Privacy policy

1. General information

The protection of your personal data is important to us. We process personal data exclusively within the framework of the applicable data protection regulations, in particular the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). This privacy policy informs you about the nature, scope and purpose of the processing of personal data when using Zweihundert.

2. Data controller

Controller within the meaning of the GDPR:

Company: Umwerk GmbH
Address: Herzogspitalstr. 10a, 80331 Munich, Germany
Represented by: Philipp Janowski, Albert Huber, Marco Lüdtke
Email: hi@umwerk.com
Phone: +49 (0) 711 674 382 50

3. Definitions

The definitions of Art. 4 GDPR apply, in particular for "personal data", "processing", "controller" and "processor".

4. Purpose of data processing

We process personal data exclusively for the following purposes:

• Provision and operation of the Zweihundert platform
• User management and authentication
• Contract performance and billing
• Technical security and system stability
• Customer communication and support
• Compliance with legal obligations

5. Legal bases for processing

The processing of personal data is based on the following legal grounds:

• Art. 6 (1) (b) GDPR – Contract performance
• Art. 6 (1) (f) GDPR – Legitimate interest (e.g. IT security, error analysis)
• Art. 6 (1) (c) GDPR – Legal obligation

6. Categories of processed data

When using Zweihundert, the following data in particular may be processed:

• Master data (name, business email address)
• Access credentials (encrypted)
• Usage and log data
• Contract and billing data
• Communication content (support requests)

7. Disclosure of data to third parties

In certain cases we disclose personal data to carefully selected third parties in order to provide our services:

Paddle.com — Payment processing

For payment processing, subscription management, tax compliance and invoicing we work with Paddle.com. Paddle acts as the Merchant of Record (MoR) for our products and services. During checkout, personal data (in particular name, email address, billing address and payment information) is transmitted to Paddle. Paddle is an independent controller for the processing of payment data. The transfer is based on Art. 6 (1) (b) GDPR (contract performance).

Paddle collects and processes this data under its own responsibility. For more information on data protection at Paddle, please see their privacy policy: paddle.com/legal/privacy

Other service providers

In addition we use technical service providers (e.g. hosting and email providers) who act exclusively as processors under Art. 28 GDPR and only receive access to personal data to the extent necessary.

8. Cookies and local storage

This website uses cookies and local storage. We distinguish between:

a) Technically required storage (no consent needed)

These are required for the operation of the application:

• Authentication tokens (localStorage): enable secure sign-in
• Theme setting (localStorage): stores your preferred appearance (light/dark)

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in a user-friendly experience). You can delete or block cookies in your browser settings at any time. This may, however, impair the functionality of the application.

9. Data security

We use appropriate technical and organizational measures to protect personal data against loss, manipulation, unauthorized access or disclosure, including:

• Encryption
• Access restrictions
• Role and permission management
• Regular security updates

10. Retention period

Personal data is only stored for as long as necessary for the respective processing purposes or as required by statutory retention periods. Once the purpose ceases, the data is deleted or anonymized.

11. Rights of data subjects

Under the GDPR you have the following rights:

• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection (Art. 21 GDPR)

You can address requests at any time to the contact details listed above.

12. Right to lodge a complaint

You have the right to lodge a complaint with a competent data protection supervisory authority if you believe that the processing of your personal data violates the GDPR.

13. Changes to this privacy policy

We reserve the right to update this privacy policy to reflect changes in legal requirements or functional changes of the platform.