Privacy Policy

Last updated: March 23, 2026

1. Data Controller

BeyondWega UG (haftungsbeschränkt)
Auf dem Kamp 74
28865 Lilienthal
Deutschland

Email: datenschutz@faktor400.com
Phone: +49 163 2580889
Website: faktor400.com | app.faktor400.com

A Data Protection Officer is not legally required and has not been appointed due to the size of the company (fewer than 20 persons regularly involved in automated processing) pursuant to § 38 (1) BDSG.

2. Overview of Processing Activities

We process personal data only to the extent necessary for the provision of our platform 'Faktor400' and the associated website.

Data Category | Data Subjects | Purpose | Legal Basis | Retention Period
Server Log Files | Website Visitors | Operations, Security | Art. 6(1)(f) | 30 days (IP anonymized after 7 days)
Account Data | Registered Users | Contract Performance | Art. 6(1)(b) | Account lifetime + 30 days
Seller Business Data | Registered Users | Analytics Service | Art. 6(1)(b) | Account lifetime + 30 days
Amazon End-Customer PII (name, address, phone where applicable) | Buyers of Sellers | Data Processing | Art. 28 GDPR (legal basis determined by Seller) | PII: 30 days after shipment (automatically anonymized); aggregated business data: account lifetime + 30 days
Billing Data | Paying Users | Billing, Accounting | Art. 6(1)(b) + (c) | 10 years (§ 147 AO, § 257 HGB)
Cookies / Local Storage | Website Visitors | Functionality | Art. 6(1)(f) / (a) | See Cookie Policy

3. Legal Bases

We process personal data in accordance with the GDPR. The following legal bases apply:

  • Consent (Art. 6(1)(a) GDPR) — e.g., for optional analytics cookies.
  • Performance of a contract (Art. 6(1)(b) GDPR) — e.g., for providing the user account, analytics features, and billing data.
  • Legal obligation (Art. 6(1)(c) GDPR) — e.g., for tax and commercial law retention obligations (§ 147 AO, § 257 HGB: 6–10 years for invoice and booking data).
  • Legitimate interests (Art. 6(1)(f) GDPR) — e.g., for website operation, security measures, and fraud prevention.

4. Data Collected When Using the Website

4.1 SSL/TLS Encryption

Communication between your browser and our servers occurs via HTTPS (TLS encryption). This protects transmitted data from access by third parties.

4.2 Server Log Files

Each time our website is accessed, the web server automatically collects:

  • IP address (anonymized after 7 days by truncating the last octet: IPv4 last 8 bits zeroed, IPv6 last 80 bits zeroed)
  • Date and time of the request
  • Requested page / URL
  • Referrer URL
  • Browser type and version
  • Operating system

Legal basis: Art. 6(1)(f) GDPR. The data is used to ensure operation and to defend against attacks. Log files are deleted after 30 days.

4.3 Hosting

Our website is hosted by:

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen, Deutschland

Data center: Falkenstein/Vogtl. (Germany, EU).

Data Processing Agreement: hetzner.com/rechtliches/auftragsdatenverarbeitung

A data processing agreement (Art. 28 GDPR) is in place. All data is processed exclusively on servers in Germany. No CDN or WAF (e.g., Cloudflare) is currently in use; the reverse proxy (Nginx) runs on the same server.

5. User Account & Platform

5.1 Registration and Login

When registering for Faktor400, we process:

  • Email address
  • Password (stored using state-of-the-art hashing, never in plain text)
  • Name (optional)
  • Time of registration

Authentication is handled by Supabase Auth (Supabase, Inc., USA). Supabase is responsible for password hashing (bcrypt, server-side), email verification, and the password reset flow. Authentication tokens are stored in your browser's Local Storage (PKCE-based OAuth flow).

More information: supabase.com/privacy

Login via Google (OAuth 2.0): Alternatively, you can register and log in using your Google account. The following data is transmitted (OAuth scopes: email, profile):

  • Email address
  • Profile name (first and last name)
  • Profile picture URL
  • Google User ID

For Google's own data processing, their privacy policy applies: policies.google.com/privacy

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

5.2 Amazon Seller Data

When using Faktor400, users connect their Amazon Seller account via the Amazon SP-API and/or Amazon Ads API. In this context, we process business data such as product data, inventory data, fees, advertising campaign data, and aggregated revenue/order metrics. For this data, BeyondWega is the data controller within the meaning of the GDPR.

5.3 Amazon End-Customer Data (Data Processing)

Note: This privacy policy is primarily directed at website visitors and registered Faktor400 users. The following explanation of Amazon buyer data processing serves to provide transparency about our role as a data processor; the primary data protection information for buyers is the responsibility of the respective Seller as the data controller.

Order data retrieved via the Amazon SP-API may contain personal data of Amazon buyers (buyer name, delivery address, and where applicable phone number). For this data, the Seller is the data controller; BeyondWega acts as a data processor within the meaning of Art. 28 GDPR.

A Data Processing Agreement (DPA) is concluded between BeyondWega and the Seller upon connection of the SP-API. See DPA

Processed end-customer PII: buyer name, delivery address, and (where not masked by Amazon) email address. Payment information of buyers is not stored by Faktor400.

Amazon Data Protection Policy (DPP): Independent of the GDPR, SP-API data is subject to the Amazon Data Protection Policy. Personal buyer data (PII) may only be used for order fulfillment purposes and is automatically anonymized within 30 days of shipment (buyer names and addresses). Aggregated business data (revenue, ASIN metrics) is not affected.

