1. Who we are
Bahn.Bet is a satire project by desperate media GmbH that lets you predict German train delays. It is not affiliated with Deutsche Bahn AG. This is a demo application; no real money is involved.
desperate media GmbH
Postgasse 8b, 1010 Wien, Austria
Contact: hallo@desperate.media
2. Data we collect
- Email address: provided when you register. We use it for magic-link sign-in, password resets, and, if you opt in, email notifications when your bets resolve. Your email is encrypted at rest using AES-256-GCM.
- OAuth profile (optional): if you sign in with Apple or Google, we receive your name and email from the provider. No passwords are stored for OAuth accounts.
- Bet history: journeys you bet on, amounts, and outcomes. Stored to calculate your caßh balance and leaderboard rank.
- Comments and chat messages: content you post in train discussions or the global chat.
We do not collect payment information, device fingerprints, or third-party tracking data.
3. How we use your data
- Authenticating you via email magic links, or Apple/Google OAuth
- Displaying your caßh balance, bet history, and leaderboard rank
- Sending bet-result emails (can be disabled in your profile settings)
- Displaying your username and comments in train discussions
We do not sell your data or share it with third parties for marketing.
4. Third-party services
- Neon (PostgreSQL): hosts the database. Data is stored in the EU (Frankfurt).
- Vercel: hosts the application. Deployed in the EU region.
- Resend: used to send authentication and notification emails.
- Upstash Redis: used for caching and rate limiting. No personal data stored.
- Cloudflare Turnstile: invisible CAPTCHA for registration and password reset forms. No personal data is stored beyond the verification token.
- Shopify Storefront API: powers the in-app merch shop. When you add items to your cart, Shopify stores a cart session. Checkout is handled entirely by Shopify (verzweifelt.eu). We do not process or store any payment data.
- Apple / Google (OAuth): optional sign-in providers. We receive only your name and email from the provider during authentication.
- DB GTFS / GTFS-RT: public German train schedule data. No personal data is sent.
5. Data retention
Account data is retained as long as your account is active. Bet history and verification tokens expire naturally. You can request deletion of your account and all associated data by emailing hallo@desperate.media.
6. Your rights (GDPR)
As an EU resident, you have the right to access, correct, or delete your personal data, to restrict or object to processing, and to data portability. To exercise these rights, contact hallo@desperate.media.
7. Cookies
You might be tracking your lost trains, but we're not tracking you.
We use a small number of cookies, all functional:
Strictly necessary
- next-auth.session-token: keeps you signed in. HTTP-only, secure, expires after 30 days.
- Cloudflare Turnstile: a short-lived cookie set during invisible CAPTCHA verification on registration and password reset forms. Disappears after the check.
Functional
- bahnbet-lang: stores your language preference (EN/DE). Expires after 1 year.
- shopify_cart_id: stores your merch shop cart ID so items persist across pages. Expires after 7 days. Only set when you add items to the cart.
We also store your theme preference (light/dark) in localStorage, which is not a cookie and is never sent to our servers.
That's it. No analytics cookies, no advertising pixels, no third-party trackers, no fingerprinting. Our web analytics (Vercel Analytics) are fully cookieless and collect only anonymous, aggregated page-view counts. No personal data, no cross-site tracking.
Because we only use strictly necessary and functional cookies, no cookie consent banner is required under GDPR/ePrivacy. One less annoying popup in your life.