Privacy Policy
Contents
- Controller
- Principles of Data Processing
- Data Collected When You Visit Our Website
- Contact Form and Email Contact
- Cookies and Analytics
- Data of Our Business Clients
- Disclosure to Third Parties
- Transfers to Third Countries
- Retention Periods
- Your Rights as a Data Subject
- Right to Lodge a Complaint
- Data Security
- Updates to This Policy
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) is:
If you have any questions about data protection, please contact us at any time at the address above or by email at hello@stackbox.de.
Please note that the German version of this Privacy Policy is the legally binding version. This English translation is provided for convenience only.
2. Principles of Data Processing
We only process personal data where permitted by law or where you have given your consent. We collect only the data necessary for the respective purpose (data minimisation) and delete it once that purpose no longer applies.
Processing of your data is based on the following legal grounds under the GDPR:
- Art. 6(1)(a) GDPR – Consent (e.g. for analytics cookies)
- Art. 6(1)(b) GDPR – Performance of a contract or pre-contractual measures
- Art. 6(1)(c) GDPR – Compliance with a legal obligation
- Art. 6(1)(f) GDPR – Legitimate interests of Stackbox or third parties
3. Data Collected When You Visit Our Website
When you visit our website, technical access data is automatically stored in server log files. This data includes:
- IP address (anonymised after a short period)
- Date and time of access
- URL accessed and data volume transferred
- Referrer URL (previously visited page)
- Browser type, version, and operating system
Processing is based on Art. 6(1)(f) GDPR. Our legitimate interest lies in the technical provision and security of the website, as well as the detection of and defence against attacks. This data is automatically deleted after a maximum of 14 days and is not combined with other data sources.
4. Contact Form and Email Contact
When you contact us via the contact form or by email, we store the data you provide (name, email address, phone number, message content) in order to process your enquiry.
Processing is based on Art. 6(1)(b) GDPR (pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries).
We do not share this data with third parties without your consent. Data is deleted once your enquiry has been fully resolved and no statutory retention obligation applies.
5. Cookies and Analytics
Technically necessary cookies are used to provide basic website functionality (e.g. storing your cookie preferences). They are required for the website to operate and cannot be disabled. The legal basis is Art. 6(1)(f) GDPR.
Analytics cookies (Amplitude) are only used with your explicit consent pursuant to Art. 6(1)(a) GDPR. Amplitude is an analytics service provided by Amplitude, Inc., 631 Howard St., Suite 100, San Francisco, CA 94105, USA. We use Amplitude to anonymously analyse user behaviour on our website and improve our offering.
Amplitude processes pseudonymous usage and event data. For further information, please refer to Amplitude's Privacy Policy.
You can withdraw your consent to analytics cookies at any time via the Cookie Settings button in the footer of this website.
6. Data of Our Business Clients
In the context of our business relationships, we process personal data of contact persons and employees of our clients and partners. This includes in particular names, professional email addresses, phone numbers, and communication content.
Processing is based on Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in conducting the business relationship).
Where we process personal data as a data processor on behalf of our clients in the course of projects, we conclude a data processing agreement (DPA) pursuant to Art. 28 GDPR.
7. Disclosure to Third Parties
We only disclose personal data to third parties where:
- you have given your explicit consent (Art. 6(1)(a) GDPR),
- disclosure is necessary for the performance of a contract (Art. 6(1)(b) GDPR),
- a legal obligation requires it (Art. 6(1)(c) GDPR), or
- there is a legitimate interest in the disclosure (Art. 6(1)(f) GDPR).
We use external service providers (e.g. for hosting and analytics) who act as data processors under Art. 28 GDPR and are contractually bound to process data only on our instructions.
No data is shared with third parties for advertising purposes.
8. Transfers to Third Countries
Some of the service providers we use (including Amplitude) are based in the United States. Transfers of data to the USA are made on the basis of the EU Commission's Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR or on the basis of the EU–U.S. Data Privacy Framework where the provider is certified.
Please be aware that third countries may have a lower level of data protection than the EU. We take all reasonable measures to ensure an adequate level of protection.
9. Retention Periods
We retain personal data only for as long as necessary for the respective purpose or as required by statutory retention obligations. Specific periods include:
- Server log files: automatic deletion after 14 days
- Contact enquiries: deletion after resolution, no later than 3 years
- Contract data: retention for 10 years under commercial and tax law (§ 257 HGB, § 147 AO)
- Analytics data (Amplitude): deletion per our configuration, typically after 12 months
10. Your Rights as a Data Subject
With regard to your personal data, you have the following rights against Stackbox:
- Access (Art. 15 GDPR): You may request information about the data we hold about you.
- Rectification (Art. 16 GDPR): You may request correction of inaccurate data.
- Erasure (Art. 17 GDPR): You may request deletion of your data where no statutory retention obligation applies.
- Restriction (Art. 18 GDPR): You may request restriction of processing under certain conditions.
- Data portability (Art. 20 GDPR): You may receive your data in a structured, machine-readable format.
- Objection (Art. 21 GDPR): You may object to processing based on legitimate interests.
- Withdrawal of consent (Art. 7(3) GDPR): You may withdraw any consent given at any time with effect for the future.
To exercise these rights, contact us at hello@stackbox.de. We will respond to your request within 30 days.
11. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data. The supervisory authority responsible for Stackbox is:
Supervisory Authority
State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW)
Kavalleriestraße 2–4
40213 Düsseldorf
Germany
www.ldi.nrw.de
12. Data Security
We implement technical and organisational security measures to protect your data against manipulation, loss, destruction, and unauthorised access. Our security measures are continuously updated in line with technological developments.
All data transmission between your browser and our servers is encrypted via HTTPS/TLS.
Despite all security measures, we cannot guarantee absolute security of data transmission over the internet. Please bear this in mind when transmitting sensitive information.
13. Updates to This Policy
This Privacy Policy is current as of March 2026 and may be updated at any time, particularly in response to changes to our website, new services, or changes in the law. The current version is always available at stackbox.de/en/privacy/.
In the event of material changes, we will notify you by email if we hold your contact details.
Data Protection Enquiries
For all questions relating to data protection and the exercise of your rights:
Stackbox GmbH
Rüttenscheider Str. 120
45131 Essen
Germany
hello@stackbox.de
