Privacy Policy
Last updated: 15 February 2026
This privacy policy is divided into two parts: Part A concerns the use of our website manscale.ai. Part B contains supplementary privacy information for the use of our customer portal at portal.manscale.de.
Part A: Website (manscale.ai)
1. Privacy at a glance
The following notes provide an overview of what happens to your personal data when you visit our website. Personal data means any information with which you can be personally identified. Further details on data protection can be found in the sections below.
Who is responsible for data collection on this website?
Data processing on this website is the responsibility of the website operator. You will find the relevant contact details in the section “Controller” further below in this privacy policy.
How do we collect your data?
Some of your data is collected when you actively provide it to us — for example, by entering information in a contact form or when booking an appointment. Other data is collected automatically by our technical systems when you visit the website. This is mainly technical information such as the browser used, the operating system, or the time of page access. This collection occurs automatically as soon as you access our website.
What do we use your data for?
Some of the collected data is used to provide our website without errors. Other data may be used to analyse your usage behaviour. Where contractual relationships are initiated or concluded via the website, the data transmitted is also processed for contract performance.
What rights do you have?
You have the right at any time to obtain free information about the origin, recipients, and purpose of your stored personal data. You may also request the rectification or erasure of this data. If you have given consent to data processing, you may revoke it at any time with effect for the future. Under certain conditions, you also have the right to restrict processing and the right to lodge a complaint with the competent supervisory authority.
2. Hosting and infrastructure
Our website is operated on servers of an external hosting provider. The personal data generated when visiting our website — in particular IP addresses, contact requests, meta and communication data, access data, and other information generated via the website — is stored on that provider’s servers.
Web hosting
Our website is hosted by DigitalOcean. The provider is DigitalOcean LLC, 101 6th Ave, New York, NY 10013, USA. The server we use is located in the Frankfurt am Main, Germany data centre (region FRA1). Data processing therefore takes place within the EU/EEA.
Hosting is carried out for the purpose of fulfilling contracts with our existing and prospective customers (Art. 6(1)(b) GDPR) and in the interest of secure, fast, and efficient provision of our online offering by a professional provider (Art. 6(1)(f) GDPR). Where consent has been requested, processing is carried out solely on the basis of Art. 6(1)(a) GDPR and Section 25(1) of the German TTDSG (Telecommunications Telemedia Data Protection Act). Consent may be revoked at any time.
Although DigitalOcean is a US company, your data is stored and processed on servers in Frankfurt am Main, Germany. In addition, we rely on the EU Commission’s Standard Contractual Clauses for our cooperation with DigitalOcean. DigitalOcean processes your data solely on our instructions and in compliance with the GDPR.
DNS services (AWS Route 53)
We use the Amazon Route 53 DNS service to resolve our domain. The provider is Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg.
When you access our website, your DNS request is routed via Amazon Web Services servers. Your IP address may be transmitted to AWS in the process. Use is based on our legitimate interest in reliable and performant availability of our website (Art. 6(1)(f) GDPR).
Email delivery (Mailgun)
We use Mailgun to send transaction-related emails (e.g. appointment confirmations, contact form notifications). The provider is Sinch Email (Mailgun Technologies Inc.), 300 Central Ave #1100, St. Petersburg, FL 33701, USA.
Processing is based on Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in reliable email delivery). Data transfers to the USA are based on the EU Commission’s Standard Contractual Clauses.
Marketing emails (Brevo)
With your consent, we use Brevo (Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany) to send lifecycle and marketing emails — for example onboarding tips, product updates, and trial reminders. We sync your email address and product usage attributes (such as onboarding progress and subscription status) to Brevo so automations can send relevant messages. You can unsubscribe at any time via the link in each email or by contacting us at support@manscale.de.
Processing is based on Art. 6(1)(a) GDPR (consent). Where applicable, data may also be processed on Art. 6(1)(f) GDPR (legitimate interest in informing existing customers about similar services). A data processing agreement with Brevo is in place. Transactional emails (e.g. login codes) are sent separately via Mailgun and are not part of Brevo marketing automations.
