Inboundy
DEEN
Start free
← Back to home

Privacy notice

Inboundy platform notice: This notice applies to the Inboundy website and related online services. When you use app features (for example account management, subscriptions, or LinkedIn integrations), additional feature-level privacy information may apply in the product interface.

Contents

  • A. Controller, roles and scope
  • B. Technical usage data
  • C. Accounts, contracts and payments
  • D. Providers, international transfers and cookies
  • E. AI transparency
  • F. Retention
  • G. Your rights
  • H. Data protection contact

A. Controller, roles and scope of processing

A.1 Controller

The controller under the GDPR is Lorenz Wieseke, LOVIZ, Roßmarktstraße 37, 04177 Leipzig, Germany, phone: +49 1577 1572415, email: contact@inboundy.app.

A.2 Data protection roles

Depending on the processing activity, we act in different roles under the GDPR:

  • We act as controller for data that concerns us directly: website visitors, prospects, customer account and contract data, and general communication.
  • We act as processor under Art. 28 GDPR where our customers use Inboundy to process personal data of third parties (in particular LinkedIn profile and contact data of their own target persons). In that case the customer is controller and bears sole responsibility for the lawfulness of the processing.

A data processing agreement (DPA) under Art. 28 GDPR is available to customers on request at contact@inboundy.app.

A.3 Scope and legal bases

We process personal data only where this is required to operate the website, provide our SaaS services, perform contracts, or communicate with you. Depending on the context, legal bases are Art. 6(1)(a), (b), (c), or (f) GDPR.

B. Technical data when visiting the website

When you access our pages, we process technically required connection and log data. This includes in particular requested URL, timestamp, amount of transferred data, referrer, browser type, operating system, and IP address (where applicable in shortened form).

This processing is necessary for secure delivery of the website, error diagnostics, and abuse prevention. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security and stability).

Our website uses HTTPS/TLS encryption to protect data in transit.

C. Accounts, contracts and payments

C.1 Registration and customer account

If you create an account, we process the data provided in the form for account creation, authentication, and account administration. Legal basis: Art. 6(1)(b) GDPR.

You may request account deletion at any time. After open contractual matters are completed, we erase data unless statutory retention duties apply.

C.2 Contract performance and support

To provide booked services, handle requests, and perform contract-related operations, we process required master data, usage data, and communication data. Legal basis: Art. 6(1)(b) GDPR and, where necessary, Art. 6(1)(c) GDPR.

C.3 Payment processing (Stripe)

For payment flows we use Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. Depending on the selected payment method, billing-relevant data are transferred to Stripe.

For certain payment methods, Stripe may conduct credit or risk checks. Legal bases: Art. 6(1)(b) GDPR (payment execution) and Art. 6(1)(f) GDPR (default prevention).

C.4 Electronic cancellation option for continuing obligations

Where legally required, we provide an electronic cancellation option for consumers. Data entered in that process are used for identification, handling, and confirmation of cancellation (Art. 6(1)(b) and (c) GDPR).

C.5 Public LinkedIn profile data in research and contact-list features

If you use Inboundy features for research, target-person identification, or contact-list management, publicly accessible data from LinkedIn profiles may be processed. This typically includes name, professional title, company, location, and public profile URL.

For these processing activities, you as the customer act as controller under the GDPR, and we act as processor pursuant to Art. 28 GDPR. In your role, the legal basis will typically be Art. 6(1)(f) GDPR (legitimate interest in business communication). Please assess the lawfulness of each specific use case yourself and observe the terms of service of the relevant platform.

C.6 Contact form

When you use our contact form, we process the data you provide (name, email address, message) to handle your request and any follow-up communication. Legal basis: Art. 6(1)(b) GDPR for contract-related requests, otherwise Art. 6(1)(f) GDPR (legitimate interest in efficient communication).

For technical delivery of the form submission to our inbox, we use Web3Forms as a processor. Data may be transferred to third countries outside the EEA; appropriate safeguards under section D.6 (such as standard contractual clauses) apply where required. We retain the content of your request for as long as necessary to handle it and to comply with statutory retention obligations.

