Privacy policy of the BVSR e. V.
Bundesverband studentischer Raumfahrt e. V.
c/o: TU Darmstadt Space Technology e. V.
Karolinenplatz 5
64289 Darmstadt
Germany
Published Revision 1.1.4,
Date: 19.05.2026
The following chapters contain the Privacy Policy of BVSR e.V.
All users of BVSR services must agree to this Privacy Policy in order to get or maintain access to BVSR services.
If you have not agreed to our privacy policy before, you can close this website to disagree. To withdraw from prior agreements, contact us via e-mail at datenschutz@bvsr.space.
Definitions
Terminology, definitions:
| Terms | Definitions / Explanations |
| BVSR, BVSR e.V., the association | Bundesverband studentischer Raumfahrt, the association this privacy policy belongs to and originates from. Under German law our organisation is an e.V., meaning „eingetragener Verein“. |
| BVSR services, services | View the „Usage of personal data“ chapter for a complete list of services provided by the BVSR. These services aim to enable the BVSR to fulfill its purposes as an association. |
| personal data, usage data | Personal Data under the definition of article 4 paragraph 1 GDPR. |
| Board of the association, Executive Board, Board of Management, Association Board | In German „Vorstand“, the board of the top executive position in the BVSR e.V. Contact via e-mail to vorstand@bvsr.space |
| appointed association personnel, appointed personnel, appointed BVSR personnel, legitimised BVSR-internal-entity, legitimised personnel | Any entity or natural person who has been appointed by the Association Board to the task of processing personal data. These appointments are documented in the official Association Board meeting minutes (Protocol). |
| IT Administrators, Administrators, IT-Office | BVSR personnel responsible for all IT affairs, maintaining the BVSR services. Due to the nature of having admin permissions they can access all data saved. Contact via e-mail to admin@bvsr.space |
| data protection officer, data protection office | Person responsible for personal data protection matters of the BVSR, contact via e-mail to datenschutz@bvsr.space |
| German Federal Data Protection Act / Data Protection Basic Regulation, GDPR | View website: https://gdpr-info.eu/ |
| BVSR personnel | All persons participating in tasks of the association (BVSR), legitimised either by the Association Board or a branch Board, if such branch is allowed to gather personnel on its own. These persons are advised to use BVSR services with a BVSR-user-account. |
| external contacts | All contacts who are not explicitly part of BVSR member associations and also not part of BVSR personnel, but make use of at least one of the BVSR services. |
| Information, datapoints | Umbrella-terms referring to all processed data which may or may not include personal data. Mind context. |
| persons / organisations concerned, concerned person | Used to give context, meaning the person whose personal data or other information is meant in the paragraph in question, or the organisation whose information is meant in that paragraph. Only legal ownership, meaning original ownership of data, is referred to by calling a party concerned; parties who have gained data by illegal means are not legal owners of said data. |
| Uploadee | Person who uploads media to any BVSR service. |
| service user (active / inactive), individual user, user | Any legal user of BVSR services. This means having agreed to a privacy policy. Active users are those whose last interaction with the association or its services is less than 6 months ago. As of now the BVSR does not log which users are active and which users are inactive, but the time of last use of any online BVSR service is logged for each user. |
| anonymization | The act of altering any piece of media in such a way that personal data is removed. For example: blurring a person in a video or photo. |
| Hochschulrechenzentrum, HRZ | IT service centre for information technology at TU Darmstadt. It is the housing provider for the servers of BVSR. View website: https://www.hrz.tu-darmstadt.de/ |
| TU Darmstadt | University where TUDSaT is located and which finances the housing of servers. View website: https://www.tu-darmstadt.de/ |
| Zentrum für IT-Sicherheit, CYSEC | The data center is located at the CYSEC institute. View website: https://www.cysec.tu-darmstadt.de/ |
| hosting entities (explanation of „co-shared rackspace“) | The rackspace used by BVSR is shared with several other entities assigned by the HRZ. For more information contact the HRZ. |
| Admins of TUDSaT e.V. and TUDSaT e.V., TUDSaT | Due to BVSR Services running on the same hardware as the IT Services of the TUDSaT e.V., Administrators of this association also have access to the room with the BVSR services servers. Contact via e-mail to vorstand@tudsat.space |