3. General information and mandatory disclosures
Data protection
Protecting your personal data is particularly important to us. We process your personal data confidentially and in accordance with applicable data protection law and this privacy policy.
When you visit this website, various personal data is collected. This privacy policy explains which data we collect, for what purpose, and on what legal basis processing takes place.
We point out that data transmission over the Internet (e.g. when communicating by email) may have security gaps. Complete protection of data against access by third parties is not always technically possible.
Controller
The controller responsible for data processing on this website is:
Manscale GmbH
Donnerschweer Str. 210
26123 Oldenburg
Phone: +49 441 350 129 4211
Email: support@manscale.de
The controller is the natural or legal person who alone or jointly with others determines the purposes and means of processing personal data.
Storage period
Unless a different retention period is stated in this privacy policy, your personal data remains with us until the purpose of processing no longer applies. If you assert a legitimate request for erasure or revoke consent, your data will be deleted unless other legally permissible grounds for retention exist (e.g. tax or commercial law retention periods). In the latter case, deletion takes place after those grounds cease to apply.
Legal bases for processing
If you have consented to data processing, we process your data on the basis of Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR for special categories of data. Where consent relates to the storage of cookies or access to information on your end device (e.g. device fingerprinting), processing is additionally based on Section 25(1) of the German TTDSG. Consent may be revoked at any time.
If your data is required for contract performance or pre-contractual measures, we process it on the basis of Art. 6(1)(b) GDPR. Processing for compliance with legal obligations is based on Art. 6(1)(c) GDPR. Otherwise, processing may be based on our legitimate interests pursuant to Art. 6(1)(f) GDPR.
Note on transfers to third countries
We use services from providers based in the USA or other third countries. When these services are active, personal data may be transferred to countries where a level of data protection comparable to the EU is not guaranteed.
We point out that the USA is generally regarded as a safe third country under the EU-US Data Privacy Framework (DPF) where the respective recipient holds DPF certification. For recipients without certification, we rely on the EU Commission’s Standard Contractual Clauses or other appropriate safeguards.
Recipients of personal data
In the course of our business activities, we work with various external service providers. Personal data is disclosed to third parties only where necessary for contract performance, we are legally obliged to do so, a legitimate interest exists, or another legal basis permits disclosure. When engaging processors, we disclose data only on the basis of a valid data processing agreement.
Revocation of your consent
Many processing operations are possible only with your express consent. You may revoke consent already given at any time. The lawfulness of processing carried out until revocation remains unaffected. You may manage cookie-related consents through the cookie settings provided on this website.
Right to object (Art. 21 GDPR)
Where processing is based on Art. 6(1)(e) or (f) GDPR, you have the right at any time to object to the processing of your personal data for reasons arising from your particular situation; this also applies to profiling based on those provisions. We will then no longer process your data unless we demonstrate compelling legitimate grounds that override your interests, or processing serves the establishment, exercise, or defence of legal claims.
Where your personal data is processed for direct marketing purposes, you have the right to object at any time to such processing. In the event of an objection, your data will no longer be used for direct marketing.
Right to lodge a complaint with a supervisory authority
In the event of breaches of the GDPR, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.
Right to data portability
You have the right to receive data that we process automatically on the basis of your consent or for the performance of a contract in a commonly used, machine-readable format, and to have it transmitted to yourself or another controller.
Information, rectification, and erasure
Within the scope of applicable statutory provisions, you have the right at any time to free information about your stored personal data, its origin and recipients, and the purpose of processing. Where applicable, you also have the right to rectification or erasure of this data.
Right to restriction of processing
Under certain circumstances, you may request restriction of the processing of your personal data. This applies in particular if you contest the accuracy of the data, processing is unlawful, we no longer need the data, or you have objected pursuant to Art. 21(1) GDPR. Restricted data may — apart from storage — be processed only with your consent or for the establishment, exercise, or defence of legal claims.
