Privacy Policy
As of: April 2025
Data Protection at a Glance
General Information
The following statements provide a simple overview of what happens to your personal data when you visit this website or use our service. Personal data is any data that can be used to personally identify you. For detailed information on the topic of data protection, please refer to our privacy policy listed below this text.
Responsible Entity
Safina AI is a service of
DK Tech Solutions UG (in formation)
Schwanthalerstr. 141
80339 Munich
Authorized Representatives:
David Schemm & Karsten Kreh
Email:
info(at)safina.ai
Your Rights
You have the right at any time to:
Obtain information about your stored data with us (Art. 15 GDPR)
Have this data corrected (Art. 16 GDPR)
Request the deletion of this data (Art. 17 GDPR)
Request a restriction of processing this data (Art. 18 GDPR)
Object to the processing (Art. 21 GDPR)
Request the transfer of this data (Art. 20 GDPR)
Withdraw any consent granted at any time (Art. 7 para. 3 GDPR)
File a complaint with a supervisory authority (Art. 77 GDPR)
Detailed information about your rights can be found further down in this statement.
Overview of Processing Activities
Types of Processed Data
Inventory Data (e.g., names, addresses during registration)
Contact Data (e.g., email, phone numbers)
Content Data (e.g., audio recordings of calls (if activated), transcripts, summaries, analyses, configurations such as call scripts) - hereinafter also referred to as "User Content"
Usage Data (e.g., visited websites/app areas, interest in content, access times, utilized features)
Meta/Communication Data (e.g., device information, IP addresses, call data such as phone numbers, time, duration)
Payment Data (for paid plans, processed by payment service providers)
Categories of Affected Persons
Users of our service (customers, prospects)
Callers interacting with users via the service
Visitors to our website
Communication partners
Business and contractual partners
Purposes of Processing
Provision of the Safina AI service (AI-driven voicemail/telephone service) in accordance with the contract (Art. 6 para. 1 lit. b GDPR)
Fulfillment of contractual obligations (e.g., providing user accounts, billing) (Art. 6 para. 1 lit. b GDPR)
Communication with users and prospects (Art. 6 para. 1 lit. b or f GDPR)
Security measures to protect the service and data (Art. 6 para. 1 lit. f GDPR)
Direct marketing (with consent or for existing customers under the conditions of § 7 para. 3 UWG) (Art. 6 para. 1 lit. a or f GDPR)
Reach measurement and analysis to improve website and service (with consent or based on legitimate interests) (Art. 6 para. 1 lit. a or f GDPR)
Office and organizational procedures (Art. 6 para. 1 lit. c or f GDPR)
Management of feedback and inquiries (Art. 6 para. 1 lit. b or f GDPR)
Provision and optimization of our online offerings and user-friendliness (Art. 6 para. 1 lit. f GDPR)
Fulfillment of legal obligations (e.g., retention obligations) (Art. 6 para. 1 lit. c GDPR)
Applicable Legal Bases
Applicable legal bases under the GDPR: Below is an overview of the legal bases under the GDPR on which we process personal data. Please note that in addition to the GDPR regulations, national data protection provisions in your or our country of residence may apply. If, in individual cases, more specific legal bases are relevant, we will inform you of these in the privacy policy.
Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) - The affected person has given consent to the processing of their personal data for one or more specific purposes.
Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) - Processing is necessary for the fulfillment of a contract to which the affected person is a party, or for taking steps at the request of the affected person prior to entering into a contract.
Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) - Processing is necessary to comply with a legal obligation to which the controller is subject.
Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the affected person which require protection of personal data.
National Data Protection Regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations on data protection in Germany apply. This includes in particular the Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG) and the Telecommunication-Telemedia Data Protection Act (TTDSG). The BDSG contains special provisions regarding the right to access, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases, including profiling. Furthermore, state data protection laws of the individual federal states may apply.
Note on the Applicability of GDPR and Swiss DPA: These privacy notices serve both as a notice pursuant to the Swiss DPA and pursuant to the General Data Protection Regulation (GDPR). Therefore, please note that due to the broader territorial application and clarity, the terms of the GDPR are used. In particular, instead of the terms used in the Swiss DPA "processing" of "personal data", "overriding interest", and "particularly sensitive personal data", the terms used in the GDPR "processing" of "personal data" as well as "legitimate interests" and "special categories of data" are used. However, the legal meaning of the terms remains determined according to the applicability of the Swiss DPA.
