Privacy Policy

1. Controller and Contact

ellamind GmbH ("we", "us", "our") is the controller for processing personal data on this website and related online presences.

2. Purposes and Legal Bases (GDPR Art. 6)

• Website delivery and security (server logs, fraud and abuse prevention): legitimate interests (Art. 6(1)(f) GDPR).
• Contact requests (contact form, email): performance of a contract or steps prior to entering into a contract (Art. 6(1)(b) GDPR) and legitimate interests in responding to B2B inquiries (Art. 6(1)(f) GDPR).
• Cookie-based analytics (PostHog, incl. heatmaps and session replay): consent (Art. 6(1)(a) GDPR) and prior consent for device access/storage under Sec. 25 TDDDG (DE). Analytics only runs after you consent in our cookie banner.
• Error logs and availability monitoring: legitimate interests (Art. 6(1)(f) GDPR).

3. Categories of Data We Process

• Identification and contact details (e.g., name, business email)
• Content of messages submitted via forms
• Technical data (IP address, timestamp, URL, referrer, user agent, device/browser metadata)
• Cookie/consent preferences if you provide consent (analytics only)

4. Cookies and Consent (Sec. 25 TDDDG)

We use essential cookies that are necessary to provide the website (e.g., access control cookie for the login gate). These do not require consent. We only set non-essential analytics cookies after your prior consent via our cookie banner.

• Essential: Access/session cookie for gated access (strictly necessary).
• Analytics (PostHog EU): Set only after consent; used to understand website usage and interactions (including heatmaps and session replays). You can withdraw consent at any time.

5. Recipients and Processing in Third Countries

• Hosting/CDN: Vercel (EU data residency enabled). Technical logs may be processed for security and reliability.
• Analytics: PostHog EU Cloud for analytics (including session replay and heatmaps), only after consent. Data is processed in the EU according to the provider’s EU setup.
• Contact form routing: Slack Technologies (notification via webhook) to route B2B requests internally. This may involve data transfer to the US under Standard Contractual Clauses (Art. 46 GDPR).

Where providers are located outside the EU/EEA or access from there may occur, we rely on appropriate safeguards (especially EU Standard Contractual Clauses) and implement additional measures where appropriate.

6. Retention

We retain personal data only as long as necessary for the purposes outlined above or as required by law. Contact requests are retained as long as needed to respond and to comply with statutory retention obligations. Server and security logs are retained for a period appropriate to security and operational requirements and deleted when no longer needed. Analytics data is retained as long as needed for the stated purposes and/or until you withdraw consent; thereafter we may keep aggregated, non-personal statistics.

7. Your Rights (GDPR Art. 15–22)

• Access, rectification, erasure
• Restriction of processing and data portability
• Right to object to processing based on Art. 6(1)(f) GDPR
• Right to withdraw consent at any time (affects future processing)
• Right to lodge a complaint with a supervisory authority; our lead authority is the Data Protection Authority in Bremen, Germany: Der Landesbeauftragte für Datenschutz und Informationsfreiheit, Arndtstraße 1, 27570 Bremerhaven, Germany, Tel. +49 421 3612010 or +49 471 5962010, Email: office@datenschutz.bremen.de.
• We do not carry out automated decision-making within Art. 22 GDPR.

8. Changes to This Notice

We may update this privacy notice from time to time. The current version applies. Material changes will be highlighted where appropriate.

9. Contact

For privacy questions or to exercise your rights, contact our DPO at datenschutz@heydata.eu or the controller at info@ellamind.com, or by post at the controller address above.