
Privacy Policy

Information on the processing of personal data on helllo.me

Last updated: January 2026

1. Data Controller

The controller responsible for the processing of personal data in accordance with the General Data Protection Regulation (GDPR) is:

Alec Winter
Blumenau 89
22089 Hamburg
Germany

Email: contact@helllo.me

As we employ fewer than 20 persons who are constantly engaged in automated processing of personal data, we are not required to appoint a Data Protection Officer under German law (§ 38 BDSG).


2. General Information on Data Processing

Scope of Processing

We generally process personal data of our users only to the extent necessary for providing a functional platform and our content and services. Processing is carried out exclusively in accordance with the applicable legal provisions (GDPR, BDSG, TDDDG).

Legal Bases

The processing of personal data is based on the following legal grounds:

  • Art. 6 (1) (a) GDPR - Consent
  • Art. 6 (1) (b) GDPR - Performance of a contract or pre-contractual measures
  • Art. 6 (1) (c) GDPR - Legal obligation
  • Art. 6 (1) (f) GDPR - Legitimate interest

3. Collection and Processing of Personal Data

a) Web Analytics & Hosting (Vercel)

When you access helllo.me, information is automatically collected by our hosting provider, Vercel. We use Vercel Web Analytics to statistically evaluate the use of the platform.

  • Privacy-friendly: This tool operates entirely without cookies.
  • Anonymization: IP addresses are not stored. Only a temporary, non-traceable hash value is generated for session separation.
  • Data Categories: Requested URL, referrer, device type, browser type, approximate location (country/region).

Legal basis: Art. 6 (1) (f) GDPR (Legitimate interest in optimizing the platform).

b) Own Visitor Statistics for Business Cards

For registered users, we collect anonymized access statistics for their public business cards. This data is stored in our database (Supabase, location Stockholm).

  • Data collected: Country (from Vercel header, no IP storage), device type (Desktop/Mobile/Tablet), browser type, timestamp of access.
  • Purpose: Providing usage statistics for card owners.
  • No profiling: No personal profiles of visitors are created.

Legal basis: Art. 6 (1) (f) GDPR (Legitimate interest of users in access statistics).

c) Strictly Necessary Cookies (Supabase Auth)

To provide the platform's functionality (specifically the login area), we use Supabase. Although data processing occurs server-side (SSR), it is technically necessary to store a session cookie in your browser.

  • Purpose: Maintaining the login status.
  • Storage duration: Until logout or session expiration.
  • Necessity: The service cannot be provided securely without this cookie. Consent is therefore not required under applicable telecommunications laws (§ 25 (2) No. 2 TDDDG).

Legal basis: Art. 6 (1) (b) GDPR (Performance of contract).

d) Registration and Business Card Management

When you create an account, we process:

Direct Registration:

  • Email address (required)

Google OAuth:

  • Email address, name, profile picture URL (provided by Google)

Business card content (entered by user on the business card):

  • Contact details (name, phone, email, website)
  • Address data (street, house number, postal code, city, country)
  • Personal information (date of birth, nationality, languages)
  • Social media links (Instagram, LinkedIn, X, Facebook, YouTube, TikTok, GitHub, Discord, Telegram, Signal, WhatsApp)
  • Profile picture and business card image
  • Biography/description text

Important Notice Regarding Public Disclosure: All content you enter on your public business card (e.g., name.helllo.me) is publicly accessible worldwide and may be indexed by search engines. You decide which information to publish. Private business cards are only accessible with an access code.

Legal basis: Art. 6 (1) (b) GDPR (Performance of contract).

e) Image Storage

Uploaded images (profile pictures, business card images) are stored in Supabase Storage (location Stockholm, AWS).

  • Processing: Images are compressed client-side (max. 1 MB, WebP format) before upload.
  • Storage duration: Until deletion by user or account deletion.
  • Access: Profile pictures via signed URLs (24h validity); business card images publicly accessible.

Legal basis: Art. 6 (1) (b) GDPR (Performance of contract).

f) Contact Form

When using our contact form, the following data is processed:

  • Name (required)
  • Message (required)
  • Email address (optional, only if response requested)

Processing: The message is transmitted via a Discord webhook to our internal communication channel to process inquiries promptly. Discord Inc. is a US company.

Storage duration: Data is stored on Discord servers according to their privacy policy.

Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures) or Art. 6 (1) (f) GDPR (Legitimate interest in responding to inquiries).

g) Security Measures (Rate Limiting)

To prevent abuse (e.g., brute-force attacks on private business cards), we use a rate-limiting system.

  • Data collected: Anonymized hash value (from IP address and subdomain), timestamp.
  • Storage duration: Maximum 60 minutes.
  • No IP storage: The IP address is not stored in plain text.

Legal basis: Art. 6 (1) (f) GDPR (Legitimate interest in platform security).

h) Email Communication

For system-related emails (registration confirmation, password reset), we use the email service of Supabase or, if applicable, Brevo (Sendinblue, France).

  • Data processed: Email address, time of dispatch.
  • Purpose: Authentication and account security.

