Privacy Policy | Safina AI
Last updated: 2025-04-01
As of: April 2025
1. Privacy at a Glance
General Information
The following information provides a simple overview of what happens to your personal data when you visit this website or use our service. Personal data is any data that can be used to personally identify you. Detailed information on the subject of data protection can be found in the privacy policy set out below.
Responsible Party
Safina AI is a service of DK Tech Solutions UG, Schwanthalerstr. 141, 80339 Munich, Germany
Authorized representatives: David Schemm & Karsten Kreh
Registration number: HRB 302584
Email: info@safina.ai
Phone: +49 89 6282 7865
Your Rights
You have the right at any time to:
- Obtain information about your data stored with us (Art. 15 GDPR)
- Have this data rectified (Art. 16 GDPR)
- Request the deletion of this data (Art. 17 GDPR)
- Request the restriction of the processing of this data (Art. 18 GDPR)
- Object to the processing (Art. 21 GDPR)
- Request the transfer of this data (Art. 20 GDPR)
- Withdraw a given consent at any time (Art. 7(3) GDPR)
- Lodge a complaint with a supervisory authority (Art. 77 GDPR)
Detailed information about your rights can be found further below in this policy.
2. Overview of Processing Activities
Types of Data Processed
- Inventory data (e.g., names, addresses upon registration)
- Contact data (e.g., email, phone numbers)
- Content data (e.g., audio recordings of calls (if enabled), transcripts, summaries, analyses, configurations such as conversation guides) — hereinafter also referred to as “user content”
- Usage data (e.g., websites/app sections visited, interest in content, access times, features used)
- Meta/communication data (e.g., device information, IP addresses, call data such as phone numbers, time, duration)
- Payment data (for paid plans, processed by payment service providers)
Categories of Data Subjects
- Users of our service (customers, prospective customers)
- Callers who interact with users through the service
- Visitors to our website
- Communication partners
- Business and contractual partners
Purposes of Processing
- Provision of the Safina AI service (AI-powered voicemail/phone switchboard) in accordance with the contract (Art. 6(1)(b) GDPR)
- Fulfillment of contractual obligations (e.g., provision of user accounts, billing) (Art. 6(1)(b) GDPR)
- Communication with users and prospective customers (Art. 6(1)(b) or (f) GDPR)
- Security measures to protect the service and data (Art. 6(1)(f) GDPR)
- Direct marketing (with consent or for existing customers under the conditions of § 7(3) UWG (German Unfair Competition Act)) (Art. 6(1)(a) or (f) GDPR)
- Reach measurement and analysis to improve the website and service (with consent or based on legitimate interests) (Art. 6(1)(a) or (f) GDPR)
- Office and organizational procedures (Art. 6(1)(c) or (f) GDPR)
- Management of feedback and inquiries (Art. 6(1)(b) or (f) GDPR)
- Provision and optimization of our online offering and user-friendliness (Art. 6(1)(f) GDPR)
- Fulfillment of legal obligations (e.g., retention obligations) (Art. 6(1)(c) GDPR)
3. Applicable Legal Bases
Applicable legal bases under the GDPR: The following provides an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Should more specific legal bases be relevant in individual cases, we will inform you of these in this privacy policy.
- Consent (Art. 6(1)(1)(a) GDPR) — The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR) — Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the data subject’s request.
- Legal obligation (Art. 6(1)(1)(c) GDPR) — Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6(1)(1)(f) GDPR) — Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that the interests, fundamental rights, and freedoms of the data subject requiring the protection of personal data do not override such interests.
National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. These include in particular the Federal Data Protection Act (Bundesdatenschutzgesetz — BDSG) and the Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz — TTDSG). The BDSG contains, in particular, special provisions on the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and the transfer and automated decision-making in individual cases, including profiling. Furthermore, the data protection laws of individual German federal states may also apply.
Note on the applicability of the GDPR and the Swiss FADP: This privacy notice serves to provide information under both the Swiss Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR). For this reason, please note that the terms of the GDPR are used due to its broader spatial application and comprehensibility. In particular, instead of the terms “processing” of “personal data,” “overriding interest,” and “particularly sensitive personal data” used in the Swiss FADP, the GDPR terms “processing” of “personal data,” “legitimate interest,” and “special categories of data” are used. However, the legal meaning of the terms continues to be determined under the Swiss FADP within the scope of its applicability.
