Privacy Policy

Last Updated: 2026-04-16

1. Controller and Contact

1.1. The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Genz IT Solutions GmbH
Brückengasse 1b
78462 Konstanz
Germany
E-mail: mail@genz-its.de

Authorised Managing Director: Robin Marcel Genz

1.2. No Data Protection Officer has been appointed. For data protection inquiries, please contact: privacy@capawesome.io

2. Scope

2.1. This Privacy Policy applies to the processing of Personal Data of website visitors, prospective customers and account holders by Genz IT Solutions GmbH ("Provider") acting as Controller.

2.2. End-user data that the customer transmits to the Provider's cloud services via Capawesome SDKs is processed on behalf of the customer. In that regard, the customer is the Controller; the provisions of the Data Processing Agreement (DPA) at https://capawesome.io/dpa apply. This Privacy Policy does not apply to such data.

2.3. In addition to the GDPR, this Privacy Policy also satisfies the information obligations under the Swiss Federal Act on Data Protection (revFADP). Swiss B2B customers may request a revFADP addendum to the Data Processing Agreement.

3. Processing Activities

3.1. Website Operation and Server Logs

  • Data: IP address, date and time of access, requested resource, HTTP status code, referrer URL, browser type and version, operating system
  • Purpose: Provision of the website, ensuring technical security, detection and prevention of misuse
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure provision of the website)
  • Retention period: 30 days, then deletion or anonymisation

3.2. Account and Contract Performance

  • Data: Name, e-mail address, company name, postal address, telephone number (where provided), login credentials (password hash), account settings, organisation and team membership
  • Purpose: Creation and administration of the customer account, provision of the contractual services, communication within the contractual relationship
  • Legal basis: Art. 6(1)(b) GDPR (performance of contract)
  • Retention period: Duration of the contractual relationship plus 30 days export period after termination. Thereafter deletion, subject to statutory retention obligations (§§ 147 AO, 257 HGB: up to 10 years)

3.3. Payment Processing (Self-Serve) via Merchant of Record

  • Data: Name, e-mail address, company name, billing address, VAT ID, selected product and billing period
  • Purpose: Payment processing, invoicing, tax calculation, refunds
  • Legal basis: Art. 6(1)(b) GDPR (performance of contract)
  • Recipients: Polar Software Inc. or Lemon Squeezy LLC as Merchant of Record. These act as independent controllers in the purchase process and are not processors of the Provider. Their own privacy policies apply.
  • Retention period: Stored by the Provider only to the extent necessary for subscription assignment. Payment details (credit card numbers, bank details) are processed exclusively by the MoR and are not transmitted to the Provider.

3.4. Invoicing and Tax Record Retention (Sales-Led)

  • Data: Name, e-mail address, company name, billing address, VAT ID, invoice line items, payment receipts
  • Purpose: Direct invoicing, bookkeeping, fulfilment of statutory tax retention obligations
  • Legal basis: Art. 6(1)(c) GDPR (legal obligation, §§ 147 AO, 257 HGB)
  • Retention period: 10 years from the end of the calendar year in which the invoice was issued (§ 147(3) AO)

3.5. Newsletter and Marketing

  • Data: E-mail address, time of consent, name and company where provided
  • Purpose: Sending newsletters and product information
  • Legal basis: Art. 6(1)(a) GDPR (consent) for newsletters; Art. 6(1)(f) GDPR (legitimate interest) in conjunction with § 7(3) UWG (German Unfair Competition Act) for direct marketing to existing customers regarding similar services
  • Withdrawal: May be exercised at any time via the unsubscribe link in the newsletter or by e-mail to privacy@capawesome.io
  • Retention period: Until withdrawal of consent. After unsubscription the e-mail address is retained for up to 3 years in order to evidence the prior consent (legitimate interest, Art. 6(1)(f) GDPR).

3.6. Security and Abuse Prevention

  • Data: IP addresses, access patterns, account activities, security logs
  • Purpose: Detection and prevention of attacks, misuse and fraud; enforcement of the Acceptable Use Policy
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the security of the services)
  • Retention period: 90 days; in the event of a concrete suspicion, until the conclusion of the investigation

3.7. Support Requests

  • Data: Name, e-mail address, content of the request, technical information for troubleshooting where applicable
  • Purpose: Handling of support requests, documentation of the support history
  • Legal basis: Art. 6(1)(b) GDPR (performance of contract) for existing customers; Art. 6(1)(f) GDPR (legitimate interest) for prospective customers
  • Retention period: Duration of the contractual relationship plus 3 years (standard limitation period, § 195 BGB)

3.8. CLI and Cloud Dashboard Telemetry

  • Data: Anonymised or pseudonymised usage data (features invoked, error messages, platform and version of the CLI tool or dashboard)
  • Purpose: Product improvement, error detection, capacity planning
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving the services)
  • Opt-out: Where technically feasible, the customer may disable telemetry
  • Retention period: 90 days, then deletion or irreversible anonymisation

3.9. Single Sign-On (SSO)

  • Data: Profile data transmitted by the SSO provider (typically name, e-mail address, profile picture, user ID)
  • Purpose: Authentication and account creation or linking
  • Legal basis: Art. 6(1)(b) GDPR (performance of contract)
  • Recipients: The respective SSO provider receives the information that the user is signing in to Capawesome. The Provider offers SSO via the following providers:
      • Microsoft — Privacy Policy
      • GitHub — Privacy Policy
      • GitLab — Privacy Policy
      • Bitbucket (Atlassian) — Privacy Policy
  • Retention period: The transmitted profile data is stored for the duration of the account. Deletion at the SSO provider is governed by that provider's own terms.

