Privacy Policy
Last updated: 7 May 2026
1. A summary of how we handle your data
General notes
This section is meant to give you a quick, plain-language summary of what happens to your personal information when you use this website. "Personal data" means any information that could be used to identify you. A more thorough explanation follows further down in the full Data Protection Declaration.
How data is collected on this website
Who is responsible for processing data on this site (the "controller")?
The party responsible for the data processed on this website is the website operator. You'll find full contact details for the controller in the section titled "Information about the responsible party (referred to as the 'controller' in the GDPR)" further below.
How is your data collected?
Some data reaches us directly because you choose to share it — for example, anything you type into our contact form.
Other information is gathered automatically by our systems, or after you give consent during your visit. This is mainly technical in nature (such as which browser you use, your operating system, or the time you opened a page) and is captured the moment you load the site.
What is the data used for?
A portion of what we collect helps keep the site running smoothly and free of errors. Other information may be analyzed to understand how visitors interact with the site. If a contract is initiated or signed through the website, the data submitted is also used to handle quotes, orders, and similar requests.
What rights do you have regarding your data?
You can ask us — at no cost to you — about where your stored personal data came from, who it has been shared with, and why we are processing it. You may also request that we correct or delete your data. If you previously gave consent for processing, you can withdraw it at any time, with effect for any future processing. Under certain conditions, you also have the right to ask that we restrict how we process your data. And you may always file a complaint with the relevant supervisory authority.
If you have questions about any of this — or about data protection more broadly — feel free to reach out at any time.
Third-party analysis tools
Your activity on this site may be statistically analyzed. This is mainly done with what we call analytics tools.
The full Data Protection Declaration below covers each of these tools in detail.
2. Hosting
The content on this site is hosted by the following provider:
External hosting
This website runs on infrastructure provided by an external host. Personal data collected here lives on the host's servers. That can include things like IP addresses, contact form submissions, communication metadata, contract details, contact details, names, page-view information, and any other information generated by visiting a website.
External hosting allows us to perform our contracts with current and prospective customers (Art. 6(1)(b) GDPR) and to deliver our online services in a way that is fast, reliable, and secure through a professional provider (Art. 6(1)(f) GDPR). Where consent has been given, processing happens solely on the basis of Art. 6(1)(a) GDPR and § 25(1) TDDDG, to the extent the consent covers cookie storage or access to information on the user's device (e.g., device fingerprinting) within the meaning of the TDDDG. You may withdraw your consent at any time.
Our host(s) only process your data as far as it is needed to perform their service obligations and in accordance with our instructions.
Hosts in use:
Framer B.V.
Rozengracht 207, 1016 LZ Amsterdam, Netherlands
Supabase
We rely on Supabase, a backend-as-a-service platform, for our application's database, user authentication, and content delivery. The service is operated by Supabase Inc., 970 Toa Payoh North, #07-04, Singapore 318992.
Supabase is used to store and manage user data securely. That covers personal data you may share when registering, signing in, or otherwise using our platform — for instance, your email address, authentication tokens, and any data you submit through the product. Supabase additionally provides a content delivery network (CDN) to host and serve static files and media efficiently.
Data sits within Supabase's managed infrastructure. By default, Supabase uses hosting regions located in the European Economic Area (EEA), and we have configured our environment so that user data is, where possible, stored and processed inside the EU.
The legal basis for this processing is Art. 6(1)(b) GDPR (performance of a contract) and, where applicable, Art. 6(1)(a) GDPR (consent). Consent can be withdrawn at any time.
It is possible that Supabase staff or sub-processors located outside the EU may access or receive data. Where that happens, the transfer is covered by the European Commission's Standard Contractual Clauses (SCCs) to maintain an adequate level of protection. Supabase also enforces strict access controls and encryption.
For more information, see Supabase's privacy notice and processing practices: https://supabase.com/privacy.
Vercel
We also use Vercel as a hosting and deployment platform for parts of our application. The provider is Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA.
When you visit our site, your browser sends technical information (e.g., IP address, browser type, request time, the URL you accessed) to Vercel's edge infrastructure so the page can be served. Vercel processes this data to deliver content, balance load, and protect against abuse.
The legal basis for this processing is Art. 6(1)(f) GDPR. The website operator has a legitimate interest in delivering its services in a fast, reliable, and secure manner. Where the processing relates to performance of a contract, the basis is Art. 6(1)(b) GDPR.
Where personal data is transferred to the United States, this is based on the European Commission's Standard Contractual Clauses (SCCs).
For more information, see Vercel's privacy notice: https://vercel.com/legal/privacy-policy.
The provider is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the EU and the US intended to ensure that data processing in the US meets European data protection standards. Any company certified under the DPF is contractually bound to those standards.
Data processing agreement
We have signed a data processing agreement (DPA) for the service named above. A DPA is a contract required under data protection law that ensures the provider only processes the personal data of our visitors on our instructions and in line with the GDPR.
3. General and mandatory information
Data protection
We take the protection of your personal data seriously. We treat your data confidentially and in line with the applicable statutory data protection rules and the terms of this Data Protection Declaration.
Whenever you use this website, various pieces of personal information are collected. Personal data is information that could be used to identify you. This Declaration explains what we collect, what we do with it, and why.
A note of caution: data sent over the internet (for example, through email) can have security weaknesses. Fully shielding data from third-party access is not possible.
Information about the responsible party (the "controller" under the GDPR)
The controller for data processing on this website is:
Kinetic Software GmbH
Köpenicker Str. 40a
10179 Berlin
Germany
Phone: 030-54453590-0
Email: privacy[at]usekinetic.com
The controller is the natural or legal person who decides — alone or together with others — about the purposes and means of processing personal data (such as names or email addresses).
How long we store your data
Unless this policy states a more specific retention period, your personal data stays with us until the purpose it was collected for no longer applies. If you submit a valid deletion request or withdraw your consent, your data will be removed — unless we have other lawful grounds to keep it (for instance, retention obligations under tax or commercial law). In that case, deletion takes place once those grounds no longer apply.
General notes on the legal basis for processing on this site
Where you have given consent, we rely on Art. 6(1)(a) GDPR or, in the case of special categories of data under Art. 9(1) GDPR, on Art. 9(2)(a) GDPR. Where you have explicitly consented to a transfer of personal data to a third country, processing is also based on Art. 49(1)(a) GDPR. If you have consented to the storage of cookies or to access to information on your device (such as device fingerprinting), processing is also based on § 25(1) TDDDG. Consent can be withdrawn at any time. If your data is necessary to perform a contract or to take pre-contractual steps, we rely on Art. 6(1)(b) GDPR. Where processing is needed to meet a legal obligation, the basis is Art. 6(1)(c) GDPR. Processing may also occur on the basis of our legitimate interests under Art. 6(1)(f) GDPR. The relevant basis for each specific processing activity is identified in the sections below.
