Version: 1.0 / As of: September 2025
In this Privacy Policy, we inform you about the processing of personal data as well as about the access to and storage of information on your end device when using the elvah Market Monitor (“Market Monitor”), available at: https://www.elvah.de/market-monitor.
1. Controller
The controller responsible for the processing of your personal data when using the Market Monitor within the meaning of the General Data Protection Regulation (GDPR) is:
elvah GmbH
Brüsseler Platz 1
45131 Essen
Phone: +49 2641 8939580
Fax: +49 2641 8939589
E-Mail: info@elvah.de
Contact details of the Data Protection Officer
PROLIANCE GmbH
Leopoldstr. 21
80802 Munich
www.datenschutzexperte.de
E-Mail: datenschutzbeauftragter@datenschutzexperte.de
For all questions regarding data protection in connection with our services on our platform, you may at any time also contact our Data Protection Officer. Please state the company to which your request relates when contacting the Data Protection Officer. Please refrain from attaching sensitive information such as a copy of an identity document to your request.
2. Purposes and Legal Bases of Processing
In the context of the Market Monitor, we process your personal data as follows:
2.1 Registration and Contract Conclusion
In order to use the Market Monitor, you must register and select a subscription. In this context, we process your master data such as name, email address, password, company affiliation (if applicable), and the selected subscription options. This processing is necessary to create a user account, to accept your order, and to conclude the contract with you. The processing is therefore based on the necessity for the performance of a contract within the meaning of Art. 6 (1) lit. b GDPR.
2.2 Use of the Market Monitor
During active use of the Market Monitor, we record which features you access, which queries you make, and which reports you download. This enables us to ensure that the platform functions reliably and that the content you have booked is displayed. At the same time, this data helps us to detect misuse and to ensure the security of our systems. The legal basis is the performance of the contract pursuant to Art. 6 (1) lit. b GDPR as well as our legitimate interest pursuant to Art. 6 (1) lit. f GDPR in a secure and functional operation of the Market Monitor.
2.3 Payment Processing and Invoicing
When you book a paid subscription, we process your payment data (e.g., billing address, payment method, transaction number, payment status) in order to process your payments correctly and provide you with invoices. In addition, we are legally obliged to retain certain booking and billing information, for example under tax and commercial law. Processing therefore takes place both for the performance of the contract pursuant to Art. 6 (1) lit. b GDPR and on the basis of our legal obligations pursuant to Art. 6 (1) lit. c GDPR.
2.4 Support and Communication
When you contact us, we process the communication data you provide, such as your email address, telephone number, or the content of your inquiry. This is done in order to respond to your request, assist you with technical problems, or provide you with contractually relevant information. The legal basis is the performance of the contract within the meaning of Art. 6 (1) lit. b GDPR; in addition, our legitimate interest pursuant to Art. 6 (1) lit. f GDPR lies in ensuring efficient and customer-oriented communication.
2.5 System Logging and IT Security
When accessing the Market Monitor, technical data such as IP address, browser type, operating system, or access times are automatically collected and stored in log files. We use this information to analyze errors, monitor system stability, and prevent or defend against attacks or abusive use. The basis for this processing is our legitimate interest in ensuring IT security and functionality of the platform within the meaning of Art. 6 (1) lit. f GDPR.
2.6 Analysis and Further Development
In order to continuously improve the Market Monitor and adapt it to the needs of our users, we evaluate usage data in aggregated or pseudonymized form. This involves, for example, understanding which data is used most frequently or where user guidance can be optimized. For these purposes, we use analytics tools that are activated only with your prior consent. The processing in this respect is based on Art. 6 (1) lit. a GDPR (consent); otherwise we rely on our legitimate interest pursuant to Art. 6 (1) lit. f GDPR in the further development and improvement of our services.
2.7 Marketing and Existing Customer Information
If you are already a customer, we also use your contact details to inform you about similar products or relevant updates regarding the Market Monitor. You may object to this use at any time. For newsletters or similar communication services that require prior registration, processing is carried out solely on the basis of your consent. Accordingly, depending on the situation, we rely either on Art. 6 (1) lit. f GDPR in conjunction with Sec. 7 (3) UWG / German Act Against Unfair Competition (legitimate interest in direct marketing) or on Art. 6 (1) lit. a GDPR (consent).