| administrative rights, root permissions, administration | Admins of the BVSR Services have so called root permissions enabling them to view, modify and delete any data on the server. |
| security incident, breach in data security, data breach, unlawful conduct, unlawful use | Describes the scenario of personal data and/or other confidential data leaving the scope of the data processing parties mentioned in this privacy policy and their legitimisations as described by German law and this privacy policy, and the probable suspicion (from log-data) that such an event occurred or is intended to occur. May or may not include third party involvement. |
| member association, BVSR member association | The BVSR e.V. is an umbrella association. Its member associations can be found on this website: https://bvsr.space |
| BVSR-user-account and member-association-user-account | BVSR online services can be used by logging in via the sign-on by member associations (member-association-user-account) or by signing in via an account created by the BVSR (BVSR-user-account). The first loses access to services when the user leaves the member association. |
| treasury management | Financial department of the BVSR. Contact via e-mail to: finanzen@bvsr.space |
| tax regulations (regarding data storage of up to 10 Years) | Laws in relation to §257 of the German Commercial Code „Handelsgesetzbuch, HGB“, German explanation on this website: ( https://www.frankfurt-main.ihk.de/recht/uebersicht-alle-rechtsthemen/steuerrecht/abgabenordnung/aufbewahrung-von-geschaeftsunterlagen-5195530 ) |
| Media material | Videos, Photos, Audio recordings etc. |
| third parties | Any person, group or organisation not related to the BVSR and its way of processing data. |
| server-logfiles | All interactions with the BVSR services are logged for auditing purposes and will be deleted within a year. |
| controller of IT-Systems, controller | The Organisation responsible for operating referred IT-Systems (BVSR e.V.). |
| branch board (such as „Networking committee“) | Branch Boards are created by the Association Board to aid in specific tasks such as managing all external contacts („Networking committee“). This enables the Association Board to better focus on other subjects. To view all committees / branches of the BVSR visit this website: https://bvsr.space |
| deletion notice, notice, notice of compliance | E-mail sent by appointed BVSR personnel or an automated IT-System in order to inform a concerned party about the status of their personal data or datapoints belonging to them within the services and publications of the BVSR. |
| Hessian data protection authorities, supervisory authority | Direct authority in regards to data security of BVSR e.V. View website: https://datenschutz.hessen.de/ German name of authority: „Hessischer Beauftragter für Datenschutz und Informationssicherheit“ |
| TUDa-CERT | Computer Emergency Response Team of TU Darmstadt, responsible for coordination in case of IT security incidents. View website: https://www.tu-darmstadt.de/it-sicherheit/itsecurity_ueberuns/itsecurity_tuda_cert/. Contact via E-mail to: cert@tu-darmstadt.de |
| data subjects | All who have agreed to any BVSR privacy policy or are otherwise convinced that the BVSR holds personal data belonging to them. |
Access to personal data
Access to all personal data collected by BVSR e.V. is granted to the board of the association, association personnel appointed by the board of the association, IT Administrators and the data protection officer of the association. The data protection officer is elected annually and is the association’s internal contact person for data processing. The current composition of the board of the association and the current data protection officer are listed on the association’s website (https://bvsr.space).
Personal data needed for the functions of services applied by the user can be seen by other users of the same service. View services sheet in the „usage of personal data“ chapter. This does not apply for services where users use the service independent of each other (communication / information platforms vs. direct contact to BVSR association).
The Executive Board can be contacted via the e-mail address (vorstand@bvsr.space) and the data protection officer via the e-mail address (datenschutz@bvsr.space).
Within the framework of the provisions of the German Federal Data Protection Act / Data Protection Basic Regulation, each person has the right to obtain information about the personal data stored about them by the association. In the event of incorrect data, each person has the right of correction. To do so, contact datenschutz@bvsr.space via e-mail.
Collection of personal data
BVSR e.V. collects and stores the necessary usage data of and for all the used services provided by the BVSR e.V. to ensure all functionalities, which includes personal data such as, but not limited to:
- Name
- Username
- Email address
- Membership of member associations of the BVSR e.V.
- Mobile phone number
This privacy policy is used equally for the collection of personal data from BVSR personnel and the collection of personal data of external contacts, when they want to make use of BVSR services.
Other information about persons and organizations is only collected by the association if it is useful for the fulfillment of the association’s purpose and the person or organization has given explicit consent for the collection and use of their information.
Information that is non-personal and public by the intent of the owner (only concerning organisations) will be collected if deemed useful for the purpose of the association and unlikely to be opposed by the owner.
The deletion of these and other datapoints of persons or organisations will be done:
- after 10 years of no interaction with the association
- as soon as possible after instructing the association to delete via e-mail to: datenschutz@bvsr.space
- as soon as possible after instructing the association to delete via letter to:
  Bundesverband studentischer Raumfahrt e. V.
  c/o: TU Darmstadt Space Technology e. V.
  Karolinenplatz 5,
  64289 Darmstadt,
  Germany
- when appointed association personnel notice that the reason for the collected datapoint is no longer in effect
- when an automated IT system determines that the reason for the collected datapoint is no longer in effect
With the exception of „10 years of no interaction“, all reasons for data deletion stated above will cause association personnel or an automated IT system to inform the person or organisation concerned via e-mail about which data was deleted. In case the e-mail address is part of the data to be deleted, the association assures that appointed personnel or automated IT systems delete this data immediately after sending the notice.
In case no e-mail address was given to the association, no deletion notice will be sent.
In case a person or organisation wishes that data such as pictures and videos (only data that has been provided by them) should remain for use by the association indefinitely, this wish must be stated via e-mail to: datenschutz@bvsr.space. It is expected that alteration of the data for the purpose of anonymization might be necessary and that work required for this anonymization should be done by the persons / organisations concerned.
For the fulfillment of stated deletion obligations users of the BVSR-Cloud, -Wiki and other services must mark the persons and organisations visible and audible in footage. They (the service user / uploadee) are also responsible for ensuring the consent of all recorded parties (consent for storage on used service).
Storage of personal data
The so-called tudsat-cluster of the BVSR e. V. consists of multiple servers operating from the „Hochschulrechenzentrum“ (HRZ) at the TU Darmstadt in a data center. All data stored and offered by services of the BVSR e. V. are currently physically stored on the cluster. The location is as follows:
S2|20 Zentrum für IT-Sicherheit CYSEC
Pankratiusstraße 2,
64289 Darmstadt
Germany
The cluster itself is locked inside a co-shared rackspace with two other (currently unknown) hosting entities. The admins of TUDSaT e. V. (TU Darmstadt Space Technology e. V.) have direct access to the hardware and can administer it. The employees of the HRZ and admins of the other hosting entities of the co-shared rackspace are also able to access the locked rack with a key. The data center itself is only accessible to hosting entities and employees of the HRZ as well as firefighters and contractors employed by the HRZ via a transponder lock system from SimonsVoss.
Administrators of the BVSR have administrative rights, so-called root permissions, to manage the nodes of the tudsat-cluster and the cluster itself as well as all the services running on them.
The cluster and the operating systems on the nodes are enclosed in a local subnet behind the firewall of the HRZ and TUDSaT and are only reachable for administration via WireGuard VPN access, which provides sufficient security through cryptographic means. Services of the BVSR are only reachable after passing through an isolated reverse proxy (Traefik), which enforces modern encryption standards for HTTPS, requiring at least TLS 1.2 for all web connections (list of supported cipher suites).
All data that is stored on the tudsat-cluster is by default not encrypted by software.
Since access to personal data will, in most cases, not be done at the tudsat-cluster directly, it is to be expected that personal data will exist in cached form on personal devices. Depending on the software and hardware used, this can have varying standards of IT security.
In case of a breach in data security, the data protection officer will inform the parties concerned and Hessian authorities immediately. View the chapter titled „Notice on the revocation of consent to processing or publication concerning personal data“ for more information on the procedure for such security incidents.