Appointment of a data protection officer
We have appointed a data protection officer:
Philipp Schickling
Kinetic Software GmbH
Köpenicker Str. 40a
10179 Berlin
Germany
Email: privacy@usekinetic.com
Recipients of personal data
In the course of running our business, we work with various external partners. Some of those collaborations require sharing personal data. We only share data with external parties when it is needed to fulfill a contract, when we are legally required to do so (e.g., reporting to tax authorities), when we have a legitimate interest under Art. 6(1)(f) GDPR, or when another lawful basis allows it. Where we use processors, customer data is only shared on the basis of a valid data processing agreement. In cases of joint controllership, a joint controllership agreement is put in place.
Withdrawing your consent
A great deal of data processing is only permitted where you have given consent. You can withdraw any consent you have already given us at any time. Doing so does not affect the lawfulness of any processing that took place before the withdrawal.
Right to object to processing in specific cases; right to object to direct marketing (Art. 21 GDPR)
WHERE PROCESSING TAKES PLACE ON THE BASIS OF ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT — AT ANY TIME — TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA BASED ON GROUNDS RELATED TO YOUR PARTICULAR SITUATION. THIS APPLIES EQUALLY TO ANY PROFILING BUILT ON THESE PROVISIONS. THE LEGAL BASIS FOR ANY GIVEN PROCESSING ACTIVITY IS DESCRIBED IN THIS DECLARATION. IF YOU OBJECT, WE WILL STOP PROCESSING THE PERSONAL DATA IN QUESTION UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS THAT OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS, OR UNLESS THE PROCESSING IS NEEDED TO ESTABLISH, EXERCISE, OR DEFEND LEGAL CLAIMS (OBJECTION UNDER ART. 21(1) GDPR).
IF YOUR DATA IS PROCESSED FOR DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO PROCESSING FOR THAT PURPOSE. THIS ALSO COVERS PROFILING TO THE EXTENT IT IS LINKED TO DIRECT MARKETING. ONCE YOU OBJECT, YOUR PERSONAL DATA WILL NO LONGER BE USED FOR DIRECT MARKETING (OBJECTION UNDER ART. 21(2) GDPR).
Right to file a complaint with the supervisory authority
If you believe the GDPR has been violated, you have the right to lodge a complaint with a supervisory authority — particularly in the EU member state where you live, where you work, or where the alleged violation occurred. This right is independent of any other administrative or judicial remedies that may be available.
Right to data portability
You can request that any data we process automatically on the basis of your consent or in performance of a contract be handed over to you, or to a third party, in a commonly used and machine-readable format. If you request that we transfer it directly to another controller, we will do so where this is technically possible.
Information about, correction of, and erasure of data
Within the limits of applicable law, you have the right at any time to obtain free information about your stored personal data, where it came from, who it has been shared with, and why it is being processed. You may also have the right to have your data corrected or deleted. If you have any questions about this — or anything else relating to your personal data — feel free to get in touch.
Right to demand processing restrictions
You have the right to request that processing of your personal data be restricted. Just contact us. The right to restriction applies in the following cases:
If you dispute the accuracy of the personal data we hold about you, we usually need some time to check. While that review is in progress, you may demand that processing of the affected data be restricted.
If processing of your personal data was or is unlawful, you may request restriction of processing instead of erasure.
If we no longer need your personal data but you still need it to establish, exercise, or defend legal claims, you may request restriction of processing instead of erasure.
If you have filed an objection under Art. 21(1) GDPR, your interests and ours need to be weighed. Until it has been decided whose interests prevail, you may request that processing be restricted.
If processing of your data has been restricted, that data — except for storage — may only be processed with your consent, or to establish, exercise, or defend legal claims, or to protect the rights of another person or legal entity, or for important public interest reasons of the EU or a member state.
SSL / TLS encryption
For security and to protect the transfer of confidential information — such as orders or inquiries you send to us as the operator of this site — we use SSL or TLS encryption. You can tell that the connection is encrypted because the address bar in your browser switches from "http://" to "https://" and a padlock icon appears.
When SSL or TLS encryption is in use, the data you send us cannot be read by third parties.
Encrypted payment processing on this website
If, once you have entered into a paid contract with us, you are required to share payment details with us (for example, an account number when you authorize us to debit your bank account), we need that information to process payment.
Standard payment methods (Visa/MasterCard, debit) are handled exclusively over encrypted SSL or TLS connections. You can see this in the same way as above: "https://" in the address bar and a padlock icon.
When the connection with us is encrypted, third parties cannot read the payment information you send.
No unsolicited mail
We hereby object to the use of contact details published as part of our mandatory legal notice for the purpose of sending us unsolicited promotional or informational material. The operators of this website expressly reserve the right to take legal action in the event of unsolicited promotional messages, e.g., spam.
4. How data is recorded on this site
Cookies
This website uses what the industry calls "cookies." Cookies are small text files that don't damage your device. Some last only for the length of your visit (session cookies); others stay stored on your device until you delete them or your browser does so automatically (persistent cookies). Session cookies are wiped automatically once you leave the site.
Cookies can come from us (first-party cookies) or from third-party companies (third-party cookies). Third-party cookies allow services from outside providers to be embedded into a website (for example, payment-handling cookies).
Cookies serve a range of purposes. Many are technically necessary — without them, certain features simply wouldn't work (think shopping carts or video playback). Others are used for analytics or advertising.
Cookies that are needed to carry out electronic communications, to provide functions you've asked for (such as a shopping cart), or to optimize the website (e.g., to measure web audiences) are stored on the basis of Art. 6(1)(f) GDPR, unless another legal basis applies. The website operator has a legitimate interest in storing such cookies in order to deliver its services in a technically reliable, optimized way. Where consent for cookies and similar identifying technologies has been requested, processing happens solely on the basis of that consent (Art. 6(1)(a) GDPR and § 25(1) TDDDG); consent can be withdrawn at any time.
You can configure your browser to notify you when cookies are set, to allow only certain cookies, to reject cookies generally or in specific cases, or to delete them automatically when the browser closes. Disabling cookies may limit how this website works.
The cookies and services in use on this site are described later in this policy.
Server log files
The provider of this website automatically collects and stores information sent to us by your browser in what are called server log files. The information includes:
Browser type and version
Operating system in use
Referrer URL
Hostname of the accessing computer
Time of the server request
IP address
This data is not combined with information from other sources.
This processing is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in keeping the website technically error-free and optimized — and recording log files is necessary to achieve this.
Contact form
If you send us an inquiry through our contact form, the information you provide there — along with any contact details you include — will be saved by us so that we can respond and follow up if needed. We will not share this information without your consent.