4. Security Measures
We take appropriate technical and organizational measures in accordance with the legal requirements (in particular Art. 32 GDPR), taking into account the state of the art, the implementation costs, and the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as the access to, input of, transfer of, safeguarding of the availability of, and separation of such data. Furthermore, we have established procedures to ensure the exercise of data subjects’ rights, the deletion of data, and responses to threats to data security. We also take the protection of personal data into account during the development and selection of hardware, software, and processes in accordance with the principle of data protection by design and by default (Art. 25 GDPR).
5. Transfer of Personal Data
In the course of our processing of personal data, it may occur that such data is transferred to or disclosed to other entities, companies, legally independent organizational units, or persons. Recipients of such data may include, for example, service providers entrusted with IT tasks, or providers of services and content integrated into a website. In particular, for the provision of the core Safina AI service, we engage specialized technical service providers (sub-processors), as described in more detail in the section “Service Providers (Sub-Processors) Used for the Safina AI Service.”
In such cases, we comply with the legal requirements and, in particular, enter into appropriate agreements (data processing agreements pursuant to Art. 28 GDPR) that serve to protect your data with the recipients of your data. Your data is not shared with third parties for advertising purposes.
6. Service Providers (Sub-Processors) Used for the Safina AI Service
For the technical provision and optimization of the Safina AI service, we engage carefully selected technical service providers (sub-processors). Processing by these service providers is carried out on the basis of data processing agreements (Art. 28 GDPR). This includes, in particular, services in the following areas:
- Hosting: For the storage and provision of data and the service. Our primary hosting location is Germany (currently Amazon Web Services — AWS in Frankfurt am Main).
- Telephony integration: For receiving and routing calls (e.g., Twilio).
- AI features: For speech recognition, transcription, speech generation, summaries, and analyses (e.g., OpenAI, Google Cloud AI Services, Deepgram, Elevenlabs).
- Payment processing: For processing payments for paid plans (e.g., Stripe for subscriptions via the website; Apple/Google for in-app purchases, optionally via RevenueCat for subscription management).
- Analytics tools (service optimization): For analyzing service usage and troubleshooting (e.g., Posthog).
- Communication services: For sending emails and notifications (e.g., Brevo).
The use of these service providers is necessary for the provision of the contractually agreed services (Art. 6(1)(b) GDPR). Some of these service providers may be based outside the EU/EEA or may process data there, as described in the section “International Data Transfers.”
No Use of User Content for AI Training
We expressly state that your user content, in particular audio recordings and transcripts of phone conversations, is not used by us to train our own or third-party AI models. This data is processed exclusively to provide the service you have subscribed to in accordance with our Terms of Use.
7. International Data Transfers
Data processing in third countries: Insofar as we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or where processing takes place in the context of using third-party services or the disclosure or transfer of data to other persons, entities, or companies, this is done only in accordance with the legal requirements.
Our primary hosting location for the core data of the Safina AI service is Germany (see section “Service Providers Used”). However, some of the sub-processors we use (in particular for AI features, telephony, analytics, or payment processing) may also process data in third countries, particularly the USA.
Insofar as the level of data protection in the third country has been recognized by means of an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. For the USA, such an adequacy decision exists for companies certified under the “EU-US Data Privacy Framework” (DPF). The list of certified companies as well as further information on the DPF can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/. We will inform you in the descriptions of the individual services (e.g., Google, Meta, Posthog) whether the provider is DPF-certified.
Otherwise, data transfers only take place if the level of data protection is otherwise ensured, in particular through the conclusion of Standard Contractual Clauses (SCCs) of the EU Commission (Art. 46(2)(c) GDPR), your express consent (Art. 49(1)(a) GDPR), or if the transfer is necessary for the performance of the contract (Art. 49(1)(b) or (c) GDPR).
Information on third-country transfers and existing adequacy decisions can be obtained from the European Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en.
