Privacy Policy

This privacy policy applies to the marketing website https://zweigen.cloud as well as the Zweigen web application (app), opt‑in features (Launch-Angebote Warteliste, discounts, product updates, Daten- und BI-Wissen) and our internal admin area (Admin Console).

We process data in accordance with the GDPR and applicable e‑privacy rules (e.g. TDDDG).

The website is aimed exclusively at businesses.

Zweigen is a B2B SaaS application. Depending on the processing activity, we act either as controller or as processor.

• As controller we process account, security, billing and support data that is required to provide and operate the service.
• For data that customers connect or upload to Zweigen (“Customer Content”), the customer typically acts as controller. We process such data as a processor under a DPA (Art. 28 GDPR).

Data subject rights note: If your data is included in a customer’s Customer Content (e.g. as an employee), please contact the respective customer (e.g. your employer). For requests about your Zweigen account data you can use the DSAR features in the in‑app privacy panel or contact us (support@zweigen.cloud).

No DPO appointed (not legally required).

We process personal data on the following legal bases:

• Art. 6(1)(a) GDPR (consent): web analytics (PostHog), opt-in email updates.
• Art. 6(1)(f) GDPR (legitimate interests): operation and security of the website, WAF filtering, rate‑limits, anti‑abuse, documentation of double opt‑in.
• Art. 6(1)(b) GDPR: pre‑contractual communications (email/phone).

You may withdraw consent at any time, e.g. via “Cookie settings” in the footer or by emailing support@zweigen.cloud.

Right to object (Art. 21 GDPR): You may object at any time to processing based on legitimate interests (Art. 6(1)(f) GDPR), e.g. by emailing support@zweigen.cloud.

Some data is required to provide certain functionality:

• Account/sign-in: without a business email and required authentication data we cannot provide an account.
• Billing: without contract and invoice data (e.g. company name, billing address; VAT ID where provided) we cannot correctly bill paid services.
• Optional: consent-based web analytics (PostHog) and opt-in email updates are optional; the service can generally be used without this consent.

Our website servers run in European data centres provided by OVHcloud S.A.S. (EU). Domain management and our email inboxes are provided by mittwald CM Service GmbH & Co. KG (Germany/EU).

We use an OVHcloud load balancer with Web Application Firewall (OWASP CRS) plus self‑hosted observability (OTEL/SigNoz, EU) and a dedicated Redis database for rate‑limits (EU).

When visiting our website and API we process:

• IP address
• date and time
• hostname, path, HTTP method, HTTP status
• user‑agent, referrer (if any)
• request/trace ID, rate‑limit decision
• no request bodies

Purposes: delivery, stability, security, abuse detection, rate‑limits.

IP addresses are not anonymized but used exclusively for security and operational purposes.

Legal basis: Art. 6(1)(f) GDPR (legitimate interests: stability, security, abuse prevention).

Transport encryption according to current best practice.

We use locally hosted Klaro! to obtain and document consent for analytics cookies.

Processed data

• consent status
• timestamp
• pseudonymous browser identifier

Storage entry

• Name: klaro
• Lifetime: 365 days
• SameSite=Lax, Secure, host‑only
• Category: essential

Legal basis: e‑privacy (technical storage), Art. 6(1)(c/f) GDPR.

7.1 Essential cookies

• klaro – stores consent status (365 days).
• WAF security cookie (OVHcloud) – attack detection, ~30 minutes.
• Short-lived opt-in manage cookie (sandbank.marketing_optin_manage, 30 minutes) after email-link exchange; no login/session cookie for the public opt-in flow.

7.2 Analytics (only with consent)

• PostHog cookies/storage: pseudonymous IDs, events, technical data.

For login and security of the Zweigen app we use essential cookies. They are required to provide the service you explicitly requested.

