Privacy Policy

1. Data Protection at a Glance

General Information

The following information provides a simple overview of what happens to your personal data when you use our website or web application. Personal data is any data that can personally identify you. Detailed information on data protection can be found in the privacy policy below.

Data Collection in Our Web Application

Who is responsible for data collection?

Data processing is carried out by the operator of the application. Their contact details can be found in the section “Information on the Controller” in this privacy policy.

How do we collect your data?

Some data is collected when you provide it to us (e.g. by entering your email address to sign in). Other data is collected automatically or with your consent when you use the website/web application. This mainly includes technical data (e.g. browser, operating system, or time of access). This data is collected automatically once you access the site.

What do we use your data for?

Some data is collected to ensure error-free provision of the website/web application and to enable authentication. Other data may be processed to ensure stability and IT security and for troubleshooting. If contracts can be concluded or initiated via the website/web application, transmitted data will also be processed for contract offers, orders, or other inquiries. Furthermore, we process pseudonymized usage data for statistical evaluation of the use of individual functions and for the further development of the application.

What rights do you have regarding your data?

You have the right at any time to obtain free information about the origin, recipient, and purpose of your stored personal data. You also have the right to request the correction or deletion of this data. If you have given your consent to data processing, you can withdraw it at any time with effect for the future. You further have the right, under certain circumstances, to request restriction of processing of your personal data and the right to lodge a complaint with the competent supervisory authority. You can contact us at any time for this and for further questions about data protection.

2. Hosting

We host the content of our website/web application with the following provider:

External Hosting

This website/web application is hosted externally. The personal data collected is stored on the servers of the hosting provider(s). This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, access data, and other data generated through usage. External hosting is carried out for the purpose of fulfilling contracts with our users (Art. 6(1)(b) GDPR) and in the legitimate interest of providing our online offer securely, quickly, and efficiently by a professional provider (Art. 6(1)(f) GDPR). If consent has been requested, processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25(1) TDDDG insofar as the consent covers cookies or access to information on the user’s device. Consent can be withdrawn at any time. Our hosting provider(s) will process your data only to the extent necessary to fulfill their service obligations and in accordance with our instructions.

Hosting Provider:

Vercel Inc.
440 N. Barranca Ave #4133
Covina CA 91723
United States

Data Processing Agreement

We have concluded a Data Processing Agreement (DPA) with the provider named above. This ensures the provider processes personal data only in accordance with our instructions and in compliance with the GDPR.

3. Use of Supabase

We use Supabase as a backend service to provide the technical infrastructure of our application. Provider: Supabase Inc., 981 Mission St, San Francisco, CA 94103, USA. Supabase processes data required for authentication, user account management, and operation of the application. This includes in particular email address, user ID, and technical session/connection data. Processing is carried out for the purpose of providing and operating our web application and managing user accounts. Hosting and processing via Supabase are based on Art. 6(1)(b) GDPR (performance of a contract / pre-contractual measures) and our legitimate interest in the secure and efficient provision of the application in accordance with Art. 6(1)(f) GDPR. We have concluded a Data Processing Agreement (DPA) with Supabase pursuant to Art. 28 GDPR. If data is transferred to the USA, such transfer is based on the Standard Contractual Clauses (SCCs) issued by the European Commission.

4. General Information and Mandatory Details

Data Protection

The operator of this website/web application takes the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy. When you use this website/web application, various personal data are processed. This privacy policy explains what data we process, how we use it, and for what purpose. Please note that data transmission over the internet (e.g. via email) may have security gaps. Complete protection of data from third-party access is not possible.

Information on the Controller

The controller responsible for data processing is:

Pascal Wegner
Heintzestraße 15a
24143 Kiel
Deutschland

The controller is the natural or legal person who alone or jointly with others determines the purposes and means of processing personal data (e.g. names, email addresses, etc.).

Storage Duration

Unless a more specific storage period has been specified in this privacy policy, your personal data will remain with us until the purpose for processing no longer applies. If you request deletion or withdraw your consent, your data will be deleted unless there are other legally permissible reasons for storing it (e.g. statutory retention obligations). In such cases, deletion will occur once those reasons no longer apply.

Legal Bases for Data Processing

If you have given consent, your personal data is processed on the basis of Art. 6(1)(a) GDPR or, for special categories of data, Art. 9(2)(a) GDPR. If you consent to cookies or access to device information, this is additionally based on § 25(1) TDDDG. You may withdraw your consent at any time. If your data is required for performance of a contract or pre-contractual steps, processing is based on Art. 6(1)(b) GDPR. If processing is required to fulfill a legal obligation, it is based on Art. 6(1)(c) GDPR. Processing may also be based on our legitimate interest under Art. 6(1)(f) GDPR. The relevant legal basis is specified in the respective sections of this privacy policy.

Recipients of Personal Data

In the course of our operations, we work with external parties. This may require transferring personal data to such parties. We transfer personal data only if necessary for contract performance, if required by law, if we have a legitimate interest (Art. 6(1)(f) GDPR), or if another legal basis permits it. When using processors, we do so only based on a valid DPA under Art. 28 GDPR.

Withdrawal of Your Consent

Many processing operations are possible only with your explicit consent. You can withdraw your consent at any time with future effect. The lawfulness of processing prior to withdrawal remains unaffected.

Right to Object (Art. 21 GDPR)

If processing is carried out on the basis of Art. 6(1)(e) or (f) GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data. If you object, we will stop processing your personal data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or processing is necessary for legal claims.

Complaint to the Competent Supervisory Authority

In the event of a breach of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, particularly in the Member State of their habitual residence, place of work, or place of the alleged infringement.

Right to Data Portability

You have the right to receive data which we process on the basis of your consent or in performance of a contract, in a commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.

Right of Access, Rectification, and Erasure

You have the right to obtain information about your stored personal data, its origin, recipients, and the purpose of processing, and the right to rectify or delete this data in accordance with applicable law.

Right to Restrict Processing

You have the right to request restriction of processing of your personal data under certain conditions.

  • If you contest the accuracy of your personal data, we need time to verify it.
  • If processing is unlawful, you may request restriction instead of deletion.
  • If we no longer need your data but you need it for legal claims.
  • If you have objected under Art. 21(1) GDPR and a balance of interests is pending.

Where processing is restricted, your data (apart from storage) will be processed only with your consent, for legal claims, or for important public interests as permitted by law.

SSL/TLS Encryption

This site uses SSL/TLS encryption to protect the transmission of confidential content. You can recognize an encrypted connection by “https://” and the lock symbol in your browser’s address bar.

5. Authentication (Magic Link Login)

Using our web application requires authentication via an email-based magic link process. When you enter your email address, we process it to send you a one-time, time-limited login link. After you click the link, a session is created. For authentication, security (e.g. abuse prevention), and operation of the application, we also process technical session and connection data (e.g. tokens, timestamps, IP address, and device/browser information) to the extent necessary. The legal basis for processing for authentication and account management is Art. 6(1)(b) GDPR. To the extent technical data is processed to ensure security and stability, it is additionally based on our legitimate interest under Art. 6(1)(f) GDPR. Authentication and account management are technically provided via Supabase (see section “Use of Supabase”).

6. Pseudonymized Usage Analysis

To improve and further develop our web application, we process pseudonymized data on the usage of individual features. For this purpose, a randomly generated tracking ID is used for each user, which is not derived from the user account. The tracking ID is stored in a separate table and managed separately from the registration data. Based on this tracking ID, we record how often certain features are used within a calendar month. In particular, the following data is processed:

  • randomly generated tracking ID
  • identifier of the used feature
  • month and year of use
  • number of uses per month

Direct identification of users based on this data is not possible. There is no merging with clear data (e.g., email address), profiling, or use for advertising purposes. The legal basis for this processing is our legitimate interest in the statistical evaluation as well as the technical and functional further development of our application according to Art. 6(1)(f) GDPR. The tracking ID and the associated usage data are only stored as long as necessary for the stated purposes. If a user account is deleted, the association between the user account and the tracking ID is removed.