Privacy policy

As of: January 6, 2026

Preamble

This privacy policy explains which categories of your personal data (hereinafter also referred to as "data") we process, for what purposes, and to what extent. It applies to all processing of personal data we carry out—both in providing our services and in particular on our websites, in mobile applications, and within external online presences such as our social media profiles (hereinafter collectively referred to as the "online offer").

The terms used are not gender-specific.

Controller

CustCom UG,
Sandstr. 17
49080, Osnabrück, Germany

Email: support@custcom.io

Overview of processing

The following overview summarizes the types of data processed, the purposes of processing, and the categories of data subjects.

Types of data processed

  • Master data.
  • Contact data.
  • Content data.
  • Usage data.
  • Meta, communication, and procedural data.
  • Log data.

Categories of data subjects

  • Communication partners.
  • Users.

Purposes of processing

  • Communication.
  • Security measures.
  • Direct marketing.
  • Organizational and administrative procedures.
  • Feedback.
  • Provision of our online offer and usability.
  • IT infrastructure.

Relevant legal bases

Relevant legal bases under the GDPR: Below is an overview of GDPR legal bases on which we process personal data. Please note that national data protection rules in your or our country of residence may also apply. If more specific legal bases apply in individual cases, we will inform you in this privacy policy.

  • Consent (Art. 6(1)(a) GDPR) – The data subject has consented to the processing of personal data concerning them for one or more specific purposes.
  • Contract performance and pre-contractual requests (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the data subject's request prior to entering into a contract.
  • Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National data protection rules in Germany: In addition to the GDPR, national rules apply in Germany, in particular the Federal Data Protection Act (BDSG). The BDSG contains special provisions on the right of access, erasure, objection, processing of special categories of personal data, processing for other purposes, transfers, and automated individual decision-making including profiling. State data protection laws may also apply.

Security measures

We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing as well as the varying likelihood and severity of risks to natural persons' rights and freedoms, to ensure a level of security appropriate to the risk.

Measures include in particular ensuring confidentiality, integrity, and availability of data by controlling physical and electronic access to data as well as access, input, disclosure, ensuring availability, and separation. We have also established procedures to exercise data subject rights, erase data, and respond to threats to data. Furthermore, we consider the protection of personal data during development or selection of hardware, software, and procedures, in line with the principles of data protection by design and by default.

Securing online connections with TLS/SSL (HTTPS): To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption. SSL and TLS are core technologies for secure data transmission on the internet. They encrypt information exchanged between the website or app and the user's browser (or between servers), protecting it from unauthorized access. TLS is the more secure successor to SSL and helps ensure transmissions meet high security standards. HTTPS in the URL indicates that the site is secured with SSL/TLS, signaling to users that data is transmitted securely and encrypted.

General information on storage and erasure

We erase personal data we process in accordance with statutory requirements as soon as the underlying consent is withdrawn or no further legal basis for processing exists. This applies where the original purpose no longer applies or the data is no longer needed. Exceptions apply where statutory retention obligations or particular interests require longer storage or archiving.

In particular, data that must be retained for commercial or tax law reasons or whose storage is necessary for legal enforcement or protection of other natural or legal persons must be archived accordingly.

Our privacy notices contain additional information on retention and erasure for specific processing activities.

Where multiple retention or erasure periods apply to data, the longest period applies. Data that are no longer retained for the original purpose but because of statutory requirements or other grounds are processed solely for the reasons that justify retention.

Retention and erasure: The following general periods apply under German law:

  • 10 years – Retention for books and records, annual financial statements, inventories, management reports, opening balance sheets, and related work instructions and organizational documents (Section 147(1) no. 1 in conjunction with (3) AO, Section 14b(1) UStG, Section 257(1) no. 1 in conjunction with (4) HGB).
  • 8 years – Accounting documents such as invoices and expense receipts (Section 147(1) nos. 4 and 4a in conjunction with (3) sentence 1 AO and Section 257(1) no. 4 in conjunction with (4) HGB).
  • 6 years – Other business documents: received and sent commercial or business letters and other documents relevant for taxation, e.g. timesheets, cost allocation sheets, pricing documents, payroll records where not already accounting documents, and cash register tapes (Section 147(1) nos. 2, 3, 5 in conjunction with (3) AO, Section 257(1) nos. 2 and 3 in conjunction with (4) HGB).
  • 3 years – Data needed to address potential warranty and damages claims or similar contractual rights and related inquiries are stored for the regular statutory limitation period of three years (Sections 195, 199 BGB), based on typical business experience and industry practice.

Period start at year-end: Where a period does not expressly start on a specific date and is at least one year long, it begins automatically at the end of the calendar year in which the triggering event occurred. For ongoing contractual relationships where data is stored, the triggering event is termination or other end of the legal relationship.

Rights of data subjects

Rights under the GDPR: As a data subject you have various rights, in particular under Articles 15–21 GDPR:

  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. Where personal data are processed for direct marketing, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent related to such direct marketing.
  • Withdrawal of consent: You have the right to withdraw consent at any time.
  • Right of access: You have the right to obtain confirmation as to whether personal data concerning you are being processed, and to access those data and further information and a copy of the data in accordance with legal requirements.
  • Right to rectification: You have the right to obtain completion of incomplete data or rectification of inaccurate data concerning you, in accordance with legal requirements.
  • Right to erasure and restriction: You have the right to request erasure of personal data concerning you without undue delay, or alternatively restriction of processing, in accordance with legal requirements.
  • Right to data portability: You have the right to receive personal data concerning you which you have provided in a structured, commonly used, and machine-readable format, or to have those data transmitted to another controller, where legally required.
  • Complaint to a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that processing infringes the GDPR.

Provision of the online offer and web hosting

We process user data to make our online services available. For this purpose we process the user's IP address, which is necessary to deliver content and functions to the user's browser or device.

  • Categories of data: Usage data (e.g. page views and dwell time, click paths, intensity and frequency of use, device types and operating systems, interactions with content and functions); meta, communication, and procedural data (e.g. IP addresses, timestamps, identifiers, persons involved). Log data (e.g. log files for logins, data retrieval, or access times).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes: Provision of our online offer and usability; IT infrastructure (operation and provision of information systems and technical devices such as computers and servers). Security measures.
  • Retention and erasure: As described in the section "General information on storage and erasure".
  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Hosting the online offer on rented storage:

To provide our online offer we use storage, computing capacity, and software rented or otherwise obtained from a server provider ("web host").

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Collection of access data and log files:

Access to our online offer is logged in server log files. These may include the address and name of retrieved pages and files, date and time of retrieval, transferred data volume, success messages, browser type and version, operating system, referrer URL, and typically IP addresses and requesting provider. Log files may be used for security (e.g. to prevent server overload, especially in case of abusive attacks such as DDoS) and to monitor server load and stability.

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Erasure: Log information is stored for a maximum of 30 days and then deleted or anonymized. Data that must be retained for evidence purposes is excluded from erasure until the incident is finally resolved.

Contact and inquiry management

When you contact us (e.g. by post, contact form, email, phone, or social media) or within existing user or business relationships, we process the data of the requesting persons where necessary to respond to inquiries and any requested measures.

  • Categories of data: Master data (e.g. full name, address, contact details, customer number); contact data (e.g. postal and email addresses or phone numbers); content data (e.g. text or image messages and related information such as authorship or creation time); usage data (e.g. page views, dwell time, click paths, device types, OS, interactions). Meta, communication, and procedural data (e.g. IP addresses, timestamps, identifiers, persons involved).
  • Data subjects: Communication partners.
  • Purposes: Communication; organizational and administrative procedures; feedback (e.g. via online forms). Provision of our online offer and usability.
  • Retention and erasure: As described in the section "General information on storage and erasure".
  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Contract performance and pre-contractual requests (Art. 6(1)(b) GDPR).

Contact form:

When you contact us via our contact form, email, or other channels, we process the personal data you provide to respond to and handle your request. This typically includes name, contact details, and any further information needed for appropriate handling. We use this data solely for the stated purpose of contact and communication.

Legal bases: Contract performance and pre-contractual requests (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).

Newsletters and electronic notifications

We send newsletters, emails, and other electronic notifications (hereinafter "newsletters") only with the recipients' consent or another legal basis. If contents are described when signing up, those contents are decisive for consent. Usually your email address is sufficient to subscribe. Where we offer a more personalized service, we may ask for your name or further information if needed for the newsletter.

Erasure and restriction: We may store unsubscribed email addresses for up to three years based on legitimate interests before erasure, to demonstrate that consent was previously given. Processing is limited to defending against potential claims. Individual erasure is possible at any time if the former existence of consent is confirmed. Where we must permanently honor objections, we may store the email address on a blocklist solely for that purpose.

Logging of the signup process is based on our legitimate interests to demonstrate proper procedure. If we use a provider to send emails, this is based on our legitimate interests in an efficient and secure mailing system.

Content: Information about us, our services, promotions, and offers.

  • Categories of data: Master data (e.g. name, address, contact details, customer number); contact data (e.g. postal and email addresses or phone numbers). Meta, communication, and procedural data (e.g. IP addresses, timestamps, identifiers, persons involved).
  • Data subjects: Communication partners.
  • Purposes: Direct marketing (e.g. by email or post).
  • Legal bases: Consent (Art. 6(1)(a) GDPR).
  • Opt-out: You may unsubscribe from our newsletter at any time, i.e. withdraw consent or object to further receipt. Use the link at the end of each newsletter or contact us via the channels above, preferably by email.

Changes and updates

Please review this privacy policy regularly. We update it when changes to our processing make this necessary. We will inform you if changes require action on your part (e.g. consent) or individual notification.

Where we list addresses and contact details of companies or organizations, please note they may change over time—verify before contacting.

Definitions

This section explains terms used in this privacy policy. Where terms are legally defined, those definitions apply. The explanations below mainly aid understanding.

  • Master data: Essential information for identifying and managing contractual partners, user accounts, profiles, and similar relationships. May include personal and demographic details such as names, contact information (addresses, phone numbers, email addresses), dates of birth, and identifiers (user IDs). Master data enables clear assignment and communication.
  • Content data: Information generated when creating, editing, and publishing content of any kind. May include text, images, video, audio, and other multimedia published on various platforms, including metadata such as tags, descriptions, author information, and publication dates.
  • Contact data: Information needed to communicate with persons or organizations, including phone numbers, postal and email addresses, and identifiers such as social handles or messaging IDs.
  • Meta, communication, and procedural data: Information about how data is processed, transmitted, and managed. Metadata describes context, origin, and structure of other data (e.g. file size, creation date, author, change history). Communication data covers exchanges via email, call logs, social messages, and chats, including participants, timestamps, and channels. Procedural data describes workflows, transaction logs, activities, and audit trails.
  • Usage data: Information about how users interact with digital products, services, or platforms—features used, session length, navigation paths, frequency, timestamps, IP addresses, device information, and location data where applicable. Valuable for behavior analysis, UX optimization, personalization, and product improvement.
  • Personal data: Any information relating to an identified or identifiable natural person ("data subject"). An identifiable person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, ID number, location data, online identifier, or factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.
  • Log data: Information about events or activities recorded in a system or network, typically including timestamps, IP addresses, user actions, error messages, and operational details. Often used for troubleshooting, security monitoring, or performance reporting.
  • Controller: The natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of processing personal data.
  • Processing: Any operation or set of operations performed on personal data, whether or not by automated means—such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction, erasure, or destruction.
