PRIVACY POLICY

In effect since May 16, 2026

Haro GbR – Daniel Hauck & Kathrin Roth


Table of Contents

  1. Controller
  2. Data Collection When Visiting the Website
  3. Hosting and Data Storage
  4. Transfer of Data to the USA
  5. Cookies
  6. User Account
  7. Support Access to Customer Accounts
  8. AI Interfaces and Third-Party AI Services
  9. Payment Processing – Stripe
  10. Newsletter and Email Marketing
  11. Web Analytics – Matomo
  12. Instagram / Social Media
  13. Webinar Registration
  14. Webinar Delivery
  15. Platform Features and Security
  16. Tools and Miscellaneous
  17. Use for Direct Marketing
  18. Rights of Data Subjects
  19. Retention Periods for Personal Data
  20. Data Security
  21. Currency of this Privacy Policy


1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the Member States, as well as other data protection provisions, is:


Haro GbR

Daniel Hauck & Kathrin Roth

Friedhofstr. 21

71577 Großerlach

Germany

Email: [email protected]


A data protection officer has not been appointed, as the statutory requirements for such appointment are not met. For data protection enquiries, please contact the email address stated above.


2. Data Collection When Visiting the Website

2.1 Server Log Files

When you access our website, our server automatically collects information transmitted by your browser. These so-called server log files contain:

  • Accessed page (URL)
  • Date and time of access
  • Volume of data transferred
  • Source/referrer from which you reached the page
  • Browser and operating system used
  • IP address (anonymized where applicable)

Processing is carried out pursuant to Art. 6(1)(f) GDPR on the basis of our legitimate interest in ensuring the stability and security of our website. The data is not disclosed or used for any other purpose. We reserve the right, however, to review server log files retrospectively if there are specific indications of unlawful use. The data is automatically deleted after 30 days.

2.2 SSL/TLS Encryption

Data transmission on our website is secured using current SSL/TLS technology in order to protect your data against unauthorized access. An encrypted connection can be identified by the “https://” prefix in your browser’s address bar.


3. Hosting and Data Storage

3.1 Hetzner Online GmbH

Our platform is hosted on servers operated by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (www.hetzner.com). All data we collect is stored and processed on these servers within the European Union.

We have entered into a Data Processing Agreement (DPA) with Hetzner in accordance with Art. 28 GDPR, which ensures the protection of data belonging to visitors to our website and prohibits unauthorized disclosure to third parties.

3.2 Processing in the Context of SaaS Use

When using our SaaS platform, the data you enter is processed on our platform. This includes:

  • Storage of branding data and templates
  • Management of user accounts and access credentials
  • Processing and temporary storage of generated content (e.g. social media posts, presentations)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).


4. Transfer of Data to the USA

Some of the services we use are based in the USA or transfer data to servers in the USA. These providers are covered by the EU–US Data Privacy Framework (DPF). This framework ensures compliance with European data protection standards on the basis of an adequacy decision by the European Commission.

Participating companies undertake to comply with strict EU data protection requirements. An up-to-date list of certified providers and further information on the EU–US Data Privacy Framework can be found on the website of the European Commission.

The transfer of personal data to these providers is carried out on the basis of Art. 45 GDPR. Where individual providers additionally use Standard Contractual Clauses, such transfers are based on Art. 46 GDPR. Details can be found in the descriptions of the respective providers within this Privacy Policy.


5. Cookies

Our website uses only technically necessary cookies, which do not store personal data and do not require consent.

Technically necessary cookies:

  • Session cookies: expire at the end of the session
  • Security cookies: protection against unauthorized access

No cookie banner is required, as no consent obligation exists.


6. User Account

6.1 User Account

Pursuant to Art. 6(1)(b) GDPR, personal data is collected and processed to the extent necessary when you provide it to us during registration of a user account. The mandatory information required for account registration is indicated on the respective input form on our website.

The data collected includes in particular:

  • Name and email address
  • Company name (for B2B customers)
  • Access credentials (password, stored in encrypted form)
  • Billing and contract data

You may request the deletion of your user account at any time by contacting the controller at the address stated above. Following deletion of your user account, your data will be deleted provided that all contracts concluded through the account have been fully processed, no statutory retention obligations apply, and there is no legitimate interest in continued storage.

6.2 Google Sign-In

For registration, we optionally offer sign-up via Google Sign-In, a service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. If you use Google Sign-In, Google will share general profile information (user ID, name, email address) with us upon your express consent, which we use to set up your user account. Legal basis: Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time with effect for the future. Data transfers to the USA are based on the EU–US Data Privacy Framework (see § 4). Further information: https://policies.google.com/privacy


7. Support Access to Customer Accounts

In order to assist you with support requests, error analysis, or technical issues, it may be necessary for authorized employees of Haro GbR to temporarily access your customer account. Any such access is carried out exclusively for the purpose of resolving technical problems and improving service quality.

This access is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR in efficient troubleshooting and customer support. In cases where access is required for the performance of a contract, processing is additionally carried out pursuant to Art. 6(1)(b) GDPR.

Access is strictly limited to authorized employees and is logged. No unauthorized use or disclosure of data takes place. Objecting to this access may result in limitations in the handling of your support requests.


8. AI Interfaces and Third-Party AI Services

Our platform provides a Model Context Protocol (MCP) interface through which users may independently connect external AI services of their choice (e.g. Anthropic Claude, OpenAI GPT, or other MCP-compatible services).


API Key and mcp.json: To establish the connection between the platform and the chosen AI tool, users may generate an API key within their account. The API key is displayed once in plain text and must be stored securely by the user – it cannot be viewed again through the platform after the initial display. If lost, a new API key may be generated at any time; the previous key must be deleted by the user. Haro GbR stores the API key in encrypted form on the server, exclusively for the purpose of authenticating incoming requests. The platform also provides a ready-made configuration file (mcp.json) that the user inserts into their AI tool to establish the connection. Haro GbR does not store any API keys belonging to third-party providers. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).


Important information regarding data processing when using external AI services:

  • The integration of an external AI service is carried out exclusively by the user. Haro GbR provides the technical interface but assumes no data protection responsibility for the data processing carried out by the chosen AI provider.
  • When using external AI services, data (e.g. input texts, branding information) is transmitted directly to the chosen AI provider. The respective privacy policies of the provider apply.
  • Users are solely responsible for verifying, prior to connecting an AI service, whether its data protection practices are compatible with their own data protection obligations – in particular with regard to the processing of third-party data (e.g. customer data) and any data processing agreements required with the AI provider.
  • Many AI providers are based outside the EU. Users are solely responsible for assessing the lawfulness of any such third-country transfer in accordance with Art. 44 et seq. GDPR.

Legal basis for providing the MCP interface: Art. 6(1)(b) GDPR (performance of a contract).


9. Payment Processing – Stripe

9.1 Stripe as Payment Service Provider

We use Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, for payment processing.

Stripe offers various online payment methods (e.g. credit card, SEPA direct debit). All payment transactions are processed exclusively via Stripe. Haro GbR does not store complete payment data. Further information on data protection at Stripe can be found at: https://stripe.com/privacy

9.2 Technical Stripe Account Creation Upon Registration

When a user account is registered, a technical Stripe account is automatically created in the background in order to prepare for future payment processing and to ensure smooth contract management. In this context, personal data such as your email address, user ID, and IP address may be transmitted to Stripe.

This processing is based on:

  • Art. 6(1)(b) GDPR (pre-contractual measures)
  • Our legitimate interest in an automated, user-friendly payment infrastructure pursuant to Art. 6(1)(f) GDPR

This technical setup does not create any payment obligation. The Stripe account remains inactive until the user actively selects a paid plan.