• app session cookie (__Host-sandbank.session-token, up to 4 hours)
• device identifier (__Host-sandbank.device-id, up to 180 days)
• CSRF protection (e.g. __Host-sandbank.csrf-token and __Host-sandbank.csrf-bff-token)
• language/locale (sandbank.locale)

The device identifier is only used to recognize a known browser profile for security functions. It remains in place after logout and expires no later than the stated retention period; we do not use fingerprinting or precise geolocation for this purpose.

Cookie names, lifetimes and categories are listed in the cookie overview (annex).

We process pseudonymous IDs, events, and technical data in the browser only after consent has been granted. API and worker calls do not emit server-side product analytics events. No third-country transfers. Session replay is disabled by default. Event retention: up to 180 days.

Legal basis: consent (Art. 6(1)(a) GDPR; applicable e‑privacy rules).

You can withdraw consent at any time via the cookie settings.

Public API /api/public/opt‑in processes:

• email address, optional name, locale
• preferences (categories), UTM parameters, path/referrer
• double‑opt‑in token (hash only), DOI status
• worker/job metadata (PgBoss), delivery status at the mail service

• Brevo: no open/click tracking enabled.

Legal basis: consent (Art. 6(1)(a) GDPR); proof/blacklist: Art. 6(1)(f) GDPR.

Retention: active subscriptions remain stored until withdrawn/unsubscribed. After unsubscribing, we delete email/name (PII) and keep only pseudonymous DOI proof (e.g. email hash, timestamps, status) for up to 3 years.

The Zweigen app allows you to connect external data sources (integrations), depending on the provider, via OAuth2, personal access token (PAT), or upload to build BI analytics and dashboards.

Core principles: credentials are processed server-side only, stored encrypted, and never exposed to the browser. Provider API calls are executed server-side only via allow-listed egress destinations. Uploads are processed without external provider authentication.

Important: For OAuth integrations you are redirected to the respective provider for authentication/authorization. Those providers process your data under their own responsibility. PAT and upload integrations do not involve such a redirect; the exact role, retention and transfer logic is shown per active provider in the overview below.

When you connect Google Analytics 4 or Google Search Console to Zweigen, you authorize the connection yourself through Google. We process the access, connection, and Google data you grant only to provide the selected integration, synchronize data, display it in Zweigen, and secure the connection technically. You can disconnect the integration at any time. The legal basis for the integration you actively enable is Art. 6(1)(b) GDPR; technical security and evidence data is processed under Art. 6(1)(f) GDPR.

Processed data (typically)

• OAuth tokens or PAT credentials (access/refresh/expiry, token/endpoint), stored encrypted
• account/provider identifiers (e.g. providerSubject) and resource IDs (e.g. property/site/account), where provided by the respective provider
• aggregated metrics, observability signals or imported datasets as read-models or customer data inventory within the allowed product and governance boundaries

Deletion on disconnect (full purge)

When you disconnect an integration, we start an async purge job and delete the related tokens, bindings, discovery snapshots/indexes, and all derived analytics data from the live store (full purge), unless statutory retention obligations apply. Only minimal audit/purge evidence remains; backups follow the separate backup retention described below. Depending on data volume, deletion may take a few minutes.

Integrations overview (active only)

Only currently active integrations with production processing are listed here. Planned providers are added only when they are actually activated and the privacy notice and DPA are updated in the same release.

Provider documents and privacy information

Google Analytics 4: Google API Terms of Service

Google Analytics 4: Google API Services User Data Policy

Google Analytics 4: GA4 data retention

Google Search Console: Google API Terms of Service

Google Search Console: Google API Services User Data Policy

Google Search Console: Search Console performance data

For billing and statutory obligations we process contract and invoice data (e.g. company, contact person, billing address, VAT ID where provided). Payment processing may be handled via Mollie; we do not store full card/bank details in our systems.

Retention: invoices and accounting evidence are typically retained for 10 years (statutory retention).

We store personal data only as long as required for the respective purposes or as required by law. For the app, technical backup retention also applies.

Exception to the general backup retention: for content from the Google Business Profile APIs we ensure that technical backups do not extend storage beyond 30 calendar days.

