Privacy Policy

Last updated: September 8, 2025

1. Controller and Responsible Person

The controller responsible for the processing of your personal data (Verantwortlicher according to Art. 4 No. 7 GDPR) is:

Konrad Lorenz

Konrad Lorenz Development

Sinnerstraße 7

76185 Karlsruhe, Germany

Email: info@klzdev.com

Business Email: konrad.lorenz@klzdev.com

2. Introduction

We are committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our services, or interact with our FriendHub application in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

By using our services, you consent to the data practices described in this policy. If you do not agree with the practices described in this policy, please do not use our services.

3. Information We Collect

3.1 Personal Information

We may collect personal information that you voluntarily provide to us, including:

  • Name and contact information (email address, phone number)
  • Business information (company name, job title, industry)
  • Project requirements and technical specifications
  • Payment information (processed securely through third-party payment processors)
  • Communication preferences and feedback

3.2 Automatically Collected Information

When you visit our website or use our services, we automatically collect certain information:

  • Device information (IP address, browser type, operating system)
  • Usage data (pages visited, time spent, referral sources)
  • Cookies and similar tracking technologies
  • Performance and analytics data

3.3 FriendHub Application Data

For FriendHub users, we may collect:

  • Account registration information
  • App usage statistics and crash reports
  • Feature usage preferences
  • Support requests and feedback

Note: A separate, dedicated privacy notice for FriendHub is available within the app and complies with App Store and Google Play Store requirements for mobile applications.

4. Legal Basis for Processing (Art. 6 GDPR)

We process your personal data based on the following legal grounds:

  • Contract performance (Art. 6(1)(b) GDPR): Processing necessary for the performance of a contract with you or to take steps prior to entering into a contract (e.g., contact forms, pre-contractual communication, project execution, billing)
  • Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent for specific processing activities (e.g., newsletter subscriptions, marketing communications, optional analytics)
  • Legal obligations (Art. 6(1)(c) GDPR): Processing necessary to comply with legal obligations (e.g., tax records, business documentation requirements)
  • Legitimate interests (Art. 6(1)(f) GDPR): Processing necessary for our legitimate business interests, such as improving our services, security measures, and fraud prevention, provided your rights and freedoms are not overridden

5. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide and maintain our services
  • Process transactions and send related information
  • Communicate with you about projects, updates, and support
  • Improve our website, applications, and services
  • Analyze usage patterns and optimize user experience
  • Comply with legal obligations
  • Protect against fraudulent or illegal activities

6. Third-Party Services and Data Processors

We work with trusted third-party service providers to deliver our services. Below are the main processors we use:

6.1 Hosting Provider

Our website is hosted by Hetzner Online GmbH. We have concluded a data processing agreement (Auftragsverarbeitungsvertrag) pursuant to Art. 28 GDPR with our hosting provider to ensure your data is processed securely and in compliance with data protection laws.

Hosting Provider:

Hetzner Online GmbH

Industriestr. 25

91710 Gunzenhausen, Germany

Tel.: +49 (0)9831 505-0

Email: info@hetzner.com

6.2 Email Services

We operate our own email server hosted on Hetzner Online GmbH infrastructure. All email communications are processed in accordance with GDPR requirements and are subject to the same data processing agreement we have with our hosting provider. Email data remains under our direct control and is not processed by third-party email service providers.

6.3 Contact Forms and Communication

When you contact us through our website contact forms, we collect and process the information you provide (name, email, message content) solely for the purpose of responding to your inquiry and providing the requested information or services.

We have concluded appropriate data processing agreements (Auftragsverarbeitungsverträge) with all processors to ensure your personal data is processed securely and in compliance with GDPR requirements.

7. Information Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information in the following circumstances:

  • With your explicit consent
  • With trusted service providers who assist in our operations
  • To comply with legal requirements or court orders
  • To protect our rights, property, or safety
  • In connection with a business transfer or acquisition

8. Data Security

We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • SSL/TLS encryption for data transmission
  • Secure hosting and database encryption
  • Regular security audits and updates
  • Access controls and authentication requirements
  • Employee training on data protection practices

However, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information.

9. Cookies and Tracking Technologies

Currently, we do not use any non-essential cookies on our website. We only use technically necessary cookies that are essential for the basic functionality of our website. These essential cookies do not require your consent under the TTDSG (Telecommunications Telemedia Data Protection Act).