9.3 Data Transfer During the Payment Process

When you select a paid payment method, the payment data you provide (name, address, card details, transaction number, etc.) along with your order information is transmitted to Stripe pursuant to Art. 6(1)(b) GDPR.

Stripe is certified under the EU–US Data Privacy Framework (see § 4). A Data Processing Agreement (DPA) in accordance with Art. 28 GDPR has been concluded with Stripe.


10. Newsletter and Email Marketing

10.1 Newsletter Distribution

If you subscribe to our newsletter, we will send you regular information about our offerings. The mandatory information required for the newsletter is your email address. The provision of further data is voluntary and is used for personalized communication.

We use a double opt-in procedure: you will only receive the newsletter after you have expressly confirmed your consent by clicking on a confirmation link in a confirmation email. Legal basis: Art. 6(1)(a) GDPR.

You may unsubscribe from the newsletter at any time – via the unsubscribe link in each newsletter email or by notifying us informally. Your consent may be withdrawn at any time with effect for the future.

10.2 Newsletter Tool

For sending our newsletter, we use Brevo (formerly Sendinblue), a service of Sendinblue SAS, 106 Boulevard Haussmann, 75008 Paris, France. Brevo processes your email address and name for the purpose of sending the newsletter on servers within the EU. A Data Processing Agreement in accordance with Art. 28 GDPR has been concluded with Brevo. Further information: https://www.brevo.com/legal/privacypolicy/

10.3 Marketing to Existing Customers

If you have provided us with your email address in connection with the purchase of services, we reserve the right to send you regular offers for similar services from our portfolio by email. Legal basis: Art. 6(1)(f) GDPR in conjunction with Section 7(3) of the German Act Against Unfair Competition (UWG). You may object to the use of your email address for marketing purposes at any time with effect for the future – via the unsubscribe link in each email or by notifying us.


11. Web Analytics – Matomo

We use the open-source software Matomo on this website for the anonymized analysis of visitor behaviour. It is installed locally on our own servers at Hetzner Online GmbH within the European Union. No data is transmitted to third parties.

Matomo is configured such that:

  • no cookies are set,
  • IP addresses are fully anonymized before storage (the last two octets are deleted),
  • no personal data is transferred to third parties,
  • only aggregated, non-personal usage statistics are recorded.

Due to this privacy-friendly configuration, Matomo is permissible without consent. Processing is carried out on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR in the statistical analysis of website usage in order to improve our offering. As no cookies are used and no data is transmitted to third parties, no cookie banner is required. Further information on Matomo and data protection can be found at: https://matomo.org/privacy

You may object to the anonymized recording of your page visits at any time using the opt-out function at the bottom of this page.


12. Instagram / Social Media

We operate a company profile on the Instagram platform (Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland). When you visit our Instagram page, Meta collects and processes personal data. Haro GbR has no influence over the nature and extent of this data processing by Meta.

We use Instagram exclusively for corporate communication and to announce our offerings (e.g. webinars, product updates). We only process personal data ourselves when users actively contact us (e.g. via direct messages).

In the context of using Instagram Insights, we are jointly responsible with Meta pursuant to Art. 26 GDPR. Meta provides an additional agreement for this purpose (Page Controller Addendum), which we have accepted.

Legal basis for our use of Instagram: Art. 6(1)(f) GDPR (legitimate interest in corporate communication and marketing).

Further information on data processing by Meta can be found at: https://privacycenter.instagram.com/policy


13. Webinar Registration

We regularly offer free webinars, which you can register for via a landing page. The following data is collected during registration:

  • First name, last name
  • Email address
  • Timestamp of registration and consent

Registration is completed using a double opt-in procedure: after submitting the form, you will receive a confirmation email containing a confirmation link. Your registration is only activated after you click on this link. We record the time of consent and the IP address used as proof of consent.

The purpose of processing is to conduct the booked webinar and to send reminder and follow-up emails in connection with the webinar.

Legal basis: Art. 6(1)(a) GDPR (consent).