Processing of this data is based on Art. 6(1)(b) GDPR if your inquiry relates to performance of a contract or pre-contractual steps. In all other cases, it is based on our legitimate interest in handling incoming inquiries efficiently (Art. 6(1)(f) GDPR), or on your consent (Art. 6(1)(a) GDPR) where this has been obtained; consent may be withdrawn at any time.
The information you submit through the contact form remains with us until you ask us to delete it, withdraw your consent for storage, or until the purpose for storage no longer applies (e.g., once we've fully responded to your inquiry). Mandatory legal provisions, particularly retention periods, are not affected.
Inquiries by email, phone, or fax
If you reach us by email, phone, or fax, we will store and process your request — including all personal data attached to it (such as your name and the contents of the request) — in order to respond. We will not share this data without your consent.
Processing is based on Art. 6(1)(b) GDPR where your inquiry relates to a contract or pre-contractual steps. Otherwise, processing is based on our legitimate interest in efficiently handling inquiries (Art. 6(1)(f) GDPR), or on your consent (Art. 6(1)(a) GDPR) where it has been obtained; consent may be withdrawn at any time.
Data sent to us through such inquiries stays with us until you ask us to delete it, withdraw consent for storage, or the purpose for storage falls away (for example, once your inquiry is fully resolved). Mandatory legal provisions — especially retention periods — remain in force.
Cal.com
You can book appointments with us through this website using the "Cal.com" tool. The provider is Cal.com, Inc., 2261 Market Street #4382, San Francisco, CA 94114, USA (referred to here as "Cal.com").
To schedule an appointment, you enter the requested details and the time you want into the form provided. The information you submit is used to plan, hold, and (where applicable) follow up on the appointment. Booking data is stored on Cal.com's servers; their privacy notice is available at: https://cal.com/privacy.
The data you provide remains with us until you ask us to delete it, withdraw your consent, or until the purpose for storage no longer applies. Mandatory legal provisions — particularly retention periods — remain unaffected.
The legal basis for processing is Art. 6(1)(f) GDPR. The website operator has a legitimate interest in being able to schedule meetings with prospects and customers as smoothly as possible. Where consent has been obtained, processing is based exclusively on Art. 6(1)(a) GDPR and § 25(1) TDDDG, to the extent the consent covers the storage of cookies or access to information on the user's device (e.g., device fingerprinting) within the meaning of the TDDDG. Consent can be withdrawn at any time.
Transfers of data to the USA take place on the basis of the European Commission's Standard Contractual Clauses. See: https://cal.com/security.
The provider is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the EU and the US designed to ensure that data processing in the US complies with European data protection standards. Any company certified under the DPF is contractually bound to follow those standards.
Attio
We use Attio on this website. The provider is Attio Limited, registered office Exmouth House Unit 120, 3-11 Pine Street, London EC1R 0JH, United Kingdom (referred to here as "Attio").
Attio helps us, among other things, manage existing and prospective customers and contacts, communicate with you, and plan and run marketing activities aligned with your interests. Attio lets us record, organize, and analyze customer interactions across email, social media, and phone. The personal data captured this way can be evaluated and used to communicate with prospective customers or to support marketing measures (e.g., newsletter sends). Attio also lets us collect and analyze how our contacts behave on our website.
Use of Attio is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in efficient customer management and communication. Where consent has been obtained, processing is based exclusively on Art. 6(1)(a) GDPR and § 25(1) TDDDG, to the extent the consent covers the storage of cookies or access to information on the user's device (e.g., device fingerprinting) within the meaning of the TDDDG. Consent can be withdrawn at any time.
For details, see Attio's privacy notice: https://attio.com/legal/privacy
Where personal data is transferred outside the EU/EEA, those transfers take place under the European Commission's Standard Contractual Clauses (SCCs).
Twenty (self-hosted)
We use Twenty, an open-source CRM platform, to manage existing and prospective customer relationships. Twenty is operated as a self-hosted instance on our own infrastructure (see "External Hosting" / Supabase in section 2), which means your data is processed under our direct control rather than passed to a Twenty-operated cloud service.
Through Twenty, we record contact details, communication history, account notes, and similar information needed to manage our customer relationships and respond to inquiries. This may include data captured when you fill out a form on our site, contact us by email, or otherwise interact with us.
Use of Twenty is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in efficient customer management and communication. Where the processing relates to performance of a contract or pre-contractual steps, the basis is Art. 6(1)(b) GDPR. Where consent has been obtained, processing is based exclusively on Art. 6(1)(a) GDPR; consent can be withdrawn at any time.
Because the instance is self-hosted, no personal data is transferred to Twenty as a service provider for the purpose of running the CRM itself. Data residency follows the hosting infrastructure described in section 2 above.
For more information about the underlying software, see: https://twenty.com/.
Apollo.io
We use Apollo.io to support outbound sales activity, including identifying prospective business contacts and enriching the data we hold for them. The provider is Apollo Data Co., 535 Mission Street, San Francisco, CA 94105, USA.
Through Apollo, we may access and process publicly available business contact information (such as name, work email address, job title, employer, and LinkedIn profile) and combine it with notes and outreach history.
Use of Apollo.io is based on Art. 6(1)(f) GDPR. We have a legitimate interest in identifying and contacting potential business customers. If you would prefer not to be contacted, you may object at any time using the contact details in section 3.
Transfers to the United States are based on the European Commission's Standard Contractual Clauses (SCCs).
For more information, see Apollo.io's privacy notice: https://www.apollo.io/privacy-policy.
Reply.io
We use Reply.io to plan, send, and analyze multi-step outbound email sequences and other outreach to prospective business contacts. The provider is Reply, 800 N King Street, Suite 304, 1813, Wilmington, DE 19801, USA.
Through Reply, we process contact data for prospects (such as name, work email address, job title, and employer) along with the content and engagement metrics of our outreach (delivered, opened, clicked, replied).
Use of Reply.io is based on Art. 6(1)(f) GDPR. We have a legitimate interest in efficiently managing outbound communication with potential business customers. Where you have given consent, processing is based on Art. 6(1)(a) GDPR; consent can be withdrawn at any time. You may object to outreach at any time using the unsubscribe link included in our messages or by contacting us directly.
Transfers to the United States are based on the European Commission's Standard Contractual Clauses (SCCs).
For more information, see Reply.io's privacy notice: https://reply.io/privacy-policy/.
Registering on this website
You have the option to register on this site so that you can use additional features. We only use the data you provide for the offer or service you registered for. The required fields at registration must all be completed. Otherwise, we cannot accept the registration.
For important changes to the scope of our offering, or in the case of technical changes, we will use the email address you supplied at registration to let you know.
The data captured at registration is processed in order to carry out the user relationship that the registration creates and, where appropriate, to initiate further contracts (Art. 6(1)(b) GDPR).