Legal basis: Art. 6 (1) (b) GDPR (Performance of contract).

i) Newsletter

Users may optionally subscribe to our newsletter in the account settings. The newsletter service is provided by Brevo (Sendinblue, France).

  • Data processed: Email address only.
  • Purpose: Sending information about new features, updates, and tips for using helllo.me.
  • Subscription: Requires explicit opt-in via the settings page. A confirmation dialog is shown before subscribing.
  • Unsubscription: Possible at any time via the settings page or through the unsubscribe link in each newsletter email.
  • Storage duration: Until unsubscription or account deletion.

Legal basis: Art. 6 (1) (a) GDPR (Consent).


4. Data Disclosure and Processors

We utilize specialized service providers with whom Data Processing Agreements (DPA) have been concluded in accordance with Art. 28 GDPR:

Service Provider | Purpose | Data Location | Safeguards
Vercel Inc. (USA) | Hosting, Analytics, CDN | Stockholm (AWS) | EU-U.S. DPF, SCCs
Supabase Inc. (USA) | Database, Auth, Storage | Stockholm (AWS) | EU-U.S. DPF, SCCs
Google Ireland Ltd. | OAuth (only with Google login) | EU | EU-U.S. DPF
Discord Inc. (USA) | Contact form forwarding | USA | SCCs
Creem (UK) | Payment processing (MoR) | EU/UK | UK Adequacy
Brevo (Sendinblue, France) | Newsletter service | EU (France) | GDPR compliant

International Data Transfer: Insofar as data is transferred to the USA, this is done on the basis of the EU-U.S. Data Privacy Framework (DPF) or EU Standard Contractual Clauses (SCCs). The adequacy of the level of data protection in the USA for certified companies was established by the EU Commission's adequacy decision of July 10, 2023.


5. Payment Processing (Merchant of Record)

For paid services, Creem acts as the Merchant of Record (MoR). Creem is your direct contractual partner for the purchase and is independently responsible under data protection law for payment processing (including taxes).

  • Data processed: Payment information, billing address, email.
  • Sub-processor: Creem uses Stripe for payment processing.
  • Privacy information: Creem Privacy Policy, Stripe Privacy Policy.

Note: We do not store any payment data (credit card numbers, bank details) ourselves.


6. Storage Duration and Deletion

We store personal data only as long as necessary for the respective purposes or as required by statutory retention obligations:

Data Category | Storage Duration | Legal Basis
Account data (email) | Until account deletion | Art. 6 (1) (b) GDPR
Business card content | Until deletion by user | Art. 6 (1) (b) GDPR
Uploaded images | Until deletion by user | Art. 6 (1) (b) GDPR
Visitor statistics | Until account deletion | Art. 6 (1) (f) GDPR
Rate limiting data | Max. 60 minutes | Art. 6 (1) (f) GDPR
Invoice data (at Creem) | 10 years (tax law) | Art. 6 (1) (c) GDPR
Newsletter subscription | Until unsubscription | Art. 6 (1) (a) GDPR

When you delete your account, all associated data (business cards, images, statistics) will be deleted immediately and completely, unless statutory retention obligations apply.


7. Your Rights as a Data Subject

Under the GDPR, you have the following rights:

Right of Access (Art. 15 GDPR)

You may request confirmation as to whether personal data is being processed and obtain information about such data.

Right to Rectification (Art. 16 GDPR)

You may request the immediate rectification of inaccurate data.

Right to Erasure (Art. 17 GDPR)

You may request the deletion of your data, unless statutory retention obligations apply. Account deletion is possible at any time in the settings.

Right to Restriction of Processing (Art. 18 GDPR)

You may request the restriction of processing under certain conditions.

Right to Data Portability (Art. 20 GDPR)

You have the right to receive your data in a structured, commonly used, and machine-readable format.

Right to Object (Art. 21 GDPR)

You may object at any time to the processing of your data based on Art. 6 (1) (f) GDPR (legitimate interest). We will then no longer process your data unless we can demonstrate compelling legitimate grounds.

Right to Withdraw Consent (Art. 7 (3) GDPR)

You may withdraw any consent given at any time with effect for the future.

Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is:

The Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Str. 22, 7th floor
20459 Hamburg, Germany
Phone: +49 40 428 54 - 4040
Email: mailbox@datenschutz.hamburg.de


8. Automated Decision-Making

Automated decision-making or profiling within the meaning of Art. 22 GDPR does not take place.


9. Data Security

We implement technical and organizational measures to protect your data against manipulation, loss, destruction, or unauthorized access. These include:

  • Encrypted data transmission (TLS/SSL)
  • Server-side data storage in EU data centers (Stockholm)
  • Access restrictions through row-level security at the database level
  • Regular security updates
  • Client-side image compression before upload

Our security measures are continuously adapted to technological developments.


10. Updates to this Privacy Policy

This privacy policy is currently valid as of January 2026.

Due to the further development of our platform or changes in legal or regulatory requirements, adjustments to this privacy policy may become necessary. The current version is always available on our website.


11. Contact

If you have questions about the processing of your personal data or wish to exercise your data subject rights, please contact:

Email: contact@helllo.me
