Controller
Conbool GmbH (hereinafter “we” or “us”) is the controller within the meaning of the General Data Protection Regulation (GDPR) for the processing of personal data (hereinafter “data”) in connection with the operation of our website, the handling of contact requests, sales/contract communication, and the administration of customer accounts and billing processes.
Where we process personal data within the scope of our products (e.g., Email Security Gateway, SecureMail, MailGuard, Disclaimer/Signature Manager, message portal and Outlook add-in) on behalf of a business customer, we generally act as a processor pursuant to Art. 28 GDPR. In these cases, the respective business customer is the controller; the details are governed by our Data Processing Agreement (DPA).
Contact
Conbool GmbH
Berlepschweg 11
21079 Hamburg
Germany
You can contact us via the contact form.
Data Protection Officer
Data Protection Officer
Conbool GmbH
Berlepschweg 11
21079 Hamburg
Germany
To exercise your statutory rights or if you have general questions about data protection, you can contact us at any time at info@conbool.com. This email address reaches both our data protection specialists and our Data Protection Officer. If you wish to contact only the Data Protection Officer, you may also do so in writing using the postal address above.
Role allocation (website/sales vs. product processing on behalf of customers)
We distinguish between two areas of processing:
- Website, sales, contract administration and support organization: In these cases, we are the controller under the GDPR.
- Product processing on behalf of our business customers: When personal data is processed as part of our products used by business customers, we generally act as a processor. The respective business customer is the controller. Scope, purposes, categories, and sub-processors are set out in our DPA.
1. Type and purpose of data processing
The processing of personal data by Conbool GmbH is carried out exclusively in accordance with applicable data protection laws, in particular the GDPR. The purposes and types of processing are based on the services we provide and the requirements of our customers.
1.1 Visiting the website
We process the following types of personal data when you visit our website:
IP address, date and time of access, name and URL of the retrieved page, the website from which access occurs (referrer URL), the browser used and, if applicable, your operating system, as well as the name of your access provider.
We process this data for the following purposes:
- Ensuring a smooth connection setup for the website,
- Ensuring convenient use of our website,
- Evaluating system security and stability, and
- Other administrative purposes.
We rely on our legitimate interest (Art. 6(1)(f) GDPR) for this processing. The processing is necessary to enable you to use our website without disruption.
1.2 Contact forms and email contact
We process the following types of personal data when you use our contact forms or contact us by email:
- Name
- Company
- Timestamp
- Email address
- Content of your inquiry
We process the data you provide in our contact form to respond to your inquiry. This processing is based on our legitimate interest in answering inquiries (Art. 6(1)(f) GDPR). We store the data collected via the contact form only as long as necessary to handle your inquiry. Once the purpose has been fulfilled, this information is deleted. If legal requirements mandate longer retention, we restrict the processing to the legally required minimum and delete the data after the retention period has expired.
We also process your data to inform you about our products and services. Product/service information by telephone is based on your consent (Art. 6(1)(a) GDPR). We generally also rely on your consent for information sent by email. If you have previously purchased comparable products or services from us, we base such communications on our legitimate interest (§ 7(3) UWG, Art. 6(1)(f) GDPR). You may object to such product or service information at any time. Each informational email contains a link that allows you to object to further processing for the purpose of receiving information.
1.3 Provision of services
As part of providing our Email Security Gateway, we process personal data to ensure the security and integrity of our customers’ email communication and to perform our services. This includes: sender and recipient information, subject lines, timestamps, and other metadata. We, as the provider, have no direct access to email content; emails are processed exclusively in a streaming manner.
To provide efficient support to our customers, we process the following data in connection with inquiries:
Name, email address, phone number, timestamp, and other information provided as part of a support request. Depending on the use case, this may also include temporary access to metadata (e.g., sender, recipient, timestamp) with the customer’s explicit consent for diagnosing technical issues or resolving incidents.
We also process the data provided when creating a customer account. The specific data required to create an account is indicated in the input form on our website. This includes name, company name, email address, and phone number.
To ensure the security and availability of our services, we maintain logs of security-relevant events. These include, for example, login attempts, changes to user accounts, or system errors. These logs are used solely for troubleshooting and security monitoring.
