Privacy Policy

This translation is provided for convenience only. The legally binding version is the German original.

1. General information

The protection of your personal data is important to us. We process your data confidentially and in accordance with applicable data protection regulations, in particular the General Data Protection Regulation (GDPR).

This privacy policy explains which data we collect, how we use it, and what rights you have.

2. Controller

The controller within the meaning of the GDPR is:

Tradimo Germany GmbH
Fuhlsbüttler Straße 29
22305 Hamburg
Germany

Email: support@tradimo.com

Managing Director: Daniel Fonseca

3. Hosting

Our website is currently hosted by Hetzner Online GmbH, Germany. In the future, hosting may be provided by Amazon Web Services (AWS) in an EU region.

Processing is based on Art. 6(1)(f) GDPR (legitimate interest in secure and efficient provision of our website) and on data processing agreements pursuant to Art. 28 GDPR.

4. CDN and DNS (Cloudflare)

We use Cloudflare, Inc., USA, as a Content Delivery Network (CDN) and DNS service.

Cloudflare processes IP addresses, connection data, and security-relevant data for attack prevention.

Usage is based on Art. 6(1)(f) GDPR (legitimate interest in security, performance, and stability).

Data transfer to the USA may occur based on Standard Contractual Clauses pursuant to Art. 46 GDPR and, where applicable, the EU-U.S. Data Privacy Framework.

5. Cookies and consent management

Our website uses cookies and comparable technologies.

We distinguish the following categories:

Necessary cookies
Required for website operation, particularly sessions and security functions.
Legal basis: Art. 6(1)(f) GDPR.

Functional cookies
Used to store settings such as language or theme.
Legal basis: Art. 6(1)(a) GDPR (consent).

Analytics cookies
Used for analyzing user behavior (e.g., via PostHog).
Legal basis: Art. 6(1)(a) GDPR (consent).

Non-necessary cookies are only set with your explicit consent. You can revoke consent at any time via the cookie banner.

6. Analytics and tracking (PostHog)

We use PostHog, a self-hosted open-source analytics platform.

PostHog processes usage data (page views, clicks, time on page), session recordings, heatmaps, and pseudonymized user profiles.

Data processing takes place on our own servers within the European Union.

Legal basis is your consent pursuant to Art. 6(1)(a) GDPR.

7. Video embeds (Vimeo)

Our website may embed videos from Vimeo, Inc., USA.

Videos are only loaded when you actively start them.

When a video is played, IP address, usage data, and device information may be transmitted to Vimeo.

Legal basis is your consent pursuant to Art. 6(1)(a) GDPR.

8. Authentication (Keycloak)

We use a self-hosted authentication solution (Keycloak) for user management.

Keycloak processes name, email address, password hash, and login histories.

Legal basis is Art. 6(1)(b) GDPR (performance of contract).

9. Database (PostgreSQL)

We use a self-hosted PostgreSQL database to store user data.

Stored data includes user profiles, course progress, order history, and preferences.

Legal basis is Art. 6(1)(b) GDPR.

10. Sessions and cache (Redis)

We use Redis (self-hosted) for session management and temporary data.

Processed data includes session tokens and temporary data.

Legal basis is Art. 6(1)(f) GDPR.

11. File storage (MinIO / S3)

We use an S3-compatible solution (MinIO, self-hosted) and prospectively AWS S3 (EU) for file storage.

Stored data includes uploads, media, and course materials.

Legal basis is Art. 6(1)(b) GDPR.

12. Payment processing (Stripe)

We use Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, for payment processing.

During payment processing, name, email address, billing address, payment data, and transaction data are processed.

Processing is carried out for the purpose of payment execution and contract performance pursuant to Art. 6(1)(b) GDPR.

Stripe may transfer data to its parent company Stripe, Inc., USA, based on Standard Contractual Clauses pursuant to Art. 46 GDPR and, where applicable, the EU-U.S. Data Privacy Framework.

13. Email delivery

We use external service providers for sending emails (e.g., transactional emails or newsletters).

Email address, name, and communication content are processed.

Legal basis is Art. 6(1)(b) GDPR (transactional emails) or Art. 6(1)(a) GDPR (newsletter).

14. Fonts

We use locally hosted fonts. No connection to external servers is made.

15. Data transfer to third countries

Transfer of personal data to third countries (e.g., USA) only occurs if an adequacy decision exists or appropriate safeguards (e.g., Standard Contractual Clauses) are in place.

This applies in particular to Cloudflare, Vimeo, and Stripe.

16. Storage duration

We store personal data only as long as necessary for the respective purposes:

Contract data: Duration of the contract and statutory retention periods
Usage data: Until revocation or deletion
Log data: Short-term to ensure operation

17. Your rights

You have the right to access, rectification, deletion, restriction of processing, data portability, and objection to processing.

You also have the right to lodge a complaint with a data protection supervisory authority.

Competent supervisory authority:
The Hamburg Commissioner for Data Protection and Freedom of Information

18. Data processors

We use the following data processors:

  • Hetzner Online GmbH (Hosting)
  • Amazon Web Services (Hosting and storage)
  • Cloudflare Inc. (CDN and DNS)
  • Vimeo Inc. (Video hosting)
  • Stripe Payments Europe Ltd. (Payment processing)
  • Email service provider (Delivery)

Data processing agreements pursuant to Art. 28 GDPR are in place with all service providers.

19. Automated decision-making

No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place.