Back to Privacy Policy

GDPR Policy

Last updated: May 6, 2026

This GDPR Policy supplements our Privacy Policy and sets out in detail how 6-9.SPACE complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). It covers the legal bases for our data processing, your rights as a data subject, and how to exercise them.

Data Controller

The data controller responsible for your personal data is:

  • Spol. s r.o. registered in Slovakia
  • Michalská 372/9, 811 01 Bratislava-Staré Mesto, Slovenská republika
  • IČO: 55 094 252
  • info@6-9.space
  • Data Protection contact: info@6-9.space

Legal Bases for Processing

We process personal data only where we have a valid legal basis under Article 6 GDPR:

Performance of a contract (Art. 6(1)(b))

Processing necessary to deliver services you request — for example, recording gold vote purchases made via Stripe Checkout and crediting them to the relevant creator profile.

Legitimate interests (Art. 6(1)(f))

Processing necessary for our legitimate interests, balanced against your rights — specifically: enforcing daily voting limits using anonymised IP hashes to prevent abuse, and maintaining platform security. We have assessed that these interests are not overridden by your rights.

Legal obligation (Art. 6(1)(c))

Retaining payment transaction records for the period required under Slovak and EU accounting law (Act No. 431/2002 Coll. on Accounting, as amended; typically 10 years).

Personal Data We Process

We process the minimum data necessary for each purpose:

Creator public profiles

Display name, handle, follower count, profile photo URL, and social network metrics — sourced exclusively from publicly accessible social media pages. No private account credentials are ever accessed or stored.

Voting integrity data

A SHA-256 hash of the visitor's IP address combined with a daily salt, plus a browser session token. Raw IP addresses are hashed immediately on receipt and never persisted. Retained for up to 90 days for abuse investigation.

Payment confirmation data

Stripe transaction ID, amount, and associated vote quantity — received via Stripe webhook after a successful gold vote purchase. No payment card data is processed by us; Stripe is the sole card data processor.

Contact & nomination form submissions

Name, email address, and social handle provided voluntarily when submitting a creator nomination or a contact enquiry. Used solely to process the specific request.

Retention Periods

Creator profile data: retained while the creator is active on the platform; deleted within 30 days of a verified removal request. Anonymised voting data (IP hashes, session tokens): maximum 90 days. Payment transaction records: 10 years as required by Slovak accounting law. Contact/nomination submissions: deleted within 12 months of last activity or sooner upon request.

Third-Party Processors

We engage the following sub-processors, each bound by a Data Processing Agreement:

Stripe, Inc.

Payment processing for gold vote purchases. Stripe acts as an independent data controller for card data and its own fraud-prevention systems. See stripe.com/privacy.

VPS hosting provider

Our server infrastructure is hosted within the European Union. The provider processes data only on our instructions and under standard contractual clauses.

We do not use analytics platforms, advertising networks, or tracking pixels. No personal data is sold or shared for marketing purposes.

International Data Transfers

All platform data is stored on servers located within the European Union. Stripe may process payment data in the United States; such transfers are governed by Stripe's Standard Contractual Clauses with the European Commission. No other international transfers of personal data take place.

Your Rights Under GDPR

As a data subject located in the EU/EEA, you have the following rights. To exercise any of them, contact us at info@6-9.space with sufficient information to identify your request:

Right of access (Art. 15): You may request confirmation of whether we process your personal data and, if so, a copy of that data along with supplementary information about our processing.
Right to rectification (Art. 16): You may request correction of inaccurate personal data or completion of incomplete data we hold about you.
Right to erasure / "right to be forgotten" (Art. 17): You may request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent (if applicable), or where processing is unlawful. For creator profiles, erasure means removal of the profile from the platform.
Right to restriction of processing (Art. 18): You may request that we limit our processing of your data — for example, while a rectification request is being assessed.
Right to data portability (Art. 20): Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.
Right to object (Art. 21): You may object at any time to processing based on our legitimate interests (Art. 6(1)(f)). We will cease processing unless we can demonstrate compelling legitimate grounds that override your rights.
Right to lodge a complaint: If you believe we have violated your data protection rights, you may lodge a complaint with the Slovak supervisory authority: Úrad na ochranu osobných údajov Slovenskej republiky (dataprotection.gov.sk), or with the supervisory authority in your EU member state of residence.

We will respond to all verifiable requests within 30 days. In complex cases this may be extended by a further 60 days, with prior notice.

Security Measures

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include: TLS encryption for all data in transit, server-side IP hashing on receipt (raw IPs are never logged), access controls limiting data access to authorised personnel only, and regular security reviews. In the unlikely event of a personal data breach that is likely to result in high risk to individuals, we will notify the affected individuals and the Slovak supervisory authority within 72 hours of becoming aware.

Changes to This Policy

We may update this GDPR Policy to reflect changes in our processing activities or applicable law. The date at the top of the page indicates the most recent revision. Material changes will be announced on the platform.

Contact

For data subject requests or any data protection enquiries, please contact us at: