
Privacy.

This privacy policy explains the nature, scope and purpose of the processing of personal data (hereinafter "data") within our Zynkey online offering and the websites, functions and content connected with it. With regard to the terminology used, we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

Controller

Suora GmbH
Ruhrstr. 70
58452 Witten, Germany

Email: info@suora.com
Managing Directors: Florian Sowade, Hans-Christian Otto
Imprint

Types of data processed

– Inventory data (e.g. names, addresses).
– Contact data (e.g. email, phone numbers).
– Content data (e.g. text entries, photographs, videos).
– Usage data (e.g. websites visited, interest in content, access times).
– Meta/communication data (e.g. device information, IP addresses).

Categories of data subjects

Visitors and users of the online offering (hereinafter we also refer to the data subjects collectively as "users").

Purpose of processing

– Provision of the online offering, its functions and content.
– Responding to contact requests and communicating with users.
– Security measures.
– Reach measurement/marketing.

Relevant legal bases

In accordance with Art. 13 GDPR, we inform you of the legal bases of our data processing. Unless the legal basis is stated in this privacy policy, the following applies: the legal basis for obtaining consent is Art. 6(1)(a) and Art. 7 GDPR; the legal basis for processing to fulfil our services and carry out contractual measures as well as to respond to enquiries is Art. 6(1)(b) GDPR; the legal basis for processing to fulfil our legal obligations is Art. 6(1)(c) GDPR; and the legal basis for processing to safeguard our legitimate interests is Art. 6(1)(f) GDPR. Where the vital interests of the data subject or another natural person require the processing of personal data, Art. 6(1)(d) GDPR serves as the legal basis.

Terminology used

"Personal data" means any information relating to an identified or identifiable natural person (hereinafter the "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or one or more special characteristics.

"Processing" means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and covers virtually any handling of data. The "controller" is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A "processor" is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Security measures

In accordance with Art. 32 GDPR and taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of protection appropriate to the risk. These measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical access as well as the related access, input, disclosure, availability and separation of the data. We also take the protection of personal data into account in the development and selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default (Art. 25 GDPR).

Cooperation with processors and third parties

If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transmit it to them or otherwise grant them access to the data, this is only done on the basis of legal permission, your consent, a legal obligation or our legitimate interests (e.g. when using agents, web hosts, etc.). Where we commission third parties to process data on the basis of a so-called "data processing agreement", this is done on the basis of Art. 28 GDPR.

Transfers to third countries

Where we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or where this occurs in the context of using third-party services, this is only done to fulfil our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests.

The former EU-US Privacy Shield was declared invalid by the European Court of Justice in July 2020 ("Schrems II"). We therefore base transfers to the USA on the EU-US Data Privacy Framework, in force since July 2023 (where the respective provider is certified), and additionally on Standard Contractual Clauses pursuant to Art. 46 GDPR, as well as any further appropriate safeguards within the meaning of Art. 44 et seq. GDPR.

Rights of data subjects

You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data as well as further information and a copy of the data in accordance with Art. 15 GDPR. In accordance with Art. 16 GDPR, you have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you.

In accordance with Art. 17 GDPR, you have the right to request that relevant data be erased without delay, or alternatively, in accordance with Art. 18 GDPR, to request a restriction of the processing of the data. In accordance with Art. 20 GDPR, you have the right to receive the data concerning you which you have provided to us and to request its transmission to other controllers. Furthermore, pursuant to Art. 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.

Right of withdrawal

You have the right to withdraw consent granted in accordance with Art. 7(3) GDPR with effect for the future.

Right to object

You can object to the future processing of data concerning you at any time in accordance with Art. 21 GDPR. The objection may in particular be made against processing for direct marketing purposes.

Cookies and the right to object to direct marketing

"Cookies" are small files stored on users' computers. Different information can be stored within cookies. A cookie primarily serves to store information about a user (or the device on which the cookie is stored) during or after their visit to an online offering. Temporary cookies, or "session cookies", are cookies that are deleted after a user leaves an online offering and closes their browser. "Permanent" or "persistent" cookies remain stored even after the browser is closed.

On your first visit to this site, you are asked whether you agree to cookies being stored on your computer. You can change your selection at any time. If you do not want cookies to be stored on your computer, you can deactivate the corresponding option in your browser's system settings. Excluding cookies may limit the functionality of this online offering.

A general objection to the use of cookies used for online marketing purposes can be declared for a large number of services via the US site aboutads.info/choices or the EU site youronlinechoices.com.

Erasure of data

The data we process is erased or its processing restricted in accordance with Art. 17 and 18 GDPR. Unless expressly stated in this privacy policy, the data stored by us is erased as soon as it is no longer required for its intended purpose and there are no statutory retention obligations preventing erasure. Under German law, retention is required in particular for 10 years pursuant to Sec. 147(1) AO, Sec. 257(1) nos. 1 and 4, (4) HGB and for 6 years pursuant to Sec. 257(1) nos. 2 and 3, (4) HGB.

Agency services

We process our customers' data within the scope of our contractual services, which include conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes, server administration, data analysis/consulting services and training. In doing so, we process inventory data, contact data, content data, contract data, payment data and usage and meta data. The legal bases for processing are Art. 6(1)(b) GDPR (contractual services) and Art. 6(1)(f) GDPR (analysis, statistics, optimisation, security measures).

Administration, financial accounting, office organisation, contact management

We process data within the scope of administrative tasks as well as the organisation of our operations, financial accounting and compliance with legal obligations such as archiving. The legal bases for processing are Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR. The processing affects customers, prospects, business partners and website visitors. In this context, we disclose or transmit data to the tax authorities, advisors such as tax consultants or auditors, as well as other fee offices and payment service providers.

Business analyses and market research

In order to operate our business economically and to identify market trends and the wishes of contractual partners and users, we analyse the data available to us on business transactions, contracts, enquiries, etc. In doing so, we process inventory data, communication data, contract data, payment data, usage data and meta data on the basis of Art. 6(1)(f) GDPR. The analyses serve to increase user-friendliness, optimise our offering and improve cost-effectiveness, and are not disclosed externally unless they are anonymous analyses with aggregated values.

Hosting and email delivery

The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, email delivery, security services and technical maintenance services that we use to operate this online offering. In doing so, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data on the basis of our legitimate interests pursuant to Art. 6(1)(f) GDPR in conjunction with Art. 28 GDPR.

This website is hosted by Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA). Data may be transferred to the USA in this context. The transfer is based on the EU-US Data Privacy Framework and additionally on Standard Contractual Clauses pursuant to Art. 46 GDPR. Further information can be found in Vercel's privacy policy: vercel.com/legal/privacy-policy.

Collection of access data and log files

We or our hosting provider collect data on the basis of our legitimate interests within the meaning of Art. 6(1)(f) GDPR about every access to the server on which this service is located (so-called server log files). Access data includes the name of the website accessed, the file, the date and time of access, the amount of data transferred, notification of successful access, browser type and version, the user's operating system, the referrer URL, the IP address and the requesting provider. Log file information is stored for security reasons for a maximum of 7 days and then deleted. Data whose further retention is required for evidentiary purposes is exempt from deletion until the respective incident has been finally clarified.

Cloudflare content delivery network

We use a so-called "content delivery network" (CDN) offered by Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA). A CDN is a service that helps to deliver the content of our online offering, in particular large media files such as graphics or scripts, more quickly using regionally distributed servers connected via the internet. Use is based on our legitimate interests pursuant to Art. 6(1)(f) GDPR. Where data is transferred to the USA, this transfer is based on the EU-US Data Privacy Framework and additionally on Standard Contractual Clauses pursuant to Art. 46 GDPR. Further information can be found in Cloudflare's privacy policy: cloudflare.com/privacypolicy.

