This Privacy Statement explains how Tenzir GmbH and its affiliates (“Tenzir”, “we”, “us”, "our") collect and use data from you (also “user” or “customer”) while you are browsing on our company website https://tenzir.com/ (“Website”), visiting our hosted platform at https://app.tenzir.com/ (“Platform”), or, navigate to our documentation at https://docs.tenzir.com (“Documentation”).

Data Controller

The controller under data protection law is Tenzir GmbH, Nagelsweg 41, 20097 Hamburg, Germany, info@tenzir.com, +49 40 209337260; entry in the commercial register under commercial register number HRB 148081; register court: Hamburg Local Court.

Collection and Processing of Personal Data

When visiting and using our Website, Platform and Documentation, we collect personal data from you. Personal data in the meaning of Art. 4 EU General Data Protection Regulation (GDPR) is any information relating to an identified or identifiable natural person, such as names, addresses, or email addresses.

Children’s Privacy

Our Website, Platform and Documentation are not directed to persons under the age of 16. We do not knowingly collect data from children. If we discover that we have collected data from children, we will delete it immediately. If you believe that we have processed such data, please contact us at legal@tenzir.com.

Special Categories of Personal Data

We do not process any special categories of personal data (e.g., data concerning racial or ethnic origin, political opinions, religious beliefs, health, or sexual orientation) unless you provide your explicit consent in accordance with Art. 9 para. 2 lit. a GDPR. Should this become necessary, we will inform you in advance and obtain your explicit consent.

Purpose and Legal Basis of Processing

We use your data only if necessary and only for a specified purpose. This may include preparing or concluding a contract between you and Tenzir or facilitating the use of our consulting and support services.

Unless otherwise stated in this Privacy Statement, the collection and processing of your personal data is based on legitimate interests according to Art. 6 para. 1 p. 1 lit. f. GDPR. These processing operations serve the legitimate interests of our company or a third party, such as ensuring the functionality and security of our services, improving the user experience, or fulfilling contractual obligations. We have conducted a balancing test to confirm that these interests do not override your fundamental rights and freedoms. Data processing occurs only when your rights do not prevail over our legitimate interests.

Data Transfers to Non-Eu Countries

While processing your personal data, we may transfer it to non-EU countries, such as the USA. The EU Commission issued an adequacy decision under Article 45 para 3 of the GDPR on July 10, 2023, ruling that the USA ensures an adequate level of protection for personal data transferred from the EU to companies based in the USA within the new EU-US Data Privacy Framework, provided that the respective company is certified under the EU-U.S. Data Privacy Framework.

Privacy Policy for Website Users

1) General Information

In the following, we provide you with an overview of which personal data is processed when you visit our website and don’t use our Platform. We explain the extent to which personal data is processed, for what purposes, on what legal basis and for how long it is stored. The processing of your personal data may be based on the following legal bases:

• Art. 6 para. 1 p. 1 lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing operation. 

• If the processing of personal data is necessary for the performance of a contract to which you are a party, the processing is based on Art. 6 para. 1 p. 1 lit. b GDPR. The same applies to processing operations that are necessary for the performance of pre-contractual measures. 

• If we are subject to a legal obligation that requires the processing of personal data, the processing is based on Art. 6 para. 1 p. 1 lit. c GDPR. 

• Ultimately, processing operations could be based on Art. 6 para. 1 p. 1 lit. f GDPR. 

2) Web Hosting

We host Website with Framer B.V., Rozengracht 207 B, 1016 LZ Amsterdam, Netherlands (“Framer”), which collects the following information: 

• Types of data processed: Device and usage information (e.g., IP addresses, log data); other service-generated data and contact data.

• Data subjects: Users (e.g., website visitors, users of online services).

• Purposes of processing: Provision of online offer.

• Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f GDPR); our legitimate interest lies in providing reliable and secure web hosting services. We have conducted a balancing test and concluded that the processing is necessary for the operation of the website and does not disproportionally affect your rights and freedoms.

• Security measures: Framer implements and maintains technical and organizational security measures designed to protect its customer’s data from security incidents and to preserve its security and confidentiality; for more information see Framer’s security information.

Framer may process data in the USA. To ensure compliance with the GDPR, data transfers are governed by the European Commission’s Standard Contractual Clauses (SCC) and additional safeguards, as detailed in Framer's Data Processing Agreement (DPA). These measures ensure that your data receives the same level of protection as within the European Economic Area (EEA). You can also consult Framer's Privacy Policy for further details on their privacy practices.

3) Contact and Inquiry Management

When contacting us (e.g., via contact form, email, telephone or social media) as well as in the context of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary to respond to the contact requests and any requested measures.

The response to the contact inquiries as well as the management of contact and inquiry data in the context of contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or to respond to (pre)contractual inquiries and otherwise on the basis of legitimate interests in responding to the inquiries and maintaining user or business relationships.

