Privacy Notice

1. Name and Address of the Data Controller

The controller under the General Data Protection Regulation (GDPR) and the German Federal Data Protection Law (BDSG) is:

Postera Capital GmbH
Wilhelm-Tell-Str. 26
40219 Düsseldorf
Germany
Email: info(at)postera.io

2. Processing Purposes and Legal Basis

a) Server Log Files

When you visit our website, we automatically collect general data including browser type and version, operating system, referrer URL, pages accessed, date and time of access, and your IP address. This data is processed on the basis of Article 6(1)(f) GDPR based on our legitimate interests in ensuring website functionality and cybersecurity. Server log files are deleted no later than 14 days after collection unless legal obligations require longer retention.

b) Contact via Email

Personal data submitted through contact forms or email is stored for the purpose of processing your request. Processing occurs under Article 6(1)(f) GDPR. Data is deleted within six months unless legal justification or retention requirements exist.

c) User Accounts

When you register for an account, we collect your email address and a hashed version of your password. This data is processed under Article 6(1)(b) GDPR for the performance of a contract. Account data is retained for the duration of your account and deleted upon account deletion.

d) Payment Processing

Paid subscriptions are processed through Paddle.com Market Ltd, which acts as our Merchant of Record. We do not store your payment card details. Paddle processes your payment data as an independent controller under its own privacy policy. We store only your Paddle customer ID and subscription status under Article 6(1)(b) GDPR.

e) Cookies

This website uses only technically necessary cookies and local storage for authentication tokens. We do not use tracking cookies.

f) Web Analytics (Plausible)

We use Plausible Analytics, a privacy-focused web analytics service provided by Plausible Insights OÜ (Estonia). Plausible does not use cookies, does not collect personal data, and does not track users across websites. All data is aggregated and no individual visitors can be identified. Processing occurs under Article 6(1)(f) GDPR based on our legitimate interest in understanding website usage. For more information, see plausible.io/data-policy.

g) Content Delivery Network (Cloudflare)

Our website is served through the content delivery network and reverse proxy of Cloudflare, Inc. (USA). When you access our website, your connection is routed through Cloudflare servers, which may process your IP address, HTTP request headers, and connection metadata for the purposes of delivering content, protecting against attacks (DDoS mitigation), and ensuring website availability. Cloudflare may set technically necessary cookies for security purposes (e.g., bot detection). Processing occurs under Article 6(1)(f) GDPR based on our legitimate interest in website security and performance. Data transfers to the USA are covered by Cloudflare's Data Processing Addendum and Standard Contractual Clauses pursuant to Article 46 GDPR.

h) Bot Protection (Cloudflare Turnstile)

We use Cloudflare Turnstile, a CAPTCHA alternative provided by Cloudflare, Inc. (USA), to protect registration and authentication forms from automated abuse. Turnstile may process browser characteristics, interaction data, and your IP address to distinguish legitimate users from bots. No tracking cookies are set. Processing occurs under Article 6(1)(f) GDPR based on our legitimate interest in preventing abuse and ensuring service integrity.

i) Customer Support (Freshdesk)

We use Freshdesk, a customer support platform provided by Freshworks, Inc. (USA), to manage support tickets. When you create a support ticket, your email address, name (if provided), and the content of your messages are transmitted to and stored by Freshdesk. Processing occurs under Article 6(1)(b) GDPR for the performance of a contract and Article 6(1)(f) GDPR based on our legitimate interest in providing customer support. Data transfers to the USA are subject to appropriate safeguards pursuant to Article 46 GDPR.

3. Data Transfer

Your data may be transferred to the following third-party processors:

  • Paddle.com Market Ltd (UK) — payment processing and Merchant of Record.
  • Resend, Inc. (USA) — transactional emails (password resets, verification). Appropriate safeguards are in place pursuant to Article 46 GDPR.
  • Plausible Insights OÜ (Estonia) — privacy-focused web analytics. No personal data is collected.
  • Cloudflare, Inc. (USA) — content delivery network, DDoS protection, and bot protection (Turnstile). Appropriate safeguards are in place pursuant to Article 46 GDPR.
  • Freshworks, Inc. (USA) — customer support ticket management (Freshdesk). Appropriate safeguards are in place pursuant to Article 46 GDPR.

4. Automated Decision-Making

We do not employ automated decision-making or profiling as defined under Article 22 GDPR.

5. Your Rights

Under the GDPR, you have the right to:

  • Obtain confirmation of and access to your personal data (Article 15 GDPR)
  • Rectify inaccurate data (Article 16 GDPR)
  • Obtain erasure of your data (“right to be forgotten”, Article 17 GDPR)
  • Restrict processing (Article 18 GDPR)
  • Request data portability (Article 20 GDPR)
  • Object to processing based on legitimate interests (Article 21 GDPR)

To exercise any of these rights, please contact us at info(at)postera.io.

6. Supervisory Authority

You have the right to lodge a complaint with the competent supervisory authority:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Postfach 20 04 44
40102 Düsseldorf
Tel.: 0211/38424-0
Email: [email protected]