Data captured during registration is stored for as long as you are registered on this site. After that, it is deleted. Mandatory statutory retention obligations are unaffected.
5. Analytics tools and advertising
Google Tag Manager
We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Tag Manager is a tool that helps us embed tracking and statistical tools (and other technologies) into our website. The Tag Manager itself does not build user profiles, store cookies, or run any independent analyses. It only manages and runs the tools embedded through it. That said, Google Tag Manager does collect your IP address, which may also be transferred to Google's parent company in the United States.
Google Tag Manager is used on the basis of Art. 6(1)(f) GDPR. The website operator has a legitimate interest in being able to integrate and manage various tools on the website quickly and conveniently. Where consent has been obtained, processing is based exclusively on Art. 6(1)(a) GDPR and § 25(1) TDDDG, to the extent the consent covers the storage of cookies or access to information on the user's device (e.g., device fingerprinting) within the meaning of the TDDDG. Consent can be withdrawn at any time.
The provider is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the EU and the US intended to ensure that data processing in the US meets European data protection standards. Any company certified under the DPF is contractually bound to those standards. For more information, see: https://www.dataprivacyframework.gov/participant/5780.
Google Analytics
This site uses functions of the web analytics service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics allows the website operator to analyze how visitors behave on the site. We receive a range of user information — pages visited, time spent on the page, the operating system used, and where the user is coming from. This data is gathered into a user ID and tied to the visitor's particular device.
Beyond that, Google Analytics lets us record things like mouse movements, scrolling, and clicks. It uses different modeling techniques to enrich the data it collects and applies machine learning to its analyses.
Google Analytics relies on technologies that recognize users for the purpose of analyzing their behavior (such as cookies or device fingerprinting). The website-usage data Google records is, as a rule, transferred to a Google server in the US for storage.
Use of these services is based on your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. You may withdraw consent at any time.
Transfers to the US take place under the European Commission's Standard Contractual Clauses (SCCs). Details: https://privacy.google.com/businesses/controllerterms/mccs/.
The provider is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the EU and the US designed to ensure that data processing in the US complies with European data protection standards. Any company certified under the DPF is contractually bound to follow those standards. For more information, see: https://www.dataprivacyframework.gov/participant/5780.
IP anonymization
IP anonymization in Google Analytics is enabled. As a result, your IP address is shortened by Google within the EU member states or in other states that have signed the European Economic Area Agreement before being sent to the US. Only in exceptional cases is the full IP address transferred to a Google server in the US and truncated there. Acting on behalf of the website operator, Google uses this information to evaluate how you use the site, to compile reports on website activity, and to provide further services to the website operator related to website and internet use. The IP address sent from your browser in connection with Google Analytics is not combined with other Google data.
Browser plug-in
You can prevent Google from collecting and processing your data by downloading and installing the browser plug-in available here: https://tools.google.com/dlpage/gaoptout?hl=en.
For more on how Google Analytics handles user data, see Google's privacy information: https://support.google.com/analytics/answer/6004245?hl=en.
Google Signals
We use Google Signals. Whenever you visit our site, Google Analytics records — among other things — your location, the path of your search, your YouTube activity, and demographic information (visitor data). With Google Signals, this data may be used for personalized advertising. If you have a Google account, your visitor information will be linked to your Google account by Google Signals and used to send you targeted promotional content. The data is also used to compile anonymized usage statistics for our visitors.
Google Analytics e-commerce tracking
This website uses Google Analytics' "e-commerce tracking" function. With it, the website operator can analyze the buying patterns of visitors in order to improve online marketing campaigns. The function tracks information such as the orders placed, the average order value, shipping costs, and how long it takes from viewing a product to making a purchase decision. Google can group this data under a transaction ID linked to the user or the user's device.
Clarity
This website uses Clarity. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, https://learn.microsoft.com/en-us/clarity/faq (referred to here as "Clarity").
Clarity is a tool for analyzing how visitors interact with this site. In particular, it captures cursor movements and produces graphics that show which areas of a page are most heavily scrolled (heatmaps). Clarity can also record sessions, allowing us to watch site usage played back as videos. We also receive overall information about visitor behavior on the website.
Clarity uses technologies that allow visitors to be recognized for the purpose of analyzing their behavior (e.g., cookies or device fingerprinting). Your personal data is stored on Microsoft servers (Microsoft Azure Cloud Service) in the United States.
Where you have given consent, the service named above is used on the basis of Art. 6(1)(a) GDPR and § 25 TDDDG (German Telecommunications Act). Consent can be withdrawn at any time. Where consent has not been obtained, the service is used on the basis of Art. 6(1)(f) GDPR; the website operator has a legitimate interest in effectively analyzing user behavior.
For more on Clarity's privacy practices, see: https://docs.microsoft.com/en-us/clarity/faq.
The provider is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the EU and the US intended to ensure that data processing in the US complies with European data protection standards. Any company certified under the DPF is contractually bound to those standards. For more information, see: https://www.dataprivacyframework.gov/participant/6474.
PostHog
This website uses functions of the web analytics service PostHog. The provider is PostHog, Inc., 2261 Market Street #4008, San Francisco, CA 94114, United States.
PostHog allows the website operator to study how visitors behave on the site. To do so, we may collect various pieces of user information — pages visited, time spent on a page, actions taken (clicks, scrolls, form submissions), the operating system, and approximate location based on the IP address. This data is pseudonymized and may be associated with a unique visitor ID for usage analysis.
PostHog may use technologies such as cookies or local storage to recognize returning visitors and follow usage across sessions. Depending on how we have set things up, data may be processed either on PostHog's EU-hosted infrastructure or on servers located in the United States.
Use of this service is based on your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. You may withdraw consent at any time.
Where data is transferred to the US, this is based on the European Commission's Standard Contractual Clauses (SCCs) to ensure an adequate level of protection. PostHog is not currently certified under the EU-US Data Privacy Framework (DPF), but contractual safeguards are in place to protect your personal data.
For more, see PostHog's privacy notice: https://posthog.com/privacy.
Google Ads
The website operator uses Google Ads. Google Ads is an online advertising program from Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Ads lets us show ads in Google Search or on third-party websites when a user enters specific search terms in Google (keyword targeting). It also allows ads to be targeted based on the user information Google holds (for example, location data and interests; audience targeting). As the website operator, we can analyze this data quantitatively — for example, by looking at which search terms led to our ads being shown and how many clicks resulted.
Use of these services is based on your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. You may withdraw consent at any time.
Transfers to the US take place under the European Commission's Standard Contractual Clauses (SCCs). Details: https://policies.google.com/privacy/frameworks and https://business.safety.google/controllerterms/.
The provider is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the EU and the US intended to ensure that data processing in the US meets European data protection standards. Any company certified under the DPF is contractually bound to those standards. For more information, see: https://www.dataprivacyframework.gov/participant/5780.
