Privacy policy
This privacy policy provides information on the nature, scope, and purpose of the processing of personal data (hereinafter referred to as "data") in connection with our online services — including our website, platform features, customer communication, and external online presences — as well as the provision of our core product: interactive email technology.
Section I: Person responsible and overview of data processing
Responsible:
Excyte
Fürstenackerstr. 5
81477 Munich
Germany
Managing Director: Josef Bichlmeier
Phone: +49 176 19352112
Imprint: https://www.excyte.co/imprint
The controller is hereinafter referred to as "we" or "us".
Description of our core services:
We offer a platform for creating and delivering interactive emails that allow end users to complete actions such as shopping, submitting reviews, or managing subscriptions directly within the email itself. When you use our platform, we process personal and usage data required to create, customize, and deliver these interactive email experiences.
If you contact us via our website or sign up for early access or product updates, we collect and store your contact details and any additional information you voluntarily provide. This information is used to respond to your inquiry, provide updates, or schedule a demo.
If you are a business customer using our services, we process data such as names, email addresses, and campaign content to enable interactive elements inside your emails. Depending on your use case, we may also process product or customer data (e.g., product IDs, order history) in order to render personalized experiences inside the email.
We do not sell or share your data with third parties unless required for the provision of our services (e.g., email delivery, analytics, or hosting infrastructure). In such cases, we only work with carefully selected and GDPR-compliant partners.
Consent:
Consent form:
By submitting your contact request (by clicking the "Send" button), you agree that we may process your name and contact details (phone number and email address) to process your request and contact you.
Right of revocation:
Consent can be revoked at any time without any formalities, e.g. by email to info@excyte.co or by letter to Excyte Josef Bichlmeier, Fürstenackerstr. 5, 81477 Munich, with effect for the future.
Types of data processed:
- Inventory data (e.g. names, company names, roles)
- Contact details (e.g. email addresses, telephone numbers)
- Content data (e.g. message contents, uploaded assets, product and campaign data)
- Contract data (e.g. subject matter of the contract, services used, billing information)
- Usage data (e.g. usage of interactive email features, open and click rates, access times)
- Meta/communication data (e.g. device information, browser type, IP addresses)
- Shop/customer data (e.g. product information, shopping cart contents, order status, purchase history, customer IDs)
Purpose of processing:
- Providing access to and functionality of the interactive email platform
- Enabling the creation, customization, and delivery of interactive email content
- Processing data to support e-commerce use cases (e.g. cart building, reviews, subscriptions)
- Handling customer inquiries and communication with users
- Providing contractual services, technical support, and account management
- Marketing, usage analysis, and product improvement
- Ensuring the security and stability of our platform
- Managing applications and recruitment processes
Automated decisions in individual cases (Art. 22 GDPR):
No automated decisions are made in individual cases.
Section II:
Rights of data subjects, legal bases, and general information
Rights of the data subjects:
According to Art. 15 GDPR, you have the right to receive information about the data we process about you.
According to Art. 16 GDPR, you have the right to request the correction of inaccurate or completion of your personal data stored by us.
According to Art. 17 GDPR, you have the right to have your data stored by us deleted.
According to Art. 18 GDPR, you have the right to restrict the processing of your data.
According to Art. 20 GDPR, you have the right to receive your personal data that you have provided to us in a structured, common, and machine-readable format or to request that it be transmitted to another controller.
According to Art. 21 GDPR, you have the right to object to the processing of your personal data.
According to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority.
Right of withdrawal:
You have the right to revoke your consent at any time in accordance with Art. 7 Para. 3 GDPR.
Right of objection:
You can object to the future processing of your data in accordance with Art. 21 GDPR at any time, in particular processing for direct marketing purposes.
Cookies and right of objection in direct marketing:
We use temporary and permanent cookies, i.e. small files that are stored on users' devices (see the last section of this privacy policy for an explanation of the term and function). Some of the cookies we use are for security purposes, are necessary for the operation of our online offering (e.g. to display the website) or for providing evidence (storing decisions and other actions of the user). In addition, we or our technology partners use cookies for the purposes of range measurement and marketing, about which users are informed in this privacy policy.
If users do not want cookies to be stored on their computer, we ask them to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. Excluding cookies can lead to functional restrictions of this online service.
Exclusively automated data processing:
According to Art. 22 GDPR, you have the right not to be subjected to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or significantly affects you in a similar way. We do not carry out any exclusively automated data processing.
Deletion of data and archiving obligations:
The data we process is deleted or restricted in accordance with Art. 17 and 18 GDPR. Unless otherwise stated in this privacy policy, the data stored by us is deleted as soon as it is no longer required for its intended purpose and there are no statutory retention periods to the contrary. If the data is not deleted because it is required for other permissible purposes, its processing will be restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.
In accordance with the statutory provisions, the storage period is in particular for 6 years in accordance with Section 257 Para. 1 HGB (commercial books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting documents, etc.) and for 10 years in accordance with Section 147 Para. 1 AO (books, records, management reports, accounting documents, commercial and business letters, documents relevant for taxation, etc.).
In addition, the data will be stored for a period of three years from the end of the contractual relationship in accordance with the regular statutory limitation periods (§§ 195, 199 BGB), provided that this data could possibly be required for warranty and compensation claims or similar complaints based on previous business experience and standard business processes in the industry.
Changes and updates to this privacy policy:
We ask you to regularly review the content of our privacy policy. We will adapt the privacy policy if changes in the data processing we carry out make this necessary. We will inform you of changes if your cooperation (e.g. consent) or individual notification is required.
Relevant legal bases:
In accordance with Art. 13 GDPR, we inform you of the legal basis for our data processing. Unless stated otherwise in the data protection declaration, the following legal bases apply: The legal basis for obtaining consent is Art. 6 Para. 1 lit. a and Art. 7 GDPR, the legal basis for processing to fulfill our services and carry out contractual measures as well as answering inquiries is Art. 6 Para. 1 lit. b GDPR, the legal basis for processing to fulfill our legal obligations is Art. 6 Para. 1 lit. c GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6 Para. 1 lit. f GDPR. If the processing of personal data is necessary to protect the vital interests of the data subject or another natural person, Art. 6 Para. 1 lit. d GDPR serves as the legal basis.
The basis for commercial communication outside of business relationships, in particular by post, telephone, fax, and e-mail, is contained in Section 7 of the UWG.
Security of data processing:
In accordance with Art. 32 GDPR, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, the implementation costs, and the nature, scope, circumstances, and purposes of processing as well as the varying likelihood of occurrence and severity of the risk to the rights and freedoms of natural persons. The measures include in particular ensuring the confidentiality, integrity, and availability of the data by controlling physical access to the data as well as access, input, transfer, securing availability, and separation of the data. In addition, we have set up procedures to exercise the rights of the data subjects, delete data, and respond to threats to the data. We take the protection of personal data into account when developing or selecting hardware, software, and procedures in accordance with the principle of data protection through technology design and data protection-friendly default settings (Art. 25 GDPR).
The security measures include in particular the encrypted transmission of data between your browser and our server.
Our employees are obliged to comply with data protection, have been instructed and trained on the importance of data protection, and are informed of the possible consequences of data protection violations.
Disclosure and transfer of data:
If, as part of our processing, we disclose, transmit, or otherwise grant access to data to other persons and companies (contract processors or third parties), this will only be done on the basis of a legal permission (e.g. if a transmission of the data to third parties, such as payment service providers, is necessary to fulfill the contract in accordance with Art. 6 Para. 1 lit. b GDPR), if you have given your consent, a legal obligation provides for this, or on the basis of our legitimate interests (e.g. when using service providers, etc.).
If we commission third parties to process data on the basis of a so-called "order processing agreement", this is done on the basis of Art. 28 GDPR.
If we disclose, transmit, or otherwise grant access to data to other companies in our group, this is done in particular for administrative purposes as a legitimate interest and is based on a data processing agreement.
Transfer to third countries:
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or the disclosure or transmission of data to third parties, this will only take place if it is necessary to fulfill our (pre)contractual obligations, based on your consent, due to a legal obligation, or due to our legitimate interests. Subject to legal or contractual permissions, we only process or have the data processed in a third country if the special requirements of Art. 44 ff. GDPR are met. This includes, for example, the determination of an appropriate level of data protection by an officially recognized body or the observance of officially recognized special contractual obligations (so-called "standard contractual clauses").
Joint responsibility according to Art. 26 GDPR:
Excyte, Josef Bichlmeier in accordance with Art. 4 No. 19 GDPR. The legal basis for the joint processing and transmission of personal data is the legitimate interest of the parties involved in accordance with Art. 6 Paragraph 1 Clause 1 Letter f in conjunction with Recital 48 GDPR to transmit personal data within the group of companies for internal administrative purposes, including the processing of personal data of customers and employees. For further information on joint responsibility, please refer to the agreement on joint responsibility for the processing of personal data in the appendix.
This privacy policy was last updated on Jun 25, 2025. Please check the content regularly as changes and updates may be made.
Processing processes
The following section provides an overview of the processing activities we carry out, which we have divided into different areas. Please note that these areas are for guidance only and that there may be overlaps in processing activities (e.g. the same data may be processed in several procedures).
Note: In the appendix to this privacy policy you will find an explanation of frequently used terms to improve clarity and comprehensibility.
I. Core area of data processing
This section provides information about our core services, which include the development, customization, and delivery of interactive email experiences. These services support actions such as product selection, reviews, and subscription management directly within the email. We also provide integration, analytics, and customer success services.
II. Order initiation and offer preparation
We process the information provided by prospective clients and business partners as part of requests for demos, access to our platform, or individual feature development. This processing serves the purpose of initiating, preparing, and if applicable, executing contracts for the use of our interactive email technology.
III. Logging of prospective and customer inquiries
We log the data you provide when requesting a demo, contacting support, or engaging in onboarding or integration discussions. This logging ensures we can meet our legal accountability obligations in accordance with Article 5(2) GDPR.
Data processed:
- Inventory data
- Contact and communication data
- Contract data
- Content data
- Usage and meta data (including IP address, timestamp, and optionally a screenshot of the request)
Special categories of personal data: No
Categories of data subjects: Prospective clients, website visitors, users, customers, business partners
Purpose of processing: Provision of contractual services, customer service, documentation
Legal basis for processing: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (legal obligations)
Necessity/legitimate interest: The data is necessary to initiate and fulfil service agreements and to comply with statutory accountability and documentation requirements.
Further information on processing procedures, methods, and services:
We use cloud services such as Google Cloud Storage, cloud infrastructure services, and cloud-based application software from Google. For more information about Google Cloud privacy policy, please visit: https://cloud.google.com/terms/cloud-privacy-notice
Pipedrive: We use customer relationship management (CRM) and process customer and prospect data for sales purposes. For more information about Pipedrive's privacy policy, see: https://www.pipedrive.com/en/privacy
Deletion of data:
The data is generally deleted 30 days after the purpose has been fulfilled (e.g. cancellation or refusal). Deletion takes place no later than six months after the end of the contract, unless there is a legal obligation to retain data or a different requirement for storing the data. Inventory data and evidence of contractual relationships/consents are stored for up to three years. The necessity of storing the data is reviewed annually. In the case of conflicting legal archiving obligations, deletion takes place after these obligations have expired (e.g. commercial or tax law retention obligations), at
the latest after 6 or 10 years.
IV. External online presences
In this section you will find information about our data processing in connection with external online presences, such as social media.
Online presence in social media
We maintain online presences in social networks and platforms in order to get in touch with our customers, interested parties, and users and to inform them about our services. When visiting these networks and platforms, the terms and conditions and data protection guidelines of the respective operators apply. Unless otherwise stated in our data protection declaration, we process the data of users who communicate with us within the social networks and platforms, e.g. by writing posts on our online presences or sending us messages.
