Privacy Policy
This is a convenience translation. Only the German version is legally binding.
Last updated: July 2026
1. Controller
Saman Razavi
Softwarehouse Cologne
Ubierring 19, 50678 Köln, Germany
Email: info@baudir.app
2. General Information on Data Processing
As a rule, we process personal data only to the extent necessary to provide a functional platform together with our content and services. Processing is carried out on the basis of consent (Art. 6 (1) (a) GDPR) or another legal basis, such as Art. 6 (1) (b) GDPR (performance of a contract) or Art. 6 (1) (f) GDPR (legitimate interest). All data is stored exclusively on servers within the EU (Hetzner, Germany).
3. Server Log Files
When the platform is accessed, information is automatically stored in server log files: browser type/version, operating system, referrer URL, hostname, time of the request, and IP address. This data is stored for security reasons (Art. 6 (1) (f) GDPR) and anonymized after no more than 7 days.
4. Registration & Customer Account
To use the service as the operator of an app, we collect your name, email address, organization name, and password (stored encrypted), as well as the category you select. The legal basis is the performance of a contract (Art. 6 (1) (b) GDPR). This data is stored for the duration of the contractual relationship.
5. Processing on Behalf of Our Customers (Customer Content)
Operators of an app may process personal data of their own end users via BauDir (e.g. push subscriptions). In this respect, we act as a processor; a data processing agreement (DPA) pursuant to Art. 28 GDPR is provided. Push tokens are stored separately per tenant — there is no cross-tenant access.
6. Web Push Notifications
End users can enable push notifications. For this purpose, a technical push endpoint of the browser is stored with your explicit consent (Art. 6 (1) (a) GDPR). Delivery takes place via the open Web Push standard (VAPID) — without any transfer to Apple or Google beyond the technical delivery itself. The stored push endpoint is deleted as soon as you unsubscribe from notifications, withdraw your consent, or the endpoint becomes permanently invalid. Consent can be withdrawn at any time via your browser settings.
7. Anonymous Reach Measurement (Statistics)
To improve the apps, and at the request of the respective app operator, we collect fully anonymous, aggregated usage statistics. We record only two aggregated daily counters per app:
- the number of page views per day, and
- the number of clicks on push notifications sent, per day.
In doing so, no personal data is processed: no cookies or other information are stored on or read from your device, no IP address is stored, no identifiers, device fingerprints, or profiles are created, and individual visits are not linked across pages or across sessions. Technically, a server-side aggregate counter is simply incremented by 1 when a page is accessed — at no point is it possible to draw any conclusion about a specific person.
Since no personal data within the meaning of Art. 4 (1) GDPR is processed and no information already stored on your device is accessed, neither consent nor a cookie banner is required for this (Section 25 (2) TDDDG (German Telecommunications Digital Services Data Protection Act); under Recital 26, the GDPR does not apply to anonymous data). Your browser’s “Do Not Track” setting is respected; if it is active, no counting takes place.
8. Payment Processing (Stripe)
For processing paid subscriptions, we use Stripe (Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin, Ireland). When a contract is concluded, the data required for payment — in particular name, email and billing address, payment method, as well as subscription and invoice data — is transmitted directly to Stripe and processed there. The legal basis is Art. 6 (1) (b) GDPR (performance of a contract). Complete payment details (e.g. card numbers) are stored exclusively by Stripe and not by us.
Stripe may also transfer data to its parent company, Stripe, Inc. in the USA. Stripe is certified under the EU-US Data Privacy Framework; in addition, EU standard contractual clauses are in place. A data processing agreement pursuant to Art. 28 GDPR exists with Stripe. Further information: stripe.com/privacy.
We retain invoice and payment data beyond the end of the contract to the extent that we are legally required to do so (retention obligations under commercial and tax law, in particular Section 257 HGB (German Commercial Code) and Section 147 AO (German Fiscal Code), generally 6 or 10 years). The legal basis for this is Art. 6 (1) (c) GDPR.
9. External Services
Hosting (Hetzner): Our platform is hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, in data centers in Germany. Hetzner processes all data arising via the platform on our behalf (e.g. when a page is accessed, when content is stored). The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in secure, high-performance operation); a data processing agreement pursuant to Art. 28 GDPR is in place. No data is transferred to a third country.
Email Delivery (Brevo): We send system and transactional emails (e.g. registration and confirmation codes, password resets, subscription notifications) via the service Brevo (Sendinblue SAS, 106 boulevard Haussmann, 75008 Paris, France). In doing so, the email address and message content are processed. The legal basis is Art. 6 (1) (b) and (f) GDPR; a data processing agreement pursuant to Art. 28 GDPR is in place. Processing takes place on EU servers.