Google Ads Remarketing
This website uses Google Ads Remarketing. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
With Google Ads Remarketing, we can group people who interact with our online presence into specific audiences and later show them interest-based ads on Google's advertising network (remarketing or retargeting).
The advertising audiences built with Google Ads Remarketing can also be linked to Google's cross-device features. This makes it possible to deliver interest-based, customized ads — based on your earlier usage and browsing behavior on one device (e.g., your phone) — across all your devices (e.g., tablet or PC) in a way that is tailored to you.
If you have a Google account, you can opt out of personalized advertising at: https://adssettings.google.com/anonymous?hl=de.
Use of these services is based on your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. You may withdraw consent at any time.
For more details and Google's data protection terms, see: https://policies.google.com/technologies/ads?hl=en.
The provider is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the EU and the US intended to ensure that data processing in the US meets European data protection standards. Any company certified under the DPF is contractually bound to those standards. For more information, see: https://www.dataprivacyframework.gov/participant/5780.
Audience building with customer matching
Among other techniques, we use Google Ads Remarketing's customer matching feature for audience building. To do this, we transfer specific customer data (such as email addresses) from our customer lists to Google. If those customers are Google users and signed in to their Google accounts, matching ads are shown to them across the Google network (e.g., YouTube, Gmail, or in search).
Google Conversion Tracking
This site uses Google Conversion Tracking. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Conversion Tracking lets us see whether users have completed certain actions. For example, we can analyze how often individual buttons on our site are clicked and which products are reviewed or purchased most often. The point is to compile conversion statistics. We learn how many users have clicked our ads and what actions they completed. We do not receive any information that personally identifies the users. Google itself uses cookies or comparable recognition technologies for identification.
Use of these services is based on your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. You may withdraw consent at any time.
For more on Google Conversion Tracking, see Google's data protection policy: https://policies.google.com/privacy?hl=en.
The provider is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the EU and the US intended to ensure that data processing in the US meets European data protection standards. Any company certified under the DPF is contractually bound to those standards. For more information, see: https://www.dataprivacyframework.gov/participant/5780.
Reddit Pixel
To measure conversions, this site uses the Reddit Pixel — a web analytics and tracking tool from Reddit Inc., 1455 Market Street, Suite 1600, San Francisco, CA 94103, USA.
The Reddit Pixel allows us to track what users do after they reach our website by clicking on a Reddit ad. This means we can evaluate the effectiveness of Reddit ads for statistical and market-research purposes and improve future campaigns.
As website operator, we receive no information that personally identifies a user. The data Reddit captures is provided to us only in aggregated, anonymized form. Reddit, however, may link the data to your Reddit account and use it for its own advertising purposes in line with the Reddit Privacy Policy (https://www.redditinc.com/policies/privacy-policy). That means Reddit may show targeted ads on its own platform — and possibly on third-party sites.
Use of the Reddit Pixel is based on your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. You may withdraw consent at any time, with effect for the future.
Where personal data is transferred to the United States, this is based on the European Commission's Standard Contractual Clauses (SCCs), which are designed to ensure an adequate level of protection in line with EU standards. Reddit is not currently certified under the EU-U.S. Data Privacy Framework (DPF).
For more on how Reddit handles personal data, see Reddit's privacy notice: https://www.reddit.com/policies/privacy-policy. To manage your ad preferences on Reddit, visit: https://www.reddit.com/personalization.
Meta Pixel (formerly Facebook Pixel)
To measure conversions, this site uses Meta's visitor activity pixel. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. According to Meta, the data collected is also transferred to the USA and other third countries.
The pixel allows page visitors to be tracked once they have been routed to the provider's site by clicking on a Meta ad. As a result, the effectiveness of Meta ads can be analyzed for statistical and market-research purposes, and future campaigns can be improved.
For us as the website operator, the data collected is anonymous — we cannot draw any conclusions about who individual users are. Meta, however, stores and processes the information so that a connection can be made to the relevant Facebook or Instagram profile, and Meta is then in a position to use the data for its own advertising purposes in line with the Meta Data Usage Policy (https://www.facebook.com/about/privacy/). This allows Meta to display ads on Facebook, Instagram, and other advertising channels. As website operator, we have no influence over how that data is used.
Use of these services is based on your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. You may withdraw consent at any time.
Where personal data is collected on our website using the tool described here and forwarded to Meta, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, are joint controllers (Art. 26 GDPR). The joint responsibility is limited strictly to the collection of data and its forwarding to Meta. The processing carried out by Meta after that handover is not part of the joint responsibility. The obligations that fall to each of us are set out in a joint controllership agreement; the text is available here: https://www.facebook.com/legal/controller_addendum. Under that agreement, we are responsible for providing data protection information when using the Meta tool and for implementing it on our website in a privacy-compliant way. Meta is responsible for the data security of Meta products. You can exercise data subject rights (e.g., requests for information) regarding data processed by Facebook or Instagram directly with Meta. If you exercise such rights with us, we are required to forward your request to Meta.
Transfers to the US take place under the European Commission's Standard Contractual Clauses (SCCs). Details: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.
Meta's data protection policy contains additional information about how your privacy is protected: https://www.facebook.com/about/privacy/.
You can also turn off the "Custom Audiences" remarketing feature in the ad settings at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. To do this, you'll need to be logged into Facebook.
If you don't have a Facebook or Instagram account, you can opt out of usage-based advertising by Meta on the European Interactive Digital Advertising Alliance website: http://www.youronlinechoices.com/de/praferenzmanagement/.
The provider is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the EU and the US intended to ensure that data processing in the US meets European data protection standards. Any company certified under the DPF is contractually bound to those standards. For more information, see: https://www.dataprivacyframework.gov/participant/4452.
Meta Conversion API
We have integrated the Meta Conversion API on this website. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. According to information from Meta, however, the data captured is also transferred to the United States and other non-EU and non-EEA countries.
The Meta Conversion API allows us to record how visitors interact with our website and pass that information on to Meta in order to improve advertising performance on Facebook and Instagram.
In particular, the time you accessed the site, the page you accessed, your IP address, your user agent, and — where applicable — additional specific data (such as products purchased, cart value, and currency) are tracked. For a complete list of tracked data, see: https://developers.facebook.com/docs/marketing-api/conversions-api/parameters.
Use of this service is based on your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. You may withdraw consent at any time.
Where personal data is collected on our website using the tool described here and forwarded to Meta, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, are joint controllers (Art. 26 GDPR). This joint responsibility is limited strictly to the collection of your data and its handover to Meta. The processing Meta carries out after the handover is not part of this joint responsibility. The shared obligations are set out in a joint controllership agreement, the text of which is available here: https://www.facebook.com/legal/controller_addendum. Under that agreement, we are responsible for providing data protection information when using the Meta tool and for implementing it on our website in a privacy-compliant way. Meta is responsible for the data security of Meta products. You can request information about the data processed by Facebook or Instagram directly from Meta. If you raise such requests with us, we are obliged to forward them to Meta.
