Privacy Policy

Last updated: 15 August 2025

Thank you for your interest in emborado. Protecting your personal data matters to us. Below we inform you, pursuant to Art. 13 of the EU General Data Protection Regulation (GDPR), about how we process your data.

I. Information on Processing under Art. 13 GDPR

1. Controller and Data Protection Officer

The controller for this website is:

  • emborado eGbR
  • Mendelstraße 11 c/o Gründergarage
  • 48151 Münster, Germany
  • E-mail: info@emborado.de

We have not appointed a data protection officer, as this is currently not required for our organisation.

2. Data processed for website delivery, functionality and system administration

a) What data for which purposes?

Categories (incl. but not limited to):

  • Date/time of access, request/response IDs
  • IP address (IPv4/IPv6) of the requesting device, where applicable hostname
  • Requested URL/path, HTTP method, status code, amount of data transferred
  • Browser type/version, operating system, language setting (user agent), referrer URL (if provided)
  • Technical application event/error logs
  • Security-relevant events/rule hits of our Web Application Firewall (WAF), if enabled

Purposes:

  • Delivery and display of the website/platform
  • Stability/performance, error detection and remediation (monitoring/debugging)
  • IT security: detection, defence and investigation of attacks (incl. DDoS protection)
  • System administration and abuse/fraud prevention

b) Legal bases

  • Art. 6(1)(b) GDPR (contract/steps prior to entering into a contract) insofar as required for functions that require registration (e.g. login, account use)
  • Art. 6(1)(f) GDPR (legitimate interests) for operation, security, error analysis, stability and abuse prevention

c) Recipients or categories of recipients

  • Hosting & infrastructure (processors): Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg (incl. S3/CloudFront, CloudWatch for logs/monitoring; AWS WAF for security functions, if enabled)
  • Internal recipients: administrators/DevOps only, role-based, need-to-know
  • Further disclosures: only where legally required (e.g. to law enforcement in case of attacks)

d) Storage periods

  • Web/application logs: typically accessible to admins for up to 24 hours
  • Backups/indirect safeguards: permanently deleted after no more than four weeks
  • WAF/security events: only as long as necessary for detection/defence/forensics; afterwards deletion or anonymisation

e) Source of data / obligation to provide

  • Data arise automatically when you access our website/platform (your device’s HTTP/HTTPS requests)
  • Without processing these connection data, providing the website and core functions is technically impossible

f) Third countries / transfers

Processing takes place in EU/EEA regions of our infrastructure provider.

g) Automated decision-making

No solely automated decision-making with legal or similarly significant effect takes place (Art. 22 GDPR).

3. Payments

a) Purpose and data categories

When you purchase a subscription, we process payments via Stripe. Depending on the payment method, the following may be processed:

  • Identification/contact: name, e-mail address, billing address, country
  • Contract/transaction: plan, term, amounts, currency, timestamps, status, invoice/receipt numbers, customer number/Stripe customer ID
  • Payment data: payment method type, masked details (e.g. last 4 digits), tokens/transaction IDs; we do not store full card numbers/CVC
  • Technical/fraud data (at Stripe): IP address, device/browser information, fingerprint/telemetry for fraud prevention

b) Roles & recipients

  • Payment service provider: Stripe Payments Europe, Limited (SPEL) & Stripe Technology Europe, Limited (STEL), 1 Grand Canal Street Lower, Dublin, Ireland
  • We have a data processing agreement with Stripe (Art. 28 GDPR). For certain purposes (e.g. PSD2 compliance, KYC/fraud prevention), Stripe acts as an independent controller.

c) Legal bases

  • Art. 6(1)(b) GDPR (contract/steps prior to entering into a contract)
  • Art. 6(1)(c) GDPR (legal obligation) for retention of invoices/accounting data (e.g. under commercial/tax law)
  • Art. 6(1)(f) GDPR (legitimate interests) for fraud prevention, abuse avoidance and payment enforcement

d) Storage periods

  • Contract/transaction/accounting data: regularly up to 10 years as required by law
  • Stripe retains data according to its own schedules; see Stripe’s privacy information

e) Third countries / transfers

Stripe may transfer data to third countries (incl. the USA). According to Stripe, such transfers rely on EU Standard Contractual Clauses (Art. 46 GDPR) and additional safeguards. Details: stripe.com/privacy.

f) Obligation to provide / consequences of non-provision

Providing the above payment and billing data is required to conclude and perform a paid subscription. Without such data, a contract cannot be concluded.

g) Automated decision-making

We do not take solely automated decisions. Stripe may use automated assessments for fraud prevention. See Stripe’s privacy information for details.

4. Registration and Account

a) Data categories

  • E-mail address, display name, account/customer IDs, timestamps (registration, last login), status information (e.g. verification)

b) Purposes

  • Set-up and management of your account, authentication/login, contract performance, security (e.g. abuse prevention), communication on account-related matters

c) Legal bases

  • Art. 6(1)(b) GDPR (contract/steps prior to entering into a contract)
  • Art. 6(1)(f) GDPR (legitimate interests) for IT security/abuse prevention

d) Recipients

  • Internal recipients (support/administration, role-based). External recipients only where necessary (e.g. hosting/e-mail/identity services as processors).

e) Storage periods

  • Until your account is deleted; afterwards data remain only in system logs/backups for the periods under section 2(d) and/or as required by law.

f) Obligation to provide

Without the above data, registration and the use of functions requiring registration are not possible.

5. Content Management

a) Data categories

  • Files you upload (file names, file contents/formats), generated previews/thumbnails
  • Extracted technical metadata (e.g. stitch count, colours, size)
  • Manually provided information (tags, notes)
  • AI-generated descriptions/tags/similarity information
  • Usage events (e.g. favourite, last used)

b) Purposes

  • Providing management, search/filter and similarity features, organisation and easy retrieval, preview display

c) Legal bases

  • Art. 6(1)(b) GDPR (contract/steps prior to entering into a contract)
  • Art. 6(1)(f) GDPR (legitimate interests) for stability, abuse prevention and quality assurance

d) Recipients

  • Internal recipients (role-based); external recipients only as processors (hosting/storage)

e) Storage periods

  • Until you delete them or your account is deleted; derived metadata (incl. previews, AI descriptions) are deleted together with the corresponding files

f) Obligation to provide

Providing content is voluntary; without content, the related management and search functions are unavailable.

6. Cookies

We use cookies to ensure the proper operation of our website, to analyse usage and to improve our offering. Technically necessary cookies are used on the basis of Art. 6(1)(f) GDPR. Non-essential cookies are used only with your consent (Art. 6(1)(a) GDPR).

7. Your Rights

Under the GDPR you have the following rights:

  • a. Right of access (Art. 15)
  • b. Right to rectification (Art. 16)
  • c. Right to erasure (Art. 17)
  • d. Right to restriction of processing (Art. 18)
  • e. Right to data portability (Art. 20)
  • f. Right to object to processing based on Art. 6(1)(f) (see section II)
  • g. Right to lodge a complaint with a supervisory authority. Our competent authority is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW): poststelle@ldi.nrw.de, www.ldi.nrw.de.

II. Right to Object (Art. 21(1) GDPR)

You may object at any time, on grounds relating to your particular situation, to processing of personal data concerning you which is based on Art. 6(1)(f) GDPR. We will then no longer process the data unless we can demonstrate compelling legitimate grounds or the processing serves the establishment, exercise or defence of legal claims.

III. Contact & Supervisory Authority

Contact for privacy requests

Supervisory authority

Note: We review this privacy policy regularly and update it as needed.