Privacy Policy
Last updated: 10 December 2025
We are pleased that you are interested in emborado. Protecting your personal data is important to us. Below, we provide information pursuant to Article 13 of the General Data Protection Regulation (GDPR) on how we process your data.
I. Information on data processing pursuant to Article 13 GDPR
1. Controller and data protection contact
The controller for this website is:
- emborado GmbH & Co. KG
- Mendelstraße 11 c/o Gründergarage
- 48149 Münster, Germany
- E-mail: info@emborado.de
We have not appointed a data protection officer, as this is currently not required for our organisation.
2. Data processed for provision, functionality and system administration
a) Which data is processed for which purposes?
Categories (among others):
- Date/time of access, request/response ID
- IP address (IPv4/IPv6), where applicable hostname
- Requested URL/path, HTTP method, status code, amount of data transferred
- Browser type/version, operating system, language settings (user agent), referrer URL where applicable
- Technical event/error logs of the application
- Security-relevant events/rule matches of our web application firewall (WAF), if enabled
Purposes:
- Delivery and display of the website/platform
- Stability/performance, detection and correction of errors (monitoring/debugging)
- IT security: detection, defence and tracing of attacks (including DDoS protection)
- System administration and prevention of misuse/fraud
b) Legal bases
- Article 6(1)(b) GDPR (performance of a contract/steps prior to entering into a contract), where required for features that require registration (e.g. login, account usage)
- Article 6(1)(f) GDPR (legitimate interests) for operation, security, error analysis, stability and prevention of misuse
c) Recipients/categories of recipients
- Hosting & infrastructure (processors): Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg (including S3/CloudFront, CloudWatch for logs/monitoring; AWS WAF for security functions, if enabled)
- Internal recipients: administrators/DevOps staff only, with role-based access on a “need-to-know” basis
- Other disclosures: only where required by law (e.g. to law enforcement authorities in the event of an attack)
d) Storage period
- Web/application logs: generally up to 24 hours with direct administrative access
- Backups/indirect backups: permanently deleted after no more than four weeks
- WAF/security events: only for as long as necessary for detection/defence/forensic assessment; subsequently deleted or anonymised
e) Source of data / obligation to provide data
- The data is collected automatically when you access our website/platform (HTTP/HTTPS requests from your device)
- Without processing the connection data mentioned, provision of the website is technically impossible
f) Third countries/transfers
Processing takes place in EU/EEA regions of our infrastructure provider.
g) Automated decision-making
No decision-making based solely on automated processing is carried out that produces legal effects or similarly significantly affects you (Article 22 GDPR).
3. Payments
a) Purpose and categories of data
When you take out a subscription, we process payments via Stripe. Depending on the payment method used, the following data is processed, among others:
- Identification/contact data: name, e-mail address, billing address, country
- Contract/transaction data: plan, term, amounts, currency, times, status, invoice/document numbers, customer number/Stripe customer ID
- Payment data: type of payment method, masking (e.g. last 4 digits), tokens/transaction IDs; we do not store full card numbers
- Technical/fraud data (at Stripe): IP address, device/browser information, where applicable fingerprint/telemetry data
b) Roles & recipients
- Payment service provider: Stripe Payments Europe, Limited (SPEL) & Stripe Technology Europe, Limited (STEL), 1 Grand Canal Street Lower, Dublin, Ireland
- Stripe acts partly as a processor and partly as an independent controller (including for statutory obligations under payment services law, KYC and fraud prevention).
c) Legal bases
- Article 6(1)(b) GDPR (performance of a contract/steps prior to entering into a contract)
- Article 6(1)(c) GDPR (legal obligation) for retention under tax/commercial law
- Article 6(1)(f) GDPR (legitimate interests) for fraud prevention/prevention of misuse
d) Storage period
- Contract/transaction/billing data: in general up to 10 years in line with statutory requirements
- Stripe stores data in line with its own retention periods; details are available at stripe.com/privacy
e) Third countries/transfers
Stripe may transfer data to third countries (including the USA) and, according to its own information, relies on EU Standard Contractual Clauses (Article 46 GDPR) and additional safeguards for this purpose.
f) Obligation to provide data
For a paid subscription, provision of the above-mentioned data is required; without this data, entering into a contract is not possible.
g) Automated decision-making
We do not make decisions based solely on automated processing. Stripe may use automated assessment procedures for fraud prevention (see Stripe’s privacy notice).
h) Gift cards (GiftUp)
For the purchase and management of gift cards, we use an external service provider (GiftUp).