In case of technical questions concerning the storage of personal data contact our IT-Office via e-mail to: admin@bvsr.space
Within the scope of the provisions of the German Federal Data Protection Act and related laws the right to information about the personal data stored about the concerned person can be used by contacting the data protection officer via e-mail: datenschutz@bvsr.space
When a user leaves a member association and is not part of any member association, their personal data will be deleted as soon as possible, unless explicit consent is given by the user (in case their information is still of use for the purpose of the association) before leaving all member associations or the concerned person is part of BVSR personnel.
For this reason member associations will inform the BVSR e.V. about persons leaving their association as soon as possible.
Active BVSR service users from member associations are advised to move to a BVSR-user-account before leaving their member association, in case they still want to contribute to the BVSR after leaving their member association (become BVSR personnel).
In the event of withdrawal or expiration of permission to use personal data, the personal data concerned will be deleted, unless it has to be stored in accordance with legal requirements. Personal data relating to the association’s treasury management will be stored in accordance with the provisions of the tax regulations for up to ten calendar years, starting from the withdrawal of the usage permit. After this period, the data will be deleted.
For media material stored on BVSR services a general deletion time of ten years after its upload exists, if the uploadee marks the media for such automation, which they are obliged to do by agreeing to this privacy policy. The uploadee must not mark media for automated deletion when all concerned parties gave their explicit permission for indefinite storage.
Transmission of personal data
Personal data may be disclosed to internal and external natural persons or even organizations with the appropriate consent. The transmission of personal data takes place in a data-technical, encrypted procedure.
In the context of transfers of personal data, the right exists to know to whom which data has been passed on (to make use of this right contact this e-mail: datenschutz@bvsr.space). A data transmission outside of the explicitly granted consent to other third parties does not take place.
For this reason the IT-Office will log all usage of personal data via server-logfiles in order to archive who has made use of personal data stored for the association at any given time. These server-logfiles will be kept for 6 months after their generation. In case of a data breach, these server-logfiles will be used for forensic investigation, thus being kept longer in accordance with concerned authorities.
Use of personal data for the purpose of advertising or any other commercial intent does not occur, unless the user gave explicit consent.
Usage of personal data
By consenting to this Privacy Policy you agree that the BVSR e.V. can process your personal data according to the methods stated in this Policy, with BVSR e.V. as the controller of IT-Systems. All collection and use of personal data must be presented explicitly, in order for you to be able to agree. This is why we have listed our services and the purpose that they cover. For each purpose, the data used / needed is indicated and the processing procedure is explained. You will be able to decide by yourself whether or not you want to use all, a selection of or none of our services after agreeing to this Policy. If you wish to disagree with this policy at any point in time contact this e-mail: datenschutz@bvsr.space and express that you want to disagree (this will result in the immediate deletion of your personal data from all our records and will also end your ability to use our services). In case you have not agreed to a BVSR Privacy Policy before, we should not have any of your personal data, unless you have interacted with the association before the making of this privacy policy. This case will not exempt you from your right to disagree and have your data deleted.
If the controller or any other legitimised BVSR-internal-entity intends to process personal data for a purpose other than listed or for other reasons than the data was collected for, they must reach out to the concerned party (owner of concerned personal data), inform them about the reasons which explain why this process would benefit them, what exactly each new use-case of their data is and wait until explicit consent or disagreement is given, before proceeding (disagreement by the party concerned or the lack of contact information will end such process). It is important to remember that implicit agreement does not exist when listing use-cases for personal data or in the legal handling of such data in general. Law and our Privacy Policy are intended to keep all agreements to the use of personal data explicit. If you suspect any BVSR agreement, including this Privacy Policy, to be too unspecific or implicit, then please contact this e-mail: datenschutz@bvsr.space in order to request correction.