• Types of data processed: Inventory data (e.g., names, addresses); contact data (e.g., email, telephone numbers); content data (e.g., entries in online forms).

• Data subjects: Communication partners.

• Purposes of processing: Contact requests and communication.

• Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR); Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).

3.1) Contact Form

Our Website contact form gives you the possibility to contact us directly. 

• Types of data processed: First and last name, email address, company name, job title, message.

• Data subjects: Website visitors

• Purposes of processing: The ability to respond to inquiries, and optionally the ability to subscribe to our newsletter

• Security measures: Encryption via HTTPS

• Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR); Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).

3. 2) Newsletter

We use MailerLite for our newsletter subscription management. 

Double-Opt-in: The subscription process for our newsletter involves a double-opt-in procedure. This means you will receive an email after subscribing in which you are asked to confirm your subscription. This confirmation is necessary to ensure that no one can subscribe with someone else's email address.

Option to object (Opt-out): You can cancel the receipt of our newsletter at any time, i.e., revoke your consent or object to further receipt. You will find a link to cancel the newsletter either at the end of each newsletter or you can otherwise use one of the above contact options, preferably email, for this purpose.

• Types of data processed: Name, email address 

• Data subjects: Website visitors

• Purposes of processing: Direct marketing via email

• Security measures: Encryption via HTTPS

• Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a. GDPR)

Please note that MailerLite also processes data in the USA. The data processing conditions comply with the EU’s SCCs and are further regulated in MailerLite's DPA. Furthermore, MailerLite is part of the Data Privacy Framework. You can also consult MailerLite's Privacy Policy for further details on their privacy practices.

4) Third Party Integration

Based on your consent within the meaning of Art. 6 para. 1 p. 1 lit. a GDPR or our legitimate interest according to Art. 6 para. 1 p. 1 lit. f GDPR we integrate content and services (hereinafter uniformly referred to as "content").

This always presupposes that the third-party providers of this content are aware of the IP address of the user, as they would not be able to send the content to their browser without the IP address. The IP address is therefore required to display this content. We endeavor to only use content whose respective providers only use the IP address to deliver the content. 

We use Framer B.V.’s, Rozengracht 207 B, 1016 LZ Amsterdam, Netherlands (“Framer”) built-in analytics to understand how users interact with our website. Framer B.V., Singel 542, 1017 AZ Amsterdam, The Netherlands, does not require cookies and is fully compliant with GDPR, CCPA, and PECR. Framer's analytics are hosted in the EU and operate on European-owned cloud infrastructure. Please refer to Framer’s Privacy Policy for a complete list of collected metrics.

• Types of data processed: IP address; page URL; HTTP referrer; browser; operating system, device type, location.

• Data subjects: Users (e.g., website visitors, users of online services).

• Purposes of processing: Collection of aggregate statistics on top sources, top pages, locations, and devices.

• Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f GDPR) to understand user interactions with our website.

• Security measures: Anonymization techniques, including hashing and truncation of IP addresses, to ensure privacy compliance.

Privacy Policy for Platform Users

1) General Information

In the following, we provide you with an overview of which personal data is processed when you visit our website and engage with the services of our Platform. We explain the extent to which personal data is processed, for what purposes, on what legal basis and for how long it is stored.

The processing of your personal data may be based on the following legal bases:

• Art. 6 para. 1 p. 1 lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing operation.

• If the processing of personal data is necessary for the performance of a contract to which you are a party, the processing is based on Art. 6 para. 1 p. 1 lit. b GDPR. The same applies to processing operations that are necessary for the performance of pre-contractual measures.

• If we are subject to a legal obligation that requires the processing of personal data, the processing is based on Art. 6 para. 1 p. 1 lit. c GDPR.

• Ultimately, processing operations could be based on Art. 6 para. 1 p. 1 lit. f GDPR. These processing operations serve the legitimate interests of our company or a third party, and only if the interests do not outweigh the fundamental rights and freedom of the individual person (user).

2) Web Hosting

We host our Platform with Vercel. Vercel collects the following information: 

• Types of data processed: Device and usage information (e.g., IP addresses, log data); other service-generated data and contact data.

• Data subjects: Users (e.g., website visitors, users of online services).

• Purposes of processing: Provision and maintenance of reliable and secure app hosting services, ensuring the proper functioning of Platform.

• Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f GDPR); our interest lies in providing a stable, reliable, and secure hosting environment for Platform. A balancing test has been conducted to ensure that your fundamental rights and freedoms are not disproportionately impacted by this processing activity.

• Security measures: Vercel implements state-of-the-art technical and organizational measures to protect customer data, including encryption, access controls, and regular security assessments. For further information, for more information see Vercel’s security FAQ.