Embedded content and functions
In this section we inform you about which content, software, or functions (short "content") of other providers we embed in our online offering on the basis of Art. 6 Paragraph 1 Letter f of GDPR ("embedding"). This is done to make our online offering more interesting for our users or for legal reasons, e.g. to be able to display videos or social media posts within our online offering. Embedding can also serve to improve the speed or security of the online offering, e.g. when software elements or fonts are obtained from other sources. In all cases, the data processed includes the users' usage and metadata as well as the IP address required to embed the content. The persons affected are the visitors to our online offering, including users, customers, and interested parties. Further explanations of the functions and protective measures can be found at the end of this data protection declaration in the definitions of terms.
V. Web server and security
Hosting
Our website is hosted on a server in a data center within the European Union that is under our control. The data center is operated by a US company with whom a data processing agreement based on the EU standard contractual clauses exists in order to meet the requirements of the GDPR.
server logs
Data processed: Usage data and metadata (name of the website accessed, file, date and time of access, volume of data transferred, notification of successful access, browser type and version, user's operating system, referrer URL, IP address and requesting provider). Special categories of personal data: no. Processing basis: Art. 6 Para. 1 lit. f GDPR. Affected persons: Customers, interested parties, visitors to our website. Purpose of processing: Optimization of server operation and security monitoring. Necessity/interest in processing: Security, business interests.
Processing in third countries: no. Deletion of data: After 7 days from collection.
VI. Payment service providers
In this section we inform you about the data processing we carry out for payment purposes.
PayPal
PayPal is an online payment service provider. We have integrated PayPal components on our website. Payments are processed via so-called PayPal accounts, which are virtual private or business accounts. It is also possible to process virtual payments via credit cards if a user does not have a PayPal account. A PayPal account is managed via an email address; there is no classic account number. PayPal enables online payments to third parties or the receipt of payments. PayPal also acts as a trustee and offers buyer protection services. If the data subject selects the "PayPal" option as a payment method during the ordering process, data is automatically transmitted to PayPal. By selecting this payment option, the data subject consents to the transmission of personal data to PayPal for the purpose of payment processing.
Stripe
Stripe is a technology platform for processing online payments. We use Stripe to handle credit card and other payment transactions on our website. When selecting Stripe as a payment method, payment details and personal data such as name, email address, and billing information are transmitted to Stripe in order to process the payment. Stripe complies with the applicable data protection regulations and offers a high level of security for transaction processing. The transmission of data to Stripe takes place for the purpose of fulfilling the contract and on the basis of the data subject's consent.
Data processed:
Payment data, inventory data, communication data. Processing basis: contract fulfillment (Art. 6 Para. 1 lit. b GDPR) and legitimate interest (Art. 6 Para. 1 lit. f GDPR) in the use of the PayPal payment service. Disclosure to third parties: PayPal may pass on the personal data to affiliated companies and service providers or subcontractors if this is necessary to fulfill the contractual obligations or if the data is to be processed on behalf of them. Data subjects: customers, users, interested parties. Purpose of processing: payment processing, fraud prevention. Processing in third countries: no. Further information:
- PayPal's privacy policy can be found at: https://www.paypal.com/us/legalhub/paypal/privacy-full
- Stripe privacy policy can be found at: https://stripe.com/privacy
Please note that this is intended to be only an excerpt of a privacy policy and may not contain all information or specific details. It is recommended that you have a complete and up-to-date privacy policy drafted by a legal advisor or contact a company specializing in data protection to ensure that your privacy policy complies with legal requirements.
Here is a paraphrase of the content, keeping the content intact:
Payment option via PayPal:
If you use the "PayPal" payment option on our website, data is automatically transmitted to PayPal. This includes the following information: first name, last name, address, email address, IP address, telephone number, mobile phone number and other personal data related to your order. This data is processed using social plugins, permanent cookies, third-party cookies, interest-based marketing, tracking and remarketing. Please note PayPal's privacy policy at the following link: https://www.paypal.com/us/legalhub/paypal/privacy-full
Marketing:
In this section we inform you about the data processing we carry out to optimize our marketing and market research.
Personalized newsletter:
We only send newsletters, emails and other electronic notifications with advertising information (hereinafter "newsletter") with your consent or legal permission. In order to be able to prove your registration, the subscribers' data is logged. In addition to your email address, we may collect further information such as your name in order to personalize the newsletter and adapt it to your interests.
Content of the newsletter:
The content of the newsletter includes information about our services and our company, as stated in the registration form.
Data processed:
When processing the data, inventory data (email address) and usage data (registration time, double opt-in confirmation time, IP address, opening of the email, time and place, time and click on a link in the newsletter) are used. No special categories of personal data are processed.
Processing basis:
The processing of the data is based on Art. 6 Para. 1 lit. a, Art. 7 GDPR and Section 7 Para. 2 No. 3 UWG (shipping & performance measurement) as well as Art. 6 Para. 1 lit. c in conjunction with Art. 7 Para. 1 GDPR (logging, performance measurement, if not part of the consent).
Purpose of processing:
The data is processed for the purpose of sending the newsletter, optimizing the content and proving consent.
Type, scope and functioning of the processing:
Processing is carried out using a web beacon. Providing your email address is required, while the other information is voluntary and serves to personalize and optimize the content. Logging serves to prove consent. For users whose consent includes success measurement, success is measured on the basis of consent and otherwise on the basis of legitimate interests in optimizing the content and for business reasons.
A link to unsubscribe is included in every newsletter.
External disclosure:
The newsletter is sent via the Pipedrive in the USA. For more information, see Pipedrive privacy policy at the following link: https://www.pipedrive.com/en/privacy
Communication via email, messaging platforms, telephone, or postal mail:
We use communication channels such as email, telephone, WhatsApp, Intercom (live chat), Slack, Microsoft Teams, Google Meet, and, where applicable, postal mail to respond to inquiries, provide product information, support onboarding and integration processes, or to initiate, manage, or terminate service relationships related to the use of our interactive email platform.
You may object to communication via WhatsApp, Intercom, Slack, Microsoft Teams or Google Meet at any time by sending an email to info@excyte.co or by using the opt-out or unsubscribe options provided within the respective communication platform, where available.
Data processed:
The data processed includes inventory data, contact data, contract data and content data. No special categories of personal data are processed.
Processing basis:
The processing of the data is based on Art. 6 Para. 1 lit. a GDPR in the case of consent, Art. 6 Para. 1 lit. b GDPR in the case of contact in the context of contract execution and Art. 6 Para. 1 lit. f GDPR in conjunction with legal requirements for advertising communications.
Purpose of processing:
The data is processed for advertising purposes.
Type, scope and functioning of the processing:
Contact will only be made with the consent of the contact partner or within the scope of legal permissions.
Necessity / interest in processing:
The processing serves information and business interests.
External disclosure and purpose:
There is no external disclosure of the data.
Processing in third countries:
Some of the service providers we use (e.g. communication or analytics tools) may process data in third countries outside the European Union (EU) or the European Economic Area (EEA). In such cases, we ensure that the requirements of Art. 44 ff. GDPR are met — for example through the use of EU standard contractual clauses or other recognized safeguards — to ensure an appropriate level of data protection.
Deletion of data:
The data will be deleted if an objection or revocation is made or if the legal basis for contacting us no longer applies. The data of interested parties is stored in accordance with the information on the deletion of the data within the scope of the processing activity mentioned above.
Optimization and security:
We process data to ensure the stability, security, and performance of our platform and to continuously improve the user experience. This includes technical logging, load balancing, error tracking, and anonymized usage analysis to optimize content and user flows.
Access data such as IP address, browser type, access time, and visited pages may be temporarily stored in server log files. This data is processed exclusively for security monitoring (e.g. to detect abusive or fraudulent behavior) and system optimization. The data is automatically deleted after a short retention period unless it is required for security incident resolution.
No personal data is used for optimization purposes unless required for the functionality of the platform or explicitly consented to.
Reach measurement, online marketing and technology partners:
In this section we inform you about the services we use for online marketing and reach measurement. They are used on the basis of Article 6 paragraph 1 letter f of the GDPR and our interest in increasing user-friendliness, optimizing our offering and increasing profitability. In all cases, usage and metadata are processed. Further explanations of the functions and protective measures can be found at the end of this data protection declaration in the definitions of terms. The data is deleted in accordance with the data protection declarations of the technology partners, unless otherwise stated.
V
Further information on processing procedures, procedures and services
Google Tag Manager
Google Tag Manager is a solution that allows us to manage website tags via an interface (e.g. integrating Google Analytics and other Google marketing services into our online offering). The Tag Manager itself (which implements the tags) does not process any personal data of users. Information on the processing of personal data of users can be found in the following information on Google services.
Terms of Use: https://www.google.com/intl/de/tagmanager/usepolicy.html
Google Analytics
We use Google Analytics to measure reach and create target groups.
Data processed: Usage data, metadata, customer ID with us (Google only receives the customer ID as pseudonymous data without the associated inventory data such as the customer's name, address or email). Type, scope, functionality of processing: Permanent cookies, third-party cookies, tracking, interest-based marketing, profiling, custom audiences, remarketing. Special protective measures: Pseudonymization, IP masking, conclusion of a contract processing agreement, opt-out. Opt-out:https://tools.google.com/dlpage/gaoptout?hl=de (browser add-on for Google Analytics),https://adssettings.google.com/ (advertisement settings). External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/. Processing in third countries: No. Deletion of data: 14 months.
Google AdWords
We use Google AdWords to place ads in the Google advertising network and to show them to users who are likely to be interested in the ads (so-called "conversion"). We also measure the success of the ads. However, the success measurement is limited to the anonymous total number of users who clicked on our ad and were redirected to a page that has a measurement point set by us (so-called "conversion tracking tag"). We do not receive any information that can be used to identify users.
External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: Consent (Article 6 Paragraph 1 Sentence 1 Letter a GDPR). Website:https://marketingplatform.google.com. Privacy policy:https://policies.google.com/privacy. Further information: Types of processing and data processed:https://privacy.google.com/businesses/adsservices. Data processing conditions between controllers and standard contractual clauses for third country transfers of data:https://business.safety.google/adscontrollerterms.
Google DoubleClick
We use Google AdWords to measure the success of our ads placed on Google.
Data processed: Usage data, metadata, customer ID with us (Google only receives the customer ID as pseudonymous data without the associated inventory data such as the customer's name, address or email). Type, scope, functionality of processing: Permanent cookies, third-party cookies, tracking, conversion measurement, interest-based marketing, profiling. Special protective measures: Pseudonymization, IP masking, conclusion of a contract processing agreement, opt-out. Opt-out:https://tools.google.com/dlpage/gaoptout?hl=de (browser add-on for Google Analytics),https://adssettings.google.com/ (advertisement settings). External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy:https://www.google.com/policies/privacy/. Processing in third countries: No. Deletion of data: 14 months.
Google Optimize
Our website uses the web analysis and optimization service "Google Optimize" to increase the attractiveness, content and functionality of our website by displaying new functions and content to a percentage of our users and statistically evaluating changes in usage.
Google Optimize is a service that falls under Google Analytics (see Google Analytics section). Using cookies, Google Optimize enables the optimization and analysis of how users use our website. The information on the use of our website generated through these cookies is usually transferred to a Google server in the USA and stored there. We use Google Optimize with activated IP anonymization, which means that your IP address is shortened by Google within the member states of the European Union or in other contracting states to the Agreement on the European Economic Area before transmission. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google uses this information to evaluate the use of our website, compile reports on optimization tests and related website activity, and provide us with other services related to website and Internet usage.
Type, scope, functionality of processing: Permanent cookies, third-party cookies, tracking, interest-based marketing, profiling, custom audiences, remarketing. Special protective measures: Pseudonymization, IP masking, conclusion of a contract processing agreement, opt-out. Opt-out:https://tools.google.com/dlpage/gaoptout?hl=de (browser add-on for Google Analytics),https://adssettings.google.com/ (advertisement settings). External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy:https://www.google.com/policies/privacy/. Processing in third countries: No. Data deletion: 14 months.
Facebook ads:
We place ads on the Facebook platform and evaluate the success of the ads. The processing serves the purpose of targeted advertising and target group formation. Event data of users of the Facebook platform is processed, including behavioral and interest information.
External disclosure: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Legal basis: Consent (Art. 6 Para. 1 Clause 1 lit. a GDPR). Website:https://www.facebook.com; Privacy Policy:https://www.facebook.com/about/privacy; Opt-out option: Please refer to the data protection settings for profiles and advertising on the Facebook platform as well as to the contact options provided in Facebook's privacy policy for exercising information and other data subject rights; Further information: We have entered into an agreement with Meta Platforms Ireland Limited regarding joint responsibility with Facebook or Meta ("Add for Controllers",https://www.facebook.com/legal/controller_addendum). Joint responsibility only applies to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular the transmission of the data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
Facebook pixel:
We use the Facebook pixel to only show advertisements to those Facebook users who have shown interest in our online offering or who have certain characteristics (e.g. interest in certain topics or services that can be seen from the websites visited) that we transmit to Facebook (so-called "custom audiences"). The Facebook pixel also enables us to record the effectiveness of Facebook advertisements statistically and for market research purposes by checking whether users were redirected to our website after clicking on a Facebook advertisement (so-called "conversion measurement").
Data processed:
Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses), location data (data that indicates the location of an end user's device). Purposes of processing: Tracking (e.g. interest/behavior-related profiling, use of cookies), remarketing, evaluation of website activities, interest- and behavior-based marketing, profiling (creation of user profiles), conversion measurement (measurement of the effectiveness of marketing measures), reach measurement (e.g. access statistics, recognition of returning visitors), target group formation (determination of target groups relevant for marketing purposes or provision of other content), cross-device tracking (processing of user data across multiple devices for marketing purposes). Special protective measures: IP masking (pseudonymization of the IP address), encrypted communication between Facebook and our online offering. Legal basis: Consent (Art. 6 Para. 1 Clause 1 lit. a. GDPR), legitimate interests (Art. 6 Para. 1 Clause 1 lit. f. GDPR). Opt-out: We refer to the data protection information of the respective providers and the objection options specified there (so-called "opt-out"). If no explicit opt-out option is specified, you can deactivate cookies in the settings of your browser. However, this may limit the functions of our online offering. We therefore also recommend the following opt-out options:https://www.facebook.com/settings?tab=ads,https://www.youronlinechoices.com/uk/yourad-choices/ (EU),https://www.aboutads.info/choices/ (USA). External disclosure: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA. Privacy Policy:https://www.facebook.com/about/privacy/. Data deletion: The data will be deleted by Facebook as part of the termination.
Bing Universal Event Tracking (UET):
Our website uses Bing Ads technologies to collect and store data from which usage profiles are created using pseudonyms. A Bing UET tag is integrated into our website. This tag is a code that, in conjunction with the cookie, stores certain non-personal data about the use of the website.
Data processed: time spent on the website, areas of the website accessed and the advert through which users reached the website. No information about identity is collected.
Conversion - Conversion or conversion measurement is a method of measuring the effectiveness of marketing efforts. It typically involves storing a cookie on users' devices when they visit websites that carry out marketing efforts. This cookie is then retrieved again when users visit the target website, for example to determine whether the ads placed on other websites were successful.
Cookies - "Cookies" are small files that are stored on users' computers. A cookie can store various information. A cookie is mainly used to store information about a user (or the device on which the cookie is stored) during or after visiting an online service. Temporary cookies, also called "session cookies" or "transient cookies", are deleted after a user leaves an online service and closes their browser. Such a cookie can, for example, store the contents of a shopping cart in an online shop or the login status in a community. "Permanent" or "persistent" cookies, on the other hand, remain stored even after the browser is closed. For example, they can store the login status in a community when users visit it again after several days. Such cookies can also store the interests of users, which are used for range measurement or marketing purposes (e.g. remarketing). "Third-party cookies" are cookies from providers other than the controller who operates the online service. If only cookies from the responsible party are used, these are called "first-party cookies".
Demographic data – Demographic data is general information about groups of people or individuals, such as age, gender, place of residence and social characteristics such as occupation, marital status or income. Demographic data is used in the context of reach measurement and in online marketing to determine target groups or for business analyses.
Third party – A “third party” means a natural or legal person, public authority, agency or other body other than the data subject, controller, processor or persons authorised to process personal data under the direct responsibility of the controller or processor.
Third country – “Third countries” are countries in which the General Data Protection Regulation (GDPR) does not directly apply. These are generally countries that belong neither to the European Union (EU) nor to the European Economic Area (EEA).
Consent – “Consent” of the data subject occurs when the data subject freely gives his or her informed and unambiguous indication of his or her agreement to the processing of his or her personal data, by a statement or by a clear affirmative action.
Embedding – Embedding involves integrating third-party content or software functions into your own online presence and displaying or executing them there. No copy of the content is created, but it is retrieved from the original server (e.g. videos, images, posts on social networks, rating widgets). When embedding, it is technically necessary for the content provider to record the user's IP address in order to display the embedded content in the user's browser. The content provider can also store cookies on the user's devices.
Advanced Matching - "Advanced Matching" is a Facebook pixel option that sends user inventory data such as phone numbers, email addresses, or Facebook IDs to Facebook in encrypted form to create audiences for Facebook ads and use them exclusively for that purpose.
IP address - The IP address (Internet Protocol address) is a string of numbers that can be used to identify devices connected to the Internet. When a user visits a website on a server, they tell the server their IP address. The server then knows to send the data packets containing the website's content to that IP address.
IP masking – "IP masking" is a method in which the last two numbers of an IP address are deleted in order to prevent the IP address from being clearly assigned to a specific person. IP masking is used to pseudonymize processing procedures, especially in online marketing.
Interest-based marketing or interest and behavioral advertising - Interest and behavioral advertising refers to the use of profiling to determine users' potential interest in advertisements (also known as "online behavioral advertising", or OBA for short). This process typically uses cookies and web beacons.
Opt-In – The term "opt-in" means registration. With double opt-in (DOI), a registration (e.g. by entering an email address in an online form field) is confirmed by sending a confirmation email to the owner of the email address.
Opt-Out – The term "opt-out" means unsubscribing and can, for example, represent an objection (e.g. against tracking) or a cancellation (e.g. for newsletter subscriptions).
Personal data/personal reference – “Personal data” means all information relating to an identified or identifiable natural person (hereinafter “data subject”). A natural person is considered identifiable if he or she can be identified, directly or indirectly, in particular by assignment to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more special characteristics that express his or her physical, physiological, genetic, mental, economic, cultural or social identity.
Plugins/Social Plugins – "Plugins" (or "social plugins" in the case of social functions) are external software functions that are integrated into the online offering. They can, for example, provide interaction elements (e.g. "Like" button) or content (e.g. external comment functions or posts in social networks).
Profiling - "Profiling" refers to any form of automated processing of personal data where these data are used to analyse, evaluate or predict certain personal aspects relating to a natural person. This may include information such as age, gender, location data, interactions with websites and their content, shopping behaviour or social interactions with other people. Cookies and web beacons are often used for profiling purposes.
Pseudonymisation/pseudonyms – Pseudonymisation refers to the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without additional information, provided that this additional information is kept separately. This allows data to be processed pseudonymously, for example by storing a precise profile of the user's interests in a cookie, but without the user's name. However, if personal data such as the name or IP address is stored, the processing is no longer pseudonymous.
Reach measurement – Reach measurement is used to evaluate the flow of visitors to an online offering and can include information about behavior, interests or demographic characteristics such as age or gender. Using reach analysis, website operators can, for example, identify what type of people visit their website at what time and what content they are interested in. This enables them to better adapt the content of their website to the needs of their visitors. Cookies and web beacons are often used for reach analysis.
Session cookies – See “Cookies”.
Tracking – Tracking refers to the tracking of user behavior across multiple online offerings, e.g. for remarketing purposes. Behavioral and interest information collected in connection with the online offerings used is stored in cookies or on servers of marketing service providers (e.g. Google or Facebook).
Controller – The “controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, decides on the purposes and means of processing personal data.
Processing – "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. This term is very broad and covers virtually any handling of data.
This privacy policy provides information on the nature, scope, and purpose of the processing of personal data (hereinafter referred to as "data") in connection with our online services — including our website, platform features, customer communication, and external online presences — as well as the provision of our core product: interactive email technology.
Section I: Person responsible and overview of data processing
Responsible:
Excyte
Fürstenackerstr. 5
81477 Munich
Germany
Managing Director: Josef Bichlmeier
Phone: +49 176 19352112
Imprint: https://www.excyte.co/imprint
The controller is hereinafter referred to as "we" or "us".
Description of our core services:
We offer a platform for creating and delivering interactive emails that allow end users to complete actions such as shopping, submitting reviews, or managing subscriptions directly within the email itself. When you use our platform, we process personal and usage data required to create, customize, and deliver these interactive email experiences.
If you contact us via our website or sign up for early access or product updates, we collect and store your contact details and any additional information you voluntarily provide. This information is used to respond to your inquiry, provide updates, or schedule a demo.
If you are a business customer using our services, we process data such as names, email addresses, and campaign content to enable interactive elements inside your emails. Depending on your use case, we may also process product or customer data (e.g., product IDs, order history) in order to render personalized experiences inside the email.
We do not sell or share your data with third parties unless required for the provision of our services (e.g., email delivery, analytics, or hosting infrastructure). In such cases, we only work with carefully selected and GDPR-compliant partners.
Consent:
Consent form:
By submitting your contact request (by clicking the "Send" button), you agree that we may process your name and contact details (phone number and email address) to process your request and contact you.
Right of revocation:
Consent can be revoked at any time without any formalities, e.g. by email to info@excyte.co or by letter to Excyte Josef Bichlmeier, Fürstenackerstr. 5, 81477 Munich, with effect for the future.
Types of data processed:
- Inventory data (e.g. names, company names, roles)
- Contact details (e.g. email addresses, telephone numbers)
- Content data (e.g. message contents, uploaded assets, product and campaign data)
- Contract data (e.g. subject matter of the contract, services used, billing information)
- Usage data (e.g. usage of interactive email features, open and click rates, access times)
- Meta/communication data (e.g. device information, browser type, IP addresses)
- Shop/customer data (e.g. product information, shopping cart contents, order status, purchase history, customer IDs)
Purpose of processing:
- Providing access to and functionality of the interactive email platform
- Enabling the creation, customization, and delivery of interactive email content
- Processing data to support e-commerce use cases (e.g. cart building, reviews, subscriptions)
- Handling customer inquiries and communication with users
- Providing contractual services, technical support, and account management
- Marketing, usage analysis, and product improvement
- Ensuring the security and stability of our platform
- Managing applications and recruitment processes
Automated decisions in individual cases (Art. 22 GDPR):
No automated decisions are made in individual cases.
Section II:
Rights of data subjects, legal bases, and general information
Rights of the data subjects:
According to Art. 15 GDPR, you have the right to receive information about the data we process about you.
According to Art. 16 GDPR, you have the right to request the correction of inaccurate or completion of your personal data stored by us.
According to Art. 17 GDPR, you have the right to have your data stored by us deleted.
According to Art. 18 GDPR, you have the right to restrict the processing of your data.
According to Art. 20 GDPR, you have the right to receive your personal data that you have provided to us in a structured, common, and machine-readable format or to request that it be transmitted to another controller.
According to Art. 21 GDPR, you have the right to object to the processing of your personal data.
According to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority.
Right of withdrawal:
You have the right to revoke your consent at any time in accordance with Art. 7 Para. 3 GDPR.
Right of objection:
You can object to the future processing of your data in accordance with Art. 21 GDPR at any time, in particular processing for direct marketing purposes.
Cookies and right of objection in direct marketing:
We use temporary and permanent cookies, i.e. small files that are stored on users' devices (see the last section of this privacy policy for an explanation of the term and function). Some of the cookies we use are for security purposes, are necessary for the operation of our online offering (e.g. to display the website) or for providing evidence (storing decisions and other actions of the user). In addition, we or our technology partners use cookies for the purposes of range measurement and marketing, about which users are informed in this privacy policy.
If users do not want cookies to be stored on their computer, we ask them to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. Excluding cookies can lead to functional restrictions of this online service.
Exclusively automated data processing:
According to Art. 22 GDPR, you have the right not to be subjected to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or significantly affects you in a similar way. We do not carry out any exclusively automated data processing.
Deletion of data and archiving obligations:
The data we process is deleted or restricted in accordance with Art. 17 and 18 GDPR. Unless otherwise stated in this privacy policy, the data stored by us is deleted as soon as it is no longer required for its intended purpose and there are no statutory retention periods to the contrary. If the data is not deleted because it is required for other permissible purposes, its processing will be restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.
In accordance with the statutory provisions, the storage period is in particular for 6 years in accordance with Section 257 Para. 1 HGB (commercial books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting documents, etc.) and for 10 years in accordance with Section 147 Para. 1 AO (books, records, management reports, accounting documents, commercial and business letters, documents relevant for taxation, etc.).
In addition, the data will be stored for a period of three years from the end of the contractual relationship in accordance with the regular statutory limitation periods (§§ 195, 199 BGB), provided that this data could possibly be required for warranty and compensation claims or similar complaints based on previous business experience and standard business processes in the industry.
Changes and updates to this privacy policy:
We ask you to regularly review the content of our privacy policy. We will adapt the privacy policy if changes in the data processing we carry out make this necessary. We will inform you of changes if your cooperation (e.g. consent) or individual notification is required.
Relevant legal bases:
In accordance with Art. 13 GDPR, we inform you of the legal basis for our data processing. Unless stated otherwise in the data protection declaration, the following legal bases apply: The legal basis for obtaining consent is Art. 6 Para. 1 lit. a and Art. 7 GDPR, the legal basis for processing to fulfill our services and carry out contractual measures as well as answering inquiries is Art. 6 Para. 1 lit. b GDPR, the legal basis for processing to fulfill our legal obligations is Art. 6 Para. 1 lit. c GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6 Para. 1 lit. f GDPR. If the processing of personal data is necessary to protect the vital interests of the data subject or another natural person, Art. 6 Para. 1 lit. d GDPR serves as the legal basis.
The basis for commercial communication outside of business relationships, in particular by post, telephone, fax, and e-mail, is contained in Section 7 of the UWG.
Security of data processing:
In accordance with Art. 32 GDPR, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, the implementation costs, and the nature, scope, circumstances, and purposes of processing as well as the varying likelihood of occurrence and severity of the risk to the rights and freedoms of natural persons. The measures include in particular ensuring the confidentiality, integrity, and availability of the data by controlling physical access to the data as well as access, input, transfer, securing availability, and separation of the data. In addition, we have set up procedures to exercise the rights of the data subjects, delete data, and respond to threats to the data. We take the protection of personal data into account when developing or selecting hardware, software, and procedures in accordance with the principle of data protection through technology design and data protection-friendly default settings (Art. 25 GDPR).
The security measures include in particular the encrypted transmission of data between your browser and our server.
Our employees are obliged to comply with data protection, have been instructed and trained on the importance of data protection, and are informed of the possible consequences of data protection violations.
Disclosure and transfer of data:
If, as part of our processing, we disclose, transmit, or otherwise grant access to data to other persons and companies (contract processors or third parties), this will only be done on the basis of a legal permission (e.g. if a transmission of the data to third parties, such as payment service providers, is necessary to fulfill the contract in accordance with Art. 6 Para. 1 lit. b GDPR), if you have given your consent, a legal obligation provides for this, or on the basis of our legitimate interests (e.g. when using service providers, etc.).
If we commission third parties to process data on the basis of a so-called "order processing agreement", this is done on the basis of Art. 28 GDPR.
If we disclose, transmit, or otherwise grant access to data to other companies in our group, this is done in particular for administrative purposes as a legitimate interest and is based on a data processing agreement.
Transfer to third countries:
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or the disclosure or transmission of data to third parties, this will only take place if it is necessary to fulfill our (pre)contractual obligations, based on your consent, due to a legal obligation, or due to our legitimate interests. Subject to legal or contractual permissions, we only process or have the data processed in a third country if the special requirements of Art. 44 ff. GDPR are met. This includes, for example, the determination of an appropriate level of data protection by an officially recognized body or the observance of officially recognized special contractual obligations (so-called "standard contractual clauses").
Joint responsibility according to Art. 26 GDPR:
Excyte, Josef Bichlmeier in accordance with Art. 4 No. 19 GDPR. The legal basis for the joint processing and transmission of personal data is the legitimate interest of the parties involved in accordance with Art. 6 Paragraph 1 Clause 1 Letter f in conjunction with Recital 48 GDPR to transmit personal data within the group of companies for internal administrative purposes, including the processing of personal data of customers and employees. For further information on joint responsibility, please refer to the agreement on joint responsibility for the processing of personal data in the appendix.
This privacy policy was last updated on Jun 25, 2025. Please check the content regularly as changes and updates may be made.
Processing processes
The following section provides an overview of the processing activities we carry out, which we have divided into different areas. Please note that these areas are for guidance only and that there may be overlaps in processing activities (e.g. the same data may be processed in several procedures).
Note: In the appendix to this privacy policy you will find an explanation of frequently used terms to improve clarity and comprehensibility.
I. Core area of data processing
This section provides information about our core services, which include the development, customization, and delivery of interactive email experiences. These services support actions such as product selection, reviews, and subscription management directly within the email. We also provide integration, analytics, and customer success services.
II. Order initiation and offer preparation
We process the information provided by prospective clients and business partners as part of requests for demos, access to our platform, or individual feature development. This processing serves the purpose of initiating, preparing, and if applicable, executing contracts for the use of our interactive email technology.
III. Logging of prospective and customer inquiries
We log the data you provide when requesting a demo, contacting support, or engaging in onboarding or integration discussions. This logging ensures we can meet our legal accountability obligations in accordance with Article 5(2) GDPR.
Data processed:
- Inventory data
- Contact and communication data
- Contract data
- Content data
- Usage and meta data (including IP address, timestamp, and optionally a screenshot of the request)
Special categories of personal data: No
Categories of data subjects: Prospective clients, website visitors, users, customers, business partners
Purpose of processing: Provision of contractual services, customer service, documentation
Legal basis for processing: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (legal obligations)
Necessity/legitimate interest: The data is necessary to initiate and fulfil service agreements and to comply with statutory accountability and documentation requirements.
Further information on processing procedures, methods, and services:
We use cloud services such as Google Cloud Storage, cloud infrastructure services, and cloud-based application software from Google. For more information about Google Cloud privacy policy, please visit: https://cloud.google.com/terms/cloud-privacy-notice
Pipedrive: We use customer relationship management (CRM) and process customer and prospect data for sales purposes. For more information about Pipedrive's privacy policy, see: https://www.pipedrive.com/en/privacy
Deletion of data:
The data is generally deleted 30 days after the purpose has been fulfilled (e.g. cancellation or refusal). Deletion takes place no later than six months after the end of the contract, unless there is a legal obligation to retain data or a different requirement for storing the data. Inventory data and evidence of contractual relationships/consents are stored for up to three years. The necessity of storing the data is reviewed annually. In the case of conflicting legal archiving obligations, deletion takes place after these obligations have expired (e.g. commercial or tax law retention obligations), at
the latest after 6 or 10 years.
IV. External online presences
In this section you will find information about our data processing in connection with external online presences, such as social media.
Online presence in social media
We maintain online presences in social networks and platforms in order to get in touch with our customers, interested parties, and users and to inform them about our services. When visiting these networks and platforms, the terms and conditions and data protection guidelines of the respective operators apply. Unless otherwise stated in our data protection declaration, we process the data of users who communicate with us within the social networks and platforms, e.g. by writing posts on our online presences or sending us messages.
Embedded content and functions
In this section we inform you about which content, software, or functions (short "content") of other providers we embed in our online offering on the basis of Art. 6 Paragraph 1 Letter f of GDPR ("embedding"). This is done to make our online offering more interesting for our users or for legal reasons, e.g. to be able to display videos or social media posts within our online offering. Embedding can also serve to improve the speed or security of the online offering, e.g. when software elements or fonts are obtained from other sources. In all cases, the data processed includes the users' usage and metadata as well as the IP address required to embed the content. The persons affected are the visitors to our online offering, including users, customers, and interested parties. Further explanations of the functions and protective measures can be found at the end of this data protection declaration in the definitions of terms.
V. Web server and security
Hosting
Our website is hosted on a server in a data center within the European Union that is under our control. The data center is operated by a US company with whom a data processing agreement based on the EU standard contractual clauses exists in order to meet the requirements of the GDPR.
server logs
Data processed: Usage data and metadata (name of the website accessed, file, date and time of access, volume of data transferred, notification of successful access, browser type and version, user's operating system, referrer URL, IP address and requesting provider). Special categories of personal data: no. Processing basis: Art. 6 Para. 1 lit. f GDPR. Affected persons: Customers, interested parties, visitors to our website. Purpose of processing: Optimization of server operation and security monitoring. Necessity/interest in processing: Security, business interests.
Processing in third countries: no. Deletion of data: After 7 days from collection.
VI. Payment service providers
In this section we inform you about the data processing we carry out for payment purposes.
PayPal
PayPal is an online payment service provider. We have integrated PayPal components on our website. Payments are processed via so-called PayPal accounts, which are virtual private or business accounts. It is also possible to process virtual payments via credit cards if a user does not have a PayPal account. A PayPal account is managed via an email address; there is no classic account number. PayPal enables online payments to third parties or the receipt of payments. PayPal also acts as a trustee and offers buyer protection services. If the data subject selects the "PayPal" option as a payment method during the ordering process, data is automatically transmitted to PayPal. By selecting this payment option, the data subject consents to the transmission of personal data to PayPal for the purpose of payment processing.
Stripe
Stripe is a technology platform for processing online payments. We use Stripe to handle credit card and other payment transactions on our website. When selecting Stripe as a payment method, payment details and personal data such as name, email address, and billing information are transmitted to Stripe in order to process the payment. Stripe complies with the applicable data protection regulations and offers a high level of security for transaction processing. The transmission of data to Stripe takes place for the purpose of fulfilling the contract and on the basis of the data subject's consent.
Data processed:
Payment data, inventory data, communication data. Processing basis: contract fulfillment (Art. 6 Para. 1 lit. b GDPR) and legitimate interest (Art. 6 Para. 1 lit. f GDPR) in the use of the PayPal payment service. Disclosure to third parties: PayPal may pass on the personal data to affiliated companies and service providers or subcontractors if this is necessary to fulfill the contractual obligations or if the data is to be processed on behalf of them. Data subjects: customers, users, interested parties. Purpose of processing: payment processing, fraud prevention. Processing in third countries: no. Further information:
- PayPal's privacy policy can be found at: https://www.paypal.com/us/legalhub/paypal/privacy-full
- Stripe privacy policy can be found at: https://stripe.com/privacy
Please note that this is intended to be only an excerpt of a privacy policy and may not contain all information or specific details. It is recommended that you have a complete and up-to-date privacy policy drafted by a legal advisor or contact a company specializing in data protection to ensure that your privacy policy complies with legal requirements.
Here is a paraphrase of the content, keeping the content intact:
Payment option via PayPal:
If you use the "PayPal" payment option on our website, data is automatically transmitted to PayPal. This includes the following information: first name, last name, address, email address, IP address, telephone number, mobile phone number and other personal data related to your order. This data is processed using social plugins, permanent cookies, third-party cookies, interest-based marketing, tracking and remarketing. Please note PayPal's privacy policy at the following link: https://www.paypal.com/us/legalhub/paypal/privacy-full
Marketing:
In this section we inform you about the data processing we carry out to optimize our marketing and market research.
Personalized newsletter:
We only send newsletters, emails and other electronic notifications with advertising information (hereinafter "newsletter") with your consent or legal permission. In order to be able to prove your registration, the subscribers' data is logged. In addition to your email address, we may collect further information such as your name in order to personalize the newsletter and adapt it to your interests.
Content of the newsletter:
The content of the newsletter includes information about our services and our company, as stated in the registration form.
Data processed:
When processing the data, inventory data (email address) and usage data (registration time, double opt-in confirmation time, IP address, opening of the email, time and place, time and click on a link in the newsletter) are used. No special categories of personal data are processed.
Processing basis:
The processing of the data is based on Art. 6 Para. 1 lit. a, Art. 7 GDPR and Section 7 Para. 2 No. 3 UWG (shipping & performance measurement) as well as Art. 6 Para. 1 lit. c in conjunction with Art. 7 Para. 1 GDPR (logging, performance measurement, if not part of the consent).
Purpose of processing:
The data is processed for the purpose of sending the newsletter, optimizing the content and proving consent.
Type, scope and functioning of the processing:
Processing is carried out using a web beacon. Providing your email address is required, while the other information is voluntary and serves to personalize and optimize the content. Logging serves to prove consent. For users whose consent includes success measurement, success is measured on the basis of consent and otherwise on the basis of legitimate interests in optimizing the content and for business reasons.
A link to unsubscribe is included in every newsletter.
External disclosure:
The newsletter is sent via the Pipedrive in the USA. For more information, see Pipedrive privacy policy at the following link: https://www.pipedrive.com/en/privacy
Communication via email, messaging platforms, telephone, or postal mail:
We use communication channels such as email, telephone, WhatsApp, Intercom (live chat), Slack, Microsoft Teams, Google Meet, and, where applicable, postal mail to respond to inquiries, provide product information, support onboarding and integration processes, or to initiate, manage, or terminate service relationships related to the use of our interactive email platform.
You may object to communication via WhatsApp, Intercom, Slack, Microsoft Teams or Google Meet at any time by sending an email to info@excyte.co or by using the opt-out or unsubscribe options provided within the respective communication platform, where available.
Data processed:
The data processed includes inventory data, contact data, contract data and content data. No special categories of personal data are processed.
Processing basis:
The processing of the data is based on Art. 6 Para. 1 lit. a GDPR in the case of consent, Art. 6 Para. 1 lit. b GDPR in the case of contact in the context of contract execution and Art. 6 Para. 1 lit. f GDPR in conjunction with legal requirements for advertising communications.
Purpose of processing:
The data is processed for advertising purposes.
Type, scope and functioning of the processing:
Contact will only be made with the consent of the contact partner or within the scope of legal permissions.
Necessity / interest in processing:
The processing serves information and business interests.
External disclosure and purpose:
There is no external disclosure of the data.
Processing in third countries:
Some of the service providers we use (e.g. communication or analytics tools) may process data in third countries outside the European Union (EU) or the European Economic Area (EEA). In such cases, we ensure that the requirements of Art. 44 ff. GDPR are met — for example through the use of EU standard contractual clauses or other recognized safeguards — to ensure an appropriate level of data protection.
Deletion of data:
The data will be deleted if an objection or revocation is made or if the legal basis for contacting us no longer applies. The data of interested parties is stored in accordance with the information on the deletion of the data within the scope of the processing activity mentioned above.
Optimization and security:
We process data to ensure the stability, security, and performance of our platform and to continuously improve the user experience. This includes technical logging, load balancing, error tracking, and anonymized usage analysis to optimize content and user flows.
Access data such as IP address, browser type, access time, and visited pages may be temporarily stored in server log files. This data is processed exclusively for security monitoring (e.g. to detect abusive or fraudulent behavior) and system optimization. The data is automatically deleted after a short retention period unless it is required for security incident resolution.
No personal data is used for optimization purposes unless required for the functionality of the platform or explicitly consented to.
Reach measurement, online marketing and technology partners:
In this section we inform you about the services we use for online marketing and reach measurement. They are used on the basis of Article 6 paragraph 1 letter f of the GDPR and our interest in increasing user-friendliness, optimizing our offering and increasing profitability. In all cases, usage and metadata are processed. Further explanations of the functions and protective measures can be found at the end of this data protection declaration in the definitions of terms. The data is deleted in accordance with the data protection declarations of the technology partners, unless otherwise stated.
V
Further information on processing procedures, procedures and services
Google Tag Manager
Google Tag Manager is a solution that allows us to manage website tags via an interface (e.g. integrating Google Analytics and other Google marketing services into our online offering). The Tag Manager itself (which implements the tags) does not process any personal data of users. Information on the processing of personal data of users can be found in the following information on Google services.
Terms of Use: https://www.google.com/intl/de/tagmanager/usepolicy.html
Google Analytics
We use Google Analytics to measure reach and create target groups.
Data processed: Usage data, metadata, customer ID with us (Google only receives the customer ID as pseudonymous data without the associated inventory data such as the customer's name, address or email). Type, scope, functionality of processing: Permanent cookies, third-party cookies, tracking, interest-based marketing, profiling, custom audiences, remarketing. Special protective measures: Pseudonymization, IP masking, conclusion of a contract processing agreement, opt-out. Opt-out:https://tools.google.com/dlpage/gaoptout?hl=de (browser add-on for Google Analytics),https://adssettings.google.com/ (advertisement settings). External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/. Processing in third countries: No. Deletion of data: 14 months.
Google AdWords
We use Google AdWords to place ads in the Google advertising network and to show them to users who are likely to be interested in the ads (so-called "conversion"). We also measure the success of the ads. However, the success measurement is limited to the anonymous total number of users who clicked on our ad and were redirected to a page that has a measurement point set by us (so-called "conversion tracking tag"). We do not receive any information that can be used to identify users.
External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: Consent (Article 6 Paragraph 1 Sentence 1 Letter a GDPR). Website:https://marketingplatform.google.com. Privacy policy:https://policies.google.com/privacy. Further information: Types of processing and data processed:https://privacy.google.com/businesses/adsservices. Data processing conditions between controllers and standard contractual clauses for third country transfers of data:https://business.safety.google/adscontrollerterms.
Google DoubleClick
We use Google AdWords to measure the success of our ads placed on Google.
Data processed: Usage data, metadata, customer ID with us (Google only receives the customer ID as pseudonymous data without the associated inventory data such as the customer's name, address or email). Type, scope, functionality of processing: Permanent cookies, third-party cookies, tracking, conversion measurement, interest-based marketing, profiling. Special protective measures: Pseudonymization, IP masking, conclusion of a contract processing agreement, opt-out. Opt-out:https://tools.google.com/dlpage/gaoptout?hl=de (browser add-on for Google Analytics),https://adssettings.google.com/ (advertisement settings). External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy:https://www.google.com/policies/privacy/. Processing in third countries: No. Deletion of data: 14 months.
Google Optimize
Our website uses the web analysis and optimization service "Google Optimize" to increase the attractiveness, content and functionality of our website by displaying new functions and content to a percentage of our users and statistically evaluating changes in usage.
Google Optimize is a service that falls under Google Analytics (see Google Analytics section). Using cookies, Google Optimize enables the optimization and analysis of how users use our website. The information on the use of our website generated through these cookies is usually transferred to a Google server in the USA and stored there. We use Google Optimize with activated IP anonymization, which means that your IP address is shortened by Google within the member states of the European Union or in other contracting states to the Agreement on the European Economic Area before transmission. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google uses this information to evaluate the use of our website, compile reports on optimization tests and related website activity, and provide us with other services related to website and Internet usage.
Type, scope, functionality of processing: Permanent cookies, third-party cookies, tracking, interest-based marketing, profiling, custom audiences, remarketing. Special protective measures: Pseudonymization, IP masking, conclusion of a contract processing agreement, opt-out. Opt-out:https://tools.google.com/dlpage/gaoptout?hl=de (browser add-on for Google Analytics),https://adssettings.google.com/ (advertisement settings). External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy:https://www.google.com/policies/privacy/. Processing in third countries: No. Data deletion: 14 months.
Facebook ads:
We place ads on the Facebook platform and evaluate the success of the ads. The processing serves the purpose of targeted advertising and target group formation. Event data of users of the Facebook platform is processed, including behavioral and interest information.
External disclosure: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Legal basis: Consent (Art. 6 Para. 1 Clause 1 lit. a GDPR). Website:https://www.facebook.com; Privacy Policy:https://www.facebook.com/about/privacy; Opt-out option: Please refer to the data protection settings for profiles and advertising on the Facebook platform as well as to the contact options provided in Facebook's privacy policy for exercising information and other data subject rights; Further information: We have entered into an agreement with Meta Platforms Ireland Limited regarding joint responsibility with Facebook or Meta ("Add for Controllers",https://www.facebook.com/legal/controller_addendum). Joint responsibility only applies to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular the transmission of the data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
Facebook pixel:
We use the Facebook pixel to only show advertisements to those Facebook users who have shown interest in our online offering or who have certain characteristics (e.g. interest in certain topics or services that can be seen from the websites visited) that we transmit to Facebook (so-called "custom audiences"). The Facebook pixel also enables us to record the effectiveness of Facebook advertisements statistically and for market research purposes by checking whether users were redirected to our website after clicking on a Facebook advertisement (so-called "conversion measurement").
Data processed:
Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses), location data (data that indicates the location of an end user's device). Purposes of processing: Tracking (e.g. interest/behavior-related profiling, use of cookies), remarketing, evaluation of website activities, interest- and behavior-based marketing, profiling (creation of user profiles), conversion measurement (measurement of the effectiveness of marketing measures), reach measurement (e.g. access statistics, recognition of returning visitors), target group formation (determination of target groups relevant for marketing purposes or provision of other content), cross-device tracking (processing of user data across multiple devices for marketing purposes). Special protective measures: IP masking (pseudonymization of the IP address), encrypted communication between Facebook and our online offering. Legal basis: Consent (Art. 6 Para. 1 Clause 1 lit. a. GDPR), legitimate interests (Art. 6 Para. 1 Clause 1 lit. f. GDPR). Opt-out: We refer to the data protection information of the respective providers and the objection options specified there (so-called "opt-out"). If no explicit opt-out option is specified, you can deactivate cookies in the settings of your browser. However, this may limit the functions of our online offering. We therefore also recommend the following opt-out options:https://www.facebook.com/settings?tab=ads,https://www.youronlinechoices.com/uk/yourad-choices/ (EU),https://www.aboutads.info/choices/ (USA). External disclosure: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA. Privacy Policy:https://www.facebook.com/about/privacy/. Data deletion: The data will be deleted by Facebook as part of the termination.
Bing Universal Event Tracking (UET):
Our website uses Bing Ads technologies to collect and store data from which usage profiles are created using pseudonyms. A Bing UET tag is integrated into our website. This tag is a code that, in conjunction with the cookie, stores certain non-personal data about the use of the website.
Data processed: time spent on the website, areas of the website accessed and the advert through which users reached the website. No information about identity is collected.
Conversion - Conversion or conversion measurement is a method of measuring the effectiveness of marketing efforts. It typically involves storing a cookie on users' devices when they visit websites that carry out marketing efforts. This cookie is then retrieved again when users visit the target website, for example to determine whether the ads placed on other websites were successful.
Cookies - "Cookies" are small files that are stored on users' computers. A cookie can store various information. A cookie is mainly used to store information about a user (or the device on which the cookie is stored) during or after visiting an online service. Temporary cookies, also called "session cookies" or "transient cookies", are deleted after a user leaves an online service and closes their browser. Such a cookie can, for example, store the contents of a shopping cart in an online shop or the login status in a community. "Permanent" or "persistent" cookies, on the other hand, remain stored even after the browser is closed. For example, they can store the login status in a community when users visit it again after several days. Such cookies can also store the interests of users, which are used for range measurement or marketing purposes (e.g. remarketing). "Third-party cookies" are cookies from providers other than the controller who operates the online service. If only cookies from the responsible party are used, these are called "first-party cookies".
Demographic data – Demographic data is general information about groups of people or individuals, such as age, gender, place of residence and social characteristics such as occupation, marital status or income. Demographic data is used in the context of reach measurement and in online marketing to determine target groups or for business analyses.
Third party – A “third party” means a natural or legal person, public authority, agency or other body other than the data subject, controller, processor or persons authorised to process personal data under the direct responsibility of the controller or processor.
Third country – “Third countries” are countries in which the General Data Protection Regulation (GDPR) does not directly apply. These are generally countries that belong neither to the European Union (EU) nor to the European Economic Area (EEA).
Consent – “Consent” of the data subject occurs when the data subject freely gives his or her informed and unambiguous indication of his or her agreement to the processing of his or her personal data, by a statement or by a clear affirmative action.
Embedding – Embedding involves integrating third-party content or software functions into your own online presence and displaying or executing them there. No copy of the content is created, but it is retrieved from the original server (e.g. videos, images, posts on social networks, rating widgets). When embedding, it is technically necessary for the content provider to record the user's IP address in order to display the embedded content in the user's browser. The content provider can also store cookies on the user's devices.
Advanced Matching - "Advanced Matching" is a Facebook pixel option that sends user inventory data such as phone numbers, email addresses, or Facebook IDs to Facebook in encrypted form to create audiences for Facebook ads and use them exclusively for that purpose.
IP address - The IP address (Internet Protocol address) is a string of numbers that can be used to identify devices connected to the Internet. When a user visits a website on a server, they tell the server their IP address. The server then knows to send the data packets containing the website's content to that IP address.
IP masking – "IP masking" is a method in which the last two numbers of an IP address are deleted in order to prevent the IP address from being clearly assigned to a specific person. IP masking is used to pseudonymize processing procedures, especially in online marketing.
Interest-based marketing or interest and behavioral advertising - Interest and behavioral advertising refers to the use of profiling to determine users' potential interest in advertisements (also known as "online behavioral advertising", or OBA for short). This process typically uses cookies and web beacons.
Opt-In – The term "opt-in" means registration. With double opt-in (DOI), a registration (e.g. by entering an email address in an online form field) is confirmed by sending a confirmation email to the owner of the email address.
Opt-Out – The term "opt-out" means unsubscribing and can, for example, represent an objection (e.g. against tracking) or a cancellation (e.g. for newsletter subscriptions).
Personal data/personal reference – “Personal data” means all information relating to an identified or identifiable natural person (hereinafter “data subject”). A natural person is considered identifiable if he or she can be identified, directly or indirectly, in particular by assignment to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more special characteristics that express his or her physical, physiological, genetic, mental, economic, cultural or social identity.
Plugins/Social Plugins – "Plugins" (or "social plugins" in the case of social functions) are external software functions that are integrated into the online offering. They can, for example, provide interaction elements (e.g. "Like" button) or content (e.g. external comment functions or posts in social networks).
Profiling - "Profiling" refers to any form of automated processing of personal data where these data are used to analyse, evaluate or predict certain personal aspects relating to a natural person. This may include information such as age, gender, location data, interactions with websites and their content, shopping behaviour or social interactions with other people. Cookies and web beacons are often used for profiling purposes.
Pseudonymisation/pseudonyms – Pseudonymisation refers to the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without additional information, provided that this additional information is kept separately. This allows data to be processed pseudonymously, for example by storing a precise profile of the user's interests in a cookie, but without the user's name. However, if personal data such as the name or IP address is stored, the processing is no longer pseudonymous.
Reach measurement – Reach measurement is used to evaluate the flow of visitors to an online offering and can include information about behavior, interests or demographic characteristics such as age or gender. Using reach analysis, website operators can, for example, identify what type of people visit their website at what time and what content they are interested in. This enables them to better adapt the content of their website to the needs of their visitors. Cookies and web beacons are often used for reach analysis.
Session cookies – See “Cookies”.
Tracking – Tracking refers to the tracking of user behavior across multiple online offerings, e.g. for remarketing purposes. Behavioral and interest information collected in connection with the online offerings used is stored in cookies or on servers of marketing service providers (e.g. Google or Facebook).
Controller – The “controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, decides on the purposes and means of processing personal data.
Processing – "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. This term is very broad and covers virtually any handling of data.
This privacy policy provides information on the nature, scope, and purpose of the processing of personal data (hereinafter referred to as "data") in connection with our online services — including our website, platform features, customer communication, and external online presences — as well as the provision of our core product: interactive email technology.
Section I: Person responsible and overview of data processing
Responsible:
Excyte
Fürstenackerstr. 5
81477 Munich
Germany
Managing Director: Josef Bichlmeier
Phone: +49 176 19352112
Imprint: https://www.excyte.co/imprint
The controller is hereinafter referred to as "we" or "us".
Description of our core services:
We offer a platform for creating and delivering interactive emails that allow end users to complete actions such as shopping, submitting reviews, or managing subscriptions directly within the email itself. When you use our platform, we process personal and usage data required to create, customize, and deliver these interactive email experiences.
If you contact us via our website or sign up for early access or product updates, we collect and store your contact details and any additional information you voluntarily provide. This information is used to respond to your inquiry, provide updates, or schedule a demo.
If you are a business customer using our services, we process data such as names, email addresses, and campaign content to enable interactive elements inside your emails. Depending on your use case, we may also process product or customer data (e.g., product IDs, order history) in order to render personalized experiences inside the email.
We do not sell or share your data with third parties unless required for the provision of our services (e.g., email delivery, analytics, or hosting infrastructure). In such cases, we only work with carefully selected and GDPR-compliant partners.
Consent:
Consent form:
By submitting your contact request (by clicking the "Send" button), you agree that we may process your name and contact details (phone number and email address) to process your request and contact you.
Right of revocation:
Consent can be revoked at any time without any formalities, e.g. by email to info@excyte.co or by letter to Excyte Josef Bichlmeier, Fürstenackerstr. 5, 81477 Munich, with effect for the future.
Types of data processed:
- Inventory data (e.g. names, company names, roles)
- Contact details (e.g. email addresses, telephone numbers)
- Content data (e.g. message contents, uploaded assets, product and campaign data)
- Contract data (e.g. subject matter of the contract, services used, billing information)
- Usage data (e.g. usage of interactive email features, open and click rates, access times)
- Meta/communication data (e.g. device information, browser type, IP addresses)
- Shop/customer data (e.g. product information, shopping cart contents, order status, purchase history, customer IDs)
Purpose of processing:
- Providing access to and functionality of the interactive email platform
- Enabling the creation, customization, and delivery of interactive email content
- Processing data to support e-commerce use cases (e.g. cart building, reviews, subscriptions)
- Handling customer inquiries and communication with users
- Providing contractual services, technical support, and account management
- Marketing, usage analysis, and product improvement
- Ensuring the security and stability of our platform
- Managing applications and recruitment processes
Automated decisions in individual cases (Art. 22 GDPR):
No automated decisions are made in individual cases.
Section II:
Rights of data subjects, legal bases, and general information
Rights of the data subjects:
According to Art. 15 GDPR, you have the right to receive information about the data we process about you.
According to Art. 16 GDPR, you have the right to request the correction of inaccurate or completion of your personal data stored by us.
According to Art. 17 GDPR, you have the right to have your data stored by us deleted.
According to Art. 18 GDPR, you have the right to restrict the processing of your data.
According to Art. 20 GDPR, you have the right to receive your personal data that you have provided to us in a structured, common, and machine-readable format or to request that it be transmitted to another controller.
According to Art. 21 GDPR, you have the right to object to the processing of your personal data.
According to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority.
Right of withdrawal:
You have the right to revoke your consent at any time in accordance with Art. 7 Para. 3 GDPR.
Right of objection:
You can object to the future processing of your data in accordance with Art. 21 GDPR at any time, in particular processing for direct marketing purposes.
Cookies and right of objection in direct marketing:
We use temporary and permanent cookies, i.e. small files that are stored on users' devices (see the last section of this privacy policy for an explanation of the term and function). Some of the cookies we use are for security purposes, are necessary for the operation of our online offering (e.g. to display the website) or for providing evidence (storing decisions and other actions of the user). In addition, we or our technology partners use cookies for the purposes of range measurement and marketing, about which users are informed in this privacy policy.
If users do not want cookies to be stored on their computer, we ask them to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. Excluding cookies can lead to functional restrictions of this online service.
Exclusively automated data processing:
According to Art. 22 GDPR, you have the right not to be subjected to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or significantly affects you in a similar way. We do not carry out any exclusively automated data processing.
Deletion of data and archiving obligations:
The data we process is deleted or restricted in accordance with Art. 17 and 18 GDPR. Unless otherwise stated in this privacy policy, the data stored by us is deleted as soon as it is no longer required for its intended purpose and there are no statutory retention periods to the contrary. If the data is not deleted because it is required for other permissible purposes, its processing will be restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.
In accordance with the statutory provisions, the storage period is in particular for 6 years in accordance with Section 257 Para. 1 HGB (commercial books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting documents, etc.) and for 10 years in accordance with Section 147 Para. 1 AO (books, records, management reports, accounting documents, commercial and business letters, documents relevant for taxation, etc.).
In addition, the data will be stored for a period of three years from the end of the contractual relationship in accordance with the regular statutory limitation periods (§§ 195, 199 BGB), provided that this data could possibly be required for warranty and compensation claims or similar complaints based on previous business experience and standard business processes in the industry.
Changes and updates to this privacy policy:
We ask you to regularly review the content of our privacy policy. We will adapt the privacy policy if changes in the data processing we carry out make this necessary. We will inform you of changes if your cooperation (e.g. consent) or individual notification is required.
Relevant legal bases:
In accordance with Art. 13 GDPR, we inform you of the legal basis for our data processing. Unless stated otherwise in the data protection declaration, the following legal bases apply: The legal basis for obtaining consent is Art. 6 Para. 1 lit. a and Art. 7 GDPR, the legal basis for processing to fulfill our services and carry out contractual measures as well as answering inquiries is Art. 6 Para. 1 lit. b GDPR, the legal basis for processing to fulfill our legal obligations is Art. 6 Para. 1 lit. c GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6 Para. 1 lit. f GDPR. If the processing of personal data is necessary to protect the vital interests of the data subject or another natural person, Art. 6 Para. 1 lit. d GDPR serves as the legal basis.
The basis for commercial communication outside of business relationships, in particular by post, telephone, fax, and e-mail, is contained in Section 7 of the UWG.
Security of data processing:
In accordance with Art. 32 GDPR, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, the implementation costs, and the nature, scope, circumstances, and purposes of processing as well as the varying likelihood of occurrence and severity of the risk to the rights and freedoms of natural persons. The measures include in particular ensuring the confidentiality, integrity, and availability of the data by controlling physical access to the data as well as access, input, transfer, securing availability, and separation of the data. In addition, we have set up procedures to exercise the rights of the data subjects, delete data, and respond to threats to the data. We take the protection of personal data into account when developing or selecting hardware, software, and procedures in accordance with the principle of data protection through technology design and data protection-friendly default settings (Art. 25 GDPR).
The security measures include in particular the encrypted transmission of data between your browser and our server.
Our employees are obliged to comply with data protection, have been instructed and trained on the importance of data protection, and are informed of the possible consequences of data protection violations.
Disclosure and transfer of data:
If, as part of our processing, we disclose, transmit, or otherwise grant access to data to other persons and companies (contract processors or third parties), this will only be done on the basis of a legal permission (e.g. if a transmission of the data to third parties, such as payment service providers, is necessary to fulfill the contract in accordance with Art. 6 Para. 1 lit. b GDPR), if you have given your consent, a legal obligation provides for this, or on the basis of our legitimate interests (e.g. when using service providers, etc.).
If we commission third parties to process data on the basis of a so-called "order processing agreement", this is done on the basis of Art. 28 GDPR.
If we disclose, transmit, or otherwise grant access to data to other companies in our group, this is done in particular for administrative purposes as a legitimate interest and is based on a data processing agreement.
Transfer to third countries:
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or the disclosure or transmission of data to third parties, this will only take place if it is necessary to fulfill our (pre)contractual obligations, based on your consent, due to a legal obligation, or due to our legitimate interests. Subject to legal or contractual permissions, we only process or have the data processed in a third country if the special requirements of Art. 44 ff. GDPR are met. This includes, for example, the determination of an appropriate level of data protection by an officially recognized body or the observance of officially recognized special contractual obligations (so-called "standard contractual clauses").
Joint responsibility according to Art. 26 GDPR:
Excyte, Josef Bichlmeier in accordance with Art. 4 No. 19 GDPR. The legal basis for the joint processing and transmission of personal data is the legitimate interest of the parties involved in accordance with Art. 6 Paragraph 1 Clause 1 Letter f in conjunction with Recital 48 GDPR to transmit personal data within the group of companies for internal administrative purposes, including the processing of personal data of customers and employees. For further information on joint responsibility, please refer to the agreement on joint responsibility for the processing of personal data in the appendix.
This privacy policy was last updated on Jun 25, 2025. Please check the content regularly as changes and updates may be made.
Processing processes
The following section provides an overview of the processing activities we carry out, which we have divided into different areas. Please note that these areas are for guidance only and that there may be overlaps in processing activities (e.g. the same data may be processed in several procedures).
Note: In the appendix to this privacy policy you will find an explanation of frequently used terms to improve clarity and comprehensibility.
I. Core area of data processing
This section provides information about our core services, which include the development, customization, and delivery of interactive email experiences. These services support actions such as product selection, reviews, and subscription management directly within the email. We also provide integration, analytics, and customer success services.
II. Order initiation and offer preparation
We process the information provided by prospective clients and business partners as part of requests for demos, access to our platform, or individual feature development. This processing serves the purpose of initiating, preparing, and if applicable, executing contracts for the use of our interactive email technology.
III. Logging of prospective and customer inquiries
We log the data you provide when requesting a demo, contacting support, or engaging in onboarding or integration discussions. This logging ensures we can meet our legal accountability obligations in accordance with Article 5(2) GDPR.
Data processed:
- Inventory data
- Contact and communication data
- Contract data
- Content data
- Usage and meta data (including IP address, timestamp, and optionally a screenshot of the request)
Special categories of personal data: No
Categories of data subjects: Prospective clients, website visitors, users, customers, business partners
Purpose of processing: Provision of contractual services, customer service, documentation
Legal basis for processing: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (legal obligations)
Necessity/legitimate interest: The data is necessary to initiate and fulfil service agreements and to comply with statutory accountability and documentation requirements.
Further information on processing procedures, methods, and services:
We use cloud services such as Google Cloud Storage, cloud infrastructure services, and cloud-based application software from Google. For more information about Google Cloud privacy policy, please visit: https://cloud.google.com/terms/cloud-privacy-notice
Pipedrive: We use customer relationship management (CRM) and process customer and prospect data for sales purposes. For more information about Pipedrive's privacy policy, see: https://www.pipedrive.com/en/privacy
Deletion of data:
The data is generally deleted 30 days after the purpose has been fulfilled (e.g. cancellation or refusal). Deletion takes place no later than six months after the end of the contract, unless there is a legal obligation to retain data or a different requirement for storing the data. Inventory data and evidence of contractual relationships/consents are stored for up to three years. The necessity of storing the data is reviewed annually. In the case of conflicting legal archiving obligations, deletion takes place after these obligations have expired (e.g. commercial or tax law retention obligations), at the latest after 6 or 10 years.
IV. External online presences
In this section you will find information about our data processing in connection with external online presences, such as social media.
Online presence in social media
We maintain online presences in social networks and platforms in order to get in touch with our customers, interested parties, and users and to inform them about our services. When visiting these networks and platforms, the terms and conditions and data protection guidelines of the respective operators apply. Unless otherwise stated in our data protection declaration, we process the data of users who communicate with us within the social networks and platforms, e.g. by writing posts on our online presences or sending us messages.
Embedded content and functions
In this section we inform you about which content, software, or functions (short "content") of other providers we embed in our online offering on the basis of Art. 6 Paragraph 1 Letter f of GDPR ("embedding"). This is done to make our online offering more interesting for our users or for legal reasons, e.g. to be able to display videos or social media posts within our online offering. Embedding can also serve to improve the speed or security of the online offering, e.g. when software elements or fonts are obtained from other sources. In all cases, the data processed includes the users' usage and metadata as well as the IP address required to embed the content. The persons affected are the visitors to our online offering, including users, customers, and interested parties. Further explanations of the functions and protective measures can be found at the end of this data protection declaration in the definitions of terms.
V. Web server and security
hosting
Our website is hosted on a server in a data center within the European Union that is under our control. The data center is operated by a US company with whom a data processing agreement based on the EU standard contractual clauses exists in order to meet the requirements of the GDPR.
server logs
Data processed: Usage data and metadata (name of the website accessed, file, date and time of access, volume of data transferred, notification of successful access, browser type and version, user's operating system, referrer URL, IP address and requesting provider). Special categories of personal data: no. Processing basis: Art. 6 Para. 1 lit. f GDPR. Affected persons: Customers, interested parties, visitors to our website. Purpose of processing: Optimization of server operation and security monitoring. Necessity/interest in processing: Security, business interests. Processing in third countries: no. Deletion of data: After 7 days from collection.
VI. Payment service providers
In this section we inform you about the data processing we carry out for payment purposes.
PayPal
PayPal is an online payment service provider. We have integrated PayPal components on our website. Payments are processed via so-called PayPal accounts, which are virtual private or business accounts. It is also possible to process virtual payments via credit cards if a user does not have a PayPal account. A PayPal account is managed via an email address; there is no classic account number. PayPal enables online payments to third parties or the receipt of payments. PayPal also acts as a trustee and offers buyer protection services. If the data subject selects the "PayPal" option as a payment method during the ordering process, data is automatically transmitted to PayPal. By selecting this payment option, the data subject consents to the transmission of personal data to PayPal for the purpose of payment processing.
Stripe
Stripe is a technology platform for processing online payments. We use Stripe to handle credit card and other payment transactions on our website. When selecting Stripe as a payment method, payment details and personal data such as name, email address, and billing information are transmitted to Stripe in order to process the payment. Stripe complies with the applicable data protection regulations and offers a high level of security for transaction processing. The transmission of data to Stripe takes place for the purpose of fulfilling the contract and on the basis of the data subject's consent.
Data processed:
Payment data, inventory data, communication data. Processing basis: contract fulfillment (Art. 6 Para. 1 lit. b GDPR) and legitimate interest (Art. 6 Para. 1 lit. f GDPR) in the use of the PayPal payment service. Disclosure to third parties: PayPal may pass on the personal data to affiliated companies and service providers or subcontractors if this is necessary to fulfill the contractual obligations or if the data is to be processed on behalf of them. Data subjects: customers, users, interested parties. Purpose of processing: payment processing, fraud prevention. Processing in third countries: no. Further information:
- PayPal's privacy policy can be found at: https://www.paypal.com/us/legalhub/paypal/privacy-full
- Stripe privacy policy can be found at: https://stripe.com/privacy
Please note that this is intended to be only an excerpt of a privacy policy and may not contain all information or specific details. It is recommended that you have a complete and up-to-date privacy policy drafted by a legal advisor or contact a company specializing in data protection to ensure that your privacy policy complies with legal requirements.
Here is a paraphrase of the content, keeping the content intact:
Payment option via PayPal:
If you use the "PayPal" payment option on our website, data is automatically transmitted to PayPal. This includes the following information: first name, last name, address, email address, IP address, telephone number, mobile phone number and other personal data related to your order. This data is processed using social plugins, permanent cookies, third-party cookies, interest-based marketing, tracking and remarketing. Please note PayPal's privacy policy at the following link: https://www.paypal.com/us/legalhub/paypal/privacy-full
Marketing:
In this section we inform you about the data processing we carry out to optimize our marketing and market research.
Personalized newsletter:
We only send newsletters, emails and other electronic notifications with advertising information (hereinafter "newsletter") with your consent or legal permission. In order to be able to prove your registration, the subscribers' data is logged. In addition to your email address, we may collect further information such as your name in order to personalize the newsletter and adapt it to your interests.
Content of the newsletter:
The content of the newsletter includes information about our services and our company, as stated in the registration form.
Data processed:
When processing the data, inventory data (email address) and usage data (registration time, double opt-in confirmation time, IP address, opening of the email, time and place, time and click on a link in the newsletter) are used. No special categories of personal data are processed.
Processing basis:
The processing of the data is based on Art. 6 Para. 1 lit. a, Art. 7 GDPR and Section 7 Para. 2 No. 3 UWG (shipping & performance measurement) as well as Art. 6 Para. 1 lit. c in conjunction with Art. 7 Para. 1 GDPR (logging, performance measurement, if not part of the consent).
Purpose of processing:
The data is processed for the purpose of sending the newsletter, optimizing the content and proving consent.
Type, scope and functioning of the processing:
Processing is carried out using a web beacon. Providing your email address is required, while the other information is voluntary and serves to personalize and optimize the content. Logging serves to prove consent. For users whose consent includes success measurement, success is measured on the basis of consent and otherwise on the basis of legitimate interests in optimizing the content and for business reasons.
A link to unsubscribe is included in every newsletter.
External disclosure:
The newsletter is sent via the Pipedrive in the USA. For more information, see Pipedrive privacy policy at the following link: https://www.pipedrive.com/en/privacy
Communication via post, email, SMS or telephone:
We use communication channels such as email, telephone, WhatsApp, Intercom (live chat), Slack, Microsoft Teams, Google Meet, and, where applicable, postal mail to respond to inquiries, provide product information, support onboarding and integration processes, or to initiate, manage, or terminate service relationships related to the use of our interactive email platform.
You may object to communication via WhatsApp, Intercom, Slack, Microsoft Teams or Google Meet at any time by sending an email to info@excyte.co or by using the opt-out or unsubscribe options provided within the respective communication platform, where available.
Data processed:
The data processed includes inventory data, contact data, contract data and content data. No special categories of personal data are processed.
Processing basis:
The processing of the data is based on Art. 6 Para. 1 lit. a GDPR in the case of consent, Art. 6 Para. 1 lit. b GDPR in the case of contact in the context of contract execution and Art. 6 Para. 1 lit. f GDPR in conjunction with legal requirements for advertising communications.
Purpose of processing:
The data is processed for advertising purposes.
Type, scope and functioning of the processing:
Contact will only be made with the consent of the contact partner or within the scope of legal permissions.
Necessity / interest in processing:
The processing serves information and business interests.
External disclosure and purpose:
There is no external disclosure of the data.
Processing in third countries:
Communication via WhatsApp and Intercom may involve data transfers to third countries (e.g., the USA). These transfers are based on standard contractual clauses pursuant to Art. 46 GDPR.
Deletion of data:
The data will be deleted if an objection or revocation is made or if the legal basis for contacting us no longer applies. The data of interested parties is stored in accordance with the information on the deletion of the data within the scope of the processing activity mentioned above.
Optimization and security:
We process data to ensure the stability, security, and performance of our platform and to continuously improve the user experience. This includes technical logging, load balancing, error tracking, and anonymized usage analysis to optimize content and user flows.
Access data such as IP address, browser type, access time, and visited pages may be temporarily stored in server log files. This data is processed exclusively for security monitoring (e.g. to detect abusive or fraudulent behavior) and system optimization. The data is automatically deleted after a short retention period unless it is required for security incident resolution.
No personal data is used for optimization purposes unless required for the functionality of the platform or explicitly consented to.
Reach measurement, online marketing and technology partners:
In this section we inform you about the services we use for online marketing and reach measurement. They are used on the basis of Article 6 paragraph 1 letter f of the GDPR and our interest in increasing user-friendliness, optimizing our offering and increasing profitability. In all cases, usage and metadata are processed. Further explanations of the functions and protective measures can be found at the end of this data protection declaration in the definitions of terms. The data is deleted in accordance with the data protection declarations of the technology partners, unless otherwise stated.
V
Further information on processing procedures, procedures and services
Google Tag Manager
Google Tag Manager is a solution that allows us to manage website tags via an interface (e.g. integrating Google Analytics and other Google marketing services into our online offering). The Tag Manager itself (which implements the tags) does not process any personal data of users. Information on the processing of personal data of users can be found in the following information on Google services.
Terms of Use: https://www.google.com/intl/de/tagmanager/usepolicy.html
Google Analytics
We use Google Analytics to measure reach and create target groups.
Data processed: Usage data, metadata, customer ID with us (Google only receives the customer ID as pseudonymous data without the associated inventory data such as the customer's name, address or email). Type, scope, functionality of processing: Permanent cookies, third-party cookies, tracking, interest-based marketing, profiling, custom audiences, remarketing. Special protective measures: Pseudonymization, IP masking, conclusion of a contract processing agreement, opt-out. Opt-out:https://tools.google.com/dlpage/gaoptout?hl=de (browser add-on for Google Analytics),https://adssettings.google.com/ (advertisement settings). External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/. Processing in third countries: No. Deletion of data: 14 months.
Google AdWords
We use Google AdWords to place ads in the Google advertising network and to show them to users who are likely to be interested in the ads (so-called "conversion"). We also measure the success of the ads. However, the success measurement is limited to the anonymous total number of users who clicked on our ad and were redirected to a page that has a measurement point set by us (so-called "conversion tracking tag"). We do not receive any information that can be used to identify users.
External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: Consent (Article 6 Paragraph 1 Sentence 1 Letter a GDPR). Website:https://marketingplatform.google.com. Privacy policy:https://policies.google.com/privacy. Further information: Types of processing and data processed:https://privacy.google.com/businesses/adsservices. Data processing conditions between controllers and standard contractual clauses for third country transfers of data:https://business.safety.google/adscontrollerterms.
Google DoubleClick
We use Google AdWords to measure the success of our ads placed on Google.
Data processed: Usage data, metadata, customer ID with us (Google only receives the customer ID as pseudonymous data without the associated inventory data such as the customer's name, address or email). Type, scope, functionality of processing: Permanent cookies, third-party cookies, tracking, conversion measurement, interest-based marketing, profiling. Special protective measures: Pseudonymization, IP masking, conclusion of a contract processing agreement, opt-out. Opt-out:https://tools.google.com/dlpage/gaoptout?hl=de (browser add-on for Google Analytics),https://adssettings.google.com/ (advertisement settings). External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy:https://www.google.com/policies/privacy/. Processing in third countries: No. Deletion of data: 14 months.
Google Optimize
Our website uses the web analysis and optimization service "Google Optimize" to increase the attractiveness, content and functionality of our website by displaying new functions and content to a percentage of our users and statistically evaluating changes in usage.
Google Optimize is a service that falls under Google Analytics (see Google Analytics section). Using cookies, Google Optimize enables the optimization and analysis of how users use our website. The information on the use of our website generated through these cookies is usually transferred to a Google server in the USA and stored there. We use Google Optimize with activated IP anonymization, which means that your IP address is shortened by Google within the member states of the European Union or in other contracting states to the Agreement on the European Economic Area before transmission. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google uses this information to evaluate the use of our website, compile reports on optimization tests and related website activity, and provide us with other services related to website and Internet usage.
Type, scope, functionality of processing: Permanent cookies, third-party cookies, tracking, interest-based marketing, profiling, custom audiences, remarketing. Special protective measures: Pseudonymization, IP masking, conclusion of a contract processing agreement, opt-out. Opt-out:https://tools.google.com/dlpage/gaoptout?hl=de (browser add-on for Google Analytics),https://adssettings.google.com/ (advertisement settings). External disclosure: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy:https://www.google.com/policies/privacy/. Processing in third countries: No. Data deletion: 14 months.
Facebook ads:
We place ads on the Facebook platform and evaluate the success of the ads. The processing serves the purpose of targeted advertising and target group formation. Event data of users of the Facebook platform is processed, including behavioral and interest information.
External disclosure: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Legal basis: Consent (Art. 6 Para. 1 Clause 1 lit. a GDPR). Website:https://www.facebook.com; Privacy Policy:https://www.facebook.com/about/privacy; Opt-out option: Please refer to the data protection settings for profiles and advertising on the Facebook platform as well as to the contact options provided in Facebook's privacy policy for exercising information and other data subject rights; Further information: We have entered into an agreement with Meta Platforms Ireland Limited regarding joint responsibility with Facebook or Meta ("Add for Controllers",https://www.facebook.com/legal/controller_addendum). Joint responsibility only applies to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular the transmission of the data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
Facebook pixel:
We use the Facebook pixel to only show advertisements to those Facebook users who have shown interest in our online offering or who have certain characteristics (e.g. interest in certain topics or services that can be seen from the websites visited) that we transmit to Facebook (so-called "custom audiences"). The Facebook pixel also enables us to record the effectiveness of Facebook advertisements statistically and for market research purposes by checking whether users were redirected to our website after clicking on a Facebook advertisement (so-called "conversion measurement").
Data processed:
Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses), location data (data that indicates the location of an end user's device). Purposes of processing: Tracking (e.g. interest/behavior-related profiling, use of cookies), remarketing, evaluation of website activities, interest- and behavior-based marketing, profiling (creation of user profiles), conversion measurement (measurement of the effectiveness of marketing measures), reach measurement (e.g. access statistics, recognition of returning visitors), target group formation (determination of target groups relevant for marketing purposes or provision of other content), cross-device tracking (processing of user data across multiple devices for marketing purposes). Special protective measures: IP masking (pseudonymization of the IP address), encrypted communication between Facebook and our online offering. Legal basis: Consent (Art. 6 Para. 1 Clause 1 lit. a. GDPR), legitimate interests (Art. 6 Para. 1 Clause 1 lit. f. GDPR). Opt-out: We refer to the data protection information of the respective providers and the objection options specified there (so-called "opt-out"). If no explicit opt-out option is specified, you can deactivate cookies in the settings of your browser. However, this may limit the functions of our online offering. We therefore also recommend the following opt-out options:https://www.facebook.com/settings?tab=ads,https://www.youronlinechoices.com/uk/yourad-choices/ (EU),https://www.aboutads.info/choices/ (USA). External disclosure: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA. Privacy Policy:https://www.facebook.com/about/privacy/. Data deletion: The data will be deleted by Facebook as part of the termination.
Bing Universal Event Tracking (UET):
Our website uses Bing Ads technologies to collect and store data from which usage profiles are created using pseudonyms. A Bing UET tag is integrated into our website. This tag is a code that, in conjunction with the cookie, stores certain non-personal data about the use of the website.
Data processed: time spent on the website, areas of the website accessed and the advert through which users reached the website. No information about identity is collected.
Conversion - Conversion or conversion measurement is a method of measuring the effectiveness of marketing efforts. It typically involves storing a cookie on users' devices when they visit websites that carry out marketing efforts. This cookie is then retrieved again when users visit the target website, for example to determine whether the ads placed on other websites were successful.
Cookies - "Cookies" are small files that are stored on users' computers. A cookie can store various information. A cookie is mainly used to store information about a user (or the device on which the cookie is stored) during or after visiting an online service. Temporary cookies, also called "session cookies" or "transient cookies", are deleted after a user leaves an online service and closes their browser. Such a cookie can, for example, store the contents of a shopping cart in an online shop or the login status in a community. "Permanent" or "persistent" cookies, on the other hand, remain stored even after the browser is closed. For example, they can store the login status in a community when users visit it again after several days. Such cookies can also store the interests of users, which are used for range measurement or marketing purposes (e.g. remarketing). "Third-party cookies" are cookies from providers other than the controller who operates the online service. If only cookies from the responsible party are used, these are called "first-party cookies".
Demographic data – Demographic data is general information about groups of people or individuals, such as age, gender, place of residence and social characteristics such as occupation, marital status or income. Demographic data is used in the context of reach measurement and in online marketing to determine target groups or for business analyses.
Third party – A “third party” means a natural or legal person, public authority, agency or other body other than the data subject, controller, processor or persons authorised to process personal data under the direct responsibility of the controller or processor.
Third country – “Third countries” are countries in which the General Data Protection Regulation (GDPR) does not directly apply. These are generally countries that belong neither to the European Union (EU) nor to the European Economic Area (EEA).
Consent – “Consent” of the data subject occurs when the data subject freely gives his or her informed and unambiguous indication of his or her agreement to the processing of his or her personal data, by a statement or by a clear affirmative action.
Embedding – Embedding involves integrating third-party content or software functions into your own online presence and displaying or executing them there. No copy of the content is created, but it is retrieved from the original server (e.g. videos, images, posts on social networks, rating widgets). When embedding, it is technically necessary for the content provider to record the user's IP address in order to display the embedded content in the user's browser. The content provider can also store cookies on the user's devices.
Advanced Matching - "Advanced Matching" is a Facebook pixel option that sends user inventory data such as phone numbers, email addresses, or Facebook IDs to Facebook in encrypted form to create audiences for Facebook ads and use them exclusively for that purpose.
IP address - The IP address (Internet Protocol address) is a string of numbers that can be used to identify devices connected to the Internet. When a user visits a website on a server, they tell the server their IP address. The server then knows to send the data packets containing the website's content to that IP address.
IP masking – "IP masking" is a method in which the last two numbers of an IP address are deleted in order to prevent the IP address from being clearly assigned to a specific person. IP masking is used to pseudonymize processing procedures, especially in online marketing.
Interest-based marketing or interest and behavioral advertising - Interest and behavioral advertising refers to the use of profiling to determine users' potential interest in advertisements (also known as "online behavioral advertising", or OBA for short). This process typically uses cookies and web beacons.
Opt-In – The term "opt-in" means registration. With double opt-in (DOI), a registration (e.g. by entering an email address in an online form field) is confirmed by sending a confirmation email to the owner of the email address.
Opt-Out – The term "opt-out" means unsubscribing and can, for example, represent an objection (e.g. against tracking) or a cancellation (e.g. for newsletter subscriptions).
Personal data/personal reference – “Personal data” means all information relating to an identified or identifiable natural person (hereinafter “data subject”). A natural person is considered identifiable if he or she can be identified, directly or indirectly, in particular by assignment to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more special characteristics that express his or her physical, physiological, genetic, mental, economic, cultural or social identity.
Plugins/Social Plugins – "Plugins" (or "social plugins" in the case of social functions) are external software functions that are integrated into the online offering. They can, for example, provide interaction elements (e.g. "Like" button) or content (e.g. external comment functions or posts in social networks).
Profiling - "Profiling" refers to any form of automated processing of personal data where these data are used to analyse, evaluate or predict certain personal aspects relating to a natural person. This may include information such as age, gender, location data, interactions with websites and their content, shopping behaviour or social interactions with other people. Cookies and web beacons are often used for profiling purposes.
Pseudonymisation/pseudonyms – Pseudonymisation refers to the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without additional information, provided that this additional information is kept separately. This allows data to be processed pseudonymously, for example by storing a precise profile of the user's interests in a cookie, but without the user's name. However, if personal data such as the name or IP address is stored, the processing is no longer pseudonymous.
Reach measurement – Reach measurement is used to evaluate the flow of visitors to an online offering and can include information about behavior, interests or demographic characteristics such as age or gender. Using reach analysis, website operators can, for example, identify what type of people visit their website at what time and what content they are interested in. This enables them to better adapt the content of their website to the needs of their visitors. Cookies and web beacons are often used for reach analysis.
Session cookies – See “Cookies”.
Tracking – Tracking refers to the tracking of user behavior across multiple online offerings, e.g. for remarketing purposes. Behavioral and interest information collected in connection with the online offerings used is stored in cookies or on servers of marketing service providers (e.g. Google or Facebook).
Controller – The “controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, decides on the purposes and means of processing personal data.
Processing – "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. This term is very broad and covers virtually any handling of data.