SSL/TLS encryption
For security reasons, this website uses SSL/TLS encryption for the transmission of confidential content such as enquiries or bookings. You can recognise an encrypted connection by the lock symbol in the browser bar and by the address bar changing from “http://” to “https://”. When encryption is active, data you transmit cannot be read by third parties.
Objection to unsolicited advertising
We hereby object to the use of contact data published within the scope of legal notice obligations for the transmission of advertising and information material not expressly requested. We expressly reserve the right to take legal action in the event of unsolicited advertising, such as spam emails.
4. Data collection on this website
Cookies
Our website uses cookies. Cookies are small data packets that do not harm your end device. They are stored either temporarily for the duration of a session (session cookies) or permanently (persistent cookies). Session cookies are deleted automatically after your visit. Persistent cookies remain stored until you delete them manually or your browser deletes them automatically.
Cookies may be set by us (first-party cookies) or by third-party companies (third-party cookies). Third-party cookies enable the integration of certain services from external providers.
Technically necessary cookies are stored on the basis of Art. 6(1)(f) GDPR. We have a legitimate interest in storing these cookies for technically error-free and optimised provision of our services. Where consent to the storage of cookies has been requested, processing is based on that consent (Art. 6(1)(a) GDPR and Section 25(1) of the German TTDSG); consent may be revoked at any time.
You can configure your browser to inform you when cookies are set, to allow cookies only in individual cases, or to reject them generally. Disabling cookies may limit the functionality of this website.
You can view, adjust, or revoke your cookie preferences at any time through the cookie settings on this website.
Server log files
The hosting provider of our website automatically collects and stores information in so-called server log files that your browser transmits on each page request. The following data is collected:
- Browser type and version
- Operating system used
- Referrer URL (previously visited page)
- Hostname of the accessing computer
- Time of the server request
- IP address
This data is not merged with other data sources. Collection is based on Art. 6(1)(f) GDPR. We have a legitimate interest in the technically error-free presentation and optimisation of our website.
Contact form
If you send us an enquiry via the contact form, your details including the contact data you enter will be stored for the purpose of processing the enquiry and in case of follow-up questions. This data will not be passed on without your consent.
Processing is based on Art. 6(1)(b) GDPR where your enquiry relates to contract performance or is necessary for pre-contractual measures. In all other cases, processing is based on our legitimate interest in effective handling of incoming enquiries (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) where requested.
Data entered in the contact form remains with us until you request deletion, revoke consent, or the purpose of storage no longer applies. Mandatory statutory provisions — in particular retention periods — remain unaffected.
Enquiries by email or telephone
If you contact us by email or telephone, your enquiry including all resulting personal data (name, enquiry, and where applicable telephone number) will be stored by us for the purpose of handling the enquiry. Disclosure will not take place without your consent.
Processing is based on Art. 6(1)(b) GDPR for contract-related enquiries or on our legitimate interest in effective handling (Art. 6(1)(f) GDPR). The data remains with us until you request deletion or the purpose of storage no longer applies. Statutory retention periods remain unaffected.
5. Analytics tools and advertising
Google Tag Manager
We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is a tool that allows us to integrate tracking and statistics tools and other technologies on our website. The Tag Manager itself does not create user profiles, store cookies, or perform independent analysis. It serves solely to manage and deploy the services integrated through it.
Google Analytics 4
This website uses Google Analytics 4, a web analytics service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies and similar technologies to analyse your usage behaviour on our website.
Information generated by the cookie about your use of this website is generally transmitted to a Google server in the USA and stored there. We use IP anonymisation so that your IP address is truncated within the EU before transmission.
Use is based on your consent (Art. 6(1)(a) GDPR and Section 25(1) of the German TTDSG). Consent may be revoked at any time. Data transfers to the USA are based on the EU Commission’s Standard Contractual Clauses. Google holds certification under the EU-US Data Privacy Framework (DPF).
Google Ads conversion tracking
We use Google Ads conversion tracking. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ads conversion tracking allows us to determine whether a user performed certain actions on our website after clicking on a Google ad.
Use is based on your consent (Art. 6(1)(a) GDPR and Section 25(1) of the German TTDSG). Consent may be revoked at any time. Google holds DPF certification.
Meta Pixel (Facebook Pixel)
Meta Pixel is integrated on our website. The provider is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Meta Pixel allows us to measure the effectiveness of advertising on Facebook and Instagram and to track user behaviour after clicking on an ad.
Data collected by the pixel may also be transferred to the USA by Meta. Use is based on your consent (Art. 6(1)(a) GDPR and Section 25(1) of the German TTDSG). Consent may be revoked at any time. Data transfers to the USA are based on the EU Commission’s Standard Contractual Clauses. Meta holds DPF certification.
Microsoft Clarity
This website uses Microsoft Clarity, a web analytics service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA. Clarity records usage behaviour in the form of heatmaps and anonymised session recordings to give us insights into how visitors interact with our website.
Use is based on your consent (Art. 6(1)(a) GDPR and Section 25(1) of the German TTDSG). Consent may be revoked at any time. Microsoft holds DPF certification.
LinkedIn Insight Tag
The LinkedIn Insight Tag is integrated on our website. The provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The Insight Tag allows us to measure the effectiveness of LinkedIn advertising campaigns and obtain information about website visitors who reach our site via LinkedIn.
Use is based on your consent (Art. 6(1)(a) GDPR and Section 25(1) of the German TTDSG). Consent may be revoked at any time. Data transfers to the USA are based on the EU Commission’s Standard Contractual Clauses.
6. Plugins and tools
Google Fonts (local hosting)
This website uses Google Fonts for uniform display of typefaces. The fonts are installed locally on our server. No connection to Google servers is established, and no data is transmitted to Google in this context.
Google Maps
On certain subpages we use the Google Maps map service. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. To display the map, it is necessary to store your IP address and transmit it to a Google server in the USA.
Use of Google Maps is in the interest of an appealing presentation of our online offering and easy location of our premises (Art. 6(1)(f) GDPR). Where consent has been requested, processing is based on Art. 6(1)(a) GDPR and Section 25(1) of the German TTDSG. Consent may be revoked at any time. Google holds DPF certification.
Google reCAPTCHA
We use Google reCAPTCHA on this website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. reCAPTCHA checks whether entries on our website (e.g. in contact forms) are made by a human or an automated programme.
For this purpose, reCAPTCHA analyses the behaviour of website visitors based on various characteristics. Analysis begins automatically when you enter the website and evaluates, among other things, IP address, time spent, and mouse movements. The data collected is forwarded to Google.
Storage and analysis of the data is based on Art. 6(1)(f) GDPR. We have a legitimate interest in protecting our website from abusive automated use and spam. Where consent has been requested, processing is based on Art. 6(1)(a) GDPR and Section 25(1) of the German TTDSG. Consent may be revoked at any time. Google holds DPF certification.
Part B: Customer portal (portal.manscale.de)
The following privacy information applies in addition to Part A to the use of our customer portal at portal.manscale.de (hereinafter the “Portal”). The Portal is a B2B SaaS platform for project management, CRM, lead management, service booking, and other business functions.
1. Controller and privacy enquiries
The controller responsible for data processing in connection with the Portal is:
Manscale GmbH
Donnerschweer Str. 210
26123 Oldenburg
Phone: +49 441 350 129 4211
Email: support@manscale.de
For questions about data protection in connection with the Portal, please contact: support@manscale.de
Where customers use the Portal to process data of their own employees, business partners, or other third parties, they are themselves controllers within the meaning of the GDPR. In that case, Manscale GmbH acts as a processor (see Section 10).
