Privacy policy

for the website and services of connactz.

As of: April 2026
  • Introduction

    This privacy policy explains
    • how we process your personal data when you visit our website,
    • how we handle personal data in the context of your use of the connactz event platform,
    • and how we process your personal data in the context of the contractual relationship.
  • Responsible

    This privacy policy applies to data processing by us as the responsible party pursuant to Art. 4 para. 7 of the General Data Protection Regulation (GDPR). Our contact details are:

    connactz GmbH
    Nelkenstraße 23
    94447 Plattling.

    Register court:
    Register number: HRB 5333
    Managing directors: Dr. Maximilian Blaschke
    Contact: Email: [email protected]
  • Definitions

    Unless this Privacy Policy contains or implies a different definition, reference is made to the definitions in Art. 4 GDPR with regard to the terms used.
  • Processing of your personal data

    • When you call up our website

      When you access our Website, meaning when you transmit information to us by any other means, we — or the host provider acting on our behalf — only collect the personal data that your browser transmits to our server. If you wish to view our Website, we collect the following data:

      • IP address
      • Date and time of the request
      • Time zone difference to Greenwich Mean Time (GMT)
      • Content of the request (specific page)
      • Access status/HTTP status code
      • Amount of data transmitted
      • Website from which the request originates
      • Operating system
      • Language and version of the browser software

      This data is technically necessary for us to display and provide our Website. The legal basis for this processing is Art. 6 (1) sentence 1 lit. f GDPR. For security reasons (e.g., to clarify cases of misuse or fraudulent activities), this data is stored for a maximum duration of 7 days and is then deleted. Data that must be retained further for evidentiary purposes is exempt from deletion until the respective incident is fully clarified. The hosting service provider we employ processes personal data on our behalf and in accordance with our instructions as a so-called processor pursuant to Art. 28 GDPR. For detailed information about our hosting provider and the location of data processing, please refer to Section 4.9 of this Privacy Policy.

    • Bot detection via ALTCHA (self-hosted)

      To prevent abuse of public forms (e.g. spam), we use ALTCHA, a self-hosted, privacy-friendly proof-of-work challenge. ALTCHA runs entirely on our own servers in the European Union. No data is transmitted to third parties, no cookies are set, and no fingerprinting or behavioral tracking is performed.

      When you submit a public form, your browser is asked to perform a small computational task. The result is sent together with the form to our backend, where we verify it. The legal basis for this processing is Art. 6 (1) sentence 1 lit. f GDPR (legitimate interest in protecting our forms from automated abuse).

    • YouTube embedded videos

      We have embedded videos from the platform YouTube on our website. YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) is responsible for data protection regarding the operation of the YouTube platform. You can find YouTube's privacy policy at: https://policies.google.com/privacy?hl=de.

      In this context, to the best of our knowledge, YouTube processes the following personal data from you:

      • IP address
      • Date and time of the request
      • Time zone difference to Greenwich Mean Time (GMT)
      • Content of the request (specific page)
      • Access status/HTTP status code
      • Amount of data transmitted
      • Website from which the request originates
      • Browser
      • Operating system and its interface
      • Language and version of the browser software
      • Data regarding interaction with the YouTube plug-in
      • If applicable, the device identifier of your device
      • The version of the YouTube software we use
      • Information on the previous playback of the video
      • Information about the manner of playback (e.g., full screen)

      The integration of YouTube videos is carried out in our interest to present you with high-quality content directly on our website. Instead of merely providing you with a link to an interesting video, you can watch the video directly on our site. This enhances our service and makes it easier for you to access engaging content. The legal basis for processing personal data in connection with the integration of YouTube videos and the associated transfer of personal data to Google LLC is Art. 6 (1) sentence 1 lit. f GDPR.

      In the context of using YouTube's services, data is also transmitted by Google to group companies and/or subprocessors. In this context, the above-mentioned data may be transferred to and stored in the USA. The level of data protection in the USA is considered inadequate by the European Commission. The data transfer to the USA is therefore based on the Standard Contractual Clauses pursuant to Art. 46 (2) lit. c GDPR. The Standard Contractual Clauses can be retrieved at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE; alternatively, you can request these documents from us using the contact details provided in Section 2.

    • When contacting us via e-mail

      E-mails that you transmit to us and that we transmit to you are processed using the services of our e-mail provider. In the context of e-mail communication, our e-mail provider processes your personal data (i.e., your e-mail address and the information you provide in the e-mail) on our behalf, in order to enable e-mail communication with you or, if you are our customer, for contract processing. The processing of your personal data is based on Art. 6 (1) sentence 1 lit. f and/or Art. 6 (1) sentence 1 lit. b GDPR. We delete the data once it is no longer required and provided that no legal obligations prevent us from doing so. We review the necessity of retention every six months.

    • When contacting us via telephone

      When you contact us by telephone, we require your personal data (e.g., name, telephone number, address, or e-mail address) in order to process your inquiry or concern. This data processing is necessary for us to be able to communicate with you or, if you are our customer, for contract processing. The processing of your personal data is based on Art. 6 (1) sentence 1 lit. f and/or Art. 6 (1) sentence 1 lit. b GDPR. We delete this data once it is no longer required and provided that no legal obligations prevent us from doing so. We review the necessity of retention every six months.

    • When contacting us via contact form

      When you contact us via the contact form, we require your personal data (e.g., name, contact details, etc.) in order to process your inquiry or concern. This data processing is necessary for us to be able to communicate with you or, if you are our customer, for contract processing. The processing of your personal data is based on Art. 6 (1) sentence 1 lit. f and/or Art. 6 (1) sentence 1 lit. b GDPR. We delete the data once it is no longer required and provided that no legal obligations prevent us from doing so. We review the necessity of retention every six months.

