Privacy Policy
Last updated: April 21, 2026
1. Introduction
We take the protection of your data seriously. This privacy policy explains which personal data we process, for which purposes, and on what legal basis.
2. Data Controller — Company Details
- Pacco Planning UG (limited liability)
- Günterstalstraße 35
- 79102 Freiburg im Breisgau, Germany
- HRB 733943, Amtsgericht Freiburg
- Managing Directors: Nils Brabänder, Bastian Nill
- Email: info@pacco-planning.de
3. Data Protection Contact
Email: info@pacco-planning.de
Data Protection Officer: not appointed (not required under Art. 37 GDPR).
4. Categories of Personal Data
- Master data (e.g. name, company)
- Contact data (e.g. email, phone, address)
- Usage data (e.g. pages visited, access times)
- Content data (e.g. recipes, events, documents)
- Payment data (e.g. billing address, payment history)
5. Purposes and Legal Bases
We process personal data on the following legal bases:
- Contract performance — Art. 6(1)(b) GDPR
- Legitimate interests — Art. 6(1)(f) GDPR
- Consent — Art. 6(1)(a) GDPR
- Legal obligation — Art. 6(1)(c) GDPR
6. Hosting and Server Logs
Our services are hosted on Google Cloud Platform in the europe-west3 region (Frankfurt am Main, Germany). The contract partner is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Services used: Cloud Run (compute), Cloud SQL for PostgreSQL (database), Cloud Storage (files), and Cloud CDN/Cloud Armor (delivery and protection). When you access our services, the following data is automatically stored in server log files:
- IP address
- Date and time of the request
- URL accessed
- Browser and operating system
- Data volume transferred
Legal basis: Art. 6(1)(f) GDPR. Log files are automatically deleted after 30 days.
7. Fonts (Self-Hosting)
We embed fonts (Inter, Cormorant Garamond, Roboto Mono) locally from our own server. No data is transferred to Google servers. Technically this is implemented via next/font, which copies the fonts to our server at build time and serves them from there (self-hosting). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in consistent typography without third-country transfers).
8. Cookies
This website uses strictly necessary cookies only (e.g. language preference, login session in the app area, CSRF protection). We set no analytics, marketing, or tracking cookies. Consent under §25(1) TTDSG is therefore not required; storage is based on §25(2)(2) TTDSG (strictly necessary). Legal basis for subsequent processing: Art. 6(1)(f) GDPR.
If we introduce web analytics or conversion measurement in the future, we will ask for your consent in advance (consent banner) and update this policy accordingly.
9. Authentication (Firebase Identity Platform)
We use Firebase Identity Platform, a service of Google Ireland Limited, for authentication. Processing takes place in the europe-west3 region (Frankfurt). Data processed: email address, hashed password, sign-in timestamps, sign-in IP address. Legal basis: Art. 6(1)(b) GDPR (contract performance).
10. Payment Processing (Stripe)
For payments we use Stripe (Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland). Stripe processes payment data directly; we do not store credit card numbers. Legal basis: Art. 6(1)(b) GDPR.
11. Processors
We work with the following processors. A current list including contract partner, purpose, region, and DPA status is maintained in our sub-processor list; a copy is available on request at datenschutz@pacco-planning.de. B2B controller customers can request our Art. 28 GDPR Data Processing Agreement template at the same address.
- Google Ireland Limited — hosting and database (Cloud Run, Cloud SQL, Cloud Storage, Cloud CDN/Armor), authentication (Firebase), AI features (Vertex AI). Region: europe-west3 (Frankfurt). Art. 28 GDPR DPA in place.
- Stripe Payments Europe, Ltd., Dublin, Ireland — payment processing. DPA in place; PCI-DSS Level 1 certified.
- Cloudflare Germany GmbH, Munich, Germany — DNS resolution for our domains.
12. International Data Transfers
Insofar as data is transferred to the USA, this takes place on the basis of the EU-US Data Privacy Framework or on the basis of Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
13. Retention Periods
- Contract data: 10 years (commercial and tax retention obligations)
- Invoice data: 10 years per § 147 AO
- Server log files: 30 days
14. Security
We apply the following technical and organizational measures:
- TLS/SSL encryption for all data in transit
- Encrypted data storage
- Regular security updates
- Access controls and permission management
- Regular data backups
15. Your Rights
You have the following rights regarding your personal data:
- Access — Art. 15 GDPR
- Rectification — Art. 16 GDPR
- Erasure — Art. 17 GDPR
- Restriction of processing — Art. 18 GDPR
- Data portability — Art. 20 GDPR
- Objection — Art. 21 GDPR
- Withdrawal of consent — Art. 7(3) GDPR
16. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. Competent authority:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart, Germany
Phone: +49 711 615541-0
Email: poststelle@lfdi.bwl.de
17. Automated Decision-Making
No automated decision-making within the meaning of Art. 22 GDPR takes place.
18. Children
Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children.
19. Changes
We reserve the right to update this privacy policy to adapt it to changes in law or services.
20. Contact
Email: info@pacco-planning.de