Security Measures
We take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, in accordance with the legal requirements (in particular Art. 32 GDPR), taking into account the state of the art, the implementation costs, and the nature, scope, circumstances, and purposes of processing as well as the varying likelihood and severity of the threat to the rights and freedoms of natural persons.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as the access to, input, dissemination, safeguarding of availability, and separation of that data. In addition, we have established procedures that ensure the exercise of data subject rights, data deletion, and responses to data threats. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software, and procedures, in line with the principle of data protection by design and by default (Art. 25 GDPR).
Transmission of Personal Data
In the course of processing personal data, it may occur that these are transmitted or disclosed to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, service providers assigned with IT tasks or providers of services and content embedded in a website. In particular, for the provision of the core service of Safina AI, we use specialized technical service providers (sub-processors) as described in the section "Employed Service Providers (Sub-processors) for the Safina AI Service".
In such cases, we observe the legal requirements and particularly conclude relevant contracts or agreements (data processing agreements in accordance with Art. 28 GDPR) that serve to protect your data with the recipients of your data. Your data will not be passed on for third-party advertising purposes.
Employed Service Providers (Sub-processors) for the Safina AI Service
For the technical provision and optimization of the Safina AI service, we utilize carefully selected technical service providers (sub-processors). The processing by these service providers is based on data processing agreements (Art. 28 GDPR). This includes, in particular, services in the following areas:
Hosting: For the storage and provision of the data and the service. Our primary hosting location is Germany (currently Amazon Web Services - AWS in Frankfurt am Main).
Telephony Integration: For receiving and routing calls (e.g., Twilio).
AI Functions: For speech recognition, transcription, speech generation, summaries, and analyses (e.g., OpenAI, Google Cloud AI Services, Deepgram, Elevenlabs).
Payment Processing: For processing payments for paid plans (e.g., Stripe for bookings via the website; Apple/Google for in-app purchases, possibly via RevenueCat for subscription management).
Analysis Tools (Service Optimization): For analyzing service usage and troubleshooting (e.g., Posthog).
Communication Services: For sending emails and notifications (e.g., Brevo).
The use of these service providers is necessary for the provision of the contractually agreed services (Art. 6 para. 1 lit. b GDPR). Some of these service providers may have their headquarters outside the EU/EEA or may process data there, as described in the section "International Data Transfers".
No Use of User Content for AI Training
We clarify that your user content, in particular audio recordings and transcripts of phone calls, is not used by us to train our own or third-party AI models. This data is processed solely to provide the service you have booked, in accordance with our terms of use.
International Data Transfers
Data Processing in Third Countries: If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)), or if the processing takes place in the context of using third-party services or disclosing or transferring data to other persons, entities, or companies, this is done only in accordance with the legal requirements.
Our primary hosting location for the core data of the Safina AI service is Germany (see section "Employed Service Providers"). However, some of the subcontractors we employ (especially for AI functions, telephony, analysis or payment processing) may also process data in third countries, in particular the USA.
If the level of data protection in the third country has been recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. For the USA, there is such an adequacy decision for companies certified under the "EU-US Data Privacy Framework" (DPF). You can find the list of certified companies and more information about the DPF on the U.S. Department of Commerce website at https://www.dataprivacyframework.gov/. We inform you in the descriptions of the individual services (e.g., Google, Meta, Posthog) whether the provider is DPF-certified.
Otherwise, data transfers occur only if the level of data protection is secured in another way, in particular by concluding Standard Contractual Clauses (SCCs) of the European Commission (Art. 46 para. 2 lit. c) GDPR), your express consent (Art. 49 para. 1 lit. a GDPR), or if the transfer is necessary for the performance of the contract (Art. 49 para. 1 lit. b or c GDPR).
Information on third country transfers and existing adequacy decisions can be found in the information provided by the European Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.
General Information on Data Storage and Deletion
We delete personal data that we process in accordance with the legal provisions (Art. 17 GDPR) as soon as the underlying consents are revoked or no further legal bases for processing exist (e.g., when the purpose of processing ceases to exist and there is no statutory retention obligation). This applies to cases where the original purpose of processing ceases or the data is no longer required. Exceptions to this regulation exist if legal obligations (e.g., commercial or tax-related retention obligations) or our legitimate interests (e.g., for the enforcement, exercise, or defense of legal claims) require a longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax reasons or whose retention is necessary for legal prosecution or the protection of the rights of other natural or legal persons must be archived accordingly.