2. Personal data collected
Depending on the functions used, the following categories of personal data are processed in connection with use of the Portal:
a) Registration and profile data
- Name, email address, password (hashed using bcrypt)
- Telephone number (landline, mobile), WhatsApp number
- Date of birth
- Profile photo
- Google account ID (when signing in via Google OAuth)
- Company information (company name, industry, address where applicable)
b) Payment data
- Stripe customer ID and payment methods (processing takes place directly with Stripe)
- SEPA mandate acceptance (timestamp of mandate grant)
- Invoice data (via sevDesk integration)
c) Communication data
- Project messages and chat histories
- WhatsApp messages and conversations
- Email messages (via shared inboxes)
- Email signatures
d) Project data
- Project information (name, description, status, progress)
- Tasks and assignments to users
- Credentials for third-party systems (stored encrypted)
- Uploaded files and documents
- Contracts and contract documents
e) Lead data
- Lead contact details (name, email, telephone, website)
- Lead source and qualification status
- IP address and user agent (when captured via web forms/webhooks)
- Notes and activity logs
Note: Lead data is generally data relating to business contacts of Portal users. The respective Portal user as controller is responsible for collecting and processing it in compliance with data protection law.
f) Appointment and booking data
- Guest information (name, email, company, telephone number)
- Appointment details (date, time, type of appointment)
- Google meeting links
- Transcripts and summaries (via Google AI / Gemini)
g) Technical data
- IP address
- User agent / browser information
- Session data (session identifier, login time, last activity)
- User time zone
h) Usage data and analytics
- Activity logs (logins, actions in the Portal)
- Website statistics (via WP Statistics integration, self-hosted)
- Email tracking data (opens, clicks in email sequences)
i) Form submissions
- Dynamic form data (custom fields, stored in JSON format)
- File uploads from forms
j) Course data
- Course enrolments and participant data
- Learning progress (completed lessons, modules)
3. Legal bases for processing
Personal data in connection with the Portal is processed on the following legal bases:
Art. 6(1)(b) GDPR — Contract performance:
Registration and account creation, project management, communication via the Portal, payment processing, service booking, appointment scheduling, invoicing.
Art. 6(1)(a) GDPR — Consent:
WhatsApp messages and notifications, email marketing and sequences, push notifications (OneSignal), use of AI functions (OpenAI, Google AI) to process user content.
Art. 6(1)(f) GDPR — Legitimate interest:
Security logging and access logging, error analysis and system monitoring, fraud prevention, technically necessary cookies and session management.
Art. 6(1)(c) GDPR — Legal obligation:
Retention of invoices and accounting records (statutory retention obligations), fulfilment of statutory information obligations.
4. Recipients and third-party providers (data disclosure)
To provide Portal functions, we use the following third-party providers to whom personal data may be disclosed:
a) Vonage / Nexmo (Netherlands/UK)
Purpose: WhatsApp messaging, SMS delivery, telephone number verification.
Data transmitted: Telephone numbers, message content, verification codes.
Legal basis: Art. 6(1)(b) GDPR (contract performance) or Art. 6(1)(a) GDPR (consent for WhatsApp contact).
b) Stripe, Inc. (USA)
Purpose: Payment processing (credit card, SEPA direct debit).
Data transmitted: Payment information, billing address, transaction IDs, customer IDs.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
Third-country transfer: EU-US Data Privacy Framework (DPF). Stripe holds DPF certification.
c) Amazon Web Services / AWS S3 (USA/EU)
Purpose: Storage of uploaded files and documents.
Data transmitted: All files and documents uploaded via the Portal.
Storage region: EU (eu-central-1 / Frankfurt).
Third-country transfer: Standard Contractual Clauses (SCCs) / EU-US Data Privacy Framework.
d) Google LLC (USA)
Purpose: OAuth authentication (login), Google Calendar integration, Google Drive integration, Google AI (Gemini) for transcripts and summaries.
