In effect since May 16, 2026
Haro GbR – Daniel Hauck & Kathrin Roth
Table of Contents
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the Member States, as well as other data protection provisions, is:
Haro GbR
Daniel Hauck & Kathrin Roth
Friedhofstr. 21
71577 Großerlach
Germany
Email: [email protected]
A data protection officer has not been appointed, as the statutory requirements for such appointment are not met. For data protection enquiries, please contact the email address stated above.
2.1 Server Log Files
When you access our website, our server automatically collects information transmitted by your browser. These so-called server log files contain:
Processing is carried out pursuant to Art. 6(1)(f) GDPR on the basis of our legitimate interest in ensuring the stability and security of our website. The data is not disclosed or used for any other purpose. We reserve the right, however, to review server log files retrospectively if there are specific indications of unlawful use. The data is automatically deleted after 30 days.
2.2 SSL/TLS Encryption
Data transmission on our website is secured using current SSL/TLS technology in order to protect your data against unauthorized access. An encrypted connection can be identified by the “https://” prefix in your browser’s address bar.
3.1 Hetzner Online GmbH
Our platform is hosted on servers operated by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (www.hetzner.com). All data we collect is stored and processed on these servers within the European Union.
We have entered into a Data Processing Agreement (DPA) with Hetzner in accordance with Art. 28 GDPR, which ensures the protection of data belonging to visitors to our website and prohibits unauthorized disclosure to third parties.
3.2 Processing in the Context of SaaS Use
When using our SaaS platform, the data you enter is processed on our platform. This includes:
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Some of the services we use are based in the USA or transfer data to servers in the USA. These providers are covered by the EU–US Data Privacy Framework (DPF). This framework ensures compliance with European data protection standards on the basis of an adequacy decision by the European Commission.
Participating companies undertake to comply with strict EU data protection requirements. An up-to-date list of certified providers and further information on the EU–US Data Privacy Framework can be found on the website of the European Commission.
The transfer of personal data to these providers is carried out on the basis of Art. 45 GDPR. Where individual providers additionally use Standard Contractual Clauses, such transfers are based on Art. 46 GDPR. Details can be found in the descriptions of the respective providers within this Privacy Policy.
Our website uses only technically necessary cookies, which do not store personal data and do not require consent.
Technically necessary cookies:
No cookie banner is required, as no consent obligation exists.
6.1 User Account
Pursuant to Art. 6(1)(b) GDPR, personal data is collected and processed to the extent necessary when you provide it to us during registration of a user account. The mandatory information required for account registration is indicated on the respective input form on our website.
The data collected includes in particular:
You may request the deletion of your user account at any time by contacting the controller at the address stated above. Following deletion of your user account, your data will be deleted provided that all contracts concluded through the account have been fully processed, no statutory retention obligations apply, and there is no legitimate interest in continued storage.
6.2 Google Sign-In
For registration, we optionally offer sign-up via Google Sign-In, a service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. If you use Google Sign-In, Google will share general profile information (user ID, name, email address) with us upon your express consent, which we use to set up your user account. Legal basis: Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time with effect for the future. Data transfers to the USA are based on the EU–US Data Privacy Framework (see § 4). Further information: https://policies.google.com/privacy
In order to assist you with support requests, error analysis, or technical issues, it may be necessary for authorized employees of Haro GbR to temporarily access your customer account. Any such access is carried out exclusively for the purpose of resolving technical problems and improving service quality.
This access is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR in efficient troubleshooting and customer support. In cases where access is required for the performance of a contract, processing is additionally carried out pursuant to Art. 6(1)(b) GDPR.
Access is strictly limited to authorized employees and is logged. No unauthorized use or disclosure of data takes place. Objecting to this access may result in limitations in the handling of your support requests.
Our platform provides a Model Context Protocol (MCP) interface through which users may independently connect external AI services of their choice (e.g. Anthropic Claude, OpenAI GPT, or other MCP-compatible services).
API Key and mcp.json: To establish the connection between the platform and the chosen AI tool, users may generate an API key within their account. The API key is displayed once in plain text and must be stored securely by the user – it cannot be viewed again through the platform after the initial display. If lost, a new API key may be generated at any time; the previous key must be deleted by the user. Haro GbR stores the API key in encrypted form on the server, exclusively for the purpose of authenticating incoming requests. The platform also provides a ready-made configuration file (mcp.json) that the user inserts into their AI tool to establish the connection. Haro GbR does not store any API keys belonging to third-party providers. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Important information regarding data processing when using external AI services:
Legal basis for providing the MCP interface: Art. 6(1)(b) GDPR (performance of a contract).
9.1 Stripe as Payment Service Provider
We use Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, for payment processing.
Stripe offers various online payment methods (e.g. credit card, SEPA direct debit). All payment transactions are processed exclusively via Stripe. Haro GbR does not store complete payment data. Further information on data protection at Stripe can be found at: https://stripe.com/privacy
9.2 Technical Stripe Account Creation Upon Registration
When a user account is registered, a technical Stripe account is automatically created in the background in order to prepare for future payment processing and to ensure smooth contract management. In this context, personal data such as your email address, user ID, and IP address may be transmitted to Stripe.