8. General Information on Data Storage and Deletion
We delete personal data that we process in accordance with the legal requirements (Art. 17 GDPR) as soon as the underlying consents are revoked or no further legal basis for the processing exists (e.g., if the purpose of the processing has ceased and no statutory retention obligation applies). This applies to cases where the original purpose of processing ceases or the data is no longer needed. Exceptions to this rule exist where legal obligations (e.g., commercial or tax law retention obligations) or our legitimate interests (e.g., for the assertion, exercise, or defense of legal claims) require longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for the pursuit of legal claims or the protection of the rights of other natural or legal persons, must be archived accordingly.
Our privacy notices contain additional information on the retention and deletion of data that applies specifically to certain processing activities. Upon termination of the user agreement, we delete your user content in accordance with the provisions of our Terms of Use (generally after 30 days, unless retention obligations apply).
Where multiple retention periods or deletion deadlines apply to the same data, the longest period shall always prevail.
If a deadline does not expressly begin on a specific date and amounts to at least one year, it shall automatically begin at the end of the calendar year in which the event triggering the deadline occurred. In the case of ongoing contractual relationships under which data is stored, the event triggering the deadline is the date on which the termination takes effect or other conclusion of the legal relationship.
Data that is no longer processed for its originally intended purpose but is retained due to legal requirements or other reasons is processed exclusively for the reasons that justify its retention.
Data Retention and Deletion
The following general deadlines apply to retention and archiving under German law:
- 10 years: Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as the work instructions and other organizational documents necessary for their understanding, accounting records, and invoices (§ 147(3) in conjunction with (1) Nos. 1, 4, and 4a AO (German Fiscal Code), § 14b(1) UStG (German VAT Act), § 257(1) Nos. 1 and 4, (4) HGB (German Commercial Code)).
- 6 years: Other business documents: received commercial or business letters, copies of sent commercial or business letters, other documents insofar as they are relevant for taxation (§ 147(3) in conjunction with (1) Nos. 2, 3, 5 AO, § 257(1) Nos. 2 and 3, (4) HGB).
- 3 years: Data required to account for potential warranty and damage claims or similar contractual claims and rights, as well as to handle related inquiries, based on past business experience and customary industry practices, is retained for the regular statutory limitation period of three years (§§ 195, 199 BGB (German Civil Code)).
9. Rights of Data Subjects
As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:
- Right to object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
- Right to withdraw consent: You have the right to withdraw consent at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent before its withdrawal.
- Right of access: You have the right to obtain confirmation as to whether personal data concerning you is being processed and to access such data as well as further information and a copy of the data in accordance with the legal requirements.
- Right to rectification: In accordance with the legal requirements, you have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you.
- Right to erasure and restriction of processing: In accordance with the legal requirements, you have the right to request that data concerning you be erased without undue delay, or alternatively, to request restriction of the processing of the data in accordance with the legal requirements.
- Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, or to request its transmission to another controller, in accordance with the legal requirements.
- Complaint to a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
10. Business Services
We process data of our contractual and business partners, e.g., customers and prospective customers (collectively referred to as “contractual partners”), within the scope of contractual and comparable legal relationships and related measures, as well as in connection with communication with contractual partners (or pre-contractually), for example to respond to inquiries. The legal basis for this is Art. 6(1)(b) GDPR.
We use this data to fulfill our contractual obligations. These include, in particular, the obligations to provide the agreed services (Safina AI service), any update obligations, and remedies for warranty and other performance disruptions. In addition, we use the data to protect our rights and for the administrative tasks associated with these obligations, as well as for business organization (Art. 6(1)(f) GDPR). Furthermore, we process the data on the basis of our legitimate interests in proper and business-efficient management as well as in security measures to protect our contractual partners and our business operations against misuse, threats to their data, secrets, information, and rights (e.g., for the involvement of telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities) (Art. 6(1)(f) GDPR). Within the framework of applicable law, we only disclose the data of contractual partners to third parties (in particular our sub-processors) insofar as this is necessary for the aforementioned purposes or for the fulfillment of legal obligations. Contractual partners will be informed about other forms of processing, such as for marketing purposes, within the scope of this privacy policy.
We inform our contractual partners which data is required for the aforementioned purposes before or during data collection, e.g., in online forms, through special labeling (e.g., colors) or symbols (e.g., asterisks or similar), or in person.
