D.01Legal

Privacy Policy

With this Privacy Policy we inform you about how we process personal data on our website, in connection with contact enquiries, with demo and customer accounts, when displaying prices as well as when initiating and processing business relationships. Our offering is directed exclusively at companies and other entrepreneurs within the meaning of § 14 BGB. Insofar as individual processing activities are only activated after your consent, this only takes place after your selection in the consent banner.

01

Controller

uxspire GmbH
Stixchesstr. 107
51377 Leverkusen
Germany


Email address:
Imprint: https://uxspire.com/impressum
02

Data protection officer

We have currently not appointed a data protection officer. You may send data protection enquiries to the contact details stated in section 1. We continuously assess whether individual SaaS processing activities, legal changes or future product features trigger a statutory appointment obligation and update this information if required.

03

Data categories, data subjects and purposes

Data subjects: visitors of this website, contact persons at prospects, customers and business partners, applicants, users of demo and customer accounts as well as users of Stripe-hosted payment or contract administration pages.

Processed data categories:

  • Master data and contact data, e.g. name, business email address, telephone number, company, job title, country
  • Communication and content data, e.g. message content, attachments, enquiry types and conversation histories
  • Contract, order, invoice, subscription, account and access data, e.g. selected product, term, plan, invoice status, VAT identification number, login data, workspace and configuration settings
  • Payment-related data, e.g. transaction and payment status data as well as billing-relevant information
  • Application data, insofar as you submit application documents
  • Usage, device, log and security data, e.g. IP address, browser, operating system, referrer, timestamps and pages accessed
  • Consent and preference data, e.g. consent status, selection in the cookie banner and proof logs

Purposes of processing: provision and protection of the website, setup and administration of demo and customer accounts, answering enquiries, processing of demo, pricing, support and application enquiries, display of prices, contract initiation and contract performance, billing, consent management as well as - with consent - web analytics, reach measurement and marketing.

Insofar as customers use the SaaS to display surveys, NPS, CSAT or UEQ measurements, target group studies or comparable feedback and analytics functions, uxspire regularly processes the resulting end-user, response, free-text, segment and analytics data as processor for the respective customer. In these cases, the customer is responsible for content, purpose, legal basis, privacy notices, consents and objection options.

04

Legal bases

  • Art. 6(1)(a) GDPR: consent, in particular for optional analytics and marketing technologies
  • Art. 6(1)(b) GDPR: performance of pre-contractual measures and fulfilment of contracts or business enquiries
  • Art. 6(1)(c) GDPR: fulfilment of legal obligations, in particular commercial and tax retention obligations
  • Art. 6(1)(f) GDPR: safeguarding our legitimate interests, in particular in secure operation, abuse prevention, efficient communication and economic management
  • § 25(1) TDDDG: storage of information on terminal equipment and access thereto for technologies requiring consent
  • § 25(2) TDDDG: technically necessary storage/access, in particular for security, consent management and basic website functions
  • § 26 BDSG: processing of application data, insofar as an application is submitted
05

Provision of the website, hosting and security

To deliver the website, to optimise performance and to defend against abuse, bot and attack scenarios, we use infrastructure and security services from Cloudflare, Inc.. In particular, the IP address, date and time of the request, requested content, referrer URL, HTTP status, browser and device information as well as security-related log data are processed in the process.

Purposes: secure and stable provision of the website, load balancing, error analysis, abuse and attack detection, ensuring short loading times.

Legal basis: Art. 6(1)(f) GDPR as well as, insofar as technically necessary, § 25(2) TDDDG.

Storage period: We regularly retain security and error logs only as long as this is necessary for operational and security purposes, typically up to 14 days. Longer retention only takes place in the case of specific security incidents, for abuse prevention or for the assertion or defence of legal claims. Service-provider-side log durations may deviate from this.

06

Contact and contact form

If you contact us by email or via the contact form, we process your information to handle your enquiry. The following data in particular can be processed via the form: first name, last name, business email address, optional telephone number, company, job title, country, reason for enquiry, message, optional application documents as well as technical additional data such as timestamp and source of the enquiry.

