Privacy Policy

Last updated: June 2025

1. Controller

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

CleverApprove UG (haftungsbeschränkt)
Musterstraße 12, 10115 Berlin, Germany
Email: privacy@cleverapprove.de

2. What Data We Process and Why

2.1 Account and Authentication

When you create an account, we store your email address and, optionally, your name. Authentication uses magic links: we send a one-time login link to your email address. No password is stored. Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Retention: as long as your account exists, plus 30 days after deletion.

2.2 Session Cookie

After login we set a single, technically necessary session cookie. This cookie identifies your authenticated session and is required for the service to function. It is set as HttpOnly and Secure; it cannot be read by JavaScript. No tracking or advertising cookies are used. Legal basis: § 25(2) No. 2 TTDSG (strictly necessary); Art. 6(1)(f) GDPR (legitimate interest in a secure, functional service). The cookie expires after 30 days or when you sign out.

2.3 Files and Request Content

Files you upload as part of an approval request, as well as any message text, approval decisions, comments, and annotations, are stored to provide the core service. Legal basis: Art. 6(1)(b) GDPR. Files are deleted within 90 days after a request is closed or deleted.

2.4 Recipient Data

When you add recipients to a request, we store their name, email address, and/or phone number solely to deliver the approval notification and process their response. Recipients are not required to create an account. Legal basis: Art. 6(1)(b) GDPR. Recipient data is deleted along with the associated request.

2.5 Payment Data

Billing is handled by Stripe, Inc. (see section 3). We do not store full payment card details. We receive and store your Stripe customer ID, subscription status, and billing email. Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(c) GDPR (legal obligation for invoice retention). Invoices are retained for 10 years as required by German commercial law.

2.6 Server Logs and Error Monitoring

Our infrastructure generates access logs (IP address, timestamp, URL, HTTP status code) for security and operational purposes. We use Sentry for automated error tracking; error reports may contain stack traces and request metadata. Logs are retained for 14 days; Sentry events for 90 days. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in system stability and security).

3. Third-Party Processors

We use the following sub-processors. Each has been contractually bound under Art. 28 GDPR:

Amazon Web Services (AWS) – File Storage

Uploaded files are stored on AWS S3. Storage region: eu-central-1 (Frankfurt). AWS Inc., 410 Terry Ave N, Seattle, WA 98109, USA. Data transfer to the US is covered by the EU-US Data Privacy Framework.

Twilio Inc. – Email and SMS/WhatsApp Notifications

Notification delivery (magic links, approval invitations) is handled via Twilio's messaging APIs. Twilio Inc., 375 Beale St, San Francisco, CA 94105, USA. Data transfer covered by standard contractual clauses (SCCs).

Stripe – Payments

Subscription billing is processed by Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland. Stripe processes payment card data under PCI DSS compliance. See Stripe’s privacy policy at stripe.com/privacy.

Sentry – Error Monitoring

Functional errors are reported to Sentry (Functional Software Inc. dba Sentry, 45 Fremont St, San Francisco, CA 94105, USA). Data transfer covered by SCCs. Error events may contain partial request data but are stripped of file content.

4. Data Transfers Outside the EEA

Some processors listed in section 3 are based in the United States. Transfers are safeguarded by the EU-US Data Privacy Framework adequacy decision and/or standard contractual clauses (Art. 46(2)(c) GDPR).

5. Your Rights

Under the GDPR you have the following rights regarding your personal data:

  • Access (Art. 15) – obtain a copy of the data we hold about you.
  • Rectification (Art. 16) – correct inaccurate data.
  • Erasure (Art. 17) – request deletion (“right to be forgotten”).
  • Restriction (Art. 18) – limit processing in certain cases.
  • Portability (Art. 20) – receive your data in a machine-readable format.
  • Objection (Art. 21) – object to processing based on legitimate interest.
  • Withdraw consent – at any time, where processing is based on consent.

To exercise any of these rights, contact us at privacy@cleverapprove.de. We will respond within 30 days.

6. Right to Lodge a Complaint

You have the right to lodge a complaint with the supervisory authority responsible for us:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin
www.datenschutz-berlin.de

7. Changes to This Policy

We may update this privacy policy as our services evolve or legal requirements change. The current version is always available at this URL. Material changes will be communicated via email.

Diese Seite nutzt ein einziges Session-Cookie, das für die Authentifizierung technisch notwendig ist. Keine Tracking- oder Werbe-Cookies. Datenschutz