We delete the data after the expiry of statutory warranty and comparable obligations, i.e., generally after four years, unless the data is stored in a customer account, e.g., as long as it must be retained for archiving purposes due to legal requirements (e.g., for tax purposes, generally ten years). Data disclosed to us by a contractual partner in the course of an assignment is deleted in accordance with the specifications and generally upon completion of the assignment, subject to statutory retention obligations.
11. Data Processing Agreement (DPA) for Entrepreneurs
If you use the Safina AI service as an entrepreneur (pursuant to § 14 BGB (German Civil Code)) and have personal data (in particular data of your callers) processed by us as Safina AI within the scope of this use, you act as the controller within the meaning of Art. 4(7) GDPR and we act as the processor within the meaning of Art. 4(8) GDPR.
In this case, the conclusion of a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR between you and us is mandatory to ensure data-protection-compliant processing. This DPA governs the rights and obligations of both parties with respect to the processing of personal data.
The conclusion of the DPA is a prerequisite for the lawful use of the service by entrepreneurs for the processing of personal data of your callers. You are responsible for concluding the DPA with us in a timely manner before the processing of personal data through the service begins. You can obtain our standard DPA by sending a request to info(at)safina.ai.
12. Registration, Login, and User Account
Users may create a user account. During registration, users are informed of the required mandatory information, which is processed for the purpose of providing the user account on the basis of contractual obligation (Art. 6(1)(b) GDPR). The processed data includes, in particular, login information (username or email address, password).
In the course of using our registration and login functions and the user account, we store the IP address and the time of each user action. This storage is based on our legitimate interests as well as those of the users in protection against misuse and other unauthorized use (Art. 6(1)(f) GDPR). This data is generally not shared with third parties unless it is necessary for the pursuit of our claims or there is a legal obligation to do so (Art. 6(1)(c) or (f) GDPR).
Users may be informed by email about activities relevant to their user account, such as technical changes or billing information (Art. 6(1)(b) GDPR).
13. Contact and Inquiry Management
When contacting us (e.g., by mail, contact form, email, phone, or via social media) and in the context of existing user and business relationships, the information provided by the inquiring persons is processed insofar as this is necessary to respond to the contact inquiries and any requested measures (Art. 6(1)(b) or (f) GDPR).
14. Newsletter and Electronic Notifications
We send newsletters, emails, and other electronic notifications (hereinafter “Newsletter”) only with the consent of the recipients (Art. 6(1)(a) GDPR) or on a legal basis (e.g., § 7(3) UWG (German Unfair Competition Act) for existing customers). If the contents of the Newsletter are described in the context of a subscription, those contents are decisive for the user’s consent. For subscribing to our Newsletter, it is generally sufficient to provide your email address. However, in order to provide you with a personalized service, we may ask for your name for a personal salutation in the Newsletter or for additional information if this is necessary for the purpose of the Newsletter.
Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests before deleting them, in order to be able to prove a previously given consent (Art. 6(1)(f) GDPR). The processing of this data is limited to the purpose of a potential defense against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time. In the event of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocklist (Art. 6(1)(f) GDPR).
The logging of the registration process is carried out on the basis of our legitimate interests for the purpose of proving its proper course (Art. 6(1)(f) GDPR). If we commission a service provider to send emails (e.g., Brevo), this is done on the basis of our legitimate interests in an efficient and secure sending system (Art. 6(1)(f) GDPR) and within the framework of data processing (Art. 28 GDPR).
Contents: Information about us, our services, promotions, and offers.
15. Promotional Communication via Email, Mail, Fax, or Phone
We process personal data for the purpose of promotional communication, which may take place through various channels such as email, phone, mail, or fax in accordance with the legal requirements (on the basis of Art. 6(1)(a) or (f) GDPR, possibly in conjunction with § 7 UWG (German Unfair Competition Act)).
Recipients have the right to withdraw their consent at any time or to object to promotional communication at any time.
After withdrawal or objection, we store the data required to prove the previous authorization for contact or communication for up to three years after the end of the year of withdrawal or objection on the basis of our legitimate interests (Art. 6(1)(f) GDPR). The processing of this data is limited to the purpose of potential defense against claims. On the basis of the legitimate interest in permanently observing the user’s withdrawal or objection, we also store the data necessary to avoid renewed contact (e.g., depending on the communication channel, the email address, phone number, name) in a blocklist (Art. 6(1)(f) GDPR).