Categories of data:
- Details of the gift card purchaser: name, e-mail address, and where applicable postal address
- Details relating to the gift card (value, currency, order and redemption information, status)
- E-mail address of the gift card recipient (for electronic delivery)
- Technical data (e.g. IP address, browser information) for security/fraud prevention purposes
Purposes: sale, technical provision and management of gift cards, fraud prevention and billing.
Legal bases:
- Article 6(1)(b) GDPR (performance of the contract with the purchaser)
- Article 6(1)(f) GDPR (fraud prevention, system security)
- Article 6(1)(a) GDPR, where the recipient is contacted directly by us (e.g. by e-mail)
Recipient: gift card service provider (GiftUp) as a processor, address: The Growth Hub, Stroud Road, Cirencester, GL7 6JR, United Kingdom.
Storage period: Data that is relevant for tax and commercial law is usually retained for up to 10 years; other data is retained only for as long as is necessary to manage the gift card.
4. Registration and account
a) Categories of data
- E-mail address, display name, account/customer IDs, timestamps (registration, last login), status information (e.g. verification)
b) Purposes
- Set-up/management of your account, authentication, performance of the contract, security and communication regarding account-related matters
c) Legal bases
- Article 6(1)(b) GDPR (performance of a contract/steps prior to entering into a contract)
- Article 6(1)(f) GDPR (legitimate interests) for IT security/prevention of misuse
d) Recipients
- Internal recipients (role-based); external recipients only where required (e.g. hosting/e-mail/identity services as processors)
e) Storage period
- Until the account is deleted; thereafter, data remains only in logs/backups for the periods specified under section 2(d) or where statutory obligations apply
f) Obligation to provide data
Without the data mentioned, registration and use of features that require an account are not possible.
5. Content management
a) Categories of data
- Files uploaded by you (file name, content/formats), generated preview images/thumbnails
- Technical metadata extracted from the files (e.g. stitch count, colours, size)
- Manually assigned information (tags, notes)
- AI-generated descriptions/tags/similarity information
- Usage events (e.g. favourites, recently used)
b) Purposes
- Provision of management, search and organisation features, including preview display
c) Legal bases
- Article 6(1)(b) GDPR (performance of a contract/steps prior to entering into a contract)
- Article 6(1)(f) GDPR (legitimate interests) for stability, prevention of misuse and quality assurance
d) Recipients
- Internal recipients (role-based); external recipients only as processors (hosting/storage)
e) Storage period
- Until deleted by you or until your account is deleted; derived metadata (including previews, AI descriptions) is deleted together with the associated files
f) Obligation to provide data
The provision of content is voluntary; without content, the corresponding features cannot be used.
6. Analytics and statistics services
a) Google Analytics
We use Google Analytics to statistically evaluate and improve the use of our website.
Categories of data:
- Anonymised or truncated IP address
- Device and browser information (e.g. operating system, screen resolution)
- Usage data (pages visited, time spent, click paths, referrer URL)
- Pseudonymous identifiers (e.g. cookie ID or similar identifiers)
Purposes: reach measurement, usage analysis, optimisation of content and features.
Legal basis: Article 6(1)(a) GDPR (consent) via our consent tool. You can withdraw your consent at any time with effect for the future.
Recipients:
- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
- Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Transfers to third countries: A transfer of data to the USA cannot be ruled out. For this, Google relies on EU Standard Contractual Clauses (Article 46 GDPR) and additional safeguards.
Storage period: The retention periods we have configured for user and event data are typically between 2 and 14 months.
b) Umami Analytics
We also use Umami, a privacy-friendly web analytics service, to collect aggregated usage statistics.
Categories of data:
- Pages and paths accessed
- Referrer (which site you came from)
- Browser and device information (e.g. screen size, language)
- Time of access
Evaluation generally takes place without creating personal profiles.
Purposes: anonymous reach measurement, technical and content optimisation of our website.