9.1 Server Logs

Server logs are collected automatically by our hosting provider for security and operational purposes. These logs may include IP address, timestamp of access, requested resources, browser information, and referrer URL. Server logs are automatically deleted after 30 days and are used solely for:

  • Security monitoring and threat detection
  • Performance optimization and error analysis
  • Legal compliance and abuse prevention

Should we implement analytics, marketing, or other non-essential cookies in the future, we will:

  • Obtain your explicit consent before setting any non-essential cookies
  • Provide you with a cookie consent banner with clear opt-in options
  • Allow you to withdraw your consent at any time via cookie settings
  • Update this privacy policy to reflect the specific cookies in use

You can control cookie settings through your browser preferences at any time.

10. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

  • Access to your personal information
  • Correction of inaccurate information
  • Deletion of your personal information
  • Restriction of processing
  • Data portability
  • Objection to processing
  • Withdrawal of consent

To exercise these rights, please contact us using the information provided in the “Contact Us” section below. You also have the right to lodge a complaint with the competent supervisory authority (see section 11).

11. Supervisory Authority

You have the right to lodge a complaint with the competent data protection supervisory authority if you believe that the processing of your personal data violates data protection laws.

The competent supervisory authority for our business is:

Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW)

Königstraße 10a

70173 Stuttgart, Germany

Phone: +49 711 615541-0

Email: poststelle@lfdi.bwl.de

Website: www.baden-wuerttemberg.datenschutz.de

12. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Factors we consider when determining retention periods include:

  • The nature and sensitivity of the information
  • Legal and regulatory requirements
  • Business purposes and operational needs
  • Your relationship with our services

12.1 Specific Retention Periods

  • Contact form submissions: Deleted after 6 months if no contractual relationship develops
  • Email correspondence: Retained for the duration of the business relationship plus 3 years
  • Invoices and financial records: Retained for 10 years (German tax law requirements - AO §147)
  • Server logs: Automatically deleted after 30 days
  • Project documentation: Retained for 3 years after project completion
  • Marketing communications: Until consent is withdrawn or 3 years of inactivity

You may request deletion of your personal data at any time, subject to our legal obligations to retain certain information.

13. International Data Transfers

If your personal data is transferred to countries outside the European Union (EU) or the European Economic Area (EEA), we ensure that such transfers comply with applicable data protection laws. We implement appropriate safeguards to protect your information, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission for specific countries
  • Other appropriate safeguards as required by GDPR

You can request a copy of the safeguards we have in place for international transfers by contacting us.

14. Automated Decision-Making and Profiling

We do not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you (Art. 22 GDPR). Any automated processing we perform is limited to:

  • Basic website analytics and performance monitoring
  • Automated spam detection for contact forms
  • Technical optimization and error detection

These automated processes do not involve profiling or decision-making that would significantly impact your rights or legal status.

15. Children's Privacy

Our services are not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly.

If you are a parent or guardian and believe that your child under 16 has provided us with personal information, please contact us immediately so we can take appropriate action.

16. Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the competent supervisory authority within 72 hours of becoming aware of the breach (Art. 33 GDPR)
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR)
  • Document the breach and take immediate steps to contain and remedy the situation
  • Implement additional security measures to prevent similar incidents

If you suspect a security incident or have concerns about the safety of your personal data, please contact us immediately using the information in the “Contact Us” section (section 19).

17. Privacy Policy Updates and Version Control

We maintain version control of our Privacy Policy to ensure transparency about changes:

  • Current Version: 1.0 (September 2025)
  • All material changes will be highlighted and dated
  • Previous versions are available upon request
  • Users will be notified of significant changes via email (where applicable) and website notice

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the updated policy on our website and updating the “Last updated” date.

19. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Konrad Lorenz

Konrad Lorenz Development

Sinnerstraße 7

76185 Karlsruhe, Germany

Email: info@klzdev.com

Business Email: konrad.lorenz@klzdev.com

Website: www.klzdev.com

For urgent data protection matters or security concerns: Please mark your email with “URGENT - Data Protection” in the subject line for priority handling.

20. Governing Law

This Privacy Policy is governed by and construed in accordance with German data protection law, including the GDPR and the Bundesdatenschutzgesetz (BDSG). Any disputes relating to this policy will be subject to the exclusive jurisdiction of the German courts.