Privacy Policy

1. Data Controller

Responsible for data processing:

Orangize Digital
Owner: Naumche Joshevski
Brüderstraße 11
32547 Bad Oeynhausen, Germany
Email: hello@dversum.com
Phone: +49 (0) 15122031093

2. Types of Data Processed

The following data is processed when using the SaaS application:

Account Data

  • Name
  • Email address
  • Password (stored encrypted)

Organization Data

  • Company and customer data
  • Invoice data
  • Quote data
  • Client data
  • Supplier information
  • Tax information
  • Payment information
  • Time entries
  • Calendar data
  • Support tickets
  • Whiteboard content
  • Documents and files

Technical Data

  • IP address
  • Log files
  • Device information
  • Access data

Payment Data

  • Subscription information
  • Payment status
  • (Processed via Stripe)

AI Interactions

  • User-submitted content
  • AI-generated content

3. Purpose of Processing

Data is processed for:

  • Providing the SaaS application
  • Contract performance
  • Invoicing
  • Subscription management
  • Customer support
  • System and security monitoring
  • Improving functionality
  • AI-powered features

Legal basis:
Art. 6(1)(b) GDPR (contract performance)
Art. 6(1)(f) GDPR (legitimate interest in security and operations)

4. Hosting

The application is hosted by:

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany

Servers are located in Germany. A data processing agreement is in place with Hetzner.

Backups are provided through Hetzner's backup services.

5. Payment Processing

Payment processing is handled by:

Stripe Payments Europe Ltd.

Stripe processes payment data as an independent controller. Stripe's privacy policy applies. Stripe uses technically necessary cookies for fraud prevention, which are only loaded on payment pages.

6. AI Service Providers

The following providers are used for AI features:

  • OpenAI, Inc. (USA) — for the AI assistant and content generation
  • Anthropic, PBC (USA) — as an alternative AI provider (BYOK)

Data is transmitted solely for performing the AI function requested by the user. Only user-submitted content and the context required for processing are transmitted.

Data may be transferred to the USA. Transfers are based on Standard Contractual Clauses pursuant to Art. 46 GDPR.

Data protection measures: Communication with AI providers uses encrypted connections (TLS) exclusively. API keys are stored encrypted on the server (AES-256-GCM). For BYOK (Bring Your Own Key), user-provided keys are encrypted per user and only decrypted for the respective session. AI providers have no access to the database or other user data beyond the explicit request.

7. Google User Data (OAuth & Calendar)

Google OAuth may be used for login and calendar synchronization.

Google user data processed:

  • Google Account ID and profile information (name, email)
  • OAuth access tokens and refresh tokens
  • Calendar events (title, date, time, description, attendees, location)
  • Google Meet links (when created through the application)

Google data is only accessed after the user's explicit consent through the Google authorization process.

Sharing and transfer of Google user data:

Google user data is not sold, rented, or shared for advertising purposes. Data is processed exclusively for the purpose requested by the user (calendar synchronization). Data is only shared in the following cases:

  • Hosting provider (Hetzner): Calendar data is stored on servers in Germany. A data processing agreement is in place with Hetzner.
  • AI assistant (only on explicit user request): When the user actively asks the AI assistant about calendar entries, relevant context may be transmitted to the configured AI provider (OpenAI or Anthropic). This only occurs upon the user's explicit instruction.

Protection of Google user data:

  • OAuth tokens are stored encrypted on the server (AES-256-GCM)
  • All communication uses TLS-encrypted connections
  • Access to calendar data is restricted to the respective user through role-based permissions
  • Users can disconnect their Google account at any time in the settings, which deletes all stored tokens and synchronized calendar data
  • Multi-tenant architecture ensures strict separation of data between organizations

The use of Google user data complies with the Google API Services User Data Policy, including the Limited Use Requirements.

8. Telegram Integration

When using the optional Telegram integration, the following data is processed:

  • Telegram ID and username
  • Chat content within AI interactions

Telegram is a third-party provider (Telegram FZ-LLC, Dubai). Their privacy policy applies. The connection can be disconnected at any time in the settings.

9. Email Delivery (Resend)

For sending transactional emails (invoices, quotes, payment reminders, notifications, password resets) and receiving inbound emails (receipt forwarding, support inbox), we use:

Resend, Inc.
2261 Market Street #5039
San Francisco, CA 94114, USA
resend.com/legal/privacy-policy

Data processed: email addresses (sender and recipient), subject, message content, attachments, send date, delivery status.

Purpose: sending and receiving emails as part of contract performance.

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in efficient communication).

Data is transferred to the USA. The transfer is safeguarded by Standard Contractual Clauses pursuant to Art. 46 GDPR and Resend's certification under the EU-US Data Privacy Framework. A data processing agreement is in place with Resend.

10. Web Fonts (Google Fonts)

On select marketing pages, the font "Caveat" is loaded from Google Fonts, operated by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). When the font is loaded, a connection to Google's servers is established, and the user's IP address may be transmitted to Google.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a consistent brand presentation).

A transfer to the USA cannot be excluded. Google is certified under the EU-US Data Privacy Framework. More information: policies.google.com/privacy.

11. Cookies and Tracking Technologies

We use cookies and comparable storage technologies (e.g. localStorage). These are grouped into three categories: strictly necessary, statistics, and marketing.

Statistics and marketing technologies are loaded only after your explicit consent via the cookie banner (§ 25(1) TDDDG, Art. 6(1)(a) GDPR). You may withdraw your consent at any time using the "Change cookie settings" link in the footer. Strictly necessary cookies are exempt from the consent requirement under § 25(2)(2) TDDDG.

11.1 Strictly necessary cookies

Issuer: Orangize Digital (controller of this website)

Purpose: providing the functions requested by the user (login, language, theme, cookie decision, payment processing).

Legal basis: § 25(2)(2) TDDDG; Art. 6(1)(b) and (f) GDPR.

NameTypeLifetimePurpose
auth_tokenCookie7 daysAuthentication (JWT)
consent_v1Cookie12 monthsStores the cookie consent choice
i18n_localeCookie12 monthsLanguage preference
theme-preferencelocalStorageindefiniteSelected theme (Light/Dark/System)
sidebar-nav-preferenceslocalStorageindefiniteSidebar configuration
Stripe cookiesCookieup to 12 monthsFraud prevention for payments (payment pages only)

11.2 Statistics — Umami (consent only)

Issuer: Orangize Digital (self-hosted instance of Umami, operated at stat.dversum.com on servers of Hetzner Online GmbH in Germany)

Description: Umami is a privacy-friendly, self-hosted web analytics solution. No data is transferred to third parties; all measurement happens on our own servers.

Data collected: visited pages, time on page, click path, referrer URL, browser type, browser language, screen resolution, device type, approximate location (country); IP addresses are not stored.

Purpose: reach measurement and optimization of the website.

Legal basis: § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR (consent).

Third-country transfer: none. Data is stored exclusively in Germany.

NameLifetimeDescription
umami.sessionSessionSession ID for recognizing repeated page views within a session. No cross-site tracking.

11.3 Marketing — Meta Pixel (consent only)

Issuer: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (parent: Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA)

Description: The Meta Pixel (Facebook Pixel) is a tracking tool for conversion measurement and remarketing on Facebook and Instagram. With your consent, the pixel is loaded when you visit our website and logs page views and defined events (e.g. registration page view, completed registration).

Data collected: IP address, browser and device information, referrer URL, visited pages, triggered events, Facebook user ID (if logged into Facebook), hashed contact data for conversion attribution.

Purpose: conversion measurement for ads, creation of Custom Audiences and Lookalike Audiences, retargeting.

Legal basis: § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR (consent).

Third-country transfer: Data is transferred to the USA. The transfer is safeguarded by Standard Contractual Clauses pursuant to Art. 46 GDPR and Meta's certification under the EU-US Data Privacy Framework. Following the Schrems II ruling, access by US authorities cannot be entirely excluded.

Joint controllership: For data collection through the pixel and transfer to Meta, we and Meta are joint controllers within the meaning of Art. 26 GDPR. The agreement is available at facebook.com/legal/controller_addendum.

Meta's privacy policy: facebook.com/privacy/policy

NameLifetimeDescription
_fbp90 daysIdentifies the browser for conversion measurement and ad delivery.
_fbc90 daysStores the last click source (Facebook click ID) for conversion attribution.
fr90 daysSet by Meta when you are logged into Facebook, for ad delivery.

12. Lead Tracking and Conversion Measurement

On this website we use a server-side tracking service to capture contact enquiries and attribute them to advertising campaigns. The service is operated by dVersum. Processing takes place on the basis of our legitimate interest (Art. 6(1)(f) GDPR) in measuring the effectiveness of our advertising.

What data is collected?

  • A random visitor ID (stored as a server-side cookie "_tid")
  • Pages visited and timestamps of page views
  • Click IDs from advertising campaigns: GCLID, GBraid and WBraid from Google Ads, FBCLID from Meta
  • UTM parameters for campaign attribution (utm_source, utm_medium, utm_campaign, utm_term, utm_content)
  • When a form is submitted: the contact data entered
  • Technical connection data: IP address (for spam and bot detection) and user agent (for device classification: mobile, tablet or desktop)

Interaction tracking

In addition, certain interactions are recorded where relevant for campaign optimisation:

  • Scroll depth within a page
  • Time spent on a page

No form-field input and no biometric data is collected.

Purpose of processing

The data is used exclusively to attribute contact enquiries to the relevant advertising campaigns (offline conversion tracking) and to optimise advertising campaigns. No profiling, no cross-site tracking and no transfer to third parties for advertising purposes takes place.

Transmission to advertising platforms

Conversion data from form submissions and from configured interaction events is, after review, transmitted server-side to Google Ads and Meta. Only the identifiers and values described under "What data is collected" are transferred. For transmission to Meta, contact data such as email address and phone number is hashed using SHA-256 before sending; this information never leaves our servers in plain text.

Retention period

The visitor ID and the associated tracking data are automatically deleted after 90 days. Processing takes place on servers within the European Union (location: Germany).

Data processing agreement

A data processing agreement pursuant to Art. 28 GDPR is in place with the technical service provider operating the tracking service.

Your rights

You may object to this processing at any time by deleting the "_tid" cookie in your browser or by contacting us using the contact details listed in the legal notice. You have the right to information, rectification, erasure and restriction of processing as well as the right to lodge a complaint with the competent supervisory authority.

Tracking domain

stat.dversum.com

13. Data Retention

Personal data is retained:

  • as long as the user account exists
  • until termination of the contract
  • in accordance with legal retention obligations (e.g., tax retention periods: up to 10 years)

After account deletion, personal data is deleted unless legal retention obligations apply.

14. Data Security

The following technical and organizational measures are in place to protect personal data:

  • TLS encryption for all communications
  • Encrypted storage of sensitive data (AES-256-GCM)
  • Hosting in German data centers (Hetzner)
  • Role-based access controls
  • Multi-tenant data separation per organization
  • Regular backups
  • Two-factor authentication (TOTP) as optional account security
  • Passwords stored exclusively as bcrypt hashes

15. No Automated Decision-Making

No automated decision-making within the meaning of Art. 22 GDPR takes place. In particular, the AI features of the application (AI assistant, content generation, proactive insights) provide suggestions and assistance; all legally or economically significant decisions (e.g. sending invoices or reminders, signing contracts) are triggered exclusively by the user.

16. Data Subject Rights

Users have the right to:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection (Art. 21 GDPR)

To exercise these rights, please contact: hello@dversum.com

You also have the right to lodge a complaint with the competent supervisory authority:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestr. 2-4, 40213 Düsseldorf, Germany
www.ldi.nrw.de

17. Last Updated

As of: June 2026

This privacy policy is updated as needed to reflect changes in data processing or legal requirements.