For operations, support, and administration we use an internal admin area (Admin Console). Access is restricted to authorized personnel only and protected by technical controls (e.g. access-restricted network environment, rate-limits) as well as authentication and role-based access control (RBAC).

Processed data

• Admin account: user ID, email address, roles/permissions, session key, MFA claims (as provided by the IdP).
• Tenant & user administration: organization/tenant IDs, user IDs, invites (email, role, status, timestamps, invitedBy/revokedBy), suspension/deactivation reasons (if provided).
• Support inbox: support case IDs, organization reference, requester email address, status/category, snippets and reply texts; where applicable ticket references (e.g. Zammad ticket ID/link).
• Marketing/opt‑in administration: opt‑in status/preferences, sending status (outbox), template key, delivery status (no open/click tracking).
• API keys (admin): name, prefix, permissions, rate-limits, expiration (plain key only on issuance).
• Technical & audit data: IP address, user‑agent, request ID, timestamps, actions/resources (audit logs).

Cookies/storage (admin area)

The admin area uses essential, host-only cookies/storage keys for authentication and session security (session, CSRF, device identifier). Cookie/storage details for public surfaces (marketing site + app) are listed in the cookie overview (annex).

Legal bases: Art. 6(1)(b) GDPR (contract performance/support) and Art. 6(1)(f) GDPR (operations, security, abuse prevention, auditability). Where required, legal obligations may apply as well (Art. 6(1)(c) GDPR), e.g. compliance/retention duties.

Recipients/processors: ZITADEL (authentication/IdP), OVHcloud (hosting) and – where applicable – ticketing (self-hosted; tool: Zammad). No marketing analytics/tracking is performed in the admin area.

Note: The admin area is an internal area for employees/operators and not intended for customers/end users.

Some personal data is not collected directly from you, but comes from customer contexts or connected providers.

• Customer Content: data processed by a customer in Zweigen is provided to us by that customer.
• Integrations/OAuth: after your authorization, connected providers deliver data to our server-side interfaces.
• System events: audit, security and workflow metadata is generated technically during service usage.

Where Art. 14 GDPR applies, we provide transparent information on categories, purposes, recipients and retention periods. For customer content, the respective customer is typically responsible for primary notice.

Data: name (if provided), email address, content, meta/header data.

Recipient: our email provider mittwald CM Service GmbH & Co. KG (Germany/EU).

Storage: until completion of the request and up to 12 months thereafter unless longer statutory retention applies.

Legal basis: Art. 6(1)(b) GDPR (contract/pre-contract) and Art. 6(1)(f) GDPR (legitimate interest in replying to requests).

Static links. No data transfer without click.

• no videos
• no maps
• no chat widgets
• no social plugins

• access
• rectification
• erasure
• restriction
• data portability
• objection
• withdraw consent

How to exercise rights: In the app, the privacy panel provides DSAR features for data export and account deletion. You can also contact us via email: support@zweigen.cloud.

If your data is included in a customer’s Customer Content, please direct requests to the respective customer as controller, as we usually cannot associate data subjects without a customer reference.

Zweigen is operated in the EU by default. For specific integrations, provider-side processing outside the EU/EEA may still occur.

• Where an adequacy decision of the EU Commission exists, we rely on that transfer mechanism.
• Otherwise we rely on EU Standard Contractual Clauses (Art. 46 GDPR) and supplementary technical/organizational safeguards.
• The exact transfer scenario depends on the connected provider and its product configuration.

We provide additional details on transfer safeguards on request (support@zweigen.cloud).

You may lodge a complaint with a supervisory authority. The authority competent for our company is the Independent State Centre for Data Protection Schleswig-Holstein (ULD), Holstenstraße 98, 24103 Kiel, Germany.

No profiling, no automated decisions.

We update this policy when services, legal requirements or technical processes change. The current version is always available on this page.

Subprocessors process personal data on our behalf where necessary for hosting, operations and support. At this time, we only use subprocessors located within the EU.