Services sheet:
| Service | Purpose of processing | Affected personal data | Affected persons and recipients | Responsible authority |
| BVSR Wiki | Knowledge database of the BVSR. Data is used to prevent unauthorized access and maintain required functionality. | IP, Time(s) of usage, Browser, Resources requested, Name, Username, Published content, Pictures and videos | All users of the BVSR Wiki | Association Board |
| BVSR Cloud | File storage and archive of the BVSR. Data is used to prevent unauthorized access and maintain required functionality. | IP, Time(s) of usage, Browser, Resources requested, Name, Username, Email, Published content, Pictures and videos | All users of the BVSR Cloud | Association Board |
| BVSR Chat | Internal communication platform within the BVSR e.V. to establish communication with a member (person) and preventing unauthorized access. | IP, Time(s) of usage, Browser, Resources requested, Name, Username, Email, Published content, Pictures and videos, Online status, Mobile phone number (optional) | All users of the BVSR Chat | Association Board |
| BVSR Antrag | Tool for voting on revision to texts and submitting changes. Data is used to prevent unauthorized access and maintain required functionality. | IP, Time(s) of usage, Browser, Resources requested, Name, Username, Email, Published content | All users of the BVSR Antrag | Association Board |
| BVSR SSO | Ensuring functionality of the Single-Sign-On service and preventing unauthorized access in the BVSR services | IP, Time(s) of usage, Browser, Resources requested, Name, Username, Email, Membership of member associations | All users of BVSR Services that require login | Association Board |
| BVSR Website [1] | Presentation of the BVSR to the outside | IP, Time(s) of usage, Browser, Resources requested | Every visitor | Association Board |
| BVSR Website Contact Field („Kontakt“) | Contact the association | All data entered in contact field | Users of the BVSR Website Contact Field („Kontakt“) | Association Board |
| BVSR Links | Collection of links to all services | IP, Time(s) of usage, Browser, Resources requested | Every visitor | Association Board |
| BVSR Pad | Pad to write down protocols or other notes and preventing unauthorized access | IP, Time(s) of usage, Browser, Resources requested, Name, Username, Email, Published content | All users of the BVSR Pad | Association Board |
| BVSR Status | View status of BVSR services | IP, Time(s) of usage, Browser, Resources requested | Every visitor | Association Board |
| BVSR Pastebin | Anonymous pastebin service to share end-to-end encrypted text snippets | IP, Time(s) of usage, Browser, Resources requested | All users of the BVSR Pastebin | Association Board |
| TUDSaT Cluster | Auditing changes to IT-Systems and preventing unauthorized access | IP, Username, Time & date of access, Actions taken | BVSR admins | Association Board |
| e-Mails | Direct method of communication | Email, Name | All e-Mail contacts | Association or branch Board (example: Networking committee) |
| phone calls | Direct method of communication | Mobile and other phone numbers, Name | All phone-call contacts | Association or branch Board (example: Networking committee) |
| postal Mailings | Direct method of communication, delivery and acceptance of hardware | Address or PO Box, Name | All postal contacts | Association or branch Board (example: Networking committee) |
| Fax | Legacy method of communication | Fax number, Name | All fax contacts | Association or branch Board (example: Networking committee) |
[1] Note: „BVSR Website“ is a service with its own privacy policy. It can be viewed here: https://bvsr.space/datenschutzerklaerung/
BVSR personnel have the option of keeping their personal data longer inside the association than their membership duration via explicit agreement with the association board. This can be done verbally. It is advised to only use this arrangement for the enabling of long term reference capability, for example, enabling the association to be able to confirm that a key position at the association was held by the concerned person.
BVSR personnel appointed for processing personal data agree to the association keeping their personal data for up to 10 calendar years, for the purpose of possible legal liabilities regarding their activities.
All IT-Services (except e-Mails, phone calls, postal Mailings, BVSR Website Contact Field („Kontakt“) and Fax) store their required personal data internally. View previous chapters to see what personnel and automated systems could have access under normal and special circumstances.
All other services (the ones noted as exceptions above) store their personal data on the BVSR Cloud, with password protected access (legitimised personnel only). Also view previous chapters for clarification on this.
Access to member directories
Member associations are publicly listed on the website (https://bvsr.space).
By consenting to this Privacy Policy you have only authorized BVSR e.V. and other explicitly named entities to make use of / process your personal data for the reasons and services stated. In case you have reason for your personal data to be used / processed by our member associations, please contact them via appropriate means.
Your personal data will not be given to member associations without your explicit consent. Exceptions may apply in regards to the right of seeing meeting minutes.