This processing is based on:
This technical setup does not create any payment obligation. The Stripe account remains inactive until the user actively selects a paid plan.
9.3 Data Transfer During the Payment Process
When you select a paid payment method, the payment data you provide (name, address, card details, transaction number, etc.) along with your order information is transmitted to Stripe pursuant to Art. 6(1)(b) GDPR.
Stripe is certified under the EU–US Data Privacy Framework (see § 4). A Data Processing Agreement (DPA) in accordance with Art. 28 GDPR has been concluded with Stripe.
10.1 Newsletter Distribution
If you subscribe to our newsletter, we will send you regular information about our offerings. The mandatory information required for the newsletter is your email address. The provision of further data is voluntary and is used for personalized communication.
We use a double opt-in procedure: you will only receive the newsletter after you have expressly confirmed your consent by clicking on a confirmation link in a confirmation email. Legal basis: Art. 6(1)(a) GDPR.
You may unsubscribe from the newsletter at any time – via the unsubscribe link in each newsletter email or by notifying us informally. Your consent may be withdrawn at any time with effect for the future.
10.2 Newsletter Tool
For sending our newsletter, we use Brevo (formerly Sendinblue), a service of Sendinblue SAS, 106 Boulevard Haussmann, 75008 Paris, France. Brevo processes your email address and name for the purpose of sending the newsletter on servers within the EU. A Data Processing Agreement in accordance with Art. 28 GDPR has been concluded with Brevo. Further information: https://www.brevo.com/legal/privacypolicy/
10.3 Marketing to Existing Customers
If you have provided us with your email address in connection with the purchase of services, we reserve the right to send you regular offers for similar services from our portfolio by email. Legal basis: Art. 6(1)(f) GDPR in conjunction with Section 7(3) of the German Act Against Unfair Competition (UWG). You may object to the use of your email address for marketing purposes at any time with effect for the future – via the unsubscribe link in each email or by notifying us.
We use the open-source software Matomo on this website for the anonymized analysis of visitor behaviour. It is installed locally on our own servers at Hetzner Online GmbH within the European Union. No data is transmitted to third parties.
Matomo is configured such that:
Due to this privacy-friendly configuration, Matomo is permissible without consent. Processing is carried out on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR in the statistical analysis of website usage in order to improve our offering. As no cookies are used and no data is transmitted to third parties, no cookie banner is required. Further information on Matomo and data protection can be found at: https://matomo.org/privacy
You may object to the anonymized recording of your page visits at any time using the opt-out function at the bottom of this page.
We operate a company profile on the Instagram platform (Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland). When you visit our Instagram page, Meta collects and processes personal data. Haro GbR has no influence over the nature and extent of this data processing by Meta.
We use Instagram exclusively for corporate communication and to announce our offerings (e.g. webinars, product updates). We only process personal data ourselves when users actively contact us (e.g. via direct messages).
In the context of using Instagram Insights, we are jointly responsible with Meta pursuant to Art. 26 GDPR. Meta provides an additional agreement for this purpose (Page Controller Addendum), which we have accepted.
Legal basis for our use of Instagram: Art. 6(1)(f) GDPR (legitimate interest in corporate communication and marketing).
Further information on data processing by Meta can be found at: https://privacycenter.instagram.com/policy
We regularly offer free webinars, which you can register for via a landing page. The following data is collected during registration:
Registration is completed using a double opt-in procedure: after submitting the form, you will receive a confirmation email containing a confirmation link. Your registration is only activated after you click on this link. We record the time of consent and the IP address used as proof of consent.
The purpose of processing is to conduct the booked webinar and to send reminder and follow-up emails in connection with the webinar.
Legal basis: Art. 6(1)(a) GDPR (consent).
Separate consent to receive the newsletter is only obtained if you expressly and separately agree to this. Consent to participate in the webinar does not automatically entitle us to contact you further for marketing purposes.
You may withdraw your consent at any time with effect for the future – via the unsubscribe link in each email or by notifying us informally. After the webinar, your data will be deleted unless you have given further consent (e.g. to the newsletter). Statutory retention obligations remain unaffected.
For email distribution, we use Brevo (Sendinblue SAS, 106 Boulevard Haussmann, 75008 Paris, France). Brevo processes your email address and name solely for the purpose of sending webinar-related emails (registration confirmation, reminder, follow-up email) on servers within the EU. A Data Processing Agreement in accordance with Art. 28 GDPR has been concluded with Brevo. Further information: https://www.brevo.com/legal/privacypolicy/
For the delivery of our webinars, we use Zoom and Google Meet.