We rely on the legal basis of contract performance (Art. 6(1)(b) GDPR). Where we process data on behalf of a business customer, this is done on the basis of the DPA (Art. 28 GDPR) and the documented instructions of the controller.
1.3.1 Disclaimer/Signature Manager (templates, rules, assets)
Where our business customers use the Disclaimer/Signature Manager, we process—depending on the customer’s configuration—the following additional categories of data to provide the function:
- Template/configuration data: signature/disclaimer templates (HTML/text), languages, versions, template IDs, routing/rule configurations, exceptions.
- Placeholder/directory data: e.g., name, business contact details, organizational unit, role, location, insofar as such data is provided by the customer or connected via integrations.
- Assets: e.g., logos/images/files including technical metadata (file name, size) that are embedded in templates.
Processing is carried out exclusively to render and deliver the signatures/disclaimers defined by the customer.
1.3.2 Outlook add-in (client-side signature insertion)
Where our business customers use the Outlook add-in, the add-in may—depending on configuration—access data from the email draft in order to correctly display or insert signatures/disclaimers. This may include, in particular: the sender account, recipients, subject, language/locale, and the draft content (body) to the extent technically necessary for insertion.
We design processing according to the principle of data minimization. Logs used for troubleshooting/security monitoring generally contain no email content.
1.4 Cookies and website data
Conbool GmbH uses cookies and similar technologies to improve the functionality of the website, optimize the user experience, and provide certain services. In doing so, we comply with the requirements of the GDPR and the TTDSG (Telecommunications-Telemedia Data Protection Act).
We use only technically necessary cookies. These cookies are required for the website to function properly (e.g., for login functions or shopping carts). They are set without your consent because they are technically necessary to provide our services.
Types of cookies:
- Session cookies: Temporary cookies stored during your visit and automatically deleted when you close your browser.
- Persistent cookies: Cookies stored on your device for a longer period in order to restore preferences or settings for future visits.
Specifically, the following cookies are used:
Essential cookies:
- csrfSecret: Used for security purposes to prevent Cross-Site Request Forgery (CSRF) attacks.
- lang: Stores your language preference during the session so the website is displayed in your preferred language.
- Session cookies: Required for user authentication and session management.
Preference cookies:
- theme: Stores your preferred display mode (dark or light mode). This cookie is only created if you actively change the theme settings.
Third-party cookies:
- Stripe cookies (__stripe_mid): Used for payment processing and fraud prevention. These cookies are set only when you perform a payment action.
Cookie retention period
- Session cookies are deleted when you close your browser.
- Preference cookies (e.g., theme) are stored for up to 1 year.
- Stripe cookies follow Stripe’s retention policy as described in its cookie policy.
Managing cookies
You can manage or delete cookies via your browser settings. Please note that disabling essential cookies may impair the functionality of our website.
Processing is based on legitimate interests (Art. 6(1)(f) GDPR) and § 25(2) TTDSG, as these cookies are essential for operating the website.
2. Storage and deletion of data
Conbool GmbH stores personal data only as long as necessary for the respective purposes or as required by statutory retention obligations. After the respective periods have expired, the data is deleted.
2.1 Retention periods by data category
- Contract data
  - Contract-related data (e.g., invoices, customer contracts) is stored for the duration of the contractual relationship.
  - After termination of the contractual relationship, data is stored further in accordance with statutory retention periods:
    - 6 years for commercially relevant documents (§ 257 HGB).
    - 10 years for tax-relevant documents (§ 147 AO).
- Email metadata & logs
  - Metadata & logs such as sender, recipient, subject lines, and timestamps are stored for up to 90 days.
  - Purpose: analysis and remediation of technical issues and ensuring the functionality of the Email Security Gateway.
- Content data
  - Email content (e.g., text content, attachments) is processed only temporarily and in an automated manner and stored until final delivery or deletion by the customer.
  - After processing is completed, this data is automatically deleted.
- Template/configuration data (templates, rules, routing): stored for the duration of the contract or until deleted by the customer; after contract termination, deleted or returned in accordance with the DPA.
- Assets (e.g., logos/images): stored for the duration of the contract or until deleted by the customer; after contract termination, deleted or returned in accordance with the DPA.
- Add-in technical event data (e.g., error messages/status codes): stored solely for troubleshooting and security monitoring, generally up to 90 days, unless statutory retention obligations apply.