16. Web Analytics, Monitoring, and Optimization (Website & App)
Web analytics (also referred to as “reach measurement”) is used to evaluate the visitor flows of our online offering (website and app) and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, identify when our online offering or its functions or content are most frequently used, or which features encourage repeated use. We can also identify which areas need optimization. In addition to web analytics, we may also use testing procedures to test and optimize, for example, different versions of our online offering or its components.
Unless otherwise stated below, profiles — i.e., data summarized for a usage process — may be created for these purposes, and information may be stored in a browser or on a device and then read (e.g., using cookies or similar technologies such as local storage or app-specific identifiers). The data collected includes, in particular, websites/app sections visited and elements used there, as well as technical information such as the browser used, the computer system/operating system used, and information about usage times. If users have consented to the collection of their location data to us or to the providers of the services we use, location data may also be processed.
In addition, the IP addresses of users are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users where technically possible. In general, no clear-text data of users (such as email addresses or names) is stored in the context of web analytics, A/B testing, and optimization, but rather pseudonyms. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.
Note on legal bases: If we ask users for their consent to the use of third-party providers (e.g., via a cookie banner or an app prompt), the legal basis for data processing is consent (Art. 6(1)(a) GDPR, § 25(1) TTDSG). Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient, cost-effective, and recipient-friendly services and the optimization of our offering) (Art. 6(1)(f) GDPR, § 25(2) TTDSG).
17. Online Marketing
We process personal data for the purpose of online marketing, which may include, in particular, the marketing of advertising space or the display of advertising and other content (collectively referred to as “content”) based on the potential interests of users, as well as the measurement of their effectiveness.
For these purposes, so-called user profiles are created and stored in a file (a so-called “cookie”) or similar procedures are used to store information about the user relevant to the display of the aforementioned content. This may include, for example, content viewed, websites visited, online networks used, as well as communication partners and technical information such as the browser used, the computer system used, and information about usage times and features used. If users have consented to the collection of their location data, such data may also be processed.
In addition, the IP addresses of users are stored. However, we use available IP masking procedures (i.e., pseudonymization by shortening the IP address) for user protection. In general, no clear-text user data (such as email addresses or names) is stored in the context of online marketing procedures, but rather pseudonyms. This means that neither we nor the providers of the online marketing procedures know the actual identity of the users, but only the information stored in their profiles.
The information in the profiles is generally stored in cookies or by means of similar procedures. These cookies can generally also be read on other websites that use the same online marketing procedure and analyzed for the purpose of displaying content, as well as supplemented with further data and stored on the server of the online marketing procedure provider.
In exceptional cases, it is possible to associate clear-text data with the profiles, primarily when users are, for example, members of a social network whose online marketing procedures we use and the network links the user profiles with the aforementioned information. We ask you to note that users may enter into additional agreements with the providers, for example by giving consent during registration.
We generally only receive access to aggregated information about the success of our advertisements. However, within the framework of so-called conversion measurements, we can verify which of our online marketing procedures led to a so-called conversion, i.e., for example, to the conclusion of a contract with us. Conversion measurement is used solely for the success analysis of our marketing measures.
Unless otherwise stated, please assume that cookies used are stored for a period of up to two years.
Note on legal bases: If we ask users for their consent to the use of third-party providers (e.g., via a cookie banner), the legal basis for data processing is consent (Art. 6(1)(a) GDPR, § 25(1) TTDSG). Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient, cost-effective, and recipient-friendly services and the analysis and optimization of our marketing measures) (Art. 6(1)(f) GDPR, § 25(2) TTDSG).
Notes on withdrawal and objection: We refer to the privacy notices of the respective providers and the opt-out options provided for the providers (so-called “opt-out”). If no explicit opt-out option has been provided, you have the option of disabling cookies in your browser settings. However, this may restrict the functions of our online offering. We therefore additionally recommend the following opt-out options, which are offered in summary for the respective regions:
- a) Europe: https://www.youronlinechoices.eu
- b) Canada: https://www.youradchoices.ca/choices
- c) USA: https://www.aboutads.info/choices
- d) Cross-regional: https://optout.aboutads.info
18. Plugins and Embedded Functions and Content
We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include, for example, graphics, videos, or city maps (hereinafter uniformly referred to as “content”).
