Privacy Policy
1. Privacy at a Glance
General Information
The following notices provide a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you. For detailed information about data protection, please refer to our privacy policy below.
Data Collection on this Website
Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. You can find their contact details in the section 'Information about the Responsible Party' in this privacy policy.
How do we collect your data?
Some data is collected when you provide it to us. This could be data that you enter in a contact form, for example.
Other data is collected automatically or with your consent when you visit the website by our IT systems. This is primarily technical data (e.g., internet browser, operating system, or time of page access). This data is collected automatically as soon as you enter this website.
What do we use your data for?
Some of the data is collected to ensure error-free provision of the website. Other data may be used to analyze your user behavior. If contracts can be concluded or initiated via the website, the transmitted data is also processed for contract offers, orders, or other order requests.
What rights do you have regarding your data?
You have the right to receive information about the origin, recipient, and purpose of your stored personal data free of charge at any time. You also have the right to request the correction or deletion of this data. If you have given consent to data processing, you can revoke this consent at any time for the future. You also have the right to request restriction of the processing of your personal data under certain circumstances. Furthermore, you have the right to lodge a complaint with the competent supervisory authority. You can contact us at any time regarding this and other questions about data protection.
2. Hosting
External Hosting
This website is hosted externally. The personal data collected on this website is stored on the host's servers. This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses, and other data generated via a website.
External hosting is carried out for the purpose of fulfilling contracts with our potential and existing customers (Art. 6 (1) (b) GDPR) and in the interest of a secure, fast and efficient provision of our online offering by a professional provider (Art. 6 (1) (f) GDPR). Our server functions are executed in the Frankfurt (EU) region; static content may be delivered via the provider's global content delivery network. Vercel is certified under the EU-US Data Privacy Framework (DPF); EU Standard Contractual Clauses apply in addition.
Provider:
Vercel Inc.
440 N Barranca Avenue #4133
Covina, CA 91723, United States
Data Processing Agreement
We have concluded a Data Processing Agreement (DPA) for the use of the above-mentioned service. This is a contract required by data protection law that ensures that the provider processes the personal data of our website visitors only according to our instructions and in compliance with the GDPR.
3. General Information and Mandatory Disclosures
Data Protection
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy.
When you use this website, various personal data is collected. Personal data is data with which you can be personally identified. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this happens. We point out that data transmission over the Internet (e.g., when communicating by e-mail) may have security gaps. Complete protection of data against access by third parties is not possible.
Information about the Responsible Party
The responsible party for data processing on this website is:
RD MindMedia Ltd
Anemonis 218c
8560 Paphos, Cyprus
Email: info@kontiqo.io
The responsible party is the natural or legal person who alone or jointly with others decides on the purposes and means of processing personal data (e.g., names, e-mail addresses, etc.).
Storage Duration
Unless a more specific storage period has been stated within this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a legitimate request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data; in such cases, deletion will take place after these reasons cease to apply.
Specific Retention Periods
The following automated retention periods apply:
- IP addresses and browser identifiers from consent records (T&C acceptance, avatar consent): 90 days, then automatic anonymisation
- Payment webhook data (Stripe): 90 days, then automatic deletion
- Usage logs: 365 days, then automatic deletion
- AI learning and feedback data (ratings, usage signals and image feedback for style personalization): 365 days, then automatic deletion; the aggregated style profile is kept until account deletion
- Post analytics data (own posts, statistics, LinkedIn insights): 730 days (2 years), then automatic deletion
- Temporary Telegram input data: 4 hours, then automatic deletion
- Third-party data from LinkedIn comments: comment texts 48 hours, name/profile details 24 hours, then automatic anonymisation (LinkedIn platform requirement)
- Encrypted backups (storage files): 30 daily, 4 weekly, 12 monthly, and 8 yearly snapshots. Individual records cannot be removed from encrypted backups for technical reasons. Backups automatically expire after the retention periods. In the event of a restore from an older backup, previously deleted personal data is immediately re-deleted.
- Account data: Until account deletion by user
General Information on the Legal Basis for Data Processing on this Website
If you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, if special categories of data pursuant to Art. 9(1) GDPR are processed. In the case of explicit consent to the transfer of personal data to third countries, data processing is also carried out on the basis of Art. 49(1)(a) GDPR. If you have consented to the storage of cookies or to access to information on your device (e.g. via device fingerprinting), the data processing is additionally carried out on the basis of § 25(1) TDDDG. The consent can be revoked at any time. If your data is required for the fulfillment of a contract or for the implementation of pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR. Furthermore, we process your data if this is necessary for the fulfillment of a legal obligation on the basis of Art. 6(1)(c) GDPR. Data processing may also be carried out on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR. Information about the relevant legal bases in each individual case is provided in the following paragraphs of this privacy policy.
Notice regarding data transfers to countries without adequate data protection and to US companies not certified under the DPF
We use, among other things, tools from companies based in countries without adequate data protection, as well as US tools whose providers are not certified under the EU-US Data Privacy Framework (DPF). When these tools are active, your personal data may be transferred to and processed in these countries. We point out that no level of data protection comparable to that in the EU can be guaranteed in countries without adequate data protection. We note that the USA, as a safe third country, generally has a level of data protection comparable to the EU. Data transfers to the USA are therefore permissible if the recipient holds certification under the 'EU-US Data Privacy Framework' (DPF) or has appropriate additional safeguards. Information about transfers to third countries, including the data recipients, can be found in this privacy policy.
Recipients of Personal Data
In the course of our business activities, we work with various external parties. In some cases, this also requires the transfer of personal data to these external parties. We only pass on personal data to external parties if this is necessary for the fulfillment of a contract, if we are legally obligated to do so (e.g. transfer of data to tax authorities), if we have a legitimate interest pursuant to Art. 6(1)(f) GDPR in the transfer, or if another legal basis permits the data transfer. When using data processors, we only pass on personal data of our customers on the basis of a valid data processing agreement. In the case of joint processing, a joint processing agreement is concluded.
Revocation of Your Consent to Data Processing
Many data processing operations are only possible with your express consent. You can revoke consent you have already given at any time. The legality of data processing carried out until the revocation remains unaffected by the revocation.
Right to Object to Data Collection in Special Cases and to Direct Advertising (Art. 21 GDPR)
IF DATA PROCESSING IS BASED ON ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE RESPECTIVE LEGAL BASIS ON WHICH PROCESSING IS BASED CAN BE FOUND IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR AFFECTED PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR THE PROCESSING SERVES THE ASSERTION, EXERCISE OR DEFENSE OF LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21(1) GDPR). IF YOUR PERSONAL DATA IS PROCESSED FOR THE PURPOSE OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA FOR THE PURPOSE OF SUCH MARKETING; THIS ALSO APPLIES TO PROFILING INSOFAR AS IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL SUBSEQUENTLY NO LONGER BE USED FOR THE PURPOSE OF DIRECT MARKETING (OBJECTION PURSUANT TO ART. 21(2) GDPR).
Right to Lodge a Complaint with the Competent Supervisory Authority
In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority. As our company is based in Cyprus, the competent supervisory authority is: Commissioner for Personal Data Protection, Iasonos 1, 1082 Nicosia, Cyprus, http://www.dataprotection.gov.cy. The right to lodge a complaint is without prejudice to other administrative or judicial remedies.
Right to Data Portability
You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done to the extent technically feasible.
Information, Rectification and Erasure
Within the framework of the applicable legal provisions, you have the right to free information about your stored personal data, its origin and recipients, and the purpose of data processing and, if applicable, a right to rectification or erasure of this data at any time. For this purpose and for further questions on the subject of personal data, you can contact us at any time.
Right to Restriction of Processing
You have the right to request the restriction of the processing of your personal data. You can contact us at any time for this purpose. The right to restriction of processing exists in the following cases: If you dispute the accuracy of your personal data stored by us, if processing is unlawful, if we no longer need the data but you need it for asserting legal claims, or if you have lodged an objection.
SSL or TLS Encryption
This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
Objection to Advertising Emails
The use of contact data published as part of the imprint obligation for sending unsolicited advertising and information materials is hereby objected to. The operators of these pages expressly reserve the right to take legal action in the event of unsolicited sending of advertising information, such as spam emails.
Encrypted payment transactions on this website
If, after the conclusion of a paid contract, there is an obligation to transmit your payment data (e.g. account number for direct debit authorization) to us, this data is required for payment processing. Payment transactions via common payment methods (Visa/MasterCard, direct debit) are carried out exclusively via an encrypted SSL or TLS connection. With encrypted communication, your payment data that you transmit to us cannot be read by third parties.
4. Data Collection on This Website
Cookies
Our website uses so-called "cookies". Cookies are small data packets and do not cause any damage to your device. They are stored either temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your device.
Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your device until you delete them yourself or automatic deletion is carried out by your web browser.
Cookies can originate from us (first-party cookies) or from third-party companies (so-called third-party cookies). Third-party cookies enable the integration of certain services from third-party companies within websites (e.g. cookies for processing payment services). Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g. the shopping cart function or the display of videos). Other cookies can be used to analyze user behavior or for advertising purposes. Cookies that are required to carry out the electronic communication process, to provide certain functions you have requested (e.g. for the shopping cart function) or to optimize the website (e.g. cookies to measure the web audience) (necessary cookies) are stored on the basis of Art. 6(1)(f) GDPR, unless another legal basis is specified. The website operator has a legitimate interest in the storage of necessary cookies for the technically error-free and optimized provision of its services. If consent to the storage of cookies and comparable recognition technologies has been requested, processing is carried out exclusively on the basis of this consent (Art. 6(1)(a) GDPR and § 25(1) TDDDG); the consent can be revoked at any time. You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general, and activate the automatic deletion of cookies when closing the browser. The deactivation of cookies may limit the functionality of this website. If additional cookies and services are used on this website, you can find information about them in this privacy policy.
Overview of cookies and local storage used
| Name / Identifier | Purpose | Duration | Type |
|---|---|---|---|
| sb-*-auth-token | Authentication (login session) | 30 days | Cookie (Supabase) |
| i18n_locale | Language setting (DE/EN) | 1 year | Cookie (first-party) |
| cf_clearance | Bot protection (Cloudflare Turnstile) | 30 minutes | Cookie (Cloudflare) |
| __cf_bm | Bot detection (Cloudflare) | 30 minutes | Cookie (Cloudflare) |
Additionally, we use your browser's local storage (localStorage) for UI settings such as dashboard layout and similar preferences. This data does not leave your browser and is used solely for functionality.
Audience Measurement with Umami (self-hosted)
We use the open-source analytics software Umami in a self-operated instance (hosted on Vercel, function region Frankfurt/EU) to statistically evaluate the use of our website (e.g. page views, country of origin, browser type). Umami does not set cookies and does not store identifiers on your device; IP addresses are not stored but only processed transiently to handle the page view. The collected data does not allow individual visitors to be identified. The legal basis is our legitimate interest in data-minimising audience measurement (Art. 6 (1) (f) GDPR); Sec. 25 TDDDG does not apply as no information is accessed on your device.
Contact Form
If you send us enquiries via the contact form, your details from the enquiry form, including the contact data you provide there, will be processed for the purpose of handling the enquiry and in case of follow-up questions. The submission is sent by email to our support mailbox; no additional storage in our database takes place. To protect against automated submissions we use Cloudflare Turnstile on the form (see Section 8). Processing is based on Art. 6 (1) (b) GDPR if your enquiry relates to the performance of a contract; otherwise on our legitimate interest in the effective handling of enquiries addressed to us (Art. 6 (1) (f) GDPR). The email correspondence remains with us until the purpose for storage no longer applies; mandatory statutory retention periods remain unaffected.
Inquiry by email, phone or fax
If you contact us by email, phone or fax, your inquiry including all resulting personal data (name, inquiry) will be stored and processed by us for the purpose of handling your request. We do not pass on this data without your consent. The processing of this data is based on Art. 6(1)(b) GDPR, if your inquiry is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of inquiries addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) if this has been requested; the consent can be revoked at any time. The data sent to us via contact inquiries will remain with us until you request deletion, revoke your consent to storage, or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory legal provisions - in particular retention periods - remain unaffected.
Registration on This Website
You can register on this website to use the service. We use the data entered (email address, password) only for the purpose of using the service. Upon registration we record your acceptance of the Terms of Service (time, version and - for 90 days - IP address and browser identifier as evidence). The legal basis is Art. 6 (1) (b) GDPR. The data collected during registration is stored for as long as your account exists; upon account deletion it is irrevocably removed unless statutory retention obligations apply.
Sign in with LinkedIn
Instead of registering by email, you can sign in using your LinkedIn account (OpenID Connect). The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. We receive from LinkedIn the profile data required to create your account (name, email address, profile picture URL, LinkedIn identifier). Processing is carried out for the performance of the contract (Art. 6 (1) (b) GDPR); the exchange between you and LinkedIn is subject to LinkedIn's privacy policy (https://www.linkedin.com/legal/privacy-policy). LinkedIn is certified under the EU-US Data Privacy Framework.
5. LinkedIn Integration (Publishing and Insights)
Connecting Your LinkedIn Account
The core of our service is the connection to your LinkedIn account or company page via the official LinkedIn interfaces (Community Management API). The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland; LinkedIn is certified under the EU-US Data Privacy Framework. When connecting, we store the access tokens you authorise (AES-256 encrypted), your LinkedIn identifier and the name/email of your LinkedIn profile. The legal basis is the performance of the contract (Art. 6 (1) (b) GDPR).
Publishing on Your Behalf
Posts, images and comments that you approve in the platform are transmitted to LinkedIn on your behalf. No automatic publishing takes place without your prior approval.
Statistics and Comments (Insights)
At your request we retrieve statistics on your own posts (impressions, reactions, follower development) as well as comments under your posts. In doing so we also process personal data of commenters (name, LinkedIn identifier, comment text). This third-party data is subject to strict retention limits imposed by LinkedIn, which we enforce automatically: name and profile details are anonymised after 24 hours, comment texts after 48 hours. Your own replies and the related statistics are retained. The legal basis is the performance of the contract with you (Art. 6 (1) (b) GDPR) and, with regard to third-party data, our mutual legitimate interest in managing your LinkedIn presence (Art. 6 (1) (f) GDPR). Incoming comments can, at your request, be automatically classified by sentiment and category to make replying easier; the wording of third-party comments is not used for AI-assisted text generation.
6. AI Features
Overview and Principles
On your instruction, our service creates texts and images using AI models from external providers. For this purpose we transmit the content you enter (e.g. ideas, texts, style samples, images) to the respective provider to the extent required for the requested function. Data processing agreements are in place with all AI providers; your content is contractually not used to train AI models. AI-generated drafts are labelled as such within the application and are only published after your review and approval. The legal basis is the performance of the contract (Art. 6 (1) (b) GDPR).
Anthropic (Text Generation and Analysis)
For text generation, style analysis (brand voice), the AI chat and image description we use Claude by Anthropic PBC, 548 Market St, San Francisco, CA 94104, USA. Transfers to the USA are based on EU Standard Contractual Clauses in the data processing agreement. Anthropic contractually does not use API content for model training and is certified to ISO 27001 and ISO 42001, among others.
OpenAI (Image Analysis, Speech Transcription, Embeddings)
For analysing uploaded images (Vision), transcribing voice messages (Whisper, e.g. from the Telegram integration) and semantic embeddings we use services from OpenAI (OpenAI, L.L.C., San Francisco, USA or OpenAI Ireland Ltd for the EEA). A data processing agreement with EU Standard Contractual Clauses is in place; API content is not used for training by default and is retained for a maximum of 30 days for abuse monitoring purposes under OpenAI's contractual terms.
Replicate (AI Image Generation)
For generating post images we use the model platform Replicate (Replicate, Inc., San Francisco, USA). The image instructions and, where applicable, reference images you provide are transmitted. Transfers to the USA are based on a data processing agreement with EU Standard Contractual Clauses.
Images of You (biometric-adjacent processing, Art. 9 GDPR)
Optionally, you can upload portrait photos of yourself to generate new, photorealistic images of yourself in desired scenes. As your facial features are processed in this context, we treat this feature as processing of special categories of personal data and carry it out exclusively on the basis of your explicit consent (Art. 9 (2) (a) GDPR), which you grant before first use and can revoke at any time in the settings (Art. 7 (3) GDPR; the lawfulness of processing prior to revocation remains unaffected). For generation we transmit your reference photos to Replicate (image model) and, where applicable, to Anthropic (image description) - in each case on the basis of data processing agreements, without use for model training. We document the granting and revocation of consent with timestamp and version; the IP/browser details recorded in this context are anonymised after 90 days. Generated images appear in your image library and can be deleted by you at any time.
7. Email Delivery and Customer Information
Transactional Emails (Resend)
For sending system emails (e.g. registration confirmation, password reset, subscription and support notifications) we use Resend (Resend, Inc., 2261 Market Street #4103, San Francisco, CA 94114, USA). Email address, name and the respective message content are processed. Resend is certified under the EU-US Data Privacy Framework; in addition, a data processing agreement with EU Standard Contractual Clauses is in place. The legal basis is the performance of the contract (Art. 6 (1) (b) GDPR).
Newsletter delivery to existing customers
If you purchase goods or services from us and provide your email address in the process, this email address may subsequently be used by us for sending newsletters, provided that we inform you in advance. In such a case, only direct advertising for our own similar goods or services will be sent via the newsletter. You can cancel the sending of this newsletter at any time. For this purpose, there is a corresponding link in every newsletter. The legal basis for sending the newsletter in this case is Art. 6(1)(f) GDPR in conjunction with § 7(3) UWG.
8. Further Service Providers and Tools
Google Fonts (Local Hosting)
This site uses so-called Google Fonts for uniform display of fonts. The Google Fonts are installed locally. There is no connection to Google servers.
Supabase (Database, Authentication, File Storage)
We use Supabase (Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992) for authentication, database and file storage. Your data is stored in the EU region (Ireland). We have concluded a data processing agreement with EU Standard Contractual Clauses; Supabase is SOC 2 Type II certified. Details: https://supabase.com/privacy
Sentry (Error Monitoring)
For error detection we use Sentry (Functional Software, Inc., 132 Hawthorne St, San Francisco, CA 94107, USA) with EU data residency (error data processed in Frankfurt). Technical data is collected (browser, operating system, error details); cookies, request parameters and identifiers are removed before transmission and IP addresses are not stored. When an error occurs, a fully masked session replay is created (all texts, inputs and media hidden); normal sessions are not recorded. Sentry is DPF certified; a data processing agreement is in place. The legal basis is Art. 6 (1) (f) GDPR (stable and secure operation).
Cloudflare Turnstile (Bot Protection)
To protect against automated attacks and spam, we use Cloudflare Turnstile (Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA) on the contact form and during registration. The cookies 'cf_clearance' and '__cf_bm' are set. No personal data is transmitted to Cloudflare; the verification is performed without a visible CAPTCHA. The legal basis is § 25(2) TDDDG in conjunction with Art. 6(1)(f) GDPR (legitimate interest in protection against abuse). Cloudflare is certified under the EU-US Data Privacy Framework. Details: https://www.cloudflare.com/privacypolicy/
Upstash / Vercel KV (Rate Limiting & Caching)
To protect against abuse and for performance optimization, we use Upstash (Upstash, Inc., San Francisco, CA, USA) as a serverless Redis database, provided via Vercel KV. Pseudonymized request counters (based on hashed IP addresses or user IDs) are temporarily stored. This data is automatically deleted after a short time (a few minutes to hours). No plaintext personal data is stored. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in protection against abuse). We have concluded a Data Processing Agreement (DPA) with Upstash. Details: https://upstash.com/trust/privacy
Hostinger (Encrypted Backup)
To ensure data availability and disaster recovery, we create daily encrypted backups of all files stored in Supabase Storage (images, documents, attachments) on a dedicated server provided by Hostinger (Hostinger International Ltd., 61 Lordou Vironos Street, 6023 Larnaca, Cyprus) located in Frankfurt (EU). Backups are secured with AES-256-CTR encryption and Poly1305 MAC (via restic). Unencrypted data is automatically deleted after backup completion. Retention periods are: 30 daily, 4 weekly, 12 monthly, and 8 yearly backups. In the event of a restore from an older backup, previously deleted personal data is immediately re-deleted. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in data security and business continuity). We have concluded a Data Processing Agreement (DPA) with Hostinger. Details: https://www.hostinger.com/privacy-policy
Telegram Bot (optional integration)
Optionally, you can connect our Telegram bot to your account to capture ideas via message or voice message and approve posts. The messenger provider is Telegram (Telegram FZ-LLC, Dubai, UAE); according to Telegram, data of EEA users is stored in data centres in the Netherlands, and EDPO (Avenue Huart Hamoir 71, 1030 Brussels, Belgium) is appointed as EU representative pursuant to Art. 27 GDPR. Please note that no EU adequacy decision exists for transfers to Telegram; use of the bot is voluntary and takes place at your initiative for the performance of the contract (Art. 6 (1) (b) GDPR). Content you send to the bot is processed like input in the web application; voice messages are transmitted to OpenAI (Whisper) for transcription (see Section 6). Temporary bot input data is deleted after 4 hours.
Google Meet / Google Calendar (business communication)
For video appointments with customers and prospects (e.g. demos, support calls) we use Google Meet and Google Calendar. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The appointment data you provide (name, email address, time) and the usual connection metadata for conferences are processed. These services are not embedded in our website; processing only takes place if you arrange an appointment with us. Google is certified under the EU-US Data Privacy Framework. The legal basis is Art. 6 (1) (b) GDPR (appointment coordination at your request) or Art. 6 (1) (f) GDPR (efficient business communication).
Pexels (Stock Photo Search)
To let you choose free stock photos for your posts, we use the Pexels API, a brand of Canva Germany GmbH (Pappelallee 78/79, 10437 Berlin, Germany). The search request is made server-side; this transmits our server IP to Pexels, not yours. However, the thumbnail previews of the search results are loaded directly from the Pexels image network (images.pexels.com) into your browser; in doing so, your IP address may be transmitted to Pexels. When you select a photo, we download it server-side and store it in our file storage so it can be attached to your post. The legal basis is performance of the contract (Art. 6(1)(b) GDPR) and our legitimate interest in providing suitable image content (Art. 6(1)(f) GDPR). More information: https://www.pexels.com/privacy-policy/
9. eCommerce and Payment Processing
Processing of Customer and Contract Data
We collect, process, and use personal customer and contract data for the establishment, content design, and modification of our contractual relationships. Processing is based on Art. 6(1)(b) GDPR. The collected customer data is deleted after completion of the order or termination of the business relationship and expiry of tax retention periods.
Data transmission upon contract conclusion for services and digital content
We only transmit personal data to third parties if this is necessary in the context of contract processing, for example to the credit institution entrusted with payment processing. Further transmission of data does not take place or only takes place if you have expressly consented to the transmission. Your data will not be passed on to third parties without your express consent, for example for advertising purposes. The basis for data processing is Art. 6(1)(b) GDPR, which permits the processing of data for the fulfillment of a contract or pre-contractual measures.
Payment Service Provider
All payment processing (credit card and other payment methods) is handled via Stripe. When you make a purchase, your payment data is processed by the payment service provider for the purpose of payment processing; we ourselves do not receive or store complete payment data. The use is based on Art. 6 (1) (b) GDPR (contract processing) and in the interest of a smooth and secure payment process (Art. 6 (1) (f) GDPR).
Stripe
The provider for customers within the EU is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (hereinafter 'Stripe'). The data transfer to the USA is based on the Standard Contractual Clauses of the EU Commission. Details can be found here: https://stripe.com/de/privacy and https://stripe.com/de/guides/general-data-protection-regulation.
Last updated: 2026-06-05