    • As part of the subscription to our newsletter

      If you subscribe to our newsletter, we will regularly inform you about current offers, products, promotions, and news about our company. For the purpose of sending the newsletter and addressing you personally, we process your e-mail address and, if provided, your name. The processing is based on your consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future, for example, by using the unsubscribe link included in each newsletter or by contacting us at [email protected].

      We will process your data in this context until you withdraw your consent or unsubscribe from the newsletter.

      The newsletter service provider we use processes personal data on our behalf and in accordance with our instructions as a processor pursuant to Art. 28 GDPR.

    • PostHog (Analytics, Error Tracking & Feature Flags)

      We use PostHog (PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA) for error tracking, product analytics, and the controlled rollout of new features (feature flags). Technical processing takes place through PostHog EU endpoints or our PostHog proxy; PostHog Inc. remains the provider of the platform.

      Error tracking without analytics cookies: To maintain platform stability and security, we also capture technical error events without your consent. This may include, in particular, the error description, stack trace, URL/path, HTTP status, app version, browser, device and operating system information, and technical request data. For this purpose, PostHog is initially operated in the browser without persistent storage of analytics identifiers on your device. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the secure and stable operation of the platform).

      Product analytics and feature flags after consent: If you consent to the use of non-essential cookies and analytics functions, additional usage events (e.g. page views, clicks, registration, login, calendar, message, file, invoice, contract, and AI Agent actions), device and browser data, feature-flag assignments, and account or project references may be processed. For logged-in users, we may link PostHog to your user ID and selected account properties such as e-mail address, role, language setting, registration date, and platform (web/iOS/Android) in order to associate usage, errors, and feature rollouts with your account. The legal basis is your consent pursuant to Art. 6(1)(a) GDPR, which you can withdraw at any time via the cookie settings.

      Server-side operational events: In addition, we collect product and operational events from our backend, for example registration, project creation, payment/plan status, sending messages, and creating events, files, contracts, or invoices. These events may be linked to user or project identifiers and technical properties. They are used to provide the platform, analyze errors, prevent abuse, handle billing, and improve the platform. The legal basis is Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR.

      PostHog is certified under the EU-US Data Privacy Framework; where personal data is transferred to the USA, this is additionally based on the European Commission's Standard Contractual Clauses. For more information, see PostHog's Privacy Policy.

    • Hosting and Database Infrastructure (Supabase / AWS Frankfurt)

      To provide our platform, we use the infrastructure of Supabase (Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992). Supabase provides the database, authentication, and file storage on which our users' personal data is processed and stored (including account data, profile information, project data, messages, and uploaded files).

      All production customer data is stored exclusively in the Central EU (Frankfurt) region. The underlying infrastructure is operated by Amazon Web Services (AWS) in the eu-central-1 data center (Frankfurt am Main, Germany). Personal data is not stored outside the European Union in regular operation.

      Since Supabase Inc. and Amazon Web Services, Inc. are headquartered in the United States, incidental data transfers to the USA may occur for technical reasons (e.g. support or administrative access). Processing is carried out on the basis of a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR. For any data transfers to the USA, the European Commission's Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR as well as a Transfer Impact Assessment (TIA) in accordance with the Schrems II requirements are in place. Supabase and AWS are also certified under the EU-US Data Privacy Framework.

      The legal basis for this processing is Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in the reliable and secure operation of our platform). The relevant documents (DPA, TIA) will be provided upon request via the contact details listed in Section 2. For further information, please see Supabase's Privacy Policy and the AWS GDPR Center.

    • Google Maps (maps, directions, address autocomplete)

      For the display of maps on event, venue, and profile detail pages, for route planning to venues, and for the address autocomplete feature in forms, we use the Google Maps Platform provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When a map is loaded or the address input is used, your browser establishes a direct connection to Google's servers. The following data is transmitted to Google:

      • IP address of your device
      • Browser type, operating system, and language setting (user agent)
      • Technical request metadata (map bounding box, zoom level, queried coordinates, search text in autocomplete)
      • If you are simultaneously logged into a Google account, Google may associate the request with that account

      We do not store any personal data on our behalf in Google's systems; Google Maps is a transient functional service, not a data-storage service. The legal basis for this processing is Art. 6(1)(f) GDPR (legitimate interest in providing convenient, complete venue visualization and accurate address capture).

      Google Ireland Limited is our EU contracting party. Because its parent company Google LLC is headquartered in the USA, incidental data transfers to the USA may occur for technical reasons. For these transfers, the European Commission's Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR have been agreed, and Google LLC is additionally certified under the EU-US Data Privacy Framework. A Data Processing Agreement (Google Cloud Data Processing Addendum) pursuant to Art. 28 GDPR is in place with Google. For more information, please see Google's Privacy Policy.

  • When registering and using our platform

    • Mandatory data for registration on our event platform

      When you register on our platform, you must provide certain mandatory information about yourself. We therefore process the following personal data from you:

      • E-mail address
      • Password

      The legal basis for the processing is Art. 6 (1) sentence 1 lit. b GDPR. We store your data until you cancel your user account. Afterwards, your data will be deleted in relation to the user account, unless its retention is necessary for commercial or tax reasons pursuant to Art. 6 (1) sentence 1 lit. c GDPR.

