Privacy Policy

1. Introduction

Designation of the Responsible Party

saferspaces GmbH, c/o 105 VIERTEL GmbH & Ko. KG., Gänsemarkt 33, 20354 Hamburg.

The responsible party decides alone or jointly with others on the purposes and means of processing personal data (e.g., names, contact details, etc.).

If you have any questions about data protection, you can contact us at any time at kontakt@saferspaces.io.

Revocation of Your Consent to Data Processing

Some data processing operations are only possible with your express consent. A revocation of your already given consent is possible at any time. An informal notification by e-mail to kontakt@saferspaces.io is sufficient for the revocation. The legality of the data processing carried out until the revocation remains unaffected by the revocation.

Right to Complain to the Competent Supervisory Authority

As a data subject, you have the right to complain to the competent supervisory authority in the event of a data protection violation. The competent supervisory authority regarding data protection questions is the state data protection officer of the federal state in which our company is located.

Right to Data Portability

You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to third parties. The provision is made in a machine-readable format. If you request the direct transfer of the data to another responsible party, this will only be done insofar as it is technically feasible.

Right to Information, Correction, Blocking, Deletion

You have the right at any time within the framework of the applicable legal provisions to free information about your stored personal data, origin of the data, their recipients and the purpose of data processing and, if applicable, a right to correction, blocking or deletion of this data. For this purpose and for further questions on the subject of personal data, you can contact kontakt@saferspaces.io at any time.

SSL or TLS Encryption

For security reasons and to protect the transmission of confidential content that you send to us as site operator, our website uses SSL or TLS encryption. This means that data that you transmit via this website cannot be read by third parties. You can recognize an encrypted connection by the "https://" address line of your browser and the lock symbol in the browser line.

2. Which Data Do We Process?

Contact by E-Mail

When you contact us by e-mail, the data you provide (your e-mail address, possibly your name and telephone number) will be stored by us to answer your questions.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in answering your inquiry).

Storage period: We store the data arising in this context for as long as it is necessary to answer your inquiry and for further communication. You can request deletion of your data at any time. We delete the data as soon as it is no longer necessary for the fulfillment of the purpose, unless there are legal retention obligations or there is a legitimate interest in longer storage (e.g., in ongoing business relationships).

Registration on this Website

To use certain functions, you can register on our website. The transmitted data is used exclusively for the purpose of using the respective offer or service.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent).

Storage period: The processing of the data entered during registration is based on your consent. A revocation of your already given consent is possible at any time. After revocation of your consent, the data will be deleted, unless there are legal retention obligations.

Hosting & Provisioning of the Website (Vercel)

Our website is hosted by Vercel (Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA). Vercel provides both the hosting environment and serverless/edge functions, CDN, routing and security mechanisms. The primary processing takes place in European regions (including Frankfurt, Stockholm, Paris).

In the course of operation, Vercel automatically processes technical data that is required for the execution of the application, the provision of server-side functions, security and performance optimization, including in particular:

  • The page from which the page was requested (so-called referrer URL)
  • Name and URL of the accessed page
  • Date and time of access
  • Browser type, browser version and browser language
  • IP address of the requesting computer (shortened so that it no longer has a direct personal reference)
  • Amount of data transferred
  • Operating system
  • Message whether the access was successful (access status/HTTP status code)
  • GMT time zone difference

This data is technically necessary to ensure the functionality, security and stability of the application. No profiling or merging with other data takes place.

Technical third-country references: Vercel operates a global edge and CDN network. Therefore, individual technically necessary operations such as:

  • Routing and load balancing,
  • DDoS/attack protection,
  • TLS termination,
  • Edge caching,
  • Logging and monitoring processes

may occur via non-European systems. These processes exclusively concern minimized, encrypted metadata (particularly IP address, User-Agent, HTTP headers). Personal content or functional data is executed exclusively in EU regions.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in operation, security, stability and efficient provision of a server-based web application).

Data processing agreement: Vercel processes personal data exclusively on our behalf and according to documented instructions. Where required, a data processing agreement pursuant to Art. 28 GDPR has been concluded with Vercel.

Data transfers to third countries: Transfers are secured by:

  • the EU-US Data Privacy Framework,
  • as well as supplementary Standard Contractual Clauses (SCC) of the EU Commission.

Transport routes are consistently TLS-encrypted, and the processed technical data is minimized to what is necessary.