Our privacy notices contain additional information regarding the retention and deletion of data that specifically apply to certain processing processes. After the termination of the user agreement, we will delete your user content in accordance with the regulations in our terms of use (usually after 30 days, unless there are retention obligations).
If there are multiple statements regarding the retention period or deletion deadlines for a data item, the longest period is decisive.
If a deadline does not expressly begin on a specific date and lasts at least one year, it automatically starts at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships in which data is stored, the triggering event is the date of validity of the termination or other termination of the legal relationship.
Data that is no longer processed for the originally intended purpose, but is retained due to legal requirements or other reasons, will only be processed for the reasons that justify their retention.
Further notes on processing processes, procedures, and services:
Retention and Deletion of Data: The following general periods apply for retention and archiving under German law:
10 years: Retention period for books and records, annual accounts, inventories, management reports, opening balance sheets, and other documents required for their understanding, accounting evidence, and invoices (§ 147 para. 3 in conjunction with para. 1 no. 1, 4 and 4a AO, § 14b para. 1 UStG, § 257 para. 1 no. 1 and 4, para. 4 HGB).
6 years: Other business documents: received trading or business letters, copies of sent trading or business letters, other documents as far as they are of taxation relevance (§ 147 para. 3 in conjunction with para. 1 no. 2, 3, 5 AO, § 257 para. 1 no. 2 and 3, para. 4 HGB).
3 years: Data that are necessary to account for potential warranty and damage claims or similar contractual claims and rights, as well as to process related inquiries based on previous business experiences and usual industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).
Rights of Affected Persons
Rights of affected persons under the GDPR: You, as an affected person, have various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:
Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data, which is based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. If personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for the purposes of such marketing; this applies also to profiling to the extent that it is related to such direct marketing.
Right to Withdraw Consent: You have the right to withdraw any consents granted at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Right to Access: You have the right to request confirmation as to whether personal data concerning you is being processed and to access this data as well as further information and a copy of the data in accordance with legal requirements.
Right to Rectification: You have the right to request the completion of personal data concerning you or the rectification of inaccurate personal data concerning you in accordance with legal requirements.
Right to Deletion and Restriction of Processing: You have the right to request, in accordance with legal requirements, that personal data concerning you be deleted immediately or, alternatively, to request a restriction of the processing of the personal data in accordance with legal requirements.
Right to Data Portability: You have the right to request to receive personal data concerning you which you have provided to us, in a structured, commonly used and machine-readable format, or to request the transfer to another controller in accordance with legal requirements.
Right to Complain to a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you believe that the processing of personal data concerning you is in violation of the GDPR.
Business Services
We process data of our contractual and business partners, e.g., customers and prospects (summarized as "Contract Partners"), within the framework of contractual and comparable legal relationships as well as related measures and concerning communication with these contract partners (or pre-contractually), for example, to respond to inquiries. The legal basis here is Art. 6 para. 1 lit. b GDPR.
We use this data to fulfill our contractual obligations. This includes in particular the obligations to provide the agreed services (Safina AI service), any update obligations, and remedying warranty and other performance disruptions. Furthermore, we use the data to safeguard our rights and for the purposes of administrative tasks related to these obligations as well as the organization of the company (Art. 6 para. 1 lit. f GDPR). Additionally, we process the data on the basis of our legitimate interests in both proper and economically efficient management as well as in security measures to protect our contract partners and our business operations from abuse and from risks to their data, secrets, information, and rights (e.g., when involving telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities) (Art. 6 para. 1 lit. f GDPR). In accordance with applicable law, we only pass on the data of contract partners to third parties (in particular our subcontractors) to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Further forms of processing, for example, for marketing purposes, will be disclosed to the contract partners in the context of this privacy policy.
We inform the contract partners beforehand or within the context of data collection which data is required for the aforementioned purposes, e.g., in online forms, through special markings (e.g., colors) or symbols (e.g., asterisks, etc.), or personally.