Please note that Vercel Inc. also processes data in the USA. The data processing conditions comply with the EU’s standard contractual clauses (SCC) and are further regulated in Vercel's DPA. You can also consult Vercel's Privacy Policy for further details on their privacy practices.

3) Log-In and User Management

The Platform needs some personal data for authentication and user management. We use Auth0, with support for two types of authentication: (1) username and password, and (2) single sign-on.

Log-In via username and password

We collect the following information:

• Types of data processed: username, mail address, password

• Data subjects: Users (e.g., website visitors, users of online services).

• Purposes of processing: Log-In and user management

• Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f GDPR); our interest lies in offering our Platform service

Log-In via Single Sign-On

To make it easier for you to access our Platform, we offer you the option to sign in using your Google, GitHub, or Microsoft account via single sign-on. This sign-in process allows you to use the same account that you already use for other services from these providers.

If you choose to sign in via single sign-on, we will retrieve some information from your chosen provider. This information typically includes:

• Types of data processed: name, mail address, possibly profile picture

• Data subjects: Users (e.g., website visitors, users of online services).

• Purposes of processing: Log-In

• Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a GDPR)

We use this information to verify your account and grant you access to our Platform. We do not store any other personal data from your provider.

However, please note that data protection and data processing in connection with the use of single sign-on are subject to the data protection provisions of your chosen providers. We would therefore like to point out that we have no influence on the way your chosen provider collects and processes your personal data. We therefore strongly recommend that you read the privacy statements of the respective provider to find out how your personal data is handled.

Privacy statement Google: Google Privacy Statement

Privacy statement GitHub: GitHub General Privacy Statement - GitHub Docs

Privacy statement Microsoft: Microsoft Privacy Statement – Microsoft privacy

4) Product Analytics   

We are in the process of implementing product analytics and will update this section once the changes go live.

5) Third Party Integration

Based on your consent within the meaning of Art. 6 para. 1 p. 1 lit. a GDPR or our legitimate interest according to Art. 6 para. 1 p. 1 lit. f GDPR we integrate content and services. This always presupposes that the third-party providers of this content are aware of the IP address of the user, as they would not be able to send the content to their browser without the IP address. The IP address is therefore required to display this content. We endeavor to only use content whose respective providers only use the IP address to deliver the content.

Privacy Policy for Documentation Users

1) General Information

In the following, we provide you with an overview of which personal data is processed when you visit websites that host our documentation data. We explain the extent to which personal data is processed, for what purposes, on what legal basis and for how long it is stored. 

The processing of your personal data may be based on the following legal bases:

• Art. 6 para. 1 p. 1 lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing operation.

• If the processing of personal data is necessary for the performance of a contract to which you are a party, the processing is based on Art. 6 para. 1 p. 1 lit. b GDPR. The same applies to processing operations that are necessary for the performance of pre-contractual measures.

• If we are subject to a legal obligation that requires the processing of personal data, the processing is based on Art. 6 para. 1 p. 1 lit. c GDPR.

• Ultimately, processing operations could be based on Art. 6 para. 1 p. 1 lit. f GDPR. These processing operations serve the legitimate interests of our company or a third party, and only if the interests do not outweigh the fundamental rights and freedom of the individual person (user).

2) Web Hosting

We host Documentation on GitHub Pages, Github B.V., Prins Bernhardplein 200, Amsterdam, 1097JB, Netherlands, collects the following information: 

• Types of data processed: Content data (e.g., entries in online forms); Usage data (e.g., web pages visited, interest in content, access times); meta/communication data (e.g., device information, IP addresses)

• Data subjects: Users (e.g., website visitors, users of online services).

• Purposes of processing: Provision of online offer and user-friendliness

• Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f GDPR); our interest lays in offering our documentation service

• Security measures: industry-standard security measures to protect data, including encryption of data in transit (TLS/SSL), regular security audits, access controls, and monitoring for unauthorized access attempts.

Please note that GitHub B.V. may also transfer and process data in the USA. The receiver of such data is GitHub Inc., 88 Colin P Kelly Jr St, San Francisco California 94107. GitHub Inc. is certified under the EU-US-Data Privacy Framework and its privacy statement can be found here: GitHub General Privacy Statement - GitHub Docs.                

3) Analytics

We use Plausible as a lightweight and open source web analytics solution. Plausible Insights OÜ, Västriku tn 2, 50403, Tartu, Estonia, does not require cookies and is fully compliant with GDPR, CCPA and PECR. Plausible is made and hosted in the EU, powered by European-owned cloud infrastructure. Please refer to Plausible's Privacy Policy for a complete list of collected metrics.

• Types of data processed: IP address; page URL; HTTP referrer; browser; operating system, device type, location

• Data subjects: Users (e.g., website visitors, users of online services).

• Purposes of processing: collection of aggregate statistics on top sources, top pages, locations, and devices.

• Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f GDPR) lays in the understanding of the interaction with our website

• Security measures: running data points through a hash function with a rotating salt and generating a random string of letters and numbers (anonymization of the IP addresses).

4) Third Party Integration

Based on your consent within the meaning of Art. 6 para. 1 p. 1 lit. a GDPR or our legitimate interest according to Art. 6 para. 1 p. 1 lit. f GDPR we integrate content and services, such as reCAPTCHA or fonts (hereinafter uniformly referred to as "content").

This always presupposes that the third-party providers of this content are aware of the IP address of the user, as they would not be able to send the content to their browser without the IP address. The IP address is therefore required to display this content. We endeavor to only use content whose respective providers only use the IP address to deliver the content.

Further Data Processing Procedures

1. Unsolicited Applications

When you apply to us, we use the personal data you provide to process your application and to respond to you accordingly. In addition, we may receive personal data about you from your previous employer or other reference. You can explore our current job openings on our careers page, where you can find all available positions and submit your application directly. 

• Types of data processed: All data provided by the applicant as part of their application; publicly available information (e.g., from the internet or social networks).

• Data subjects: Applicants submitting unsolicited applications.

• Purposes of processing: Evaluation of suitability for potential roles and execution of the application process.

• Legal basis: Contract initiation or execution (Art. 6 para. 1 p. 1 lit. b GDPR); compliance with labor law obligations (Art. 9 para. 2 lit. b and h GDPR); internal HR processes (Art. 88 para. 1 GDPR).

• Recipients of personal data: Authorized personnel involved in the application process, such as HR staff and relevant department leads; external service providers–we use Personio SE & Co. KG Seidlstraße 3 80335 Munich, Germany, as a human resources management tool; for further information, please refer to Personio’s Privacy Notice. 

• Retention period: Personal data will be deleted 180 days after receipt of the application. In cases where the application is withdrawn, data will be deleted immediately.

• Security measures: Data is securely stored in compliance with GDPR and is accessible only to authorized personnel for the purposes outlined above.

2. Customers’ Data

• Types of Data Processed: Data provided for contract initiation and execution; Additional data processed based on explicit consent (e.g., when using the contact form on our website).

• Data Subjects: Individuals involved in contract initiation or execution.

• Purposes of Processing: Contract initiation and execution, including offers, orders, sales, and invoicing; Quality assurance.

• Legal Basis: Contract initiation or execution (Art. 6 para. 1 p. 1 lit. b GDPR); Consent of the data subject (Art. 6 para. 1 p. 1 lit. a GDPR).

• Recipients of Personal Data: Public Authorities when required by overriding legal provisions; external service providers and contractors; Additional External Parties,  When the data subject has given consent or where legitimate interests allow it;

• Third-Country Transfers: In the context of contract initiation and execution, data may be processed by service providers outside the European Union, including but not limited to email providers.

• Retention Period: Personal data is retained in accordance with statutory retention obligations, typically for 10 years.

• Security Measures: Data is securely stored in compliance with GDPR and is accessible only to authorized personnel for the specified purposes.

Data Retention

Based on the principle of data avoidance and data economy, we retain your data for as long as it is necessary for us to perform a service that you have requested or for which you have granted your permission, unless legal requirements oblige us to retain your data for a longer period (e.g., storage periods according to trade or tax regulations).

Your Rights

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6 para 1 GDPR, including profiling based on those provisions. If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

You are at any time entitled to request information on what data we store about you (Art. 15 GDPR) and ask for rectification (Art. 16 GDPR), deletion (entirely or partially, Art. 17 GDPR), the right to restriction of processing (Art. 18 GDPR), to transfer your data in a machine-readable format to you or another provider (Art. 20 GDPR) and the right to object (Art. 21 GDPR). 

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format in accordance with the legal requirements or to request its transmission to another controller.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the provisions of the GDPR.

In case the processing of personal data is subject to your consent, you have the right to revoke this consent granted under data protection law in accordance with Art. 7 para 3 GDPR. To exercise your rights as a data subject in relation to the data processed for the operation of this website, please direct your concern to legal@tenzir.com. Should you consider the processing of your personal data as unlawful, you can directly submit your complaint (Art. 77 GDPR) with the responsible supervisory authority. The supervisory authority responsible for us is the Hamburg Commissioner for Data Protection and Freedom of Information, Ludwig-Erhard-Str. 22, 7th floor, 20459 Hamburg; +49 40 42854 4040; mailbox@datenschutz.hamburg.de; https://www.datenschutz-hamburg.de.

Updates & Changes

The continuous development of legal requirements and technical or organizational measures makes it necessary for us to apply changes in this Privacy Statement from time to time. We reserve all rights to do so at any time. Hence, we kindly ask you to read this Privacy Statement before using our service.