Your Privacy Matters

Privacy Policy

Last updated: January 2026

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:

Worth a Shot, LLC

Delaware LLC

Email: joe@frey.club

2. Overview of Data Processing

The following overview summarizes the types of data processed and the purposes of their processing:

  • Email addresses (for registration and authentication)
  • Usage data (registration time, offer participations)
  • Referral codes (for tracking referrals)
  • IP addresses (for security and abuse prevention)
  • Authentication tokens (for secure access)

3. Legal Basis

We process personal data based on the following legal grounds under the GDPR:

Consent (Art. 6(1)(a) GDPR)

The data subject has given consent to the processing.

Contract Performance (Art. 6(1)(b) GDPR)

Processing is necessary for the performance of a contract.

Legitimate Interests (Art. 6(1)(f) GDPR)

Processing is necessary for our legitimate interests.

4. Registration and Authentication

4.1 Double Opt-In Process

We use a double opt-in process for registration. After entering your email address, we send you a confirmation link. Your account is only activated after clicking this link. We store:

  • Your email address
  • Registration timestamp
  • Confirmation timestamp
  • Your IP address (for abuse prevention)

Legal basis: Contract performance (Art. 6(1)(b) GDPR) and legitimate interests (Art. 6(1)(f) GDPR).

4.2 Passwordless Authentication (Magic Links)

We use passwordless authentication via "magic links". For each login, we send you a unique, time-limited link via email. These links can only be used once and expire after a short period for security reasons.

5. Cookies and Local Storage

5.1 Authentication Cookies

We use HTTP-only cookies to securely store your authentication tokens (JWT - JSON Web Tokens). These cookies are technically necessary and enable access to your account.

Name: auth_token

Purpose: Authentication and session management

Duration: 7 days

Type: Technically necessary

5.2 Local Storage

We store the following data in your browser's local storage:

Language preference: Your preferred language (German/English)

Referral code: If you arrived via a referral link

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

6. Email Delivery

For sending emails (confirmation links, login links), we use Amazon Simple Email Service (AWS SES). The following data is transmitted to AWS:

  • Your email address
  • Email content

AWS SES processes this data on our behalf. Servers are located in the EU (Frankfurt, eu-central-1). We have a data processing agreement with AWS pursuant to Art. 28 GDPR.

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

7. Hosting

Our services are hosted on Fly.io. Fly.io processes technically necessary data such as IP addresses to provide the service. We have concluded a data processing agreement with Fly.io.

The database (PostgreSQL) is also hosted on Fly.io in the EU.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

8. Referral Program

When you invite other users, we store the connection between your account and the invited users. This is necessary to verify the conditions for the reward.

  • Your personal referral code
  • Assignment of invited users to your account
  • Status of referrals (pending, verified, converted)

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

9. Security Measures

We implement the following technical and organizational measures to protect your data:

  • Encrypted transmission (HTTPS/TLS)
  • HTTP-only and secure cookies
  • Rate limiting for abuse protection
  • Secure token generation for authentication
  • Regular security updates

10. Data Retention

We store your data only as long as necessary for the respective purposes:

Account data: Until account deletion

Authentication tokens: 7 days (automatic renewal on use)

DOI tokens: 24 hours

IP addresses for rate limiting: 1 hour

Referral data: Until account deletion or reward payout

11. Your Rights

You have the following rights regarding your personal data:

Right of access (Art. 15 GDPR)

You can request information about your stored data.

Right to rectification (Art. 16 GDPR)

You can request correction of inaccurate data.

Right to erasure (Art. 17 GDPR)

You can request deletion of your data.

Right to restriction (Art. 18 GDPR)

You can request restriction of processing.

Right to data portability (Art. 20 GDPR)

You can receive your data in a common format.

Right to object (Art. 21 GDPR)

You can object to processing.

Right to withdraw consent (Art. 7(3) GDPR)

You can withdraw any consent you have given at any time.

To exercise your rights, please contact: joe@frey.club

12. Changes to this Privacy Policy

We reserve the right to update this privacy policy to adapt it to changed legal requirements or changes to the service. The current version is always available on this page.