We delete the data after the expiry of statutory warranty and comparable obligations, i.e., generally after four years, unless the data is stored in a customer account, e.g., for as long as it must be retained for legal archiving reasons (for tax purposes, typically ten years). Data disclosed to us by the contract partner in the context of a contract is deleted according to the guidelines and generally after the end of the contract, subject to statutory retention obligations.
Data Processing Agreement (DPA) for Entrepreneurs
If you use the Safina AI service as an entrepreneur (according to § 14 BGB) and have us process personal data (in particular your callers' data), you act as the controller within the meaning of Art. 4 No. 7 GDPR and we as the processor within the meaning of Art. 4 No. 8 GDPR.
In this case, it is mandatory to conclude a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR between you and us to ensure the compliant processing of data. This DPA regulates the rights and obligations of both parties regarding the processing of personal data.
The conclusion of the DPA is a prerequisite for the lawful use of the service by entrepreneurs to process personal data of your callers. You are responsible for concluding the DPA with us in a timely manner before the processing of personal data via the service begins. Our standard DPA can be obtained by request at info(at)safina.ai.
Registration, Login, and User Account
Users can create a user account. During registration, users are informed of the required mandatory information, which is processed for the purpose of providing the user account on the basis of fulfilling contractual obligations (Art. 6 para. 1 lit. b GDPR). The data processed includes, in particular, login information (username or email address, password).
In the context of using our registration and login functions as well as utilizing the user account, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests as well as those of the users in protection against abuse and other unauthorized use (Art. 6 para. 1 lit. f GDPR). Generally, this data is not passed on to third parties unless required to pursue our claims or there is a legal obligation to do so (Art. 6 para. 1 lit. c or f GDPR).
Users may be informed via email about processes relevant to their user account, such as technical changes or billing information (Art. 6 para. 1 lit. b GDPR).
Contact and Inquiry Management
When contacting us (e.g., by post, contact form, email, phone, or via social media) as well as in the context of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary for responding to contact inquiries and any requested measures (Art. 6 para. 1 lit. b or f GDPR).
Newsletter and Electronic Notifications
We send newsletters, emails, and other electronic notifications (hereinafter referred to as "Newsletter") exclusively with the consent of the recipients (Art. 6 para. 1 lit. a GDPR) or based on a legal basis (e.g., § 7 para. 3 UWG for existing customers). If the contents of the newsletter are specified during the signup, these contents are crucial for the users' consent. Normally, stating your email address is sufficient to subscribe to our newsletter. However, to provide you with a personalized service, we may request the provision of your name for personal addressing in the newsletter or additional information if necessary for the purpose of the newsletter.
Deletion and Restriction of Processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to demonstrate prior consent (Art. 6 para. 1 lit. f GDPR). The processing of this data will be limited to the purpose of potentially defending against claims. An individual deletion request is possible at any time, provided that the prior existence of a consent is simultaneously confirmed. In the event of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocking list (so-called "blocklist") (Art. 6 para. 1 lit. f GDPR).
Logging of the signup process occurs on the basis of our legitimate interests for the purpose of proving its proper execution (Art. 6 para. 1 lit. f GDPR). If we engage a service provider for sending emails (e.g., Brevo), this takes place based on our legitimate interests in an efficient and secure mailing system (Art. 6 para. 1 lit. f GDPR) and within the framework of a data processing agreement (Art. 28 GDPR).
Contents: Information about us, our services, promotions, and offers.
Advertising Communication via Email, Post, Fax, or Phone
We process personal data for the purposes of advertising communication, which can take place through various channels, such as email, phone, post, or fax, in accordance with legal requirements (on the basis of Art. 6 para. 1 lit. a or f GDPR, possibly in conjunction with § 7 UWG).
The recipients have the right to withdraw consents granted at any time or to object to advertising communication at any time.
After withdrawal or objection, we store the data necessary for demonstrating previous authorization for contact or sending until three years after the end of the year of the withdrawal or objection based on our legitimate interests (Art. 6 para. 1 lit. f GDPR). The processing of this data is limited to the purpose of possible defense against claims. Based on the legitimate interest in permanently observing the users' withdrawal or objection, we also store the data necessary to avoid renewed contact (e.g., depending on the communication channel, the email address, phone number, name) in a blocking list (Art. 6 para. 1 lit. f GDPR).
Web Analysis, Monitoring, and Optimization (Website & App)
Web analysis (also referred to as “Reach Measurement”) serves the evaluation of visitor flows to our online offering (website and app) and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. Using reach analysis, we can, for example, recognize when our online offering or its functions or content are used most frequently or encourage repeat use. We can also identify areas that need optimization. In addition to web analysis, we may also deploy testing procedures to test and optimize different versions of our online offering or its components.
Unless stated otherwise below, profiles may be created for these purposes, i.e., data summarized in a usage process may be stored and subsequently retrieved in a browser or on an end device (e.g., using cookies or similar technologies such as local storage or app-specific identifiers). The collected data particularly includes visited websites/app areas and used elements as well as technical information, such as the browser used, the computer system/operating system used, and information about usage times. If users have consented to the collection of their location data, processing of location data is also possible.
Furthermore, the IP addresses of users are stored. However, we employ an IP masking procedure (i.e., pseudonymization by truncating the IP address) to protect users wherever technically possible. In general, no clear data of users (such as email addresses or names) is stored in the context of web analysis, A/B testing, and optimization, but pseudonymous data. This means that we, as well as the providers of the employed software, do not know the actual identity of the users, but only the data stored in their profiles for the respective procedures.
Notes on Legal Bases: If we request users to consent to the use of third-party providers (e.g., via a cookie banner or app query), the legal basis for data processing is consent (Art. 6 para. 1 lit. a GDPR, § 25 para. 1 TTDSG). Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services as well as optimizing our offerings) (Art. 6 para. 1 lit. f GDPR, § 25 para. 2 TTDSG). In this context, we would also like to draw your attention to the information regarding the use of cookies and similar technologies in this privacy policy.
Online Marketing
We process personal data for the purpose of online marketing, which may particularly include the marketing of advertising spaces or the presentation of advertising and other content (summarily referred to as “Content”) based on potential interests of users as well as measuring their effectiveness.
For these purposes, so-called user profiles are created and stored in a file (the so-called “Cookie”) or similar procedures are used, by which relevant information about the user for the display of the aforementioned content is stored. This may include, for example, viewed content, visited websites, used online networks, but also communication partners and technical information such as the browser used, the computer system used, as well as information about usage times and functions used. If users have consented to the collection of their location data, this may also be processed.
Moreover, the IP addresses of users are stored. However, we employ available IP masking procedures (i.e., pseudonymization by truncating the IP address) to protect users. In general, no clear data of users (such as email addresses or names) is stored as part of the online marketing process, but pseudonymized data. This means that we as well as the providers of online marketing methods do not know the actual identity of users, only the data stored in their profiles.
The statements in the profiles are usually stored in cookies or similar procedures. These cookies can later generally also be read on other websites that employ the same online marketing method and analyzed for the purpose of content presentation, supplemented with other data, and stored on the server of the online marketing provider.
In exceptional cases, it may be possible to assign clear data to the profiles, primarily when users, for example, are members of a social network whose online marketing method we employ and the network links user profiles with the aforementioned information. Please note that users may enter into additional agreements with providers, for example, by giving consent during registration.
We generally only gain access to aggregated information about the success of our advertisements. However, we can check, within the context of so-called conversion measurements, which of our online marketing methods led to a so-called conversion, i.e., for example, to a contract conclusion with us. The conversion measurement is used solely for the success analysis of our marketing activities.
Unless stated otherwise, please assume that cookies used are stored for a period of up to two years.
Notes on Legal Bases: If we request users to consent to the use of third-party providers (e.g., via a cookie banner), the legal basis for data processing is consent (Art. 6 para. 1 lit. a GDPR, § 25 para. 1 TTDSG). Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services as well as analyzing and optimizing our marketing measures) (Art. 6 para. 1 lit. f GDPR, § 25 para. 2 TTDSG).
Notes on Withdrawal and Objection: We refer to the privacy notices of the respective providers and the objection options provided for them (so-called "Opt-Out"). If no explicit opt-out option is provided, one possibility is that you can disable cookies in your browser settings. However, this may restrict the functionality of our online offerings. Therefore, we also recommend the following opt-out options, which are generally aimed at respective areas:
a) Europe: https://www.youronlinechoices.eu.
b) Canada: https://www.youradchoices.ca/choices.
c) USA: https://www.aboutads.info/choices.
d) Cross-border: https://optout.aboutads.info.
Plug-ins and Embedded Functions and Content
We integrate functional and content elements into our online offering, which are sourced from the servers of their respective providers (hereinafter referred to as “Third-party Providers”). This may include, for example, graphics, videos, or maps (hereinafter uniformly referred to as “Content”).
The integration always requires that the third-party providers of this content process the users' IP address, as they cannot send the content to their browser without the IP address. The IP address is therefore required for the display of this content or functions. We strive to use only such content whose respective providers apply the IP address only for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. By using the pixel tags, information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information may also be stored in cookies on the user's device and contain, among other things, technical information about the browser and operating system, referring websites, visit time, and further information on the use of our online offering, but may also be combined with such information from other sources.
Notes on Legal Bases: If we request users to consent to the use of third-party providers (e.g., via a cookie banner), the legal basis for data processing is consent (Art. 6 para. 1 lit. a GDPR, § 25 para. 1 TTDSG). Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services as well as an appealing representation of our offerings) (Art. 6 para. 1 lit. f GDPR, § 25 para. 2 TTDSG).
Employed Services and Service Providers
Google Fonts (Local)
This site uses so-called “Google Fonts” for the uniform display of fonts, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. We have integrated Google Fonts locally on our server. Therefore, no connection to Google servers takes place when accessing our website. No data is transmitted to Google.
Use of the Meta Pixel (Facebook Pixel)
On our website, we use the Meta Pixel of Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (parent company: Meta Platforms Inc., 1601 Willow Road, Menlo Park, CA 94025, USA; "Meta"). This is an analytical tool that allows us to measure the effectiveness of our advertising efforts on the platforms Facebook and Instagram, create targeted advertising (Custom Audiences), and track user activities triggered by our advertisements (conversion measurement).
The Meta Pixel collects information about the pages you visit, interactions (e.g., clicks), purchases made (if applicable), completed forms as well as device-specific information (including IP address, browser information, and cookie data). This data is transmitted to Meta servers and stored there, possibly also in the USA.
The processing is based solely on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, which you grant via our cookie banner and can withdraw at any time.
You can also object to data collection by the Meta Pixel in your Facebook settings: https://www.facebook.com/settings?tab=ads. Further information about the data processing by Meta can be found in Meta's data policy at: https://www.facebook.com/policy.php.
Meta Platforms Inc. is certified under the EU-US Data Privacy Framework, which ensures an adequate level of data protection for data transfers to the USA (https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnywAAC&status=Active).
PostHog (Analysis Tool for Website & App)
If you have given your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG (e.g., via cookie banner or app query), we collect user data about your behavior on our website and within the app (click and display behavior) through our analysis tool PostHog, which we statistically evaluate for internal purposes (website/app optimization, improvement of user experience).
For this purpose, we use functions of the service PostHog Inc., 2261 Market Street #4063, San Francisco, CA 94114, USA. PostHog can record and replay your behavior on the website and within the app. Your personal data is stored and evaluated, particularly the activity (which pages/functions were used, which elements were clicked). Each user is assigned a tracking code (pseudonymized user ID). The processed personal data is, by default, stored by PostHog on servers within the EU (Frankfurt, Germany). A transfer to the USA only takes place in exceptional cases.
These data are stored as long as they are necessary to fulfill the processing purposes or as long as your consent exists.
For more information about data processing by PostHog, please visit: https://posthog.com/privacy.
PostHog Inc. is certified under the EU-US Data Privacy Framework, which ensures an adequate level of data protection for data transfers to the USA (https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000POO8AAO&status=Active).
Chatbot from Pickaxe Project
We use a chatbot from the provider Pickaxe Project Inc., based in the USA, on our website. This chatbot is solely designed to answer general questions about our service. To ensure the protection of your privacy, the chatbot is configured not to capture or store any personal data from you. This means we do not save your IP address or request you to provide personal information to use the chatbot. Communication occurs anonymously.
Since no personal data is processed, an agreement on data processing with Pickaxe Project is not necessary. The use is based on our legitimate interest in efficiently answering general inquiries (Art. 6 para. 1 lit. f GDPR).
For more information on data protection at Pickaxe Project, please refer to the provider's privacy policy: https://beta.pickaxeproject.com/privacy.
Changes to this Privacy Policy
We reserve the right to adapt this privacy policy so that it always meets current legal requirements or to reflect changes to our services in the privacy policy, such as when introducing new services. The new privacy policy shall apply to your subsequent visits.