    • Optional profile information for musicians / artists

      In addition to the required mandatory information, you can provide additional details that make it easier for other users to get to know you better and, for example, to book you as a project. We may therefore process personal data that you voluntarily add to your profile, such as

      • Nickname/artist name or project name
      • If your profile is associated with a project: status within the project ("Admin" / "Member" / "Guest")
      • Profile photo
      • Hometown and details regarding the radius within which jobs should be accepted
      • Skills, instruments, equipment
      • Details about your artistic career
      • Genres
      • Details about lineup/cast
      • Details about bookable events
      • Self-description
      • Age
      • Physical features (eye color, hair color, etc.)
      • Voice, accents & languages
      • Contact information
      • Homepage
      • Address
      • Songs in the setlist (for music projects)

      Other users can view, share, or link to this data. Certain information about you may be accessible by default to other users of our platform (e.g., your username, your profile picture, content added to your profile). In addition, we will inform you via e-mail if there are details missing in your profile or if your profile is incomplete. For this purpose, we use your e-mail address and your name (to be able to address you personally).

      The legal basis for the processing is Art. 6 (1) sentence 1 lit. b GDPR. The deletion of this data occurs either selectively for specific details when you remove them from our platform, or completely when you delete your account on our platform.

    • Contact management through HubSpot

      We use HubSpot (hubspot.com) for the management of user and customer data (CRM) and in particular for capturing process data (e.g., e-mails, notes from conversations, etc.). This provides us with an overview of previous communications. In addition, we use HubSpot for lead generation via our blog (blog.connactz.com) and for the automated sending of e-mails. In doing so, we sometimes transfer data from sections 5.1 and 5.2 as well as usage statistics and usage-relevant information (e.g. the number of new event inquiries) to HubSpot in order to make the e-mails with personalized content more relevant to you.

      Our HubSpot account is configured so that all customer and CRM data is stored and processed exclusively in the data hosting region "European Union (Germany)". In regular operation, such data is not stored outside the European Union.

      For EU-based customers, our contracting party is HubSpot Ireland Limited, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, D01 K2C5, Ireland. Since the parent company HubSpot, Inc. is based in the USA, incidental data transfers to the USA may occur for technical reasons (e.g., support or administrative access by HubSpot staff). For any such transfers, the European Commission's Standard Contractual Clauses pursuant to Art. 46 (2) lit. c GDPR have been agreed. HubSpot, Inc. is additionally certified under the EU-US Data Privacy Framework. A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR is in place with HubSpot.

      The legal basis for processing is Art. 6 (1) sentence 1 lit. f GDPR (legitimate interest in efficient customer and contact management) and Art. 6 (1) sentence 1 lit. b GDPR (performance of a contract). The Standard Contractual Clauses can be retrieved at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE. For more information, please see HubSpot's Privacy Policy.

    • Use of your e-mail address for system notifications

      We send you e-mails when a message is received in your connactz inbox or when an appointment is approaching. This is to ensure that you do not overlook a message sent to you by another user and that you do not miss an appointment. The legal basis for this is Art. 6 (1) sentence 1 lit. b GDPR. We delete this data once it is no longer required for system notifications and platform communication. Typically, this is the case when you delete your user account with us. We review the necessity every six months.

    • Personalization of your search results

      We also process your data to suggest to you, if you are an organizer, those projects/artists or, if you are a project/artist, those organizers and events as well as other projects/artists that best match you. This requires a user-specific evaluation of the relevance of products and content, i.e., personalization. Only with such personalization can we present you with results that truly match you. In doing so, your profile information and your previous use of our platform are analyzed and compared using an algorithm with the anonymized profiles of other users with similar characteristics. This is intended to ensure that the suggestions presented to you better match you. Of course, you have access to all profiles despite the personalization. The personalization merely serves to draw your attention earlier to the profiles that are more relevant to you.

      For the purpose of personalization, we use the following data that we collect as part of your use of our platform:

      • Types of events
      • Desired genres
      • Desired lineups
      • Special requirements of an event
      • Date information
      • Information about your use of our platform (e.g., booked or performed events, requested fee or planned budget, songs on your setlist)
      • Data from Section 5.2

      The legal basis for the processing is Art. 6 (1) sentence 1 lit. f GDPR. We delete this data once it is no longer required for the purpose for which it was collected – in this case, the personalization of your profile. Typically, this is the case when you delete your profile with us. We review the necessity every six months.

    • When you create an event

      When you, as an organizer, create an Open Call on our platform, we collect various pieces of information from you that may include personal data. These include:

      • Name of the event for which you are searching for artists/projects
      • Date and time of the event
      • Details regarding any available equipment
      • Details about the desired act (genre, lineup, etc.)
      • E-mail address
      • Telephone number (optional)
      • Details about your budget

      With the exception of your contact data (i.e., your e-mail address and telephone number) and the budget, these details are visible to other users of our platform. If another user contacts you and you initiate contact with another user, the entire communication takes place via the chat function on our platform, so that your communication partner does not automatically receive your contact details. However, you can optionally activate the publication of your contact data. In that case, they will be visible to other users of our platform.

      The legal basis for the processing is Art. 6 (1) sentence 1 lit. b GDPR. We store your data until you cancel your user account.

      If you reach an agreement with an artist/project, that artist/project has the option to generate a contract and invoices using our contract and invoice generator (see also Section 5.9 of this Privacy Policy). These documents will be enriched with the contact data stored in your profile. This data transfer only occurs with your explicit consent and only if you reach an agreement with an artist/project.

    • When submitting a bid for an event

      When you, as an artist/project, submit an offer for an Open Call on our platform, we collect various pieces of information from you that may include personal data and transmit them to the respective organizer for whose event you are submitting an offer. These include:

      • The price at which you are willing to perform the event
      • Information provided in the comment field

      The legal basis for the processing is Art. 6 (1) sentence 1 lit. b GDPR. We store your data until you cancel your user account. Afterwards, your data in relation to the user account is deleted.

    • When connecting calendar services

      We offer our users the option to display their private calendars on our website by connecting through the Google Calendar API, the Microsoft Outlook integration, or by sharing their iCloud (Apple) calendars, in order to check scheduling conflicts and make availabilities visible to team members (members of the same project). Members of the same project can view the availability of their teammates but not the reasons for any scheduling conflicts. Only the user themselves can view event details and the reasons for scheduling conflicts. An exception applies where the user actively provides such data to the AI assistant as working context (see section 5.13).

      From external calendars, connactz permanently stores only the connection and configuration data required for the calendar integration, in particular OAuth access and refresh tokens for Google or Microsoft, an app-specific password for iCloud, the calendar identifier, calendar names, and priority settings. Individual calendar events from Google Calendar, Microsoft Outlook, or iCloud (e.g. title, description, time period, status, or attendees) are generally not stored permanently in our database. This information is reloaded through the connection each time the service is used and thereby kept up to date.

      If you expressly ask the AI assistant to list or analyze external calendar entries or to take them into account for planning suggestions, the retrieved appointment data may be included as a tool result in the AI chat history and in the context of the respective AI request. The information on the AI chat assistant in section 5.13 applies additionally to processing by AI providers.

      To enable this functionality, you sign in with Google or Microsoft and authorize the API integration; for iCloud (Apple) calendars, you set up an app-specific password for the connection. Please note that we do not have access to your Microsoft or Google account password and that you can deactivate and delete the integration at any time by removing these connections within connactz or from your Microsoft/Google account settings, or by changing or removing the app-specific password for Apple.

      The use or disclosure of information obtained through Google APIs to other apps is subject to the Google API Services User Data Policy (available at https://developers.google.com/terms/api-services-user-data-policy#additional_requirements_for_specific_api_scopes) and the Limited Use requirements.

    • When using our contract or invoice generator

      When you, as an artist/project, use our contract and invoice generator, we create contracts and invoices for you with organizers or other artists/projects with whom you have reached an agreement. In this context, we process the following data which may include personal data:

      • Your contact details stored in your profile
      • The contact details stored in the profile of the respective contractual partner
      • For invoices, details regarding your tax attributes (tax rate, tax ID, VAT ID)
      • Settings and contract options that you enter during the contract generation process (arrangements for accommodation, payment formalities, etc.)

      In addition, you have the possibility, within your project, to make an internal division of your fee and to create corresponding invoices and receipts. For this, we process the following data:

      • The agreed fee
      • The internal division of the fee within the project
      • The names and contact details of the team members
      • The expenses to be credited and information about them (such as travel costs, accommodation costs, etc.)

      The legal basis for the processing is Art. 6 (1) sentence 1 lit. b GDPR. We store this data until you cancel your user account. Afterwards, your data is deleted in relation to the user account. Please remember, however, that you must archive these documents in compliance with tax regulations at all times.

    • When you communicate with other users of our platform

      You have the option to get in touch with other users of our platform. As part of this communication, we generally process all data that you provide within this context and transmit it to the recipient you have selected. This data includes, in particular:

      • Message content
      • Shared files

      The legal basis for the processing is Art. 6 (1) sentence 1 lit. b GDPR. The deletion of this data occurs either selectively for specific details when you remove them from our platform or completely for all data when you delete your account on our platform.

    • Processing of Personal Data in Connection with Invitations for Guest Users

      Artists have the option to invite other individuals to a project or event on the platform via e-mail. In this context, the provider processes the e-mail address of the invited person, as provided by the inviting artist, solely for the purpose of carrying out the invitation and enabling participation in the respective project or event. The processing is based on Art. 6 (1) lit. b GDPR, insofar as the invitation serves the initiation or execution of a project- or event-related collaboration, as well as on Art. 6 (1) lit. f GDPR within the legitimate interest of the inviting artist or project in organizing the event or project. In cases where the invited person has previously consented to being contacted by the artist, the processing of the e-mail address for sending an invitation is based on Art. 6 (1) lit. a GDPR. The inviting artist is responsible for ensuring that the invited individuals have consented to electronic contact via e-mail based on Art. 6 (1) lit. a GDPR. The e-mail address of the invited person will be stored for the duration of the invitation and, if applicable, the event or project participation, and subsequently deleted unless statutory retention obligations prevent this.

    • Processing of Personal Data of Guest Users

      Guest users are individuals who are invited to a project via e-mail without registering their own user account on the platform. Scope of data processing:

      • For the invitation and communication with guest users, their e-mail address is processed.
      • Guest users can send messages to the respective event/project via e-mail. These messages are published in the overview of the event/project and are visible to participants involved in the event/project.
      • Guest users can view the overview of the event/project.
      • No further use or processing of data takes place.

      The processing is carried out pursuant to Art. 6 (1) lit. b GDPR for the purpose of carrying out the invitation and enabling communication within the event/project, as well as pursuant to Art. 6 (1) lit. f GDPR on the basis of the legitimate interest of the inviting artist or project in collaborating with external individuals. In cases where the invited person has previously consented to being contacted by the artist, the processing of the e-mail address for sending an invitation is based on Art. 6 (1) lit. a GDPR. The personal data processed in the context of invitations and guest user communication are visible within the platform to users involved in the respective event/project. Data will not be shared with third parties outside the platform unless required by law. The personal data processed in connection with invitations and guest users are stored only for as long as necessary for the respective purposes:

      • Unaccepted invitations: The e-mail address of an invited person will be deleted no later than 30 days after the invitation is sent, unless registration or participation in the project occurs.
      • Guest user data: Data of guest users (in particular e-mail addresses and transmitted messages) are stored for the duration of the event/project and deleted after its completion or removal, unless statutory retention obligations prevent this.
      • Log data: Technical logs related to the sending and delivery of invitations are retained for security and verification purposes for up to 90 days and then deleted.
    • AI Chat Assistant and AI-powered features

      We offer an AI-powered chat assistant (the "AI Agent") as well as other AI-powered features that support you in using the platform. The assistant answers questions about the platform and, at your request, can perform actions in your account (e.g. create events, draft messages, prepare contracts, suggest venues, draft social media posts). You can also set up AI-powered automations that run recurring tasks on a schedule (CRON-style). The following data is processed:

      • Your chat messages and queries
      • Context information about your account (profile type, active role, language preference)
      • Project, event, and external calendar data you select as working context for the AI
      • Generated responses and conversation histories
      • Actions executed by the AI assistant on your behalf and their results
      • AI memory: the assistant creates summaries of earlier conversations so it can respond in context in future sessions
      • Automation configurations (schedules, triggers, execution results)

      External calendar data in AI chat: If you expressly ask the assistant to list or analyze external calendar events or to take them into account for planning suggestions, this calendar data is retrieved from the connected calendar service only for the requested function and transmitted as working context to the AI provider active under the project setting. The tool results and the responses generated from them may become part of the AI chat history.

      Choice of processing region (EU / Global): Administrators can configure, for each project, whether AI requests are processed in the EU or Global region. The setting is located in the project settings under "AI data processing region". New projects are created with the "EU" setting by default (Mistral AI, Paris). Switching to "Global" is possible at any time; before switching, we explicitly warn that data will then be transferred to the USA.

      • EU mode: All AI requests for the project in question are processed exclusively by Mistral AI SAS, 15 rue des Halles, 75001 Paris, France. Data processing takes place on servers within the European Union. Personal data is not transferred to third countries in this mode.
      • Global mode: AI requests are primarily processed by OpenAI OpCo, LLC, 1455 3rd Street, San Francisco, CA 94158, USA. OpenAI transfers data to the USA. The data transfer is based on the European Commission's Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. OpenAI is additionally certified under the EU-US Data Privacy Framework.

      A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR is in place with both providers. Neither OpenAI nor Mistral is permitted to use your inputs to train their own models.

      No automated individual decision-making: The AI assistant only produces suggestions and prepares actions. The final decision on whether an action is executed (e.g. sending a message, concluding a contract) always rests with you. No automated individual decision-making or profiling within the meaning of Art. 22 GDPR takes place.

      Usage limits: Monthly usage limits per user and project apply to the AI assistant in order to ensure fair and sustainable use.

      Retention: Chat histories and AI memories are linked to your user account or the respective project and stored as long as you or your project administrators actively keep them. You can review and delete AI memories at any time via the AI settings in your account. Automatic deletion occurs when you delete a conversation, your project, or your user account.

      The legal basis for the processing is Art. 6(1)(b) GDPR (performance of a contract — AI-powered features are part of our service offering) and Art. 6(1)(f) GDPR (legitimate interest in the continuous improvement of our services). For more information, see Mistral AI's Privacy Policy and OpenAI's Privacy Policy.

    • WhatsApp Integration

      We offer the option to receive notifications and messages via WhatsApp and to use the AI chat assistant through WhatsApp. The following data is processed:

      • Your mobile phone number
      • Verification data (e.g. verification code, expiry time, and verification timestamp)
      • Incoming and outgoing message content, including transmitted files or media
      • Delivery and read receipts, Meta message identifiers, and communication timestamps
      • Context for notifications recently sent via WhatsApp (e.g. workflow, template, and related event or project), where this is required to assign your reply

      Processing is carried out via the Meta Business API (Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland). If you use the AI chat assistant through WhatsApp, your WhatsApp messages and any transmitted files are processed like chat inputs and transmitted to the AI provider active under the project or conversation setting. The information on the AI chat assistant in Section 5.13 applies additionally to this processing, in particular with regard to the choice of processing region, AI providers, and retention of chat histories.

      The legal basis for linking and communication via WhatsApp is your consent (Art. 6(1)(a) GDPR). The legal bases listed in Section 5.13 apply additionally to the processing of your content in AI chat. You can deactivate the WhatsApp integration at any time in your account settings. For more information, see our WhatsApp Data Deletion Instructions below.

    • Social Media Connections

      We offer the option to connect your social media accounts to your connactz project so that our AI Agent or you yourself can publish posts on your own channels. Connecting an account is entirely optional; the platform is fully usable without it.

      Data processed:

      • OAuth access and refresh tokens of the connected platform (stored AES-256-GCM encrypted)
      • Profile information of the connected accounts (account ID, account name, profile picture)
      • Post content (text, images, video) created by you or the AI Agent, during publication
      • Time and status of publications

      Permissions (scopes) you grant:

      • Facebook: pages_show_list, pages_read_engagement, pages_manage_posts — allows listing your Facebook pages and publishing posts
      • Instagram: instagram_basic, instagram_content_publish, pages_show_list, pages_read_engagement — allows access to your Instagram Business or Creator accounts and publishing media
      • TikTok: user.info.basic, video.publish — allows retrieving your basic profile data and publishing videos
      • YouTube: youtube.upload — allows uploading videos

      These permissions limit us to publishing only. We do not read third-party posts, comments, or private messages. We do not collect usage statistics from your social media account and do not perform any tracking across the connected platforms.

      Controllers and third-country transfers:

      • Facebook / Instagram — Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (EU contracting party). Parent company Meta Platforms, Inc. is headquartered in the USA; for technical reasons, data transfers to the USA may occur. Legal basis: Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR; Meta Platforms, Inc. is certified under the EU-US Data Privacy Framework.
      • YouTube — Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (EU contracting party). Parent company Google LLC is headquartered in the USA. Legal basis: Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR; Google LLC is certified under the EU-US Data Privacy Framework.
      • TikTok — TikTok Technology Limited, 10 Earlsfort Terrace, Dublin 2, Ireland (EU contracting party). Special notice: The TikTok group maintains staff in the USA and in the People's Republic of China; personal data may be transferred to those countries. The European Commission has not issued an adequacy decision for the People's Republic of China. The transfer is carried out on the basis of Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. If you wish to avoid such transfers, please do not connect your TikTok account.

      Once a post has been published, its content is subject to the privacy policy and terms of service of the respective platform where it now appears.

      Retention: OAuth tokens and profile information are stored as long as the connection is active. When you disconnect an account in your account settings, the tokens are deleted immediately. Post content is stored within our platform as long as you keep it in connactz; after publication, the copy on the respective platform continues to exist independently of us.

      Processing is based on your consent (Art. 6(1)(a) GDPR). You can withdraw your consent at any time with effect for the future by disconnecting the account in your account settings. For more information, see the privacy policies of the respective platforms: Meta (Facebook/Instagram), TikTok, Google (YouTube).

    • Search queries to Brave Search and Spotify search / embeds

      To provide certain platform features, we send search queries that you trigger within the platform to specialized third-party providers. Only the entered search terms and technical request metadata (such as our server's IP address) are transmitted — no user identifiers, e-mail addresses, or other personal account information.

      • Brave Search (Brave Software, Inc., 420 S El Camino Real, Suite 210, San Mateo, CA 94402, USA): Used by the AI assistant as a web-search tool and for automatic lookup of official venue websites when creating an event. Transmitted: the search query (derived from your AI inputs or from event data such as venue name, city, and date) plus technical metadata.
      • Spotify (Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden; affiliate Spotify USA Inc., 150 Greenwich Street, New York, NY 10007, USA): Used for track search (e.g., when maintaining your setlist). Transmitted: the search query (e.g., song title or artist name) plus technical metadata. Requests run through a technical platform account (Client Credentials Flow); no connection to personal Spotify accounts is established.

      Spotify embeds on public profile pages: If a project or artist adds a Spotify link to a public profile, we may embed a Spotify player from open.spotify.com. When the player loads, your browser as a visitor to the public profile page establishes a direct connection to Spotify. In particular, Spotify may process your IP address, browser and device information, referrer, requested Spotify content and, where applicable, Spotify cookies or Spotify account status. If you want to avoid this, please do not load the player or block external content in your browser.

      Both providers have affiliated companies in the USA. Data transfers are carried out on the basis of the European Commission's Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. The legal basis for server-side search functions is Art. 6(1)(b) GDPR (performance of a contract — the search features are part of our service offering) and Art. 6(1)(f) GDPR (legitimate interest in a convenient and complete platform experience). The legal basis for embedding Spotify players on public profile pages is Art. 6(1)(f) GDPR (legitimate interest in displaying artist and project content). For more information, see Brave's Privacy Policy and Spotify's Privacy Policy.

    • Venue discovery search

      We offer an automated venue discovery feature that suggests suitable performance locations. For this, we process your search criteria (genre, region, event type) as well as event and project data in order to match relevant results.

      To look up venues, we transmit the relevant search terms to the following third-party providers:

      • Google Places API (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) — location and business information
      • Brave Search API (Brave Software, Inc., 420 S El Camino Real, Suite 210, San Mateo, CA 94402, USA) — web search for official venue websites
      • Ticketmaster Discovery API (Ticketmaster, a brand of Live Nation Entertainment, Inc., 9348 Civic Center Drive, Beverly Hills, CA 90210, USA) — event and venue data
      • OpenStreetMap / Overpass API (OpenStreetMap Foundation, 132 Maney Hill Road, Sutton Coldfield, United Kingdom) — map data and geocoding
      • Wikidata API (Wikimedia Foundation, Inc., 1 Montgomery Street, Suite 1600, San Francisco, CA 94104, USA) — public reference data

      As part of the analysis, our AI assistant may additionally retrieve venue websites automatically and extract their publicly accessible content (description, contact information, opening hours); that content is then analyzed by the AI provider as described in Section 5.13.

      Transfers to US-based providers are carried out on the basis of the European Commission's Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR; for Google the EU-US Data Privacy Framework applies in addition. The legal basis for the processing is Art. 6(1)(b) GDPR (performance of a contract) combined with Art. 6(1)(f) GDPR (legitimate interest in a relevant matchmaking service).

    • Notifications via Novu

      For sending system notifications (email, push notifications, optionally SMS and WhatsApp) we use the service Novu (Novu Inc., 548 Market Street, San Francisco, CA 94104, USA) through Novu's EU instance. The following data is transmitted to Novu:

      • Email address
      • First and last name
      • Mobile number (if provided for WhatsApp/SMS notifications)
      • Language preference
      • Notification settings and content (e.g. booking requests, status updates, reminders)

      Novu processes this data on our behalf as a processor pursuant to Art. 28 GDPR. Processing takes place in Novu's EU region; in regular operation, these notification data are not transmitted to a Novu US instance. The legal basis is Art. 6(1)(b) GDPR (performance of a contract) for transactional notifications and Art. 6(1)(a) GDPR (consent) for optional channels such as WhatsApp.

    • Email reply feature (reply tokens)

      System email notifications can include an individual reply-to address that lets you reply directly to a platform message without signing in. To enable this, we embed a cryptographically signed token (HMAC-SHA256) in the reply-to address that encodes your identity and the related conversation. The token is valid for a limited time and expires automatically thereafter.

      Incoming reply emails are processed by our notification provider (see Section 5.18) and assigned to the corresponding conversation on our platform. The legal basis is Art. 6(1)(b) GDPR (performance of a contract).

    • Calendar feed (iCal export)

      You can optionally export your events as an iCal feed (.ics) and subscribe to it in external calendar applications (e.g. Google Calendar, Apple Calendar, Outlook). The feed is available via an individual, hard-to-guess URL tied to your account. The event data contained in the feed (title, date, location, description) is accessible through this URL without additional authentication.

      You can disable the feed at any time in your account settings or regenerate the URL, which immediately invalidates the previous URL. The legal basis is Art. 6(1)(a) GDPR (consent expressed by actively enabling the feed).

    • Digital contract signing

      For the digital signing of contracts created via our contract generator, we use a token-based procedure. The signer receives a cryptographically signed link (HMAC-SHA256) by email that is valid for a limited time. When signing, we record the following data to document the legally binding declaration of intent:

      • Name of the signer
      • Timestamp of signing
      • Explicit consent (consent flag)
      • IP address at the time of signing

      The legal basis is Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in the legally sound documentation of a declaration of intent). The documents and related evidentiary data are stored until deletion of the user account; statutory commercial and tax retention periods (in particular § 147 AO) apply accordingly.

    • E-invoice (ZUGFeRD format)

      Invoices created through our invoice generator can optionally be exported in the ZUGFeRD format (PDF/A-3 with embedded structured XML). To do so, the data contained in the invoice (issuer, recipient, line items, tax details, bank details) is converted into a machine-readable XML format and embedded into the PDF.

      Processing takes place exclusively on our servers in the EU (see Section 4.9); no invoice data is transmitted to external providers for conversion. The legal basis is Art. 6(1)(b) GDPR (performance of a contract).

  • Processing of your data as a paying artist / project

    • Processing of your data for contract management

      If you are or become our customer, we process data from you that may include personal data in the context of processing your order and fulfilling our contractual obligations. The data processed includes master data (e.g., names and addresses), contact data (e.g., e-mail addresses and telephone numbers), contract data (e.g., services used, contract contents, contractual communication, names of contact persons) as well as payment data (e.g., your bank details, payment history). We require this data to fulfill the contract. If this includes personal data, the processing is based on Art. 6 (1) lit. b GDPR. There is no legal or contractual obligation to provide this data.

      All data processed for contractual purposes is processed by us for at least the duration of the contractual relationship plus the applicable warranty period. Afterwards, the data is deleted if it is no longer required for the purpose stated and no retention obligations prevail.

    • Marketing to existing customers (§ 7 para. 3 UWG)

      We process certain of your personal data in order to regularly send you status e-mails as well as advertising for our own similar products and services or surveys for our own market research purposes. This includes the following personal data:

      • Name
      • E-mail address

      This processing is carried out in our interest in direct marketing and maintaining customer relationships. The legal basis for this is Art. 6 (1) sentence 1 lit. f GDPR. The deletion of this data occurs either selectively for specific details when you remove them from our platform or completely when you delete your account on our platform.

    • Stripe payment processing

      The execution and thus the collection, processing, and storage of electronic payment transaction data is carried out by our payment service provider, Stripe Payments Europe, Limited, The One Building, 1 Grand Canal Street Lower, Dublin 2, Co. Dublin, Ireland ("Stripe"). Stripe Payments Europe, Ltd. is the EU contracting entity of the Stripe group responsible for customers established in the European Economic Area. Through Stripe, it is possible to offer various payment methods, such as credit card payments or SEPA direct debit.

      With every payment transaction, Stripe receives data for processing the electronic payment transaction, such as the information you provided during the order process along with the details of your order (name, address, e-mail address, IBAN/BIC, possibly credit card number, invoice amount, currency, and transaction number). The processing of your data by Stripe is necessary for payment processing and thus for the fulfillment of the contract. The legal basis for this is Art. 6 (1) sentence 1 lit. b GDPR. This data is deleted after the statutory retention periods have expired. Stripe processes your personal data on our behalf and in accordance with our instructions as a so-called processor pursuant to Art. 28 GDPR. A corresponding Data Processing Agreement (DPA) is in place.

      Primary processing takes place within the European Union. However, Stripe may in individual cases transfer data to affiliated companies, in particular to Stripe, Inc. in the USA. For any such data transfers to the USA, the European Commission's Standard Contractual Clauses pursuant to Art. 46 (2) lit. c GDPR have been agreed. Stripe, Inc. is additionally certified under the EU-US Data Privacy Framework and thus provides a level of data protection recognized by the European Commission. The Standard Contractual Clauses can be retrieved at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32010D0087&from=DE; alternatively, you can request these documents from us using the contact details provided in Section 2. For more information, please see Stripe's Privacy Policy.

    • Processing of your data for contact management purposes

      We store master data (e.g., names and addresses), contact data (e.g., e-mail addresses and telephone numbers), as well as contract data (e.g., services used, contract contents, contractual communication, names of contact persons) of customers, prospects, suppliers, and other business partners for later contact purposes. These personal data may be stored in a CRM system ("Customer Relationship Management System") or comparable systems for managing inquiries. This enables us to efficiently organize incoming contacts. The processing of your personal data is carried out on the basis of Art. 6 (1) lit. f GDPR. All data processed in this context is stored by us for at least the duration of the contractual relationship plus an additional period of three years.

    • Processing of your data for accounting purposes

      In addition, we process your data, in particular your master, contract, and payment data, for accounting purposes. This processing is carried out in part on the basis of legal obligations pursuant to Art. 6 (1) lit. c GDPR.

      Under legal requirements in Germany, we are further obliged to retain or store certain data, so that we may not delete or destroy it even after the intended purpose has been achieved; see Art. 17 (3) lit. b GDPR. This applies to master data (e.g., names and addresses), contact data (e.g., e-mail addresses and telephone numbers), contract data (e.g., services used, contract contents, contractual communication, names of contact persons) and payment data (e.g., bank details, payment history). In particular, the retention or storage of books, records, inventories, annual financial statements, management reports, opening balances, as well as the work instructions and other organizational documents necessary for their understanding, the received and sent commercial or business letters, the accounting documents, and other documents, insofar as they are relevant for taxation, is prescribed for ten years in accordance with § 147 (1) of the Fiscal Code (AO). This also applies to any personal data of the data subjects contained in the documents mentioned above. The legal basis for this retention or storage is Art. 6 (1) lit. c GDPR.

    • Transfer of your data to external consultants and professional secrecy holders and for accounting purposes

      In addition, we may sometimes transfer your personal data to advisors such as tax consultants, lawyers, auditors, or accountants. This is done in our interest in legally compliant business operations or for financial accounting purposes. The legal basis for this is Art. 6 (1) sentence 1 lit. f GDPR or § 24 (1) no. 2 of the new BDSG.

  • Deletion of data

    The data processed by us is deleted in accordance with Art. 17 GDPR or restricted in its processing in accordance with Art. 18 GDPR.

    Unless otherwise provided for in this Privacy Policy, the data processed by us will be deleted as soon as it is no longer required for its intended purpose and provided that no legal retention obligations prevent deletion. We review the necessity every six months.

  • Data subject rights

    You have the right:

    • in accordance with Art. 15 GDPR, to request information about your personal data processed by us. In particular, you may request details regarding the purposes of the processing, the categories of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage duration, the existence of a right to rectification, deletion, restriction of processing, or objection, the existence of a right to lodge a complaint, the origin of your data (if it was not collected by us), as well as the existence of any automated decision-making including profiling and, where applicable, meaningful information about its details;
    • in accordance with Art. 16 GDPR, to request the prompt rectification of inaccurate personal data or the completion of incomplete personal data stored with us;
    • in accordance with Art. 17 GDPR, to request the deletion of your personal data stored with us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the assertion, exercise, or defense of legal claims;
    • in accordance with Art. 18 GDPR, to request the restriction of processing of your personal data, insofar as you dispute the accuracy of the data; the processing is unlawful but you refuse the deletion of the data; we no longer require the data but you need it for the assertion, exercise, or defense of legal claims; or you have objected to the processing pursuant to Art. 21 GDPR;
    • in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used, and machine-readable format or to request its transmission to another controller;
    • in accordance with Art. 77 GDPR, to lodge a complaint with a supervisory authority. In general, you may contact the supervisory authority of your usual place of residence or place of work, or that of our company headquarters.
  • Revocation of consent given

    If we process your personal data on the basis of a consent provided by you pursuant to Art. 9 (2) lit. a or Art. 6 (1) lit. a GDPR, you have the right to revoke any consent you may have given pursuant to Art. 7 (3) GDPR with effect for the future.

    If you wish to exercise your right of withdrawal, you may notify us by e-mail at [email protected]. Alternatively, you may also use the contact details provided above in Section 2.

  • Objection in case of processing based on legitimate interest

    If we process your personal data on the basis of our legitimate interests pursuant to Art. 6 (1) sentence 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, insofar as there are reasons arising from your particular situation or if the objection relates to direct marketing. In the latter case, you have a general right to object, which we implement without the need for a specific explanation.

    If you wish to exercise your right to object, you may notify us by e-mail at [email protected]. Alternatively, you may also use the contact details provided above in Section 2.

  • Security measures

    We take organizational, contractual, and technical security measures in accordance with state-of-the-art standards to ensure that the provisions of data protection laws are complied with and to protect the data processed by us against accidental or deliberate manipulation, loss, destruction, or unauthorized access. These security measures include, in particular, the encrypted transmission of data between your browser and our server.
  • Changes to this privacy policy

    We reserve the right to change our Privacy Policy if this should become necessary due to new technologies or changes in our data processing procedures, or to adapt it to changes in the legal situation relevant to us. However, this only concerns this Privacy Policy. If we process your personal data on the basis of a consent provided by you or if parts of the Privacy Policy contain provisions of the contractual relationship with you, any changes will only be made with your consent.

    The current version of our Privacy Policy can be viewed at https://www.connactz.com/en/privacy.