails (SMTP) | USA — transfer based on Standard Contractual Clauses / EU-US Data Privacy Framework |
| Last.fm (Audioscrobbler) | entered search term (title/artist) | Title autocompletion; call made server-side, no guest IP transmitted to Last.fm | United Kingdom (adequacy decision) |
| payments.opitzworks.de | Redirect to checkout | Checkout/management of Pro subscription | OpitzWorks, Wermelskirchen, Germany |
Billing/payments: MeJay stores no payment data. Subscription management and
the payment process run entirely via the payment service; locally only the determined subscription status is cached.
8. Advertising on Request Pages (Free Plans Only)
On the request pages of DJs on the free plan, our own advertising banners may be displayed.
Only aggregated metrics (number of impressions/clicks per banner) are recorded —
no personal data and no profiling. A click redirects to the
external destination page of the advertiser; their own privacy policy applies.
9. Migration of Existing Customers
Accounts and content from existing customers of the previous MeJay service were migrated to the new
platform (name, email, profiles, channels, requests, votes, bans, and active subscription status). Passwords were not migrated — reactivation is done via
password reset. Legal basis: Art. 6 (1) lit. b and lit. f GDPR
(continuation of the contractual relationship or legitimate interest in the takeover of existing customers).
10. Email Communication
We send transactional emails (email confirmation, password reset,
reactivation invitations, data export, deletion log) as well as potential service announcements
to DJs. Email service provider is SendGrid/Twilio (see Section 7). Legal basis:
Art. 6 (1) lit. b or lit. f GDPR.
11. Retention Period & Deletion
| Data | Retention |
|---|---|
| DJ account & related content | until deletion by the user/operator |
| Unconfirmed accounts | automatic deletion after a short period (default 7 days) |
| Migrated, non-reactivated accounts | automatic deletion after default 6 months |
| Sessions | ~120 minutes (inactivity) |
| IP in rate limit | only temporary (seconds to 1 hour), not in DB |
Deletion (right to be forgotten): Upon account deletion, the account and all
associated data are irrevocably removed (no "soft delete"): channels, requests,
votes, bans, and uploaded images (cover images, logos, profile backgrounds).
A log is kept of the deletion process that contains only metadata
(e.g., timestamp and affected account identifier) — no content data.
12. Your Rights
You have the right, within the framework of the legal requirements, to access (Art. 15),
rectification (Art. 16), erasure (Art. 17), restriction of processing
(Art. 18), data portability (Art. 20), and objection (Art. 21), as well as the right to
withdraw any consent given at any time.
Practical implementation: In the DJ account, a self-service data export (machine- and
human-readable as JSON/CSV/PDF including uploaded images as a ZIP archive) as well as a
self-service account deletion are available. Requests can also be directed to the data controller
(Section 1).
Right to lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority.
13. Data Security
- Encrypted transmission (TLS/HTTPS; enforced in production).
- Passwords are stored exclusively as a cryptographic hash.
- Optional two-factor authentication for DJ accounts.
- Security HTTP headers including Content Security Policy (in production).
- Security-relevant tokens are stored only in hashed form.
14. Changes to This Privacy Policy
We adapt this privacy policy when data processing or the legal situation
changes. The version currently published at https://mejay.io applies.