Retention period: Amazon data is retained for as long as the user account is active. After account deletion, all data is deleted within 30 days, unless statutory retention obligations apply. For trial users without a subscription: 30 days after the end of the trial phase (see GTC § 3(5)).

5.4 Billing Data

We store billing address, company name, VAT ID, invoice history, payment status, and selected plan. This data is subject to retention obligations (§ 147 AO, § 257 HGB) and will be retained for up to 10 years after the end of the contract.

5.5 Payment Processing

Stripe Payments Europe, Limited (SPEL)
1 Grand Canal Street Lower, Grand Canal Dock, Dublin 2, Ireland

Stripe is an independent data controller for the processing of credit card and payment data. We do not store any credit card or bank account data ourselves.

5.6 Transactional Emails

For sending transactional emails, we use Resend, Inc. (San Francisco, CA, USA). Data transfer to the USA is based on the EU-US Data Privacy Framework (Art. 45 GDPR). Legal basis: Art. 6(1)(b) GDPR.

6. Cookies and Tracking

6.1 Strictly Necessary Cookies

We use cookies that are technically necessary for the operation of the website and the platform (e.g., session tokens, language settings). These cookies are set without consent.

Legal basis: § 25(2) TDDDG (technically required), Art. 6(1)(f) GDPR.

Supabase authentication tokens are stored in your browser's Local Storage (key: sb-auth-token). During the OAuth flow, a PKCE verifier is additionally stored in Session Storage. Server-side, @supabase/ssr sets additional SSR cookies. The language preference is stored as a cookie (faktor400-language). All of these storage operations are technically necessary and fall under § 25(2) TDDDG.

6.2 Analytics and Marketing

Within the Faktor400 app, we use PostHog as an analytics tool. PostHog is operated via the EU instance (eu.posthog.com), so analytics data is processed exclusively on servers in the EU.

Collected data: Explicitly defined events (e.g., page views, feature usage). Autocapture is disabled; only deliberately instrumented events are captured. Session recording is disabled. The Do-Not-Track browser setting is respected (respect_dnt: true). Users are identified by their app user ID (not the Supabase UID).

Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with § 25(1) TDDDG. Analytics cookies are only set after explicit consent (via cookie banner). You may withdraw your consent at any time with effect for the future.

Provider: PostHog, Inc., San Francisco, CA, USA — EU instance (data processing in the EU).

On the landing page (faktor400.com), no analytics or marketing cookies are currently used.

7. Third-Party Providers and Data Processors

Provider | Purpose | Location | Role | DPA
Hetzner Online GmbH | Web hosting, server infrastructure | Falkenstein, Germany (EU) | Data Processor | Yes
Supabase, Inc. | Authentication, database | USA (DPF-certified) | Data Processor | Yes
Stripe Payments Europe, Limited | Payment processing | Dublin, Ireland (EU) | Independent controller (card data) / Data processor (metadata) | Yes
Resend, Inc. | Transactional emails | USA (DPF-certified) | Data Processor | Yes
PostHog, Inc. | Product analytics (EU instance) | USA (EU data processing) | Data Processor | Yes

All data processors have been carefully selected. Data processing agreements pursuant to Art. 28 GDPR are in place, where providers act as data processors and not as independent controllers.

8. Data Transfers to Third Countries

Some of our service providers are based in the USA. Data transfers are based on the following legal grounds:

Provider | Transfer Basis | Supplementary Measures
Supabase, Inc. | EU-US Data Privacy Framework (Art. 45 GDPR, EU Commission adequacy decision of 10 July 2023) | Encryption in transit (TLS) and at rest
Resend, Inc. | EU-US Data Privacy Framework (Art. 45 GDPR) | Encryption in transit (TLS)

PostHog, Inc. is based in the USA; however, data processing is carried out via the EU instance (eu.posthog.com), so analytics data is processed and stored exclusively on servers in the EU. No transfer of personal data to the USA takes place.

Stripe Payments Europe, Ltd. is based in Ireland (EU); card data is processed within the EEA. No third-country transfer takes place.

Hetzner Online GmbH operates all servers in Germany. No third-country transfer takes place.

Note: The DPF certification of the aforementioned US providers has been verified at dataprivacyframework.gov (as of March 2026). Should a provider no longer be certified in the future, we will rely on Standard Contractual Clauses (Art. 46(2)(c) GDPR) in conjunction with a Transfer Impact Assessment (TIA) and supplementary technical measures.

9. Automated Decision-Making

We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR.

10. Your Rights

  • Right of access (Art. 15 GDPR) — Information about the data we have stored about you.
  • Right to rectification (Art. 16 GDPR) — Correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR) — Deletion of your data, provided no retention obligations exist.
  • Right to restriction (Art. 18 GDPR) — Restriction of processing under certain conditions.
  • Right to data portability (Art. 20 GDPR) — Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21 GDPR) — Object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3) GDPR) — You may withdraw consent at any time with effect for the future.

To exercise your rights, please contact: datenschutz@faktor400.com

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Art. 6(1)(f) GDPR.

Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is:

The State Commissioner for Data Protection of Lower Saxony
Prinzenstraße 5, 30159 Hannover
www.lfd.niedersachsen.de

You may also contact the supervisory authority of your place of residence or workplace.

11. Changes to This Privacy Policy

We update this privacy policy as needed, in particular when changes are made to our data processing activities or legal requirements. Registered users will be notified of material changes by email.

12. Language Versions

In the event of discrepancies between the German and any English version of this privacy policy, the German version shall prevail.