D. Providers, international transfers and cookies

D.1 Hosting

We host our website via providers with processing in the EU. Data processing agreements are in place with relevant processors.

D.2 Supabase (authentication)

For sign-in and access checks we use Supabase, Inc., 548 Market St, San Francisco, CA 94104, USA. Credentials required for authentication are transferred. Legal basis: Art. 6(1)(f) GDPR.

D.3 n8n (workflow automation)

For technical orchestration of internal workflows we use n8n GmbH, Novalisstr. 10, 10115 Berlin, Germany. Where personal data are involved, processing is based on Art. 6(1)(f) GDPR.

D.4 LinkedIn integrations

Where you use LinkedIn-related Inboundy features (for example OAuth linking or posting), we process the required authentication and action data. Relevant provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Legal bases: Art. 6(1)(b) and (f) GDPR.

D.5 YouTube and reCAPTCHA

If YouTube content is embedded or reCAPTCHA is used, data may be transferred to Google Ireland Limited and Google LLC (USA). The product demo video on the homepage loads only after you click “See 90-second demo” (two-click solution). Cookie-based processing occurs only on the basis of your consent (Art. 6(1)(a) GDPR). Where no cookies are used, processing may be based on Art. 6(1)(f) GDPR.

D.6 Transfers to third countries

Where data are transferred outside the EEA, we apply appropriate safeguards where required, such as adequacy decisions or standard contractual clauses.

D.7 Cookies and similar storage technologies

Cookies and similar storage technologies (for example localStorage) may be used to operate and optimise the website. Technically necessary cookies (session, security, core functionality) are set without separate consent on the basis of Art. 6(1)(f) GDPR.

Non-essential cookies (for example analytics, marketing, third-party embeds) are only set with your consent under Section 25(1) TTDSG in conjunction with Art. 6(1)(a) GDPR. You can withdraw your consent at any time via the cookie settings.

D.8 First-party web analytics (marketing site)

To measure reach and usage of our marketing site we use our own anonymous analytics system. This may process page views, anonymous session identifiers (stored in sessionStorage, not cookies), time on page, call-to-action clicks, coarse device category (mobile/tablet/desktop), and referrer or UTM parameters.

Data is stored via Supabase, Inc. (see D.2). We do not build personal profiles or share data with advertising networks. Raw data is deleted after 90 days. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in optimising our website).

E. Transparency on AI-supported features

If Inboundy provides AI-supported suggestion features, we present transparency information in line with Art. 50 of Regulation (EU) 2024/1689 (AI Act). Purpose and functional logic are explained in the relevant feature context.

No solely automated decision with legal or similarly significant effect within the meaning of Art. 22 GDPR is carried out unless explicitly indicated otherwise.

F. Retention and deletion approach

We keep personal data only for as long as needed for the relevant purpose. Data are then erased or anonymised unless legal retention obligations require longer storage.

As a guideline, unless diverging statutory obligations apply, the following retention periods are used:

  • Server and security logs: as a rule, up to 30 days
  • Account data: until account deletion; thereafter, in accordance with German commercial and tax retention duties (typically 6 or 10 years under Section 147 AO / Section 257 HGB)
  • Contract and billing data: statutory retention periods (typically 10 years)
  • Consent-based data (for example cookies, communications): until withdrawal, then deletion in the next regular cleanup cycle
  • LinkedIn / contact data processed by you (processor role): as long as you actively maintain the data in Inboundy, at the latest until termination of the contract

G. Your data protection rights

Under the GDPR, you have in particular the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), withdrawal of consent (Art. 7(3)), and complaint to a supervisory authority (Art. 77).

If processing is based on legitimate interests (Art. 6(1)(f) GDPR), you may object under Art. 21 GDPR on grounds relating to your particular situation.

The supervisory authority competent for us is the Saxon Commissioner for Data Protection and Transparency (Sächsische Datenschutz- und Transparenzbeauftragte), Devrientstraße 1, 01067 Dresden, Germany, website: www.saechsdsb.de.

H. Contact for privacy requests

For privacy questions, access requests, DPA requests, or other data subject matters, please contact: contact@inboundy.app.

Last updated: 2026-04-24