Our Configuration & Protective Measures:

  • Execution of all serverless functions exclusively in European regions (europe-*)
  • Caching exclusively of static assets in the CDN (no personal content in the cache)
  • Exclusion of personal data (PII) from query parameters so that no PII enters CDN or edge caching
  • Log processing exclusively in EU regions with short retention period (only technically necessary log data)

Storage period: Vercel typically stores technical logs only for short periods (typically 24 hours to 7 days). They are used exclusively for operation, debugging, security and stability purposes. Longer storage only occurs if there is a legitimate interest, e.g., for investigating security-related incidents.

3. Use of External Services

Appointment Booking (cal.com)

On our website, we offer the possibility to book appointments via the external service cal.com. When you book an appointment, you will be redirected to the cal.com website. You can find cal.com's privacy policy at: https://cal.com/privacy

Legal basis: Art. 6 para. 1 lit. b GDPR (fulfillment of a contract or pre-contractual measures).

Note: We have no influence on data processing by cal.com. Please inform yourself directly with cal.com about their data protection practices.

Alt Text Generation (OpenAI)

Our website uses OpenAI's services (OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA) to automatically generate accessible alternative texts (alt texts) for images through our Alt Text Generator feature. This service helps users improve the accessibility of their own websites and content by providing descriptive texts for images that can be read by screen readers.

Purpose of processing: When you use our Alt Text Generator feature, uploaded images are processed by OpenAI to generate descriptive alt text. The images are transmitted to OpenAI's servers for processing.

Data processed:

  • Image data (in base64 format) that you upload through the Alt Text Generator
  • The generated alt text is returned to you and is not stored by OpenAI for training purposes when using the API

Important: We do not store uploaded images. Images are only processed temporarily to generate the alt text and are not retained on our servers or OpenAI's servers beyond the processing time.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in improving website accessibility and providing accessible content for users with visual impairments).

Data processing agreement: OpenAI processes personal data exclusively on our behalf and according to documented instructions. A data processing agreement pursuant to Art. 28 GDPR has been concluded with OpenAI.

Data transfers to third countries: Data transfers to the United States are secured by:

  • the EU-US Data Privacy Framework (where applicable),
  • as well as supplementary Standard Contractual Clauses (SCC) of the EU Commission.

Storage period: OpenAI does not use data submitted via the API to train or improve their models. According to OpenAI's privacy policy, API data is not used for model training. Images are processed only for the duration necessary to generate the alt text (typically a few seconds) and are not stored.

Your rights: You can use the Alt Text Generator without uploading images containing personal information. We recommend not uploading images with faces or other identifying features. If you do not wish to use this feature, you can simply not use the Alt Text Generator on our website.

Web Analytics (PostHog)

We use PostHog (PostHog, Inc., 2261 Market Street #4961, San Francisco, CA 94114, USA) for web analytics to understand how visitors interact with our website. This helps us improve our services and user experience. PostHog processes information such as page views, navigation patterns, time spent on pages, device and browser information, and user interactions (clicks, form submissions, etc.). IP addresses are anonymized.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent). We only use PostHog analytics with your explicit consent. You can withdraw your consent at any time.

Data processing agreement: PostHog processes personal data exclusively on our behalf and according to documented instructions. Where required, a data processing agreement pursuant to Art. 28 GDPR has been concluded with PostHog.

Data transfers to third countries: Transfers are secured by:

  • the EU-US Data Privacy Framework,
  • as well as supplementary Standard Contractual Clauses (SCC) of the EU Commission.

Transport routes are consistently TLS-encrypted, and the processed data is minimized to what is necessary for analytics purposes.

Our Configuration & Protective Measures:

  • Use of EU server locations (eu.i.posthog.com).
  • IP addresses are anonymized before processing.
  • Processing only of metadata required for analytics.
  • Opt-out of capturing by default - analytics only begin after explicit user consent.
  • User consent preferences are stored locally in the browser.
  • Cookieless mode enabled - PostHog does not store any cookies or other data in your browser. User identification is handled in a privacy-friendly manner on our servers, without storing personal information in your browser.

Storage period: Data is stored according to PostHog's data retention policies. You can find more information in PostHog's privacy policy: https://posthog.com/privacy

Your rights: You can opt out of PostHog analytics at any time by declining cookies in our consent banner or by managing your preferences in our Cookie Settings. When you opt out, PostHog will not collect or process your data for analytics purposes.

Note: For more information about PostHog's data protection practices, please visit: https://posthog.com/privacy