By being part of one of the BVSR member associations and agreeing to this privacy policy, you agree to the transfer of personal data from your member association to the BVSR e.V.
This transfer happens via the OpenID Connect protocol over an encrypted SSL/TLS HTTPS connection and a pre-shared secret with the identity provider of your member association. In case of technical questions on this process contact our IT-Office via e-mail: admin@bvsr.space
The personal data concerned is the data needed for services listed in previous chapters. If no services are used, no such transfer will happen.
Notice on the revocation of consent to processing or publication concerning personal data
Revocation of consent to the publication or general processing of personal data as defined in the GDPR may be submitted at any time to the Association Board or to the data protection officer.
The publication of personal data of any kind will only occur with explicit consent of the persons concerned. This chapter serves as a reminder that such consent can be revoked at any time.
The individual user may object to publication at any time by contacting the Association Board or the data protection officer. In the event of an objection, no further publications will be made with regard to the objecting user. Personal data of the objecting user will be removed from the services of the association, the publications concerned (by method of deletion of such publications) and a notice of compliance will be sent to the user concerned, as stated in previous chapters.
In case the revocation is meant to address only specific publications or specific use / processing of personal data and not all services / the Privacy Policy as a whole, such intent can be stated by the party concerned in the first correspondence regarding the subject. The data protection officer with advice from the association board and appointed BVSR personnel will decide whether or not a complete deletion of personal data is necessary case by case.
To make use of revocation contact this e-mail (data protection officer): datenschutz@bvsr.space
In case of unlawful conduct or security incidents with any party concerned regarding personal data, the data protection officer will inform the persons / organisations / our users affected immediately, notify Hessian data protection authorities as required by law and make efforts to force deletion regarding known unlawful use. In case of fault lying within the responsibilities of the tudsat-cluster owners this notification will occur through the TUDa-CERT (the responsible entity for IT-security regarding the tudsat-cluster). The association board and appointed BVSR personnel will also become active participants of mitigation in this case, such that appropriate reactions can be taken as fast as possible.
Protection of Policies
In case an aspect or multiple aspects of this privacy policy turn out to be legally void or outdated, all other aspects remain in force.
The user agrees to inform the association in case such legally voiding aspects are found by them.
The association must find agreements with the concerned user and update the privacy policy.
E-Mail: datenschutz@bvsr.space
Reference to the right to complain to a supervisory authority
The State Commissioner for Data Protection and Freedom of Information of Hesse is available as the supervisory authority for the submission of complaints by data subjects regarding data protection. The complaint can be submitted via e-mail to the following address:
poststelle@datenschutz.hessen.de
Register of associations
Member Associations (Mitgliedsvereine)
- ASTRA e.V. (Amtsgericht Bremen, VR 8433 HB)
- Auxspace e.V. (Amtsgericht Augsburg, VR 202615)
- BEARS – Berlin Experimental Astronautics Research Student Team e.V.
- ERIG e.V. (Amtsgericht Braunschweig: VR 4264)
- FAR e.V. (Amtsgericht Köln: VR 52260)
- Hamburg Space Team e.V.
- HyEnD e.V. (Amtsgericht Stuttgart: VR 725023)
- KSat e.V. (Amtsgericht Stuttgart: VR 721583)
- MoonAixperts e.V.
- ROCKIT e.V.
- SeeSat e.V.
- Space Team Aachen e.V.
- SPROG – Spaceflight Rocketry Gießen e.V. (Amtsgericht Gießen: VR 5242)
- STAR Dresden e.V. (Amtsgericht Dresden: VR 11592)
- SUNDSPACE e.V. (Amtsgericht Stralsund: VR 10438)
- TUDSaT – TU Darmstadt Space Technology e.V.
- Vespe Jena e.V.
- WARR e.V.
- WüSpace e.V. (Amtsgericht Würzburg: VR 201239)
Correspondence Members (Korrespondenzmitglieder)
- Aerospace Team Graz (ZVR-Number: 1717703017)
- TU Wien Space Team
Supporting Members (Fördermitglieder)
- OHB System AG
