Privacy Policy

Last updated: March 2, 2026

1. Data Controller

The data controller for this website is:

Marosa UG (haftungsbeschraenkt)
Suelzbogen 15
21391 Reppenstedt
Germany
Email: marosaug@gmail.com

Managing Director: Rafael Armbrust

2. Collection and Storage of Personal Data

2.1 When Visiting the Website

When you visit our website, the browser on your device automatically sends information to our website's server. This information is temporarily stored in a log file:

  • IP address of the requesting device
  • Date and time of access
  • Name and URL of the retrieved file
  • Website from which access occurred (referrer URL)
  • Browser used and potentially your device's operating system

We process this data for the following purposes:

  • Ensuring a smooth connection to the website
  • Ensuring comfortable use of our website
  • Evaluating system security and stability

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest follows from the purposes listed above.

2.2 When Registering and Using the Service

When registering and using our Preppino service, we collect:

  • Email address (for login and communication)
  • Name (optional, for profile and invoicing)
  • Company name and address (optional, for invoicing)
  • Password (stored only as a bcrypt hash)
  • Product data (SKU, FNSKU, ASIN, EAN, product names, prices, etc.)
  • Label settings and configurations
  • Manufacturer and supplier information
  • Usage data (generated labels, uploads, order data)

Processing is based on contract fulfillment (Art. 6(1)(b) GDPR) or your consent (Art. 6(1)(a) GDPR).

2.3 Payment Processing

For payment processing, we use the payment service provider Stripe (Stripe, Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA). When subscribing to a paid plan, you are redirected to Stripe's payment page. Payment data processing is handled exclusively by Stripe. We only receive a payment confirmation and a customer ID from Stripe; your credit card details or bank information are not transmitted to us.

Stripe also processes data in the USA. Stripe is certified under the EU-US Data Privacy Framework. For more information, see the Stripe Privacy Policy.

Legal basis: Art. 6(1)(b) GDPR (contract fulfillment).

3. Cookies

Our website uses cookies. Cookies are small text files stored in or by the internet browser on your computer system.

3.1 Necessary Cookies

These cookies are required for the basic functions of the website:

Cookie | Purpose | Duration
next-auth.session-token | Authentication / login session | 30 days
next-auth.csrf-token | CSRF protection | Session
cookie-consent | Stores your cookie preferences | 1 year
NEXT_LOCALE | Language setting (de/en) | 1 year

Legal basis: Art. 6(1)(f) GDPR (legitimate interest).

3.2 Statistics Cookies (Google Analytics 4)

We use Google Analytics 4, a web analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), to analyze and improve the use of our website.

Cookie | Purpose | Duration
_ga | Distinguish users | 2 years
_ga_<ID> | Store session state | 2 years
_gid | Distinguish users | 24 hours

IP anonymization is enabled by default in Google Analytics 4. Google is certified under the EU-US Data Privacy Framework. These cookies are only set after you consent to the "Statistics" category.

Legal basis: Art. 6(1)(a) GDPR (consent). More information: Google Privacy Policy, Browser Opt-out Add-on.

3.3 Marketing Cookies (Google Ads)

We use Google Ads, an online advertising service provided by Google Ireland Limited, for conversion tracking and remarketing.

Cookie | Purpose | Duration
_gcl_au | Conversion linking | 90 days
_gcl_aw | Google Ads click tracking | 90 days

These cookies are only set after you consent to the "Marketing" category. Google is certified under the EU-US Data Privacy Framework.

Legal basis: Art. 6(1)(a) GDPR (consent). More information: Google Ads Settings, Google Privacy Policy.

3.4 Google Tag Manager

We use Google Tag Manager (GTM) by Google Ireland Limited to centrally manage the services mentioned above. GTM itself does not collect personal data and does not set cookies. GTM only controls the loading of analytics and marketing tags based on your consent settings.

We use Google Consent Mode v2: All tracking tags are disabled by default and are only activated after your explicit consent.

4. Data Processors and Data Sharing

We use the following service providers to deliver our service:

4.1 Hosting - Vercel

Our website is hosted by Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA). Content is served from EU data centers. Vercel processes server log files (IP addresses, access data) to provide the website.

Legal basis: Art. 6(1)(f) GDPR. More information: Vercel Privacy Policy.

4.2 Database - Supabase

All user data (accounts, products, labels, orders) is stored in a PostgreSQL database hosted by Supabase Inc. The database server is located in Frankfurt, Germany (EU region aws-eu-west-1). Data does not leave the EU.

The database is secured through SSL/TLS encryption, access controls, and regular backups. Passwords are stored exclusively as bcrypt hashes; we have no access to plain-text passwords.

Legal basis: Art. 6(1)(b) GDPR. More information: Supabase Privacy Policy.

4.3 Error Monitoring - Sentry

To detect and fix technical errors, we use Sentry (Functional Software, Inc., 132 Hawthorne St, San Francisco, CA 94107, USA). When an error occurs, technical information is automatically sent to Sentry:

  • Error type and message
  • Browser type and version
  • Operating system
  • URL where the error occurred
  • Anonymized IP address

No personal data such as email, name, or product data is transmitted to Sentry. Sentry is certified under the EU-US Data Privacy Framework.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in error resolution and stability). More information: Sentry Privacy Policy.

4.4 Email Delivery

For sending transactional emails (e.g., service provider invitations, order notifications), we use an email service provider. Only the data necessary for delivery (email address, subject, content) is transmitted.

Legal basis: Art. 6(1)(b) GDPR (contract fulfillment).

5. Data Deletion and Retention

Your personal data is deleted once the purpose of storage no longer applies. When you delete your user account, all associated data (products, labels, orders, settings) is also deleted (cascade deletion). Statutory retention obligations (e.g., tax law: 10 years for invoice data) remain unaffected.

6. Your Rights

You have the right to:

  • Request information about your personal data processed by us (Art. 15 GDPR)
  • Request immediate correction of inaccurate personal data, or completion of incomplete personal data, stored by us (Art. 16 GDPR)
  • Request deletion of your personal data stored by us (Art. 17 GDPR)
  • Request restriction of processing of your personal data (Art. 18 GDPR)
  • Receive your personal data in a structured, commonly used, and machine-readable format (data portability, Art. 20 GDPR)
  • Revoke your consent at any time (Art. 7(3) GDPR)
  • Lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent authority for us is: Die Landesbeauftragte fuer den Datenschutz Niedersachsen, Prinzenstrasse 5, 30159 Hannover, Germany.

7. Right to Object

If your personal data is processed based on legitimate interests pursuant to Art. 6(1)(f) GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, provided there are grounds relating to your particular situation.

To exercise your right to object, please send an email to: marosaug@gmail.com

8. Data Security

We use the following technical and organizational security measures:

  • SSL/TLS encryption for all data transmissions (HTTPS)
  • Hashed password storage (bcrypt)
  • Access control through role-based permissions (Seller, Service Provider, Admin)
  • CSRF protection for all forms
  • Rate limiting to prevent brute-force attacks
  • Regular security updates of deployed software
  • Database backups by Supabase

9. Updates to this Privacy Policy

This privacy policy is currently valid (as of March 2, 2026). Due to the further development of our website or due to changed legal or regulatory requirements, it may become necessary to change this privacy policy. The current privacy policy can be accessed at any time on this page.

© 2026 Preppino. All rights reserved.