Zoom: The provider is Zoom Video Communications, Inc., 55 Almaden Blvd, Suite 600, San Jose, CA 95113, USA. When participating in a webinar via Zoom, personal data is processed, including name, email address, IP address, device information, and where applicable, video and audio data. Zoom is certified under the EU–US Data Privacy Framework (Art. 45 GDPR). A Data Processing Agreement in accordance with Art. 28 GDPR has been concluded with Zoom. Further information: https://explore.zoom.us/privacy
Google Meet: The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When participating, personal data is processed, including name, email address, IP address, and where applicable, video and audio data. Google Ireland is certified under the EU–US Data Privacy Framework (Art. 45 GDPR). A Data Processing Agreement in accordance with Art. 28 GDPR has been concluded with Google. Further information: https://policies.google.com/privacy
Legal basis for processing in the context of webinar delivery: Art. 6(1)(b) GDPR (performance of a contract / pre-contractual measures).
Recording: Our webinars are recorded. Participants are automatically informed by the respective provider of the ongoing recording upon entering the webinar room. We additionally notify participants of the recording in the invitation email in advance. The recording is used exclusively for internal purposes and for optional provision to individual participants upon request. It is not automatically sent to all participants, and the complete recording is not published publicly. Recordings are deleted once the purpose for storage no longer applies and no statutory retention obligations prevent deletion. Where recordings are used to create short videos for social media purposes, this constitutes an independent processing purpose pursuant to Art. 6(1)(f) GDPR (legitimate interest in corporate marketing). Participants may deactivate their camera and microphone at any time and thereby participate in the recording without being personally identifiable.
Short videos on social media: Excerpts from webinars in which only Haro GbR employees and presentation content are visible and audible may be published for marketing purposes on social media channels (in particular Instagram). Personal data of participants – in particular images, voices, names, or chat contributions – are neither processed nor published in this context. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in corporate marketing).
15.1 Cloudflare Turnstile
To protect our platform against automated access (bots), we use Cloudflare Turnstile, a service provided by Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. Cloudflare Turnstile processes technical data such as IP address and browser information to distinguish between human and automated access. As this constitutes a security-relevant measure, Cloudflare Turnstile is technically necessary for the operation of the platform and cannot be deactivated via a cookie banner. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protecting the platform). Data transfers to the USA are based on the EU–US Data Privacy Framework (see § 4).
16.1 Lexware
For accounting purposes, we use the cloud-based accounting software Lexware Office, a service provided by Haufe-Lexware GmbH & Co. KG, Munzinger Straße 9, 79111 Freiburg, Germany. The provider processes incoming and outgoing invoices as well as, where applicable, bank transactions of our company for the purpose of generating accounting records. To the extent that personal data (e.g. names and addresses on invoices) is processed in this context, such processing is carried out on the basis of our legitimate interest in efficient accounting pursuant to Art. 6(1)(f) GDPR. A Data Processing Agreement in accordance with Art. 28 GDPR has been concluded with Haufe-Lexware.
16.2 Sentry
For the automatic transmission of error reports in the event of technical issues, we use Sentry, a service provided by Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA. In the event of malfunctions, Sentry automatically sends error reports which may contain technical information such as IP address, browser used, timestamp, and URLs accessed. In individual cases, these reports may also contain personal customer data if the error occurs in connection with the processing of customer data. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in efficient error analysis to improve platform reliability). Data transfers to the USA are based on the EU–US Data Privacy Framework (see § 4).
To the extent that we process personal data for the purposes of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for those purposes.
You have the following rights with regard to your personal data:
To exercise your rights, please contact: [email protected]
RIGHT TO OBJECT
IF WE PROCESS YOUR PERSONAL DATA ON THE BASIS OF A BALANCING OF INTERESTS, PURSUANT TO OUR OVERRIDING LEGITIMATE INTEREST, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU, WITH EFFECT FOR THE FUTURE.
IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL CEASE PROCESSING THE DATA IN QUESTION. HOWEVER, CONTINUED PROCESSING REMAINS PERMISSIBLE IF WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS, OR IF THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE, OR DEFENCE OF LEGAL CLAIMS.
IF YOUR PERSONAL DATA IS PROCESSED BY US FOR THE PURPOSES OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSES OF SUCH MARKETING. YOU MAY EXERCISE YOUR RIGHT TO OBJECT AS DESCRIBED ABOVE.
IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL CEASE PROCESSING THE DATA IN QUESTION FOR DIRECT MARKETING PURPOSES.
Retention periods are determined by the relevant legal basis, the purpose of processing, and applicable statutory retention obligations. In particular:
After expiry of the relevant period, the data is deleted or anonymized, unless another legal basis requires continued storage.
We implement technical and organizational security measures to protect your data against accidental or intentional manipulation, loss, destruction, or unauthorized access. Our security measures are continuously updated in line with technological developments. Data transmission between your browser and our platform is encrypted via HTTPS/TLS.
This Privacy Policy is currently valid and was last updated on 16 May 2026.
As our platform develops further, or as a result of changes in statutory or regulatory requirements, it may be necessary to update this Privacy Policy. The most current version of this Privacy Policy is available on our website. We recommend that you check it regularly.
You have the option to prevent the actions you take here from being analyzed and linked. This will protect your privacy, but will also prevent the owner from learning from your actions and creating a better experience for you and other users.