The contact form is processed via Cloudflare Pages Functions. General enquiries and applications are stored privately in Cloudflare R2. Application documents can be submitted as a PDF, DOC or DOCX file; the form checks the file type and file size and allows attachments up to 8 MB. Application attachments are not transmitted to Discord. The internal Discord notification only contains a notice of a new enquiry or application, category, source, timestamp and an internal R2 reference; names, email addresses, phone numbers, messages, file names and attachments are not transmitted to Discord. Application attachments are automatically deleted after 180 days.

Purposes: processing of demo, enterprise, pricing, support and other business enquiries, communication with prospects and business partners, processing of applications, spam and abuse prevention.

Legal bases: Art. 6(1)(b) GDPR for pre-contractual and contract-related communication, Art. 6(1)(f) GDPR for efficient communication and abuse prevention as well as, in the case of applications, additionally § 26 BDSG.

Storage period: We regularly delete general enquiries no later than 12 months after final processing, provided that no contractual relationship arises from them and no statutory retention obligations conflict with this. We regularly delete application documents and application attachments no later than after 180 days, provided that there is no consent to longer storage or an employment relationship is established.

07

Demo and customer accounts, prices, contract initiation, payments and billing

For the setup and administration of demo and customer accounts, we process in particular business master and contact data, account and access data, plan and contract data, workspace and configuration settings, support and communication data as well as usage, log and security data, insofar as this is necessary for provision, authentication, account administration, support, abuse prevention and contract performance. Where logged in the registration, checkout or contracting process, this may also include records of accepted contractual documents such as document version, time, organisation and user.

The SaaS application is operated on Microsoft Azure infrastructure within the EU; the concrete Azure region is set per environment via deployment configuration. Survey assets and consent proof are stored or delivered in Cloudflare R2 with EU jurisdiction. Insofar as uxspire processes personal data on behalf of the customer within demo, self-service or enterprise services, this takes place on the basis of a data processing agreement pursuant to Art. 28 GDPR. Details on data categories, purposes, sub-processors, technical and organisational measures as well as deletion and return rules result from the respective DPA.

In the current productive standard use, heatmaps, session recordings and funnel tracking are not active. If such modules are later contractually provided or activated, the relevant privacy information, DPA annexes and required configurations will be updated before productive use.

Infrastructure note The production infrastructure is documented per deployment. For customers, the applicable DPA, this Privacy Policy and the information provided in the account or contract are authoritative.

For the display of products, prices and conditions on our website, we retrieve price and product information server-side via Stripe. With the mere display of prices, generally no payment data of yours is transmitted to Stripe; the retrieval of the price structure takes place technically via our servers.

If you book a paid offering or make contract adjustments, you will be redirected to Stripe-hosted payment, checkout or contract administration pages. There, Stripe Technology Europe, Limited or Stripe Payments Europe, Limited as well as affiliated Stripe companies process the data required for this purpose.

The following in particular can be processed in the process: name, business contact and company data, billing address, VAT identification number, selected product or subscription, payment method, payment status, invoice and transaction data, amounts, currencies, device and browser information, IP address, timestamps as well as fraud prevention and compliance data.

Purposes: setup and administration of demo and customer accounts, presentation of offers, contract initiation, conclusion and administration of subscriptions, billing, payment processing, fraud prevention, accounting and tax documentation.

Legal bases: Art. 6(1)(b) GDPR, Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR; insofar as uxspire processes personal data exclusively as processor, the processing is additionally governed by the respective DPA.

Storage period: We regularly store account and contract master data for the duration of the contract and subsequently within the framework of statutory retention obligations. We regularly retain invoices, accounting vouchers and other tax-relevant documents 8 years from the end of the calendar year; received and sent business letters as well as comparable commercially relevant communication regularly 6 years. Pre-contractual data going beyond this we delete as soon as it is no longer necessary and no statutory obligations or legal claims conflict with this. Productive customer data that we process exclusively on behalf is treated in accordance with the DPA and the deletion or return obligations regulated therein. Stripe additionally stores data in accordance with its own regulatory and contractual obligations.

08

Cookies and similar technologies

We use cookies and comparable technologies such as local storage, pixels or tags. We use technically necessary technologies to operate the website securely and functionally. We only use analytics and marketing technologies if you have expressly consented to them.

Typical categories:

  • Necessary: security, consent and function storage
  • Statistics: reach measurement, usage analysis and optimisation
  • Marketing: campaign measurement, conversion measurement and ad attribution

Legal bases: Art. 6(1)(f) GDPR and § 25(2) TDDDG for necessary technologies; Art. 6(1)(a) GDPR and § 25(1) TDDDG for optional analytics and marketing technologies.