Consent management with CookieHub

To obtain and manage consent for the use of cookies and similar technologies, we use the consent management platform CookieHub (CookieHub ehf., Bíldshöfði 20, 110 Reykjavík, Iceland). Iceland is part of the European Economic Area (EEA). CookieHub stores your consent decision so that we can take it into account on future visits and provide proof of it. The legal basis is your consent pursuant to Art. 6(1)(a) GDPR in conjunction with Sec. 25(1) TTDSG, as well as our legitimate interest in the legally compliant management of consent pursuant to Art. 6(1)(f) GDPR. You can adjust your settings at any time.

Google Analytics

We use Google Analytics 4, a web analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; "Google"). Google Analytics is only loaded after your explicit consent via our consent management (CookieHub). The legal basis is therefore your consent pursuant to Art. 6(1)(a) GDPR in conjunction with Sec. 25(1) TTDSG. You can withdraw your consent at any time with effect for the future.

Google uses cookies. The information generated by the cookie about your use of this online offering is usually transmitted to and stored on a Google server. Where data is transferred to Google LLC in the USA, this transfer is based on the EU-US Data Privacy Framework and additionally on Standard Contractual Clauses pursuant to Art. 46 GDPR. We use Google Analytics only with IP anonymisation enabled, so that users' IP addresses are truncated beforehand within the EU or EEA.

You can prevent Google from collecting and processing the data generated by the cookie and relating to your use by downloading and installing the browser plugin available at tools.google.com/dlpage/gaoptout. Further information can be found in Google's privacy policy (policies.google.com/privacy) and in the ad settings (adssettings.google.com). Users' personal data is deleted or anonymised after 14 months.

Reach measurement with Umami

We use Umami, a privacy-friendly, cookieless web analytics tool that we host ourselves on our own server within the EU (umami.suora.cloud). Umami does not set cookies, does not create cross-site user profiles and does not transmit any data to third parties. The data collected (e.g. pages accessed, referrer, approximate origin, device type) is evaluated in aggregated form only. The legal basis is our legitimate interest in statistical reach measurement and the optimisation of our offering pursuant to Art. 6(1)(f) GDPR. Since no personal data is processed and no data leaves the EU, no consent is required for this.

Appointment scheduling and product demos

To arrange demo and consultation appointments, we link to an external appointment scheduling service (Fantastical, operated by Flexibits Inc., USA). If you follow the booking link and enter your data there (e.g. name, email address, appointment details), this data is processed by the provider to organise the appointment. The legal basis is Art. 6(1)(b) GDPR (pre-contractual measures). Data may be transferred to the USA; the transfer is based on the EU-US Data Privacy Framework and on Standard Contractual Clauses pursuant to Art. 46 GDPR. For details, please refer to Flexibits' privacy policy: flexibits.com/privacy.

Online presence on social media

We maintain an online presence within social networks and platforms in order to communicate with customers, prospects and users active there and to inform them about our services. Please note that data of users may be processed outside the European Union in this context. Where data is transferred to the USA, this is based on the EU-US Data Privacy Framework and additionally on Standard Contractual Clauses pursuant to Art. 46 GDPR. The processing of users' personal data is based on our legitimate interests pursuant to Art. 6(1)(f) GDPR; where users are asked for consent by the respective providers, the legal basis is Art. 6(1)(a), Art. 7 GDPR.

– Facebook (Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland) – Privacy policy: facebook.com/about/privacy.
– Instagram (Meta Platforms Ireland Ltd.) – Privacy policy: privacycenter.instagram.com/policy.
– LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) – Privacy policy: linkedin.com/legal/privacy-policy.
– GitHub (GitHub, Inc., 88 Colin P. Kelly Jr. Street, San Francisco, CA 94107, USA) – Privacy policy: docs.github.com/privacy.

Last updated: June 2026