Transfers to the United States are based on the European Commission's Standard Contractual Clauses. Details: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.
Additional information about how Meta protects your privacy is available in Meta's data protection policy: https://de-de.facebook.com/about/privacy/.
You can also turn off the "Custom Audiences" remarketing feature in your ad settings at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. To do this, you must be logged into Facebook.
If you don't have a Facebook or Instagram account, you can opt out of usage-based advertising by Meta on the European Interactive Digital Advertising Alliance website: http://www.youronlinechoices.com/de/praferenzmanagement/.
The provider is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the EU and the US intended to ensure that data processing in the US meets European data protection standards. Any company certified under the DPF is contractually bound to those standards. For more information, see: https://www.dataprivacyframework.gov/participant/4452.
Meta Custom Audiences
We use Meta Custom Audiences. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.
Whenever you visit or use our website and apps, take part in our offerings (such as sweepstakes), share data with us, or interact with our company's content on Facebook or Instagram, related personal data is collected. Where you have given consent for Meta Custom Audiences, we share that data with Meta so it can show you matching ads. The data may also be used to define lookalike target audiences.
Meta processes that data as our processor. For details, see Meta's user agreement: https://www.facebook.com/legal/terms/customaudience.
Use of these services is based on your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. You may withdraw consent at any time.
Transfers to the US take place under the European Commission's Standard Contractual Clauses. Details: https://www.facebook.com/legal/terms/customaudience and https://www.facebook.com/legal/terms/dataprocessing.
The provider is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the EU and the US intended to ensure that data processing in the US meets European data protection standards. Any company certified under the DPF is contractually bound to those standards. For more information, see: https://www.dataprivacyframework.gov/participant/4452.
LinkedIn Insight Tag
This site uses LinkedIn's Insight Tag. The service is provided by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.
Data processing through the LinkedIn Insight Tag
We use the LinkedIn Insight Tag to obtain information about visitors to our website. If a visitor is registered with LinkedIn, we can analyze key professional details (e.g., career level, company size, country, location, industry, job title) of our website visitors to make our content more relevant to the right audience. The LinkedIn Insight Tag also lets us measure whether visitors to our sites make a purchase or perform other actions (conversion measurement). Conversion measurement can also be carried out across devices (e.g., from PC to tablet). The LinkedIn Insight Tag also offers a retargeting feature that lets us show targeted ads to visitors of our website outside of the website itself. According to LinkedIn, the recipient of the ad is not personally identified.
LinkedIn itself also collects log files (URL, referrer URL, IP address, device and browser characteristics, and time of access). IP addresses are shortened or — if used to recognize LinkedIn members across devices — hashed (pseudonymized). LinkedIn deletes direct identifiers of LinkedIn members after seven days. The remaining pseudonymized data is then deleted within 180 days.
The data LinkedIn collects cannot be linked to specific individuals by us as the website operator. LinkedIn stores the personal data it collects from website visitors on its servers in the USA and uses it for its own promotional purposes. For details, see LinkedIn's privacy notice at https://www.linkedin.com/legal/privacy-policy#choices-oblig.
Legal basis
Where you have given consent, the service named above is used on the basis of Art. 6(1)(a) GDPR and § 25 TDDDG (German Telecommunications Act). Consent can be withdrawn at any time. Where consent has not been obtained, the service is used on the basis of Art. 6(1)(f) GDPR; the website operator has a legitimate interest in effective advertising — including via social media.
Transfers to the US take place under the European Commission's Standard Contractual Clauses (SCCs). Details: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs.
The provider is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the EU and the US intended to ensure that data processing in the US meets European data protection standards. Any company certified under the DPF is contractually bound to those standards. For more information, see: https://www.dataprivacyframework.gov/participant/5448.
Objecting to the LinkedIn Insight Tag
You can object to LinkedIn's analysis of user behavior and to targeted advertising at: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
LinkedIn members can also manage how their personal information is used for promotional purposes through their account settings. To prevent LinkedIn from linking information collected on our site to your LinkedIn account, log out of LinkedIn before visiting our site.
6. Newsletter
Newsletter data
If you'd like to receive the newsletter offered on this site, we need an email address from you, plus information that lets us verify that you own the address provided and that you agree to receive the newsletter. We don't collect anything else, or we only collect it on a voluntary basis. To handle our newsletter, we use newsletter service providers, described below.
Klaviyo
This site uses Klaviyo to send out our newsletter. The provider is Klaviyo, Inc., 125 Summer Street, Boston, MA 02110, USA.
Klaviyo is a marketing automation and email service provider used to organize and analyze newsletter sends. Whenever you enter data to subscribe (e.g., your email address), the information is stored on Klaviyo's servers. Klaviyo may also process additional data such as how you interact with the emails we send (opens, clicks), browser type, operating system, IP address, and approximate location.
With the help of Klaviyo, we can analyze how our newsletter campaigns perform. When you open an email sent through Klaviyo, an embedded tracking pixel connects to Klaviyo's servers, allowing us to see whether the message has been opened and which links you may have clicked. Technical information is also captured at that point (such as the time of access, IP address, browser type, and operating system). This information is used solely for statistical analysis of newsletter campaigns. The results help us shape future newsletters more closely around recipients' interests.
If you don't want Klaviyo to analyze your activity, you'll need to unsubscribe from the newsletter. Every newsletter we send includes an unsubscribe link.
Processing is based on your consent (Art. 6(1)(a) GDPR). You can withdraw your consent at any time by unsubscribing. The lawfulness of any processing already carried out before the withdrawal is unaffected.
The data you give us in order to subscribe to the newsletter is held by us until you unsubscribe from either the newsletter or the newsletter service provider, and is removed from the distribution list once you unsubscribe. Data we hold for other purposes is unaffected.
Transfers to the US take place under the European Commission's Standard Contractual Clauses (SCCs). Details: https://www.klaviyo.com/legal/dpa.
Once you have unsubscribed, your email address may be added to a suppression list by us or by Klaviyo, where this is necessary to prevent future mailings. Data on that list is used only for that purpose and is not combined with other information. This serves both your interest and our interest in meeting legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6(1)(f) GDPR). Storage on the suppression list is for an indefinite period. You can object to this storage if your interests outweigh our legitimate interest.
For more details, see Klaviyo's privacy notice: https://www.klaviyo.com/legal/privacy-notice.
The provider is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the EU and the US intended to ensure that data processing in the US meets European data protection standards. Any company certified under the DPF is contractually bound to those standards.