Data transmitted: Authentication tokens, calendar entries, meeting links, transcript content.
Third-country transfer: EU-US Data Privacy Framework (DPF). Google holds DPF certification.
e) Mailgun Technologies, Inc. (USA)
Purpose: Transactional email delivery (e.g. login codes, account notifications).
Data transmitted: Email addresses and email content required to deliver the message.
Third-country transfer: EU Commission Standard Contractual Clauses (SCCs).
e2) Sendinblue GmbH / Brevo (Germany)
Purpose: Marketing and lifecycle email automations (onboarding, trial, and product education) where you have given consent.
Data transmitted: Email address, name, onboarding and subscription attributes, engagement data (opens, clicks) for marketing emails sent via Brevo.
Third-country transfer: Processing primarily within the EU/EEA (Germany).
f) sevDesk GmbH (Germany)
Purpose: Accounting and bookkeeping.
Data transmitted: Contact details, billing address, invoice information, payment status.
Third-country transfer: None. Processing within the EU/EEA.
g) OpenAI, Inc. (USA)
Purpose: AI-supported functions, chatbot, automated content generation.
Data transmitted: Message content and input text provided by the user for AI processing.
Legal basis: Art. 6(1)(a) GDPR (consent) or Art. 6(1)(b) GDPR (contract performance where the AI function is part of the booked service package).
Third-country transfer: EU-US Data Privacy Framework / Standard Contractual Clauses.
h) OneSignal, Inc. (USA)
Purpose: Push notifications (mobile app and browser).
Data transmitted: Device tokens, notification content, user IDs.
Third-country transfer: EU-US Data Privacy Framework / Standard Contractual Clauses.
i) Replicate, Inc. (USA)
Purpose: AI-based image generation.
Data transmitted: Input text (prompts) for image generation.
Third-country transfer: Standard Contractual Clauses (SCCs).
j) Meta Platforms Ireland Limited (USA/Ireland)
Purpose: Social media integration (publishing content).
Data transmitted: Published content, authentication tokens where applicable.
Third-country transfer: EU-US Data Privacy Framework (DPF).
k) Slack Technologies, LLC (USA)
Purpose: Internal notifications to the Manscale team.
Data transmitted: Notification content (no personal customer data where avoidable).
l) Pusher Ltd. (UK)
Purpose: Real-time WebSocket communication for live updates in the Portal.
Data transmitted: Broadcast events, notification data, user IDs for channel assignment.
5. Cookies and tracking in the Portal
a) Technically necessary cookies
The Portal uses only technically necessary cookies:
- Laravel session cookie: Required for authentication and session management. Deleted when the browser is closed or after the session expires.
- XSRF-TOKEN: Protection against cross-site request forgery (CSRF) attacks. Renewed on each page request.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the functionality and security of the Portal). No consent is required for these cookies.
b) Email tracking
In connection with the Portal’s email marketing functions, tracking pixels may be used to record email opens (via Mailgun) and click tracking on email links.
Data collected: Time of opening, IP address, time and destination of link clicks.
Legal basis: Art. 6(1)(a) GDPR (consent) for recipients who have agreed to email marketing, or Art. 6(1)(f) GDPR (legitimate interest) for existing B2B business relationships in accordance with Section 7(3) of the German UWG (Unfair Competition Act).
c) Website analytics (WP Statistics)
The Portal uses the WP Statistics integration to evaluate website statistics. WP Statistics is self-hosted and does not set third-party cookies.
Data collected: Page views, browser type, search engine referrals.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in optimising the offering).