Separate consent to receive the newsletter is only obtained if you expressly and separately agree to this. Consent to participate in the webinar does not automatically entitle us to contact you further for marketing purposes.

You may withdraw your consent at any time with effect for the future – via the unsubscribe link in each email or by notifying us informally. After the webinar, your data will be deleted unless you have given further consent (e.g. to the newsletter). Statutory retention obligations remain unaffected.

For email distribution, we use Brevo (Sendinblue SAS, 106 Boulevard Haussmann, 75008 Paris, France). Brevo processes your email address and name solely for the purpose of sending webinar-related emails (registration confirmation, reminder, follow-up email) on servers within the EU. A Data Processing Agreement in accordance with Art. 28 GDPR has been concluded with Brevo. Further information: https://www.brevo.com/legal/privacypolicy/


14. Webinar Delivery

For the delivery of our webinars, we use Zoom and Google Meet.


Zoom: The provider is Zoom Video Communications, Inc., 55 Almaden Blvd, Suite 600, San Jose, CA 95113, USA. When participating in a webinar via Zoom, personal data is processed, including name, email address, IP address, device information, and where applicable, video and audio data. Zoom is certified under the EU–US Data Privacy Framework (Art. 45 GDPR). A Data Processing Agreement in accordance with Art. 28 GDPR has been concluded with Zoom. Further information: https://explore.zoom.us/privacy


Google Meet: The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When participating, personal data is processed, including name, email address, IP address, and where applicable, video and audio data. Google Ireland is certified under the EU–US Data Privacy Framework (Art. 45 GDPR). A Data Processing Agreement in accordance with Art. 28 GDPR has been concluded with Google. Further information: https://policies.google.com/privacy


Legal basis for processing in the context of webinar delivery: Art. 6(1)(b) GDPR (performance of a contract / pre-contractual measures).


Recording: Our webinars are recorded. Participants are automatically informed by the respective provider of the ongoing recording upon entering the webinar room. We additionally notify participants of the recording in the invitation email in advance. The recording is used exclusively for internal purposes and for optional provision to individual participants upon request. It is not automatically sent to all participants, and the complete recording is not published publicly. Recordings are deleted once the purpose for storage no longer applies and no statutory retention obligations prevent deletion. Where recordings are used to create short videos for social media purposes, this constitutes an independent processing purpose pursuant to Art. 6(1)(f) GDPR (legitimate interest in corporate marketing). Participants may deactivate their camera and microphone at any time and thereby participate in the recording without being personally identifiable.


Short videos on social media: Excerpts from webinars in which only Haro GbR employees and presentation content are visible and audible may be published for marketing purposes on social media channels (in particular Instagram). Personal data of participants – in particular images, voices, names, or chat contributions – are neither processed nor published in this context. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in corporate marketing).


15. Platform Features and Security

15.1 Cloudflare Turnstile

To protect our platform against automated access (bots), we use Cloudflare Turnstile, a service provided by Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. Cloudflare Turnstile processes technical data such as IP address and browser information to distinguish between human and automated access. As this constitutes a security-relevant measure, Cloudflare Turnstile is technically necessary for the operation of the platform and cannot be deactivated via a cookie banner. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protecting the platform). Data transfers to the USA are based on the EU–US Data Privacy Framework (see § 4).


16. Tools and Miscellaneous

16.1 Lexware

For accounting purposes, we use the cloud-based accounting software Lexware Office, a service provided by Haufe-Lexware GmbH & Co. KG, Munzinger Straße 9, 79111 Freiburg, Germany. The provider processes incoming and outgoing invoices as well as, where applicable, bank transactions of our company for the purpose of generating accounting records. To the extent that personal data (e.g. names and addresses on invoices) is processed in this context, such processing is carried out on the basis of our legitimate interest in efficient accounting pursuant to Art. 6(1)(f) GDPR. A Data Processing Agreement in accordance with Art. 28 GDPR has been concluded with Haufe-Lexware.