7. Plug-ins and tools
Google Fonts
To make sure fonts on this site display consistently, we use what are known as Google Fonts, provided by Google. When you visit a page on our site, your browser loads the required fonts into its cache so that text is displayed correctly.
To do this, your browser has to connect to Google's servers. As a result, Google learns that this site has been accessed via your IP address. Use of Google Fonts is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in displaying fonts consistently across the site. Where consent has been obtained, processing is based exclusively on Art. 6(1)(a) GDPR and § 25(1) TDDDG, to the extent the consent covers the storage of cookies or access to information on the user's device (e.g., device fingerprinting) within the meaning of the TDDDG. Consent can be withdrawn at any time.
If your browser doesn't support Google Fonts, a standard font installed on your computer will be used instead.
For more on Google Fonts, see https://developers.google.com/fonts/faq and Google's privacy notice: https://policies.google.com/privacy?hl=en.
The provider is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the EU and the US intended to ensure that data processing in the US meets European data protection standards. Any company certified under the DPF is contractually bound to those standards. For more information, see: https://www.dataprivacyframework.gov/participant/5780.
Make / Celonis
We have integrated Make on this website. The provider is Celonis Inc., Theresienstraße 6, 80333 Munich, Germany (referred to here as "Make").
Make lets us connect and synchronize various functions, databases, and tools with our website. For example, content we publish on the website can be automatically distributed to our social channels, or content can be exported from marketing and analytics tools. Depending on the function, Make may collect various pieces of personal data along the way.
Use of Make is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in integrating the tools it uses as efficiently as possible. Where consent has been obtained, processing is based exclusively on Art. 6(1)(a) GDPR and § 25(1) TDDDG, to the extent the consent covers the storage of cookies or access to information on the user's device (e.g., device fingerprinting) within the meaning of the TDDDG. Consent can be withdrawn at any time.
Transfers to the USA take place under the European Commission's Standard Contractual Clauses. Details: https://Make.com/tos.
The provider is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the EU and the US intended to ensure that data processing in the US meets European data protection standards. Any company certified under the DPF is contractually bound to those standards.
Loom
We use Loom to record and embed product demos, walkthroughs, and explainer videos on our website. The provider is Loom, Inc., 100 1st Street, Suite 2700, San Francisco, CA 94105, USA.
When you watch a Loom video embedded on our site, your browser establishes a connection to Loom's servers. As a result, Loom may receive information about your visit (e.g., IP address, browser type, the page on which you watched the video) and set cookies to support playback and analytics.
Use of Loom is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in providing visual product information on its website. Where consent has been obtained, processing is based exclusively on Art. 6(1)(a) GDPR and § 25(1) TDDDG, to the extent the consent covers the storage of cookies or access to information on the user's device (e.g., device fingerprinting) within the meaning of the TDDDG. Consent can be withdrawn at any time.
Transfers to the United States are based on the European Commission's Standard Contractual Clauses (SCCs).
For more information, see Loom's privacy notice: https://www.loom.com/privacy-policy.
n8n (self-hosted)
We use n8n, an open-source workflow automation platform, to connect and synchronize various tools and services we work with. Depending on the workflow, this may involve processing personal data (e.g., contact information of leads or customers) as it moves between systems.
n8n is operated as a self-hosted instance on our own infrastructure (see "External Hosting" / Supabase in section 2), which means data processed through n8n remains under our direct control rather than being passed to a separately operated cloud provider.
Use of n8n is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in automating and integrating its tools efficiently. Where the processing relates to performance of a contract or pre-contractual steps, the basis is Art. 6(1)(b) GDPR. Where consent has been obtained, processing is based exclusively on Art. 6(1)(a) GDPR; consent can be withdrawn at any time.
Because the instance is self-hosted, no personal data is transferred to n8n as a service provider for the purpose of running the platform itself. Data residency follows the hosting infrastructure described in section 2 above. Where individual workflow steps connect to third-party services, the privacy implications of those services are governed by their own respective entries in this policy.
For more information about the underlying software, see: https://n8n.io/.
AI service providers (OpenAI and Anthropic)
We use large language model APIs from OpenAI and Anthropic to power certain product features and internal workflows (for example, content generation, summarization, classification, and analysis).
OpenAI: provider is OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA. Privacy notice: https://openai.com/policies/privacy-policy.
Anthropic: provider is Anthropic, PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA. Privacy notice: https://www.anthropic.com/legal/privacy.
We do not knowingly send personally identifiable information to these providers. Where data passed to them could otherwise contain personal information, we strip or pseudonymize identifiers before transmission. Under our API agreements, content sent to these providers is not used to train their models.
Use of these services is based on Art. 6(1)(f) GDPR. We have a legitimate interest in efficiently developing, operating, and improving our product. To the extent personal data is nonetheless transferred to the United States, transfers take place under the European Commission's Standard Contractual Clauses (SCCs). Neither OpenAI nor Anthropic is currently certified under the EU-US Data Privacy Framework (DPF), but contractual safeguards are in place to protect personal data.
8. eCommerce and payment service providers
Processing of customer and contract data
We collect, process, and use personal customer and contract data in order to enter into, define the contents of, and amend our contractual relationships. Personal data linked to the use of this website (usage data) is collected, processed, and used only where it is needed to enable the user to use our services or for billing. The legal basis for this is Art. 6(1)(b) GDPR.
Customer data we have collected is deleted once the order is fulfilled or the business relationship ends, and once any statutory retention periods have run out. Mandatory statutory retention periods remain unaffected.
Sharing of data when contracts for services and digital content are signed
We only share personal data with third parties where this is needed in connection with handling the contract — for example, with the financial institution responsible for processing payments.
Any further sharing of your data takes place only with your express consent. We will not, for instance, share your data with third parties for advertising purposes without your express consent.
The basis for processing is Art. 6(1)(b) GDPR, which permits processing for the performance of a contract or for pre-contractual steps.
Payment services
We integrate third-party payment services on our site. When you make a purchase, your payment data (e.g., name, payment amount, bank details, credit card number) is processed by the payment service provider for the purpose of handling the payment. The relevant contractual and data protection terms of each provider apply. Use of payment service providers is based on Art. 6(1)(b) GDPR (contract performance) and on our interest in smooth, convenient, and secure payment processing (Art. 6(1)(f) GDPR). Where consent is requested for specific actions, Art. 6(1)(a) GDPR is the basis; consent may be withdrawn at any time, with effect for the future.
The following payment services / providers are used on this website:
Stripe
For customers in the EU, the provider is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (referred to here as "Stripe").
Transfers to the US are based on the European Commission's Standard Contractual Clauses (SCCs). Details: https://stripe.com/de/privacy and https://stripe.com/de/guides/general-data-protection-regulation.
For more, see Stripe's privacy notice: https://stripe.com/de/privacy.