6. Transfers to third countries
In connection with use of the Portal, personal data may be transferred to the following providers in third countries (in particular the USA and UK):
- Stripe, Inc. (USA) — DPF-certified
- Amazon Web Services (USA/EU) — Standard Contractual Clauses / DPF
- Google LLC (USA) — DPF-certified
- Mailgun Technologies, Inc. (USA) — Standard Contractual Clauses
- Sendinblue GmbH / Brevo (Germany) — EU/EEA processing
- OpenAI, Inc. (USA) — DPF / Standard Contractual Clauses
- OneSignal, Inc. (USA) — DPF / Standard Contractual Clauses
- Replicate, Inc. (USA) — Standard Contractual Clauses
- Meta Platforms (USA/Ireland) — DPF-certified
- Vonage / Nexmo (Netherlands/UK)
- Pusher Ltd. (UK)
- Slack Technologies, LLC (USA)
Transfers to the USA are based on the EU-US Data Privacy Framework (DPF) where the recipient holds DPF certification. Otherwise, we rely on the EU Commission’s Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
Additional technical safeguards are implemented, in particular encryption of personal data in transit (TLS/HTTPS) and at rest.
7. Retention and deletion
The retention period for personal data in the Portal depends on the respective processing purpose:
- Profile and account data: Until deletion of the user account by the user or after termination of the contractual relationship (plus a 30-day export period pursuant to Terms and Conditions Part C § 10).
- Project data: Until completion of the project and expiry of the agreed retention period.
- Invoice and accounting data: 10 years after the end of the calendar year in which the invoice was issued (Section 147 AO, Section 257 HGB — German tax and commercial code).
- Communication data: Until deletion by the user or until completion of the associated project.
- Activity and log data: 12 months after creation.
- Lead data: Until deletion by the respective Portal user (controller).
- Session data: Automatically after expiry of the session or configured session duration.
Statutory retention obligations remain unaffected by the above deletion periods. Where statutory retention periods prevent deletion, the relevant data is blocked and deleted after the period expires.
8. Data subject rights
In connection with the processing of your personal data in the Portal, you have the following rights:
Right of access (Art. 15 GDPR):
You have the right to obtain information about the data stored concerning you and a copy of that data.
Right to rectification (Art. 16 GDPR):
You may have inaccurate data rectified. In the Portal, you can change your profile data yourself via profile settings.
Right to erasure (Art. 17 GDPR):
You may request erasure of your data unless statutory retention obligations prevent this. You can initiate deletion of your account via profile settings in the Portal or by contacting support@manscale.de.
Right to restriction of processing (Art. 18 GDPR):
Under certain conditions, you may request restriction of the processing of your data.
Right to data portability (Art. 20 GDPR):
You have the right to receive data concerning you in a structured, commonly used, and machine-readable format. The Portal provides export functions for this purpose.
Right to object (Art. 21 GDPR):
Where processing is based on legitimate interests (Art. 6(1)(f) GDPR), you may object at any time for reasons arising from your particular situation.
Right to withdraw consent:
Consents given (e.g. for WhatsApp messages, email marketing, push notifications) may be withdrawn at any time with effect for the future. The lawfulness of processing until withdrawal remains unaffected.
Right to lodge a complaint with a supervisory authority:
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority is the State Commissioner for Data Protection of Lower Saxony (Landesbeauftragte für den Datenschutz Niedersachsen), Prinzenstraße 5, 30159 Hannover.
To exercise your rights, please contact: support@manscale.de
9. Data security (Art. 32 GDPR)
To protect your personal data in the Portal, we implement the following technical and organisational measures:
- Transport encryption: All data transmissions between your browser and the Portal are encrypted via HTTPS/TLS.
- Password hashing: Passwords are hashed using bcrypt and are never stored in plain text.
- Encrypted credential storage: Project-related credentials are stored encrypted in the Portal.
- CSRF protection: Cross-site request forgery protection through token-based validation (XSRF-TOKEN).
- Two-factor authentication (2FA): Optional TOTP-based two-factor authentication for enhanced account security.
- Session management: Session management with logging of IP addresses and browser information to detect unauthorised access.
- Role-based access control: Multi-level permission system with differentiated access rights per user role.