Additional information can also be found at https://uxspire.com/cookies.

10

Web analytics with Cloudflare Web Analytics

With your consent, we use Cloudflare Web Analytics on this website. The provider is Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. The service is embedded via a JavaScript beacon and is only loaded after you have consented to the Analytics category in the cookie settings.

Processed data: accessed pages or paths, referrer, time of the page view, browser, operating system and device information, approximate country, performance and load-time data as well as technical connection data that may arise during delivery and beacon transmission. Cloudflare provides us with the results in aggregated form. According to Cloudflare, Web Analytics does not track individual end users across different customer websites and does not collect query strings for Web Analytics reports.

Purposes: reach measurement, statistical evaluation of website usage, identification of popular content, technical performance analysis and website optimisation.

Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG.

Recipients/place of processing: uxspire GmbH and Cloudflare. Cloudflare may also process data in the USA. Third-country transfers take place in accordance with Art. 44 et seq. GDPR, in particular on the basis of the EU-U.S. Data Privacy Framework, where applicable, as well as standard contractual clauses and supplementary safeguards under the Cloudflare Data Processing Addendum.

Storage period: We regularly store your Analytics category choice in the uxspire_consent cookie for up to 365 days. According to Cloudflare, Web Analytics data is currently available in the dashboard for the previous six months; unsampled beacon data is retained for the previous seven days and then aggregated.

12

LinkedIn Ads

LinkedIn Ads including the LinkedIn Insight Tag is currently not actively embedded on this website. The following description is prepared for later activation for campaign measurement, audience building and conversion tracking. The provider for users in the EEA is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; processing may also be carried out by LinkedIn Corporation, USA.

Processed data: URL and referrer of the visited page, IP address, device and browser characteristics, timestamps, page and event data as well as cookie identifiers. Insofar as activated by us, additionally hashed business contact identifiers can be processed for matching purposes.

Purposes: reach and campaign measurement, website retargeting, building of audiences, proof and optimisation of conversions.

Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG.

Storage period: According to its own information, LinkedIn regularly removes direct identifiers within 7 days, pseudonymised data is subsequently regularly deleted within 180 days. In addition, reporting and aggregate data may remain available in your LinkedIn Ads account in accordance with the settings there.

13

Recipients and third-country transfers

Recipients or categories of recipients can in particular be:

  • internal bodies of uxspire GmbH, insofar as this is necessary for processing your enquiry or for contract performance
  • Cloudflare for website hosting, Pages Functions, private R2 storage of contact form submissions, consent proof and application attachments, security and performance services, Web Analytics after consent as well as R2/CDN for survey assets
  • Microsoft Azure for hosting, database, Key Vault, authentication infrastructure, email dispatch, logging and monitoring of the SaaS application
  • Stripe companies for price administration, billing, checkout, contract and payment processing
  • Google for Google Ads and the Google tag after marketing consent as well as LinkedIn for marketing purposes, insofar as the service is activated later and you have consented
  • Discord for internal notifications about website form enquiries and applications
  • tax advisors, legal advisors, authorities and other bodies, insofar as we are legally obliged to do so or legitimate interests require this

Some recipients also process data outside the EU or the EEA, in particular in the USA. Third-country transfers only take place in accordance with Art. 44 et seq. GDPR. Where available, these transfers are based on an adequacy decision, in particular the EU-U.S. Data Privacy Framework, or on standard contractual clauses and supplementary protective measures.

13a. Processors and sub-processors for uxspire

Insofar as we process personal data for customers on behalf, additionally the respective data processing agreement and Art. 28 GDPR apply. The public listing serves transparency about essential service providers and sub-processors; the legally binding approval, change notices and objection periods must be regulated in the DPA or in its annexes.

The following list contains the service providers derivable from code, website functions and Terraform. Provider data protection notices and DPA pages are linked, insofar as publicly available.

