Privacy Policy
Last updated: February 23, 2026
1. Controller and Contact Information
Controller pursuant to Art. 4(7) GDPR:
Arantic Digital - Philip Bellm
Johann-G.-Gutenberg-Str. 7, 82140 Olching, Germany
Email: [email protected]
2. Overview of Data Processing
2.1 Scope and Purpose
This Privacy Policy explains how we collect, process, and protect your personal data when using the BugPin platform in accordance with:
- EU General Data Protection Regulation (GDPR)
- German Federal Data Protection Act (BDSG)
- German Telecommunications Digital Services Data Protection Act (TDDDG)
2.2 Categories of Data Subjects
- Registered users and account holders
- Website visitors
- Business contacts and customers
3. Legal Bases for Processing (Art. 6 GDPR)
We process your personal data based on the following legal grounds:
| Purpose | Legal Basis | Reference |
|---|---|---|
| Contract performance (providing services) | Art. 6(1)(b) GDPR | Necessary for contract |
| Account management | Art. 6(1)(b) GDPR | Necessary for contract |
| Payment processing | Art. 6(1)(b) GDPR | Necessary for contract |
| Technical operation of website | Art. 6(1)(f) GDPR | Legitimate interest |
| Security and fraud prevention | Art. 6(1)(f) GDPR | Legitimate interest |
| Legal compliance | Art. 6(1)(c) GDPR | Legal obligation |
| Marketing (with consent) | Art. 6(1)(a) GDPR | Consent |
| Analytics (with consent) | Art. 6(1)(a) GDPR | Consent |
4. Personal Data We Collect
4.1 Data You Provide Directly
- Account data: Name, email address, password (hashed)
- Company information: Company name, business address, VAT ID
- Payment data: Billing address, payment method details (processed by Paddle)
- Communication data: Support inquiries, feedback
4.2 Data Collected Automatically
Server log files (Art. 6(1)(f) GDPR):
- IP address (anonymized)
- Browser type and version
- Operating system
- Referrer URL
- Date and time of access
- Pages visited
Purpose: Technical operation, security, error analysis
4.3 User-Generated Content
- Bug reports, screenshots, annotations, comments
- Legal basis: Art. 6(1)(b) GDPR (contract performance)
5. Cookies and Tracking Technologies (§ 25 TDDDG)
5.1 Strictly Necessary Cookies
These cookies are essential for website functionality and do not require consent:
- Session management
- Security tokens
- Load balancing
5.2 Google Analytics (Consent Required)
We use Google Analytics, a web analytics service provided by:
Google Ireland Limited
Gordon House, Barrow Street, Dublin 4, Ireland
Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Purpose: Analysis of website usage to improve our services.
Legal basis: Art. 6(1)(a) GDPR (consent) and § 25 TDDDG. Google Analytics is only activated after you provide explicit consent via our cookie banner.
Data processed:
- IP address (anonymized via IP masking)
- Pages visited, time spent, bounce rate
- Browser type, operating system, screen resolution
- Referrer URL
- Approximate geographic location (city level)
Data transfer to the US: Google LLC is certified under the EU-US Data Privacy Framework (Art. 45 GDPR). Additionally, Standard Contractual Clauses (Art. 46(2)(c) GDPR) are in place.
Retention period: 14 months.
Opt-out: You can prevent data collection by Google Analytics by:
- Declining or withdrawing cookie consent (use the button below)
- Installing the Google Analytics Opt-out Browser Add-on
- Configuring your browser to block cookies
Google's privacy policy: https://policies.google.com/privacy
5.3 Other Optional Cookies
- Functionality cookies for user preferences
Your Rights: You can withdraw cookie consent at any time. You can also configure your browser to block cookies.
6. Data Recipients and Third-Party Processors
We share your data with the following categories of recipients:
6.1 Payment Processing
- Paddle.com (Merchant of Record)
- Purpose: Payment processing, invoicing, tax compliance
- Data shared: Name, email, billing address, payment details
- Legal basis: Art. 6(1)(b) GDPR
- Privacy Policy: https://www.paddle.com/legal/privacy
6.2 Email Services
- Resend, Inc. (San Francisco, CA, USA)
- Purpose: Transactional and service emails (account verification, notifications, password resets)
- Data shared: Email address, name
- Legal basis: Art. 6(1)(b) GDPR
- Data transfer safeguard: EU-US Data Privacy Framework / Standard Contractual Clauses (Art. 46(2)(c) GDPR)
- Privacy Policy: https://resend.com/legal/privacy-policy
6.3 Hosting and Infrastructure
- Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA)
- Purpose: Website hosting, CDN, DNS, DDoS protection
- Data processed: IP address, HTTP request data, access logs
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and reliable website operation)
- Data transfer safeguard: EU-US Data Privacy Framework / Standard Contractual Clauses (Art. 46(2)(c) GDPR)
- Data Processing Agreement: In place per Art. 28 GDPR
- Privacy Policy: https://www.cloudflare.com/privacypolicy/
7. International Data Transfers
7.1 Transfers to Third Countries
When we transfer personal data outside the EU/EEA, we ensure appropriate safeguards:
- EU-US Data Privacy Framework: For US-based processors certified under the framework
- Standard Contractual Clauses (SCCs): Art. 46(2)(c) GDPR
- Adequacy Decisions: Art. 45 GDPR
7.2 Your Rights Regarding Transfers
You may request information about the specific safeguards applied to international transfers of your data.
8. Data Retention Periods
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account data | Duration of contract + 3 years | § 195 BGB (limitation period) |
| Invoices/Payment records | 10 years | § 147 AO (tax retention) |
| Server logs | 30 days | Art. 6(1)(f) GDPR |
| Support correspondence | 3 years after resolution | Art. 6(1)(f) GDPR |
| Analytics data (Google Analytics) | 14 months | Art. 6(1)(a) GDPR |
| Consent records | Until withdrawal + 3 years | Art. 7(1) GDPR |
9. Your Rights (Art. 15-22 GDPR)
You have the following rights regarding your personal data:
9.1 Right of Access (Art. 15 GDPR)
You may request confirmation of whether we process your data and obtain a copy of that data.
9.2 Right to Rectification (Art. 16 GDPR)
You may request correction of inaccurate data or completion of incomplete data.
9.3 Right to Erasure (Art. 17 GDPR)
You may request deletion of your data when:
- Data is no longer necessary for the original purpose
- You withdraw consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- Data was processed unlawfully
Exceptions: We may retain data where required by law (e.g., tax records).
9.4 Right to Restriction of Processing (Art. 18 GDPR)
You may request restriction of processing under certain circumstances.
9.5 Right to Data Portability (Art. 20 GDPR)
You may request your data in a structured, commonly used, machine-readable format.
9.6 Right to Object (Art. 21 GDPR)
You have the right to object at any time to the processing of your personal data based on Art. 6(1)(e) or (f) GDPR, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
9.7 Right to Withdraw Consent (Art. 7(3) GDPR)
You may withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.
9.8 How to Exercise Your Rights
Contact us at: [email protected] or via our contact form.
We will respond within one month (extendable by two months for complex requests per Art. 12(3) GDPR).
10. Right to Lodge a Complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a supervisory authority. The competent authority for us is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach, Germany
https://www.lda.bayern.de
You may also contact the supervisory authority in your place of residence or work.
11. Automated Decision-Making (Art. 22 GDPR)
We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.
12. Data Security (Art. 32 GDPR)
We implement appropriate technical and organizational measures including:
- Encryption in transit (TLS/SSL) and at rest
- Access controls and authentication
- Regular security assessments
- Employee training on data protection
- Incident response procedures
13. Children's Privacy
Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly.
14. Changes to This Privacy Policy
We may update this Privacy Policy periodically. Material changes will be communicated via:
- Email notification to registered users
- Prominent notice on our website
The "Last updated" date at the top indicates the most recent revision.
15. Contact Us
For questions about this Privacy Policy or to exercise your data protection rights:
Email: [email protected]
Or contact us via our contact form.
This Privacy Policy is provided in English. For users in Germany, all statutory rights under GDPR and BDSG remain fully applicable.