- API token authentication: Secure API access via Laravel Sanctum with token-based authentication.
- Signed URLs: Invitation links are provided via cryptographically signed URLs with limited validity.
- Webhook signature verification: Incoming webhooks (e.g. Stripe) are verified for authenticity using cryptographic signatures.
10. Data processing on behalf of customers
Where Portal users use the Portal to process personal data of their own employees, business contacts, or other third parties, Manscale GmbH acts as a processor within the meaning of Art. 28 GDPR. The Portal user remains responsible as controller for the lawfulness of processing in that case.
A separate data processing agreement (DPA) pursuant to Art. 28(3) GDPR is concluded between Manscale GmbH and the Portal user to govern this relationship. The DPA can be requested at support@manscale.de.
Manscale GmbH uses the third-party providers listed in Section 4 as sub-processors to deliver Portal services. Portal users are informed in good time of changes to sub-processors.
11. Special notes
a) WhatsApp integration
The Portal offers WhatsApp integration via the Vonage/WhatsApp Business API. The following applies:
- Before first contact via WhatsApp, the recipient’s consent is obtained.
- WhatsApp telephone number verification is voluntary and serves identity confirmation.
- Message content is stored on our servers for display in the Portal.
- Data is transmitted to Vonage (based in the Netherlands/UK) for delivery. Vonage forwards messages to Meta’s WhatsApp infrastructure (USA).
Legal basis: Art. 6(1)(a) GDPR (consent). Consent may be withdrawn at any time.
b) AI functions (OpenAI, Google AI)
The Portal uses AI services from OpenAI and Google AI (Gemini) for functions such as chatbot responses, automated content generation, and meeting transcripts. The following applies:
- Content entered by the user or selected for AI processing is transmitted to the respective provider’s servers (USA).
- Use of AI functions is voluntary. The user decides which content to submit for AI processing.
- We point out that AI-generated content is based on automated procedures and does not constitute individual human assessment.
Legal basis: Art. 6(1)(a) GDPR (consent) or Art. 6(1)(b) GDPR (contract performance) where the AI function is part of the booked service package.
c) Email marketing and sequences
The Portal enables the sending of email sequences and marketing emails. The following applies:
- Sending marketing emails requires the recipient’s prior consent (Art. 6(1)(a) GDPR, Section 7(2) UWG), unless the conditions for the existing-customer exception under Section 7(3) UWG are met.
- Every marketing email contains an unsubscribe link through which the recipient can stop further receipt at any time.
- Email opens and link clicks may be recorded via tracking pixels and redirect URLs (see Section 5b).
Portal users who use the email marketing function are themselves responsible as controllers for obtaining the required consents.
d) Public calendars and appointment booking
The Portal enables the creation of public appointment booking pages. The following guest data is collected:
- Name, email address, company, telephone number
- Selected appointment (date, time, type of appointment)
- Further custom fields where applicable
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in appointment organisation).
Booking pages are publicly accessible. The Portal user as controller is responsible for informing visitors about data processing on their booking page.
e) Lead webhooks and external data capture
The Portal enables capture of lead data via webhooks triggered by external systems (e.g. contact forms, landing pages). In addition to the contact data transmitted, the sender’s IP address and user agent are recorded and stored.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in capturing business contacts) or Art. 6(1)(b) GDPR (contract performance).
The Portal user who configures the webhook integration is responsible as controller for compliant integration, including providing a privacy notice on the source page.
Manscale GmbH
Address
Donnerschweer Str. 210
26123 Oldenburg, Germany
Commercial register
HRB 218081
Register court: Amtsgericht Oldenburg
Represented by
Business hours
- Monday – Friday: 10:00 – 18:00
- Saturday: Closed
- Sunday: Closed
Contact
Phone
+49 441 350 129 4211
VAT ID
VAT identification number pursuant to § 27a of the German VAT Act:
DE352223254