- Cookies
  - Session cookies: stored only during your use of our website and automatically deleted when you close your browser.
  - Persistent cookies: remain stored for a longer period to restore settings or preferences.
2.2 Deletion
After the respective retention periods have expired, personal data is either fully deleted or anonymized.
3. Disclosure to third parties
3.1 Sub-processors
To provide our services, we use the following sub-processors:
- IONOS SE
  - Service: cloud infrastructure for operating our services.
  - Place of processing: Germany (EU).
  - Notes: hosting in ISO 27001-certified data centers with strict security measures.
- Supabase Inc.
  - Service: database services with storage in the EU.
  - Place of processing: Germany (EU).
  - Notes: a data processing agreement has been concluded and GDPR-compliant processing is ensured.
3.2 Transfers to third countries
Personal data is generally not transferred to countries outside the European Union (third countries). Where a transfer to a third country should be technically or organizationally necessary in individual cases to provide the services (e.g., as part of support/maintenance or through service providers used), we ensure that appropriate safeguards pursuant to Art. 44 et seq. GDPR are in place (e.g., EU Standard Contractual Clauses) and that processing is limited to what is necessary. Further details can be found in the DPA and/or the sub-processor list contained therein.
3.3 Legal basis for disclosure
- Art. 6(1)(b) GDPR: performance of a contract (e.g., provision of the Email Security Gateway).
- Art. 6(1)(f) GDPR: legitimate interests, in particular to ensure secure operation and to handle support requests.
3.4 Transparency and control
We ensure that all sub-processors we use are contractually obligated to comply with the requirements of the GDPR and to process personal data solely in accordance with our instructions.
Note on third-party platforms (e.g., Microsoft 365/Outlook)
Where business customers use the Outlook add-in, the add-in is executed within Microsoft’s platform (Outlook/Office). Processing within this platform is carried out under the responsibility of the respective business customer and in accordance with the platform provider’s terms. We receive only those data that are necessary to provide our services and that are transmitted to us by the customer and/or by the add-in.
4. Rights of data subjects
Data subjects have various rights under the GDPR with regard to the processing of their personal data. These rights ensure transparency and control over one’s own data.
4.1 Overview of rights
Right of access (Art. 15 GDPR): You have the right to request confirmation as to whether we process personal data about you. You may also request information about the processed data and further details such as processing purposes and recipients.
Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate or incomplete personal data.
Right to erasure (“right to be forgotten”, Art. 17 GDPR): You have the right to request the deletion of your personal data, provided there are no legal grounds for further processing (e.g., statutory retention obligations).
Right to restriction of processing (Art. 18 GDPR): You may request restriction of processing if one of the following conditions is met:
- the accuracy of the data is contested;
- the processing is unlawful, but you do not want deletion;
- we no longer need the data, but you need it for the establishment, exercise, or defense of legal claims; or
- you have objected to processing and it is not yet determined whether our legitimate interests override yours.
Right to object to processing (Art. 21 GDPR): You may object to processing where it is based on legitimate interests (Art. 6(1)(f) GDPR). This applies in particular to direct marketing.
Right to data portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format or to have it transmitted to another controller.
Withdrawal of consent (Art. 7(3) GDPR): If processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a competent supervisory authority.
We do not make automated decisions based on your personal data.
4.2 Exercising your rights
- Contact options: To exercise your rights, you may contact us at any time using the contact details above.
- Identity verification: To process your request and to ensure that your personal data is not disclosed to unauthorized third parties, we reserve the right to verify your identity (e.g., by requesting an appropriate form of identification).
- Response time: We will respond without undue delay and no later than one month after receipt (Art. 12(3) GDPR). If a request is particularly complex, this period may be extended by a further two months; in this case, we will inform you in due time.
- Costs: Exercising your rights is generally free of charge. However, if requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on the request (Art. 12(5) GDPR).
- Note in case of processing on behalf of a controller: Where personal data is processed as part of the use of our products by a business customer, the business customer is generally the controller. Data subjects should first contact the respective business customer to exercise their rights. We support the controller in handling data subject requests within the scope of the DPA.
5. Changes to this privacy policy
We reserve the right to update this privacy policy as needed, e.g., to reflect changes to our services or legal requirements. We will inform you of material changes in due time by email or by a notice on our website.