Legal basis:
- Article 6(1)(f) GDPR (legitimate interests in operating a user-friendly and efficient website)
- Article 6(1)(a) GDPR (consent) via our consent tool, where cookies or similar identifiers are used. You can withdraw your consent at any time with effect for the future.
Recipient: We use a hosted version of Umami.
7. CRM, support & marketing communication (HubSpot)
a) Categories of data
- Contact details (e.g. name, e-mail address, telephone number where applicable)
- Information on interactions with e-mails sent
b) Purposes
- Management of our customer and contact relationships (CRM)
- Sending information about our service (e.g. product updates), where permitted
c) Legal bases
- Article 6(1)(b) GDPR (performance of a contract or steps prior to entering into a contract)
- Article 6(1)(f) GDPR (legitimate interests in efficient customer communication and support)
- Article 6(1)(a) GDPR where we obtain your consent for specific marketing e-mails or tracking
d) Recipients
- HubSpot Ireland Limited / HubSpot Inc. as CRM and communication service provider (processor)
e) Transfers to third countries
Data may be transferred to HubSpot Inc. in the USA. Such transfers are based on EU Standard Contractual Clauses (Article 46 GDPR) and additional safeguards.
f) Storage period
- CRM data is usually stored until the end of the customer relationship or until you object/withdraw your consent.
- In addition, statutory retention periods apply (e.g. for business correspondence).
8. Affiliate programme (Endorsely)
a) Categories of data
- Click and referrer data (e.g. which affiliate links were used)
- Partner IDs, campaign identifiers
- Time of clicks and any resulting contract conclusions
- Master data of our affiliate partners (e.g. name, e-mail, payout information)
b) Purposes
- Operation and management of our affiliate programme
- Attribution of referred customers and calculation of commissions
- Prevention of misuse and fraud
c) Legal bases
- Article 6(1)(a) GDPR (consent) for setting cookies/tracking via our consent tool
- Article 6(1)(b) GDPR for performance of partner contracts
- Article 6(1)(f) GDPR (legitimate interests in fair and traceable commission billing)
d) Recipient
- Endorsely as technical service provider for the affiliate programme (processor)
e) Transfers to third countries
Where Endorsely uses servers outside the EU, transfers are based on appropriate safeguards (in particular EU Standard Contractual Clauses pursuant to Article 46 GDPR).
9. Accounting & tax (Lexware)
a) Categories of data
- Invoice and booking data (invoice number, amount, period of service)
- Customer master data (name, address, business details where applicable)
b) Purposes
- Legally compliant accounting
- Fulfilment of commercial and tax law retention obligations
c) Legal bases
- Article 6(1)(c) GDPR (legal obligation under commercial and tax law)
- Article 6(1)(b) GDPR (performance of a contract)
d) Recipients
- Accounting software provider (Lexware) as processor
- Tax advisors or auditors where required by law
e) Storage period
- As a rule, up to 10 years in accordance with commercial and tax law requirements.
10. Cookies
We use cookies and similar technologies to ensure the operation of our website, analyse usage and improve our services. Technically necessary cookies are used on the basis of Article 6(1)(f) GDPR (legitimate interests in operating a secure and stable website). Analytics and marketing cookies (e.g. for Google Analytics or affiliate tracking) are only used with your consent (Article 6(1)(a) GDPR), which you can provide via our consent tool and withdraw at any time with effect for the future.
11. Rights of data subjects
Under the GDPR, you have the following rights:
- a. Right of access (Article 15)
- b. Right to rectification (Article 16)
- c. Right to erasure (Article 17)
- d. Right to restriction of processing (Article 18)
- e. Right to data portability (Article 20)
- f. Right to object to processing based on Article 6(1)(f) GDPR (see Section II)
- g. Right to lodge a complaint with a supervisory authority. The authority responsible for us is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen), e-mail: poststelle@ldi.nrw.de, website: www.ldi.nrw.de.
II. Right to object (Article 21(1) GDPR)
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Article 6(1)(f) GDPR. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
III. Contact & supervisory authority
Contact for data protection matters
- Max Heimsath
- E-mail: max.heimsath@emborado.de
Supervisory authority
- Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (State Commissioner for Data Protection and Freedom of Information NRW)
- E-mail: poststelle@ldi.nrw.de
- Website: https://www.ldi.nrw.de
Note: This privacy policy is reviewed regularly and updated where necessary.