Fonts (Inter, Sora) are served exclusively from our own server. No connection is established to Google Fonts and your IP address is not transmitted to Google.
Spam protection without third parties (ALTCHA): To protect our registration, contact, and cancellation forms from abuse by automated programs, we use the open-source ALTCHA mechanism - self-hosted on our own servers within the EU. Your browser solves a small computational task (proof of work) in the background; no cookies are set, no device profiles are created, and no data is transmitted to any third party. Even our anti-bot and spam protection is open source and works without any data outflow. The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in protecting our platform from spam and abuse); there is no access to information on your terminal equipment beyond what is technically necessary (Section 25 (2) no. 2 TDDDG).
10. Advertising & Performance Measurement (Google Ads)
To promote our offering, we run advertisements via Google Ads (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). When you click on one of our ads, Google appends a click parameter (a so-called “gclid”) to the destination address. We read this parameter exclusively on our own server from the address called up (via the technically necessary session) and store it together with the campaign/keyword information in our database, in order to be able to attribute a subsequent contract conclusion to the respective ad.
In doing so, we do not use any advertising cookie, Google tag, Google Analytics, or tracking pixel. No access to your device for advertising purposes takes place, and no cross-device or cross-user profiles are created. If you later conclude a paid subscription, we transmit to Google exclusively this so-called offline conversion — i.e. the gclid, the order value, and the time — so that Google can tell us which ads were successful. Personal data such as your name or email address is not transmitted to Google in this process.
The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in economical, measurable promotion of our offering) and, with regard to the pre-contractual attribution, Art. 6 (1) (b) GDPR. Since we use exclusively technically necessary session data, no consent under Section 25 TDDDG is required for this. The recipient of the offline conversion is Google (Google Ireland Limited; where applicable Google LLC, USA). Google is certified under the EU-US Data Privacy Framework; in addition, EU standard contractual clauses are in place. We delete the click identifier (gclid) as soon as it is no longer required for conversion measurement, at the latest 14 months after the click; the anonymous campaign/keyword counters remain without any personal reference. You can object to this processing at any time under Art. 21 GDPR — by email to the address stated above or, if you have an account with us, directly under “Legal” in your account; your click will then immediately be excluded from conversion measurement and the click identifier deleted. Further information: policies.google.com/privacy.
11. Cookies and Comparable Technologies
We use exclusively technically necessary cookies or comparable storage and access operations on your device (e.g. session and security tokens, including in the browser’s local storage, for example for login and CSRF protection). These are strictly necessary for the service you have requested; consent is not required for this under Section 25 (2) no. 2 TDDDG. No cookies or other information are set or read for advertising or tracking purposes. No cookies are used for our anonymous reach measurement (Section 7) or for advertising conversion measurement (Section 10) either.
12. Contact and Inquiry Form
If you write to us via our contact/inquiry form on the website, we process the data you provide (name — if provided —, email address, and message text) as well as, technically, your IP address and your browser identifier (user agent), in order to process your inquiry and to prevent abuse. The legal basis is Art. 6 (1) (b) GDPR (responding to pre-contractual inquiries) and Art. 6 (1) (f) GDPR (legitimate interest in responding and in protection against abuse). For the technical delivery of the message we use Brevo (see Section 9). We store the inquiry only for as long as is necessary to process it.
13. Prevention of Trial-Period Abuse
To prevent repeated use of the free trial period via ever-new accounts, we store the email address (and, where applicable, the organization name) used during registration even after the account has been deleted, in an internal blocklist. The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in preventing abuse). Storage ends automatically after three months; in the event of confirmed abuse, a permanent block may be applied.
14. Protection of Minors
Our platform is aimed at operators of apps (businesses, associations, institutions) and not at children. To the extent that an operator processes personal data of minors via its app (e.g. in daycare or association apps), the operator is the controller responsible under data protection law and must itself ensure the conditions for valid consent are met — for children under the age of 16, generally through the holder of parental responsibility (Art. 8 GDPR). We process such data exclusively as a processor on behalf of the operator (see Section 5).
15. Your Rights
You have the right at any time to:
- access to your stored data (Art. 15 GDPR)
- rectification of inaccurate data (Art. 16 GDPR)
- erasure (Art. 17 GDPR) and restriction of processing (Art. 18 GDPR)
- data portability (Art. 20 GDPR)
- object to processing (Art. 21 GDPR)
- withdraw consent you have given, with effect for the future
- lodge a complaint with a supervisory authority (Art. 77 GDPR)
To exercise your rights, an email to the address stated above is sufficient.
16. Necessity of Providing Data
Providing the data required for registration and contract processing (in particular name, email address, and, where applicable, payment and billing data) is necessary for the establishment and performance of the contract. Without this data, we cannot conclude the contract and cannot provide the service (Art. 13 (2) (e) GDPR).