← Back to home

Privacy Policy

Last updated: July 5, 2026

This policy informs you under Art. 13 and 14 GDPR about the processing of personal data when visiting this website (sondercase.com) and when using the "Sondercase" platform. For our customers’ end-customer data we act as a processor (see the DPA). The German version prevails.

1. Controller

The controller under the GDPR is:
Hölzel, Iserhagen & Kirscht GbR
Prellerstr. 22, 01309 Dresden
Email: hello@sondercase.com

2. Your rights

You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), to withdraw consent with future effect (Art. 7(3)) and to lodge a complaint with a supervisory authority (Art. 77 GDPR).

Our competent authority: Sächsische Datenschutz- und Transparenzbeauftragte (SDTB), Devrientstraße 5, 01067 Dresden.

3. When you visit this website

This website is hosted by Cloudflare, which acts as our processor. On access, Cloudflare processes technically necessary server-log data (including IP address, date/time, requested URL, referrer, browser/OS, language) to deliver the site and keep operations secure (Art. 6(1)(f) GDPR). This data is stored only as long as necessary for those purposes. Fonts are self-hosted; no data is sent to a font CDN (e.g. Google Fonts).

4. Audience measurement (cookieless)

For audience measurement we use Cloudflare Web Analytics. It is cookieless: no cookies are set, nothing is stored on your device, and no device- or person-level profiles are built. The legal basis is our legitimate interest in data-minimal audience measurement (Art. 6(1)(f) GDPR); no consent is required.

5. Marketing / Meta Pixel

For marketing and conversion measurement we use the Meta Pixel and the server-side Meta Conversions API from Meta Platforms Ireland Ltd. It stores/reads cookies (including _fbp, _fbc) on your device and transfers event data to Meta — when you interact with the demo, this may also include pseudonymised (hashed) identifiers such as email address or phone number. Storing/reading and transfer occur only after your consent via our cookie banner (§ 25(1) TDDDG); the processing relies on Art. 6(1)(a) GDPR. You can withdraw your consent at any time with future effect via the banner. Transfers to the US rely on the EU-US Data Privacy Framework or EU Standard Contractual Clauses.

6. Interactive demo

When you enter your store domain in the interactive demo, we process the domain, publicly available store data and your inputs to run the analysis and simulation (Art. 6(1)(b) GDPR — pre-contractual). Demo data is deleted once it is no longer needed for that purpose.

7. Account and use of the platform

If you create an account and use "Sondercase", we process account data (email address, authentication, plan and billing data) to perform the contract (Art. 6(1)(b) GDPR). To evidence granted consents we store which document version was accepted, when, and from which IP address (Art. 6(1)(c) and (f) GDPR). For operation, security and abuse prevention we also process usage data (log, diagnostic and security data).

The content data processed in the course of the service (connected email/messenger messages and shop data) and the other end-customer data of our customers are processed solely as a processor on the respective customer’s instructions (Art. 28 GDPR — see the DPA).

8. Recipients and processors

We use carefully selected service providers, including:

Website (hosting & audience measurement):

  • Cloudflare — hosting/CDN for this website and cookieless web analytics

Marketing:

  • Meta Platforms Ireland Ltd. — Meta Pixel (only with your consent)

The "Sondercase" platform (when you use an account):

  • Railway, Vercel — hosting (backend/frontend)
  • Supabase — database and authentication
  • Stripe — payment processing
  • OpenAI — AI processing
  • Meta Platforms Ireland Ltd. — messenger integration (WhatsApp/Instagram/Facebook, Graph API)
  • Google — email integration (Gmail OAuth, Pub/Sub notifications)
  • Qdrant; optionally Cohere — vector/knowledge-base search and reranking
  • Brevo — transactional and lifecycle email delivery
  • PostHog (EU hosting) — product analytics
  • Cloudflare Turnstile — bot protection

We provide a complete, current list of sub-processors on request or within the DPA.

9. Third-country transfers

Where data is processed outside the EEA (e.g. at OpenAI, Meta or Cohere), this is based on appropriate safeguards — in particular EU Standard Contractual Clauses or the EU-US Data Privacy Framework. Copies of the safeguards are available on request.

10. Retention

Personal data is deleted as soon as it is no longer required for the stated purposes and no statutory retention obligations apply. Consent records (including IP address) are retained for as long as they are needed as evidence and are then deleted or anonymised.

11. Security

We protect your data with appropriate technical and organisational measures (Art. 32 GDPR): transport encryption (TLS), encryption of sensitive data at rest, role-based access controls and tenant isolation, logging, rate limiting and bot protection, and regular backups.

12. Contact

Please direct privacy requests to hello@sondercase.com.