AfterBon

Privacy Policy

Last updated: 02 March 2026

This privacy policy informs you in accordance with Art. 12 et seq. GDPR about the processing of personal data when using AfterBon (in particular the Admin/Advertiser/Retailer portal and the customer frontend/scan functionality).

1. Data controller

Data controller within the meaning of Art. 4(7) GDPR:
nous ventures GmbH
Im Horben 38
71560 Sulzbach an der Murr
Germany
Email: kontakt@afterbon.de

Data protection officer (if appointed/required):
nous ventures GmbH

2. Overview: purposes, categories, legal bases

We process personal data in particular for the following purposes:

1) Provision of the platform and its functions (login, roles/access, portal functions, technical administration)
Legal basis: Art. 6(1)(b) GDPR (contract/contractual measures), supplemented by Art. 6(1)(f) GDPR (IT security, abuse prevention)

2) Technically necessary event processing for scan/funnel use (e.g. SCAN/VIEW/OUT for delivery and measurement of the function chain, security and bot detection)
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operation, security, abuse prevention, error analysis), where applicable Art. 6(1)(b) GDPR insofar as processing is necessary for the provision of requested functions

3) Communication and support (enquiries, contractual communication)
Legal basis: Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR

4) Email opt-in for end customers (double opt-in) (if offered and chosen by you)
Legal basis: Art. 6(1)(a) GDPR (consent); withdrawal possible at any time (see section 10)

5) Evidence and security purposes (audit log)
Legal basis: Art. 6(1)(f) GDPR (traceability, integrity, IT security); where applicable, Art. 6(1)(c) GDPR (legal obligations)

3. Data processed in detail

3.1 Scan/event data (tracking/events)
When using the customer frontend or scan functions, the following data may be processed:

• IP address: No plain-text IP is stored. Instead, only a hash (SHA-256) is processed/stored as ip_hash.
• User-Agent: Stored in events.user_agent (truncated), with automatic deletion after 30 days (set to NULL by a background process).
• Scan token: UUID events.scan_token (technically required for assignment within the funnel)
• Bot flag: events.is_bot (security/quality purposes; no individual personal evaluation intended)
• Timestamp: events.created_at

Purposes: technical provision, stability, error analysis, abuse and bot detection, statistical evaluation.
Legal basis: Art. 6(1)(f) GDPR.

3.2 Admin/Advertiser/Retailer accounts (portal users)
For portal access we typically process:

• Email address (users_admin.email)
• Password, stored only as an Argon2 hash (users_admin.password_hash) – no plain-text storage
• Role and affiliations (e.g. users_admin.role, retailer_id, advertiser_id) for access control
• Password reset data (e.g. password_reset_token, password_reset_expires_at)

Purposes: authentication, permission management, portal operation, support, security.
Legal basis: Art. 6(1)(b) GDPR, supplemented by Art. 6(1)(f) GDPR.

3.3 End customers (opt-in only)
Where voluntary registration/consent is provided in the customer frontend, we process:

• Email address (users_customer.email), only after consent (double opt-in)
• Opt-in status and tokens (double_opt_in, opt_in_token, opt_in_expires_at) for evidence and processing

Purposes: sending the information/communication you have requested.
Legal basis: Art. 6(1)(a) GDPR.

3.4 Audit log, system and security data
• Audit log: change records (who/when/what) for traceability and security; no plain-text passwords.
• Redis/cache (e.g. campaign cache, rate limits): short-lived technical storage.
• Logs: no storage of IP addresses or PII in application logs under the current technical specification (technical identifiers/hashes).

Legal basis: Art. 6(1)(f) GDPR (security, stability).

4. Cookies and similar technologies

We use technically necessary cookies in particular for:
• Session/login functions (portal)
• Security (e.g. protection against abuse)

Optional cookies/technologies (e.g. convenience/analytics) are used – if deployed – only with consent.

Legal bases:
• Necessary: Art. 6(1)(f) GDPR (operation/security) or Art. 6(1)(b) GDPR
• Optional: Art. 6(1)(a) GDPR (consent)

5. Recipients and categories of recipients

Personal data may be transferred where necessary to:

• Hosting/infrastructure providers (server operation, database operation)
• Email service providers (only if email communication/opt-in sending is used)
• IT/support service providers (maintenance, troubleshooting)
• Internal recipients (employees/contractors) according to role and permission concept

Where providers act as processors, processing is based on a data processing agreement in accordance with Art. 28 GDPR.

6. International transfers

Where providers outside the EU/EEA are used or access from third countries cannot be ruled out, transfer will only take place if the requirements of Art. 44 et seq. GDPR are met (e.g. adequacy decision or EU standard contractual clauses and, where applicable, additional safeguards).

Note: Specific providers, countries and guarantees should be added here according to the actual setup.

7. Retention and deletion

We retain personal data only for as long as necessary for the stated purposes or statutory retention obligations apply.

Specifically (current technical state):
• User-Agent in events: automatic deletion after 30 days (set to NULL).
• Scan/event data (other fields): according to internal deletion concept or as long as required for operation/security/evidence
• Portal user accounts: for the duration of the contractual relationship or until account deletion; thereafter deletion/anonymisation unless obligations require otherwise
• Opt-in data: until withdrawal of consent or as long as sending takes place; evidence of consent may be retained longer where necessary to demonstrate compliance (Art. 6(1)(f) GDPR)

8. Obligation to provide data

• For portal use, certain data (in particular login email and authentication data) are required; use is not possible without them.
• For opt-in functions, providing your email is voluntary; without consent/provision, no opt-in sending will take place.

9. Automated decisions / profiling

No automated decision-making within the meaning of Art. 22 GDPR takes place. Technical bot classification (is_bot) serves security and quality purposes and is not aimed at a legal effect or similarly significant impact.

10. Your rights (data subject rights)

You have the following rights under the GDPR:

• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection to processing based on legitimate interests (Art. 21 GDPR)
• Withdrawal of consent at any time with effect for the future (Art. 7(3) GDPR)

To exercise your rights, please contact: kontakt@afterbon.de

Right to lodge a complaint: You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR), in particular in the member state of your habitual residence, place of work or place of the alleged infringement.

11. Security

We implement appropriate technical and organisational measures to secure your data (e.g. role-based access control, logging of security-relevant changes, secure password storage using Argon2, protection against abuse/rate limiting).

12. Changes to this privacy policy

We may update this privacy policy when the legal framework, services or data processing change. The current version will be made available within the platform.