16.2 Sentry

For the automatic transmission of error reports in the event of technical issues, we use Sentry, a service provided by Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA. In the event of malfunctions, Sentry automatically sends error reports which may contain technical information such as IP address, browser used, timestamp, and URLs accessed. In individual cases, these reports may also contain personal customer data if the error occurs in connection with the processing of customer data. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in efficient error analysis to improve platform reliability). Data transfers to the USA are based on the EU–US Data Privacy Framework (see § 4).


17. Use for Direct Marketing – Right to Object

To the extent that we process personal data for the purposes of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for those purposes.


18. Rights of Data Subjects

You have the following rights with regard to your personal data:

  • Right of access (Art. 15 GDPR): You may request information about the data we process about you.
  • Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR): You may, under certain conditions, request the deletion of your data.
  • Right to restriction of processing (Art. 18 GDPR): You may request that processing be restricted.
  • Right to notification (Art. 19 GDPR): You have the right to be informed about rectifications, erasures, or restrictions.
  • Right to data portability (Art. 20 GDPR): You may receive your data in a structured, machine-readable format.
  • Right to withdraw consent (Art. 7(3) GDPR): Any consent given may be withdrawn at any time with effect for the future.
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): You may lodge a complaint with the competent supervisory authority.

To exercise your rights, please contact: [email protected]


RIGHT TO OBJECT


IF WE PROCESS YOUR PERSONAL DATA ON THE BASIS OF A BALANCING OF INTERESTS, PURSUANT TO OUR OVERRIDING LEGITIMATE INTEREST, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU, WITH EFFECT FOR THE FUTURE.


IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL CEASE PROCESSING THE DATA IN QUESTION. HOWEVER, CONTINUED PROCESSING REMAINS PERMISSIBLE IF WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS, OR IF THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE, OR DEFENCE OF LEGAL CLAIMS.


IF YOUR PERSONAL DATA IS PROCESSED BY US FOR THE PURPOSES OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSES OF SUCH MARKETING. YOU MAY EXERCISE YOUR RIGHT TO OBJECT AS DESCRIBED ABOVE.


IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL CEASE PROCESSING THE DATA IN QUESTION FOR DIRECT MARKETING PURPOSES.


19. Retention Periods for Personal Data

Retention periods are determined by the relevant legal basis, the purpose of processing, and applicable statutory retention obligations. In particular:

  • Server log files: 30 days, then automatically deleted.
  • Customer data: Following termination of a contract, customer data is deleted within 90 days, unless statutory or contractual retention obligations apply.
  • Billing and contract data: Retained in accordance with commercial and tax law retention periods, generally 10 years (Sections 238, 257 of the German Commercial Code (HGB); Section 147 of the German Fiscal Code (AO)).
  • Newsletter data: Until withdrawal of your consent.
  • Consent-based data (Art. 6(1)(a) GDPR): Until withdrawal of your consent.
  • Data processed on the basis of legitimate interests (Art. 6(1)(f) GDPR): Until exercise of your right to object pursuant to Art. 21 GDPR, unless compelling grounds exist to the contrary.

After expiry of the relevant period, the data is deleted or anonymized, unless another legal basis requires continued storage.


20. Data Security

We implement technical and organizational security measures to protect your data against accidental or intentional manipulation, loss, destruction, or unauthorized access. Our security measures are continuously updated in line with technological developments. Data transmission between your browser and our platform is encrypted via HTTPS/TLS.


21. Currency of this Privacy Policy

This Privacy Policy is currently valid and was last updated on 16 May 2026.

As our platform develops further, or as a result of changes in statutory or regulatory requirements, it may be necessary to update this Privacy Policy. The most current version of this Privacy Policy is available on our website. We recommend that you check it regularly.



Opt out of analytics tracking

You have the option to prevent the actions you take here from being analyzed and linked. This will protect your privacy, but will also prevent the owner from learning from your actions and creating a better experience for you and other users.

Analytics Opt-Out