Shopify
The provider for billing services is Shopify International Ltd., Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland (referred to here as "Shopify").
Data may be transferred to Shopify Inc., 151 O'Connor Street, Ground Floor, Ottawa, Ontario, K2P 2L8, Canada, and to Shopify's affiliates, including some located in the United States. Where data is transferred outside the EU/EEA, those transfers take place under the European Commission's Standard Contractual Clauses (SCCs).
For more on Shopify's data protection practices, see: https://www.shopify.com/legal/privacy.
9. Online audio and video conferences (conferencing tools)
Data processing
Among other things, we use online conferencing tools to communicate with our customers. The specific tools we use are listed below. If you communicate with us via internet-based video or audio conference, your personal data is collected and processed both by the provider of the conferencing tool and by us. The conferencing tools collect any information you provide or that is necessary to use them (email address and/or phone number). They also process the duration of the conference, the start and end time of your participation, the number of participants, and other "context information" related to the communication (metadata).
The tool provider also processes all the technical data needed to handle the online communication. This includes, in particular, IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or speaker, and the type of connection.
If content is exchanged, uploaded, or otherwise made available within the tool, it is also stored on the tool provider's servers. That includes — but is not limited to — cloud recordings, chat/instant messages, voicemail, uploaded photos and videos, files, whiteboards, and other information shared while using the service.
Please bear in mind that we don't have full control over how the tools handle data. What we can influence is largely determined by the provider's company policy. More information about how each conferencing tool processes data is available in the data protection statements of the tools used; these are listed below this paragraph.
Purpose and legal basis
We use these conferencing tools to communicate with prospective or existing contractual partners or to provide certain services to our customers (Art. 6(1)(b) GDPR). They also serve to make communication with us, or with our company more generally, simpler and faster (legitimate interest within the meaning of Art. 6(1)(f) GDPR). Where consent has been requested, the relevant tool will be used on the basis of that consent; consent may be withdrawn at any time, with effect from that date.
Storage duration
Data we collect directly through the video and conferencing tools is deleted from our systems as soon as you ask us to delete it, withdraw your consent for storage, or the reason for storage no longer applies. Cookies that have been stored remain on your device until you delete them. Mandatory statutory retention periods are unaffected.
We have no influence over how long the operators of the conferencing tools store data they hold for their own purposes. For details, please contact those operators directly.
Conferencing tools used
We use the following conferencing tools:
Google Meet
We use Google Meet. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For details on data processing, see Google's privacy notice: https://policies.google.com/privacy?hl=en.
The provider is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the EU and the US intended to ensure that data processing in the US meets European data protection standards. Any company certified under the DPF is contractually bound to those standards. For more information, see: https://www.dataprivacyframework.gov/participant/5780.
Fireflies
We use Fireflies to record, transcribe, and summarize online meetings (such as sales calls and customer interviews) when it is invited as a participant. The provider is Fireflies.ai Corp., 333 Bush Street, Suite 2150, San Francisco, CA 94104, USA.
When Fireflies joins a call, audio is recorded and processed to produce a transcript and summary. Recordings, transcripts, and summaries are stored on Fireflies' infrastructure. The transcript may include personal data shared by participants during the meeting.
We inform meeting participants that Fireflies is present and recording before any recording begins. Where consent is the basis for processing, it is given on the basis of Art. 6(1)(a) GDPR and can be withdrawn at any time, with effect for the future. Where the processing is necessary for the performance of a contract or pre-contractual steps, the basis is Art. 6(1)(b) GDPR. We otherwise rely on Art. 6(1)(f) GDPR, where we have a legitimate interest in keeping accurate records of business conversations.
Recordings and transcripts are deleted once the purpose for which they were created no longer applies, unless retention is required by law.
Transfers to the United States are based on the European Commission's Standard Contractual Clauses (SCCs).
For more information, see Fireflies' privacy notice: https://fireflies.ai/privacy.
10. Custom services
Handling of applicant data
We give visitors the option to send us job applications (e.g., by email, by post, or via our online application form). Below, we explain the scope, purpose, and use of the personal data we collect from you in the application process. We assure you that the collection, processing, and use of your data takes place in line with applicable data protection rights and all other statutory provisions, and that your data is always treated as strictly confidential.
Scope and purpose of data collection
If you submit an application to us, we process the personal data attached to it (e.g., contact and communications data, application documents, notes from interviews, and so on) to the extent that it's needed to make a decision about establishing or shaping an employment relationship. The legal bases are § 26 BDSG under German law (negotiation of an employment relationship), Art. 6(1)(b) GDPR (general contract negotiations), and — where you have given us your consent — Art. 6(1)(a) GDPR. You may withdraw any consent given at any time. Within our company, your personal data is shared only with the people involved in handling your application.
If your application leads to your being hired, the data you submitted is archived under § 26 BDSG and Art. 6(1)(b) GDPR for the purpose of carrying out the employment relationship in our data processing systems.
Retention period
If we are unable to make you a job offer, you turn down a job offer, or you withdraw your application, we reserve the right to keep the data you submitted on the basis of our legitimate interests (Art. 6(1)(f) GDPR) for up to 6 months from the end of the application process (rejection or withdrawal). After that, the data is deleted and physical application documents are destroyed. Storage serves in particular as evidence in the event of a legal dispute. Where it becomes clear that the data will be needed beyond the 6-month period (e.g., because a legal dispute is imminent or pending), deletion happens once the reason for storage falls away.
Longer storage may also occur where you have given your agreement (Art. 6(1)(a) GDPR) or where statutory retention requirements prevent deletion.
Inclusion in the applicant pool
If we don't make you a job offer, you may have the option to join our applicant pool. If you are accepted, all documents and information from your application will be transferred to the applicant pool so that we can contact you about suitable openings.
Inclusion in the applicant pool is based exclusively on your express agreement (Art. 6(1)(a) GDPR). Giving this agreement is voluntary and not connected to the ongoing application procedure. The data subject can withdraw the agreement at any time. In that case, the data in the applicant pool is irrevocably deleted, unless there are legal reasons to keep it.
Data in the applicant pool is irrevocably deleted no later than two years after consent is given.
Google Drive
We have integrated Google Drive on this website. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Drive lets us include an upload area on our site to which you can upload content. When you upload something, it is stored on Google Drive's servers. When you visit our site, a connection to Google Drive is also established, so Google Drive can detect that you have visited our site.
Use of Google Drive is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in providing a reliable upload area on the site. Where consent has been obtained, processing is based exclusively on Art. 6(1)(a) GDPR; consent can be withdrawn at any time.
The provider is certified under the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the EU and the US intended to ensure that data processing in the US meets European data protection standards. Any company certified under the DPF is contractually bound to those standards. For more information, see: https://www.dataprivacyframework.gov/participant/5780.