The integration always requires that the third-party providers of this content process the IP address of the users, as without the IP address they would not be able to send the content to their browsers. The IP address is therefore necessary for the display of this content or functions. We endeavor to use only content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. Through the “pixel tags,” information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, visit time, and other information about the use of our online offering, and may also be linked with such information from other sources.
Note on legal bases: If we ask users for their consent to the use of third-party providers (e.g., via a cookie banner), the legal basis for data processing is consent (Art. 6(1)(a) GDPR, § 25(1) TTDSG). Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient, cost-effective, and recipient-friendly services and an appealing presentation of our offering) (Art. 6(1)(f) GDPR, § 25(2) TTDSG).
19. Services and Service Providers Used
Google Fonts (Local)
This website uses so-called “Google Fonts” for the uniform display of fonts, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. We have integrated the Google Fonts locally on our server. As a result, no connection to Google servers is established when visiting our website. No data is transferred to Google.
Use of the Meta Pixel (Facebook Pixel)
On our website, we use the Meta Pixel of Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (parent company: Meta Platforms Inc., 1601 Willow Road, Menlo Park, CA 94025, USA; “Meta”). This is an analytics tool that enables us to measure the effectiveness of our advertising activities on the Facebook and Instagram platforms, to place targeted advertising (Custom Audiences), and to track user activities triggered by our advertisements (conversion measurement).
The Meta Pixel collects, among other things, information about the pages you visit, interactions (e.g., clicks), purchases made (if applicable), forms filled out, and device-specific information (including IP address, browser information, and cookie data). This data is transmitted to Meta servers and stored there, possibly also in the USA.
Processing is carried out exclusively on the basis of your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TTDSG, which you grant via our cookie banner and can revoke at any time.
You can also object to data collection by the Meta Pixel in your Facebook settings: https://www.facebook.com/settings?tab=ads. Further information on data processing by Meta can be found in Meta’s Data Policy at: https://www.facebook.com/policy.php.
Meta Platforms Inc. is certified under the EU-US Data Privacy Framework, which ensures an adequate level of data protection for data transfers to the USA (https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnywAAC&status=Active).
PostHog (Analytics Tool for Website & App)
If you have given your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TTDSG (e.g., via a cookie banner or app prompt), we collect user data about your behavior on our website and within the app (click and view behavior) through our analytics tool PostHog, which we evaluate statistically for internal purposes (website/app optimization, improvement of user experience/usability).
For this purpose, we use features of the service PostHog Inc., 2261 Market Street #4063, San Francisco, CA 94114, USA. PostHog can record and replay your behavior on the website and within the app. Your personal data is stored and analyzed — in particular your activity (which pages/features were used, which elements were clicked). Each user is assigned a tracking code (pseudonymized user ID). The personal data processed is stored by PostHog by default on servers within the EU (Frankfurt, Germany). A transfer to the USA only takes place in exceptional cases.
This data is stored for as long as it is necessary to fulfill the processing purposes or your consent remains in effect.
Further information on data processing by PostHog can be found here: https://posthog.com/privacy.
PostHog Inc. is certified under the EU-US Data Privacy Framework, which ensures an adequate level of data protection for any data transfers to the USA (https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000POO8AAO&status=Active).
Chatbot by Pickaxe Project
We use a chatbot on our website provided by Pickaxe Project Inc., based in the USA. This chatbot is intended solely to answer general questions about our service. To protect your privacy, the chatbot is configured so that no personal data is collected or stored from you. This means that we neither store your IP address nor require you to provide personal information to use the chatbot. Communication takes place anonymously.
Since no personal data is processed, a data processing agreement with Pickaxe Project is not required. Usage is based on our legitimate interest in efficiently answering general inquiries (Art. 6(1)(f) GDPR).
For further information on data protection at Pickaxe Project, please refer to the provider’s privacy policy: https://beta.pickaxeproject.com/privacy.
20. Changes to This Privacy Policy
We reserve the right to amend this privacy policy to ensure it always complies with current legal requirements or to reflect changes to our services in the privacy policy, e.g., when introducing new services. Your subsequent visit will then be subject to the new privacy policy.
Authoritative Version
This document is a translation provided for informational purposes only. In case of any discrepancy between this translation and the German original, the German version shall prevail.