Provider / service Role Purpose Data categories Location / status
Microsoft Ireland Operations Ltd. / Microsoft Azure
Privacy · Microsoft DPA
Processor or sub-processor Hosting of the SaaS application on Azure Container Apps, PostgreSQL database, Key Vault, Log Analytics, Application Insights, Microsoft Entra External ID and Better-Auth integration Account, contract, workspace, configuration, event, survey, VoC, target group study, response, cluster assignment, log and security data EU hosting; the Azure region is set via deployment configuration. Microsoft DPA and data protection provisions apply including the transfer mechanisms described therein. The specific production region used and relevant support/diagnostic data processing are documented per deployment and reflected in customer or DPA information.
Microsoft Azure Communication Services
Privacy · Microsoft DPA
Processor or sub-processor, insofar as Azure email is used productively Transactional emails, system messages, invitations and delivery logs of the SaaS application Email address, message content, dispatch status, technical delivery data Production default of the SaaS stack: mail provider azure. The ACS data location is configurable via Terraform mail_data_location; user engagement tracking is deactivated in the Terraform default. The production ACS data location is documented per deployment and reflected in customer or DPA information.
Cloudflare, Inc. / Cloudflare R2 and CDN
Privacy · DPA
Processor or sub-processor Website hosting and Pages Functions, processing of contact forms, private storage of contact form submissions, consent proof and application attachments in R2, delivery, storage and caching of website and survey assets, security and performance functions as well as Cloudflare Web Analytics after consent IP address, request and security logs, contact form request data, contact form content, consent ID, consent choices, timestamp, language, accessed path, referrer, browser, operating system and device information, performance and load-time data, application attachments, asset files, technical request data Cloudflare R2 is used productively with EU jurisdiction. The Cloudflare DPA describes the Data Privacy Framework, standard contractual clauses and further protective measures for restricted transfers.
Stripe Technology Europe, Limited / Stripe Payments Europe, Limited and affiliated Stripe companies
Privacy · DPA
Recipient; depending on the processing, own controller and/or processor Price administration, checkout, customer portal, subscription and payment processing, fraud prevention, webhooks Contact, company, invoice, payment, transaction, device and compliance data EU/Ireland with possible intra-group third-country references. Not to be classified as a pure sub-processor.
Discord, Inc.
Privacy
Recipient for internal notifications Internal notification about new website contact form enquiries and applications via separate webhooks or channels Notification metadata: contact reason or category, source, timestamp, internal R2 reference and indication whether an attachment exists; names, email addresses, phone numbers, messages, file names and attachments are not transmitted to Discord Discord processes notification metadata under its own privacy terms with possible third-country references. Access to internal channels is organisationally restricted to management. Form contents and application attachments remain in Cloudflare R2 and are not transmitted to Discord.

In this presentation, Google and LinkedIn are not sub-processors of the uxspire SaaS, but recipients for our own marketing and analytics processing. Google Ads is only loaded after marketing consent; LinkedIn is currently not actively embedded.

14

Storage period

Unless otherwise regulated in the individual sections, we store personal data only as long as this is necessary for the respective purpose or statutory retention obligations exist.

  • Security and error logs: regularly up to 14 days
  • General contact enquiries: regularly up to 12 months after final processing
  • Application documents and application attachments: regularly no later than after 180 days
  • Consent settings and consent proof: until change/withdrawal, renewed request or regular deletion after 365 days at the latest
  • Web Analytics data: according to provider information, dashboard access regularly for the previous 6 months; unsampled beacon data for 7 days and subsequently aggregated
  • Demo, account and contract master data as well as records of accepted contractual documents: generally for the contract term and subsequently in accordance with statutory retention and limitation periods
  • Invoices and accounting vouchers: regularly 8 years from the end of the calendar year
  • Commercial and business letters as well as comparable correspondence: regularly 6 years from the end of the calendar year

Longer storage can take place if this is necessary for the assertion, exercise or defence of legal claims or to fulfil legal obligations.

15

Rights of data subjects

Within the scope of the statutory requirements, you have in particular the following rights:

  • Access to the processed personal data (Art. 15 GDPR)
  • Rectification of inaccurate or completion of incomplete data (Art. 16 GDPR)
  • Erasure of your data, insofar as the requirements are met (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection to processing on the basis of Art. 6(1)(f) GDPR (Art. 21 GDPR)
  • Withdrawal of granted consents with effect for the future (Art. 7(3) GDPR)
  • Complaint to a data protection supervisory authority (Art. 77 GDPR)

If you would like to assert a right, a message to the contact details stated under this Privacy Policy is sufficient.

Contact for data protection questions

Email: