Privacy Policy
1. Data Controller
toastingcode UG (haftungsbeschränkt)
Haasenäckerstr. 9
78224 Singen
Germany
Represented by the Managing Director: Holger Staudacher
Email: info@toastingcode.com
2. General Information
The protection of your personal data is of great importance to us. We process personal data exclusively in accordance with the General Data Protection Regulation (GDPR) and applicable national data protection laws. This privacy policy informs you about which data we process, for what purpose, and what rights you have.
3. Scope and Purpose of Data Processing
We process personal data in order to provide, operate, and continuously improve our cloud-based software solution (Software-as-a-Service). Processing is carried out in particular for the following purposes:
- Provision of user accounts
- Authentication and authorization
- Use of the software features
- Payment processing and billing
- Support, maintenance, and error analysis
- Provision of AI-powered features
4. Categories of Personal Data
Depending on usage, we process the following data in particular:
- Master data (e.g., name, email address)
- Authentication data (e.g., OAuth tokens, login information)
- Usage and metadata
- Payment and billing data
- Content data, insofar as entered by the user
5. Categories of Data Subjects
- Users of our software
- Customers (B2B & B2C)
- Employees and agents of our customers
- Other authorized users
6. Legal Basis for Processing
Processing is based on:
- Art. 6 (1) (b) GDPR (performance of a contract)
- Art. 6 (1) (f) GDPR (legitimate interest in operation, security, and optimization)
- Art. 6 (1) (a) GDPR (consent, e.g., for optional features)
- Art. 6 (1) (c) GDPR (legal obligations)
7. Data Processing on Behalf of Customers
Where we process personal data on behalf of our customers, we act as a data processor within the meaning of Art. 28 GDPR. A corresponding Data Processing Agreement (DPA) can be concluded via our website or upon request.
8. Use of Sub-Processors
To provide our services, we engage carefully selected sub-processors:
a) Appwrite
Hosting, database, and authentication services.
b) OpenAI
AI-powered processing of inputs for the provision of contractually agreed features. Processing is purpose-limited and not used for training purposes.
c) Stripe
Payment processing, invoicing, and fraud prevention.
d) Google (OAuth)
Authentication via Google login (OAuth).
All sub-processors are contractually bound to comply with the GDPR.
9. Transfer to Third Countries
Personal data is only transferred to countries outside the EU/EEA if:
- an adequacy decision by the EU exists, or
- appropriate safeguards (e.g., EU Standard Contractual Clauses) are in place.
10. Technical and Organizational Measures
We implement appropriate technical and organizational measures pursuant to Art. 32 GDPR, including:
- Encryption of data in transit and at rest
- Role-based access controls
- Tenant separation
- Logging of security-relevant events
- Backup and recovery procedures
11. Data Retention and Deletion
Personal data is stored only for as long as necessary for the respective purposes.
- Account data: deletion no later than 30 days after contract termination
- Backups: automatic deletion no later than 90 days
- Statutory retention obligations remain unaffected
12. Data Subject Rights
You have the following rights at any time:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing (Art. 21 GDPR)
Please direct any requests to the contact address stated above.
13. Withdrawal of Consent
If processing is based on your consent, you may withdraw it at any time with effect for the future.
14. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority, in particular in the member state of your habitual residence or place of work.
15. Changes to This Privacy Policy
We reserve the right to update this privacy policy in order to adapt it to changed legal requirements or technical developments.