2.8 Tools Used
2.8.1 Webflow
Our website is hosted with Webflow. The provider is Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA (“Webflow”).
Webflow stores the content of our website on servers in the USA. In this context, personal data of website visitors is also processed, in particular IP address, technical information about the end device, browser information, and access times. The use of Webflow is based on our legitimate interest in a secure, fast, and efficient provision of our website (Art. 6 (1) lit. f GDPR) as well as for the performance of the contract with our users (Art. 6 (1) lit. b GDPR). Webflow has acceded to the EU-US Data Privacy Framework, so that data transfers to the USA are carried out on the basis of an adequacy decision pursuant to Art. 45 GDPR. Further information can be found at: https://webflow.com/legal/privacy and https://webflow.com/legal/eu-privacy-policy.
2.8.2 Memberstack
For user management and subscription management, we use the service Memberstack. The provider is Memberstack Inc., 1209 Orange Street, Wilmington, Delaware 19801, USA (“Memberstack”). Memberstack processes in particular your registration data (name, email address, password, registration date) as well as the subscription information you have selected. Data processing is based on Art. 6 (1) lit. b GDPR (performance of contract) as well as Art. 6 (1) lit. f GDPR (legitimate interest in a secure, functional system). Memberstack transfers data to the USA on the basis of the Standard Contractual Clauses pursuant to Art. 46 (2) lit. c GDPR. Further information can be found at: https://www.memberstack.com/legal/privacy-policy
2.8.3 Supabase
For the storage and management of data as well as the operation of our database backends, we use Supabase. The provider is Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992 (“Supabase”). Supabase provides cloud infrastructure, including databases, authentication, and API services. In this context, in particular usage data and technical log data are processed. Processing takes place on the basis of Art. 6 (1) lit. b GDPR (performance of contract) and Art. 6 (1) lit. f GDPR (legitimate interest in a secure and scalable infrastructure). Supabase operates servers in the EU, but may also transfer data to third countries. Insofar as data is transferred to the USA, this is done on the basis of the Standard Contractual Clauses (Art. 46 (2) lit. c GDPR). Further information can be found at: https://supabase.com/privacy
2.8.4 Google Analytics 4
Our Market Monitor uses the service Google Analytics 4 (“Google Analytics”), which is provided for persons from Europe, the Middle East, and Africa (EMEA) by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and for all other persons by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (together “Google”). Google Analytics uses JavaScript and pixels to read information on your end device, as well as cookies to store information on your end device. This serves to analyze your usage behavior and improve our website. We will process the information obtained in order to evaluate your use of the website and to compile reports on website activity for the website operator. The data collected in this context may be transmitted by Google to a server in the USA for evaluation and stored there. In the course of evaluation, Google Analytics also uses artificial intelligence such as machine learning for automated analysis and enrichment of the data. More information can be found at: https://support.google.com/analytics/answer/9443595. The following data is processed by Google Analytics: IP address, user ID, Google ID (Google Signals) and/or device ID, referrer URL (previously visited page), pages accessed (date, time, URL, title, duration of stay), events, technical information (operating system; browser type, version, and language; device type, brand, model, and resolution), approximate location (country and, if applicable, city, based on anonymized IP address). The legal basis for this data processing is your consent pursuant to Art. 6 (1) lit. a GDPR. Access to and storage of information on the end device is based on the implementing laws of the EU Member States for the ePrivacy Directive, in Germany pursuant to Sec. 25 (1) TDDDG / German Telecommunications and Digital Services Data Protection Act. We have concluded a data processing agreement with Google Ireland Limited.
Your personal data may also be transferred by Google Ireland Limited to Google LLC in the USA. Google LLC has acceded to the EU-US Data Privacy Framework, so that the transfer in this case is based on the adequacy decision for the USA pursuant to Art. 45 GDPR. In addition, Google Ireland Limited and Google LLC have concluded Standard Contractual Clauses (Implementing Decision (EU) 2021/914, Module 3) pursuant to Art. 46 (2) lit. c GDPR. Further information on the processing of personal data by Google can be found at: https://business.safety.google/privacy/.
2.8.5 Stripe
For payment processing, we use the services of external payment service providers. If you initiate a payment, in particular your contact and billing data, the chosen payment method, as well as transaction-related data such as payment status or transaction number will be transmitted to the payment service provider used by us. This is done in order to receive, process, and ensure the secure execution of the respective payment. At present, we particularly use Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland (“Stripe”). Stripe also processes your personal data for the detection and prevention of fraudulent financial transactions, for compliance with statutory obligations in the financial sector, as well as for the analysis and further development of its products. A data processing agreement exists with Stripe Payments Europe Ltd. Furthermore, Stripe may transfer your data to Stripe Inc., Corporation Trust Center, 1209 Orange Street, Wilmington, New Castle, DE 19801, USA. Stripe Inc. has acceded to the EU-US Data Privacy Framework, so that the data transfer takes place on the basis of the adequacy decision of the European Commission pursuant to Art. 45 GDPR. Further information on data processing by Stripe can be found in their privacy policy at https://stripe.com/privacy.
3. Disclosure of Data (Data Sharing)
Disclosure (sharing) of the data collected by us generally only takes place where there is a legal basis for doing so in the specific case, in particular if:
· you have given your express consent thereto pursuant to Art. 6 (1) lit. a GDPR,
· the disclosure is necessary for the establishment, exercise, or defense of legal claims pursuant to Art. 6 (1) lit. f GDPR and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data,
· we are legally obliged to disclose pursuant to Art. 6 (1) lit. c GDPR, in particular where this is necessary for law enforcement or prosecution on the basis of official requests, court orders, and legal proceedings, or
· disclosure is lawful and necessary pursuant to Art. 6 (1) lit. b GDPR for the performance of contractual relationships with you or for pre-contractual measures taken at your request.
Some of the data processing may be carried out by our service providers. In addition to the service providers mentioned in this Privacy Policy, these may in particular include data centers that store our website and databases, software providers, IT service providers that maintain our systems, agencies, market research companies, group companies, and consulting firms. Where we pass on data to our service providers, they may use the data exclusively for the performance of their tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound by our instructions, have suitable technical and organizational measures to protect the rights of data subjects, and are regularly monitored by us.
4. Data Transfers to Third Countries
As explained in this Privacy Policy, we use services whose providers are partly located in so-called third countries (outside the European Union or the European Economic Area) or process personal data there, i.e. countries whose level of data protection does not correspond to that of the European Union. Where this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate safeguards to ensure an adequate level of data protection for any data transfers. These include, inter alia, the Standard Contractual Clauses of the European Union or binding corporate rules.
Where this is not possible, we base the data transfer on exceptions pursuant to Art. 49 GDPR, in particular your express consent or the necessity of the transfer for the performance of a contract or the implementation of pre-contractual measures.
If a transfer to a third country is intended and neither an adequacy decision nor suitable safeguards exist, it is possible and there is a risk that authorities in the respective third country (e.g., intelligence services) may gain access to the transferred data in order to record and analyze it, and that the enforceability of your data subject rights cannot be guaranteed. You will be informed of this when your consent is obtained.
5. Storage Period
As a general rule, we store personal data only for as long as is necessary to fulfill the purposes for which we collected the data. Thereafter, we delete the data without undue delay, unless we still require the data until the expiry of the statutory limitation period for evidentiary purposes in civil law claims, due to statutory retention obligations, or unless another legal basis for continued processing of your data exists in the specific individual case.
For evidentiary purposes, we must in particular retain contractual data for three years after the end of the year in which the business relationship with you ends. Claims become time-barred under the statutory limitation period at the earliest at this point in time. Even thereafter, we must partially retain your data for accounting reasons. We are obliged to do so due to statutory documentation obligations, which may arise from the Commercial Code, the Fiscal Code, the Banking Act, the Anti-Money Laundering Act, and the Securities Trading Act. The retention periