Privacy notice

Vossmedien, Christian Voss, Frankenstr. 37a, 90443 Nürnberg

Email: christian@vossmedien.de, Phone: 0162 2838535

When users register or sign in, we process data such as email address, optional company/contact details, and session-related technical information. This is necessary to provide the account, authenticate via Magic Link, and manage the workspace.

The legal basis is Article 6(1)(b) GDPR and, for security and abuse prevention, Article 6(1)(f) GDPR.

For paid plans we process plan, contract, payment and invoice-related data. Payments are handled via Stripe. We store plan information, billing interval, Stripe customer/subscription references and billing status information.

The legal basis is Article 6(1)(b) GDPR; statutory retention duties are based on Article 6(1)(c) GDPR.

For consumers we additionally store confirmations relating to pricing, immediate start of digital services and withdrawal-related notices where required before paid checkouts.

When dynamic QR codes are opened, we process pseudonymized scan data such as QR code ID, timestamp, referrer, hashed/truncated IP information and user agent. We currently do not place a persistent analytics cookie on the scanner's device for this purpose.

This processing serves delivery of the QR destination, abuse detection and pseudonymized usage analytics for the booked SaaS service. The legal basis is Article 6(1)(f) GDPR.

If users voluntarily connect SharePoint or Google Sheets, we process the required OAuth and integration data, such as user identifiers, display names, email addresses, tokens and import/export metadata.

The legal basis is Article 6(1)(b) GDPR.

Magic Links, workspace invitations, contract confirmations and cancellation confirmations are sent through our SMTP infrastructure hosted by All-Inkl. Recipient address, sending time and delivery-related technical data are processed for this purpose.

At present, we only use technically necessary cookies or state information, for example for login sessions or OAuth security mechanisms. For these strictly necessary technologies, no consent banner is required.

If we later add consent-requiring tracking, marketing or comfort technologies, they will only be activated after prior consent.

Recipients may include Stripe, All-Inkl as mail host and, if activated by the user, Microsoft or Google. Processing may also take place outside the EU/EEA. Where required, such transfers are safeguarded by appropriate mechanisms such as the EU standard contractual clauses.

Account and workspace data are generally stored for the duration of the contractual relationship and until deletion of the account, unless statutory retention obligations apply.

Pseudonymized scan events are retained as long as necessary for the analytics function of the related QR code. Integration data is retained until the connection is removed or the processing purpose ends.

Data subjects have the right to access, rectification, erasure, restriction of processing, data portability and objection, subject to the applicable legal requirements.

A complaint may also be lodged with a data protection supervisory authority.