Privacy Policy
Controller
Axel Wüstemann, bestdesq | websolutions, Virchowstraße 13, 19055 Schwerin, Germany.
Contact details as listed in the Legal Notice.
Hosting
This website and the bestdesq application are hosted by Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany). Each page request technically generates server log data (IP address, timestamp, requested page, status code). This data is used exclusively for error analysis and abuse detection and is automatically deleted after 14 days. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operation).
All data is stored and processed exclusively on servers in Germany.
Account and usage data
When you create an account, we store your email address, your password (Argon2id-hashed, never in plain text), and the business data you enter (projects, tasks, invoices, contacts, time entries, files). This data is required for contract performance (Art. 6(1)(b) GDPR).
Your data is strictly separated from other users' data through tenant isolation. Technical access to other tenants' data is impossible.
Cookies
We use only technically necessary cookies and — with your consent — analytics cookies from Matomo:
Technically necessary (always active):
- Access token (HttpOnly) – for authentication, 15-minute lifetime
- Refresh token (HttpOnly) – for session extension, 30-day lifetime
- CSRF token – protection against cross-site request forgery
Only with consent (Matomo Analytics):
- _pk_id.* – recognises returning visitors, 13-month lifetime
- _pk_ses.* – session cookie, expires after 30 minutes of inactivity
No marketing cookies or third-party cookies are set. Legal basis for technically necessary cookies: Art. 6(1)(f) GDPR (legitimate interest in secure operation).
Web analytics (Matomo)
This website uses Matomo, a self-hosted open-source analytics tool. Matomo runs on our own server in Germany (Hetzner Online GmbH). No data is shared with third parties.
Matomo is only loaded with your consent. Without consent, no analytics data is collected. When consent is given, the following data is collected: pages visited, navigation behaviour, approximate region of origin, browser type, device category, time on site. IP addresses are anonymised before storage (last two octets removed).
Legal basis: Art. 6(1)(a) GDPR (consent).
Your current setting and an option to change it:
You can also reach these settings at any time via the "Privacy settings" link in the footer of this website.
Fonts
All fonts (Inter) are loaded locally from our server. No connection to Google Fonts, Adobe, or any other external font service is made. Your IP address is not transmitted to third parties.
Payment processing
Payments are processed by Paddle.com (Paddle Payments Ltd.), which acts as Merchant of Record. Paddle issues invoices, collects payments, and is your contractual partner for payment-related matters. During a purchase you are redirected to Paddle, which processes your payment data under its own privacy policy: paddle.com/legal/privacy.
Email delivery
We send transactional emails (registration, email verification, password reset, invoice delivery) via our own SMTP server. No newsletters or marketing emails are sent.
Data export and deletion
You can export all your data at any time via settings. You can delete your account at any time — all personal data will be irreversibly removed. Invoice data is subject to statutory retention obligations under German law (§ 257 HGB, § 147 AO) and will be deleted after those periods expire.
Your rights
Under GDPR you have the right to:
- Access (Art. 15) – know what data we hold about you
- Rectification (Art. 16) – correction of inaccurate data
- Erasure (Art. 17) – deletion of your data, subject to statutory retention obligations
- Restriction of processing (Art. 18)
- Data portability (Art. 20) – export of your data in a common format
- Objection (Art. 21) – to processing based on legitimate interests
- Withdrawal of any consent you have given, at any time with effect for the future (Art. 7(3) GDPR)
- Complaint to a supervisory authority (Art. 77) – the Data Protection Authority of Mecklenburg-Vorpommern, Germany
Contact us at info@bestdesq.de to exercise your rights.


