Privacy Policy

This Privacy Policy explains which types of your personal data we process, for what purposes, and to what extent. This Privacy Policy applies to all data processing activities carried out by us.

Last updated: February 8, 2026

Table of Contents

  1. Data Controller
  2. Overview of Processing
  3. Legal Basis
  4. Security Measures
  5. Data Transfers
  6. Data Retention
  7. Your Rights
  8. Registration and Login
  9. Transactions and Payments
  10. Ratings and Reviews
  11. Payment Service Providers
  12. Hosting and Infrastructure
  13. Contact

1. Data Controller

Philipp Riedele Digital Solutions
Sole Proprietor
Philipp Riedele
Rieden 22
88317 Aichstetten
Germany

Email: [email protected]

Legal Notice: /legal/impressum

2. Overview of Processing

The following overview summarizes the types of data processed and the purposes of their processing.

Types of Data Processed

  • Identity data (e.g. names, addresses)
  • Contact data (e.g. email addresses, phone numbers)
  • Content data (e.g. reviews, text inputs)
  • Contract data (e.g. subject of contract, duration)
  • Payment data (e.g. bank details, invoices, PayPal email)
  • Usage data (e.g. visited pages, access times)
  • Meta/communication data (e.g. IP addresses, timestamps)

Categories of Data Subjects

  • Buyers
  • Sellers
  • Communication partners
  • Users (e.g. website visitors)

Purposes of Processing

  • Provision of our online services and user experience
  • Fulfillment of contractual obligations and customer service
  • Contact requests and communication
  • Security measures
  • Administration and response to inquiries
  • Processing of transactions and payments
  • Rating and reputation system

4. Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, considering the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, to ensure a level of protection appropriate to the risk.

Measures include:

  • Encryption of data transmission (SSL/TLS)
  • Encrypted storage of passwords (bcrypt hashing)
  • Encrypted storage of codes in the database
  • Access control and authentication (JWT)
  • Regular security updates
  • Logging of security-relevant events

5. Data Transfers

In the course of processing personal data, it may occur that data is transmitted to or disclosed to other entities, companies, or persons. Recipients of this data may include service providers entrusted with IT tasks or providers of services and content integrated into a website.

Data recipients:

  • Stripe: Payment processing (USA, adequate data protection level)
  • PayPal: Seller payouts (EU, Luxembourg)
  • Mailjet: Transactional emails (EU, France)
  • IONOS: Server hosting (Germany)

Data transfers to third countries: Where we process data in a third country (outside the EU/EEA), this is done on the basis of Standard Contractual Clauses (Art. 46 GDPR) or an adequacy decision by the EU Commission.

6. Data Retention

Data processed by us will be deleted in accordance with legal requirements as soon as the consent for processing is revoked or other permissions cease to apply.

Retention periods:

  • Account data: As long as the account is active, plus 30 days after deletion
  • Transaction data: 10 years (statutory tax retention obligation)
  • Ratings: Permanently (legitimate interest in transparency)
  • Logs and records: 90 days
  • Payment data: In accordance with payment service provider requirements

7. Your Rights

As a data subject, you have the following rights under the GDPR:

  • Right of access (Art. 15 GDPR): You have the right to obtain confirmation as to whether personal data is being processed and to receive information about that data.
  • Right to rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate data or the completion of incomplete data.
  • Right to erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data without undue delay.
  • Right to restriction (Art. 18 GDPR): You have the right to request the restriction of processing.
  • Right to data portability (Art. 20 GDPR): You have the right to receive your data in a structured, commonly used, and machine-readable format.
  • Right to object (Art. 21 GDPR): You have the right to object to the processing of your data at any time on grounds relating to your particular situation.
  • Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority. You may contact the supervisory authority of your usual place of residence or of our business location.

Contact for data requests: [email protected]

8. Registration, Login, and User Account

Types of data processed:

  • Identity data (e.g. name)
  • Contact data (e.g. email address)
  • Content data (e.g. codes, ratings)
  • Meta/communication data (e.g. IP address, timestamp)

Data subjects: Users, Buyers, Sellers

Purposes: Provision of our online services, fulfillment of contractual obligations, security measures, administration and response to inquiries.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

Users may create an account. During registration, users are informed of the required mandatory fields, which are processed for the purpose of providing the user account. Data processed includes email address, name (optional), and password (stored in encrypted form).

9. Transactions and Payment Processing

Types of data processed:

  • Contract data (e.g. purchased code, price)
  • Payment data (e.g. Stripe Payment ID)
  • Contact data (e.g. email address)
  • Usage data (e.g. purchase timestamp)

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR), Legal obligation (Art. 6(1)(c) GDPR).

In the context of contractual and other legal relationships, we process transaction data to process payments and pay out sellers. Data is shared with payment service providers (Stripe, PayPal).

Retention period: Transaction data is retained for 10 years (statutory tax retention obligation pursuant to Sections 147 AO, 257 HGB).

10. Ratings and Reviews

Types of data processed:

  • Content data (e.g. POSITIVE/NEGATIVE rating, comments)
  • Contract data (e.g. rated transaction)
  • Usage data (e.g. rating timestamp)

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

Users may submit ratings for purchased codes. Ratings are displayed publicly and affect the Seller Score. We process this data to create transparency and help buyers make informed purchase decisions.

Deletion of ratings: Ratings are stored permanently unless they violate applicable law or are demonstrably false.

11. Payment Service Providers

Stripe

Provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)

Privacy Policy: https://stripe.com/privacy

PayPal

Provider: PayPal (Europe) S.a r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)

Privacy Policy: https://www.paypal.com/webapps/mpp/ua/privacy-full

12. Hosting and Infrastructure

Types of data processed:

  • Usage data (e.g. visited pages, access times)
  • Meta/communication data (e.g. IP addresses)
  • Content data (e.g. stored codes, transactions)

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)

Hosting provider: IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany

Database: MariaDB, hosted on the same IONOS server in Germany

Email service: Mailjet SAS, 13-13bis rue de l'Aubrac, 75012 Paris, France (for transactional emails)

To provide our online services securely and efficiently, we use the services of hosting providers. All servers are located in Germany (EU). No data is transferred to third countries for hosting purposes.

13. Contact

Types of data processed:

  • Contact data (e.g. email address, name)
  • Content data (e.g. message text)
  • Meta/communication data (e.g. timestamp)

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR), Performance of a contract (Art. 6(1)(b) GDPR)

When contacting us (e.g. by email), the data of the requesting person is processed to the extent necessary for responding to the contact request.

Retention: Inquiries are deleted after resolution and expiry of any statutory retention periods (typically 3 years).

Last updated: February 8, 2026

Data Controller: See Legal Notice