4. Device Access (§ 25 TDDDG)

4.1. The Provider does not use HTTP cookies.

4.2. localStorage, sessionStorage and IndexedDB: The Provider uses browser-side storage mechanisms exclusively for strictly necessary functions:

  • Auth token and session state (localStorage/sessionStorage): Maintaining the login session. Legal basis: § 25(2) no. 2 TDDDG (German Telecommunications Digital Services Data Protection Act) (strictly necessary for the service explicitly requested by the user). Duration: Session token until the end of the browser session; auth token until logout or expiry.
  • User preferences (localStorage): Storage of interface preferences (e.g. theme, language). Legal basis: § 25(2) no. 2 TDDDG. Duration: Until manual deletion by the user.

4.3. Web analytics with Umami: The Provider uses Umami as a self-hosted, cookie-free web analytics tool. Umami does not collect Personal Data, does not set cookies and does not use browser fingerprinting. Analysis is based exclusively on aggregated, non-personal data. No data is transmitted to third parties. Legal basis: § 25(2) no. 2 TDDDG (audience measurement using anonymised data).

5. Recipients and Third-Party Services

5.1. The Provider uses the following recipients for the provision of its own services. The list below relates exclusively to data that the Provider processes as Controller. The sub-processor list for customer data processed by the Provider on behalf of customers is available at https://capawesome.io/subprocessors.

| Recipient | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Scaleway SAS | Cloud infrastructure (compute, storage, build instances) | France, EU | Adequacy (EU) |
| Hetzner Online GmbH | Hosting, server infrastructure | Germany, EU | Adequacy (EU) |
| netcup GmbH | Server infrastructure | Germany, EU | Adequacy (EU) |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | USA | EU-US Data Privacy Framework (DPF-certified) |
| PlanetScale, Inc. | Database services | USA | EU-US Data Privacy Framework (DPF-certified) |
| Sentry (Functional Software, Inc.) | Error monitoring | USA | EU-US Data Privacy Framework (DPF-certified) |
| Crisp IM SAS | Support chat | France, EU | Adequacy (EU) |
| Resend, Inc. | E-mail delivery (transactional and newsletter) | USA | EU-US Data Privacy Framework (DPF-certified) |

5.2. For all US recipients with DPF certification, the EU-US Data Privacy Framework serves as the primary transfer mechanism. In addition, EU Standard Contractual Clauses (SCCs) 2021/914 are in place as a fallback.

5.3. SSO providers: Microsoft, GitHub, GitLab and Bitbucket (Atlassian) are listed as recipients in the login flow in Section 3.9.

5.4. Merchant of Record: Polar Software Inc. and Lemon Squeezy LLC act as independent controllers in the purchase process, not as processors of the Provider. Their privacy policies are available on their respective websites.

6. International Data Transfers

6.1. Where Personal Data is transferred to recipients outside the EEA, the Provider ensures that an adequate level of data protection is maintained.

6.2. For US recipients certified under the EU-US Data Privacy Framework, an adequacy decision of the European Commission applies (Implementing Decision (EU) 2023/1795 of 10 July 2023).

6.3. Where no adequacy decision exists, EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914) are used as the transfer mechanism.

6.4. Switzerland: For transfers from Switzerland, the Provider relies on the Federal Council's adequacy decision on the EU-US Data Privacy Framework (recognised on 15 September 2024) or on the Standard Contractual Clauses with Switzerland-specific amendments.

7. Data Subject Rights

7.1. Data Subjects have the following rights under the GDPR:

  • Access (Art. 15 GDPR): Right to confirmation and information about the data processed
  • Rectification (Art. 16 GDPR): Right to correction of inaccurate data
  • Erasure (Art. 17 GDPR): Right to erasure, provided no statutory retention obligation prevails
  • Restriction (Art. 18 GDPR): Right to restriction of Processing
  • Data portability (Art. 20 GDPR): Right to receive one's own data in a machine-readable format
  • Objection (Art. 21 GDPR): Right to object to Processing based on legitimate interests

7.2. Consent given may be withdrawn at any time with effect for the future, without affecting the lawfulness of the Processing carried out prior to the withdrawal.

7.3. Right to lodge a complaint: Data Subjects have the right to lodge a complaint with a Supervisory Authority. The competent Supervisory Authority for the Provider is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW)
Lautenschlagerstraße 20
70173 Stuttgart
https://www.baden-wuerttemberg.datenschutz.de

For Data Subjects in Switzerland, the Swiss Federal Data Protection and Information Commissioner (FDPIC) is the competent authority.

8. No Automated Decision-Making

8.1. The Provider does not employ automated decision-making including profiling within the meaning of Art. 22 GDPR that produces legal effects concerning Data Subjects or similarly significantly affects them.

9. Contact for Data Protection Inquiries

9.1. For all data protection inquiries, please contact:

Genz IT Solutions GmbH
privacy@capawesome.io

10. Amendments to this Privacy Policy

10.1. The Provider reserves the right to amend this Privacy Policy where required by changes in processing activities, legal requirements or technical developments. The current version is available at https://capawesome.io/privacy.

10.2. In the event of a sale, merger or transfer of a business unit, the Provider may transfer Personal Data to the acquirer or successor where necessary to continue the contractual services. The existing data protection standards shall remain in effect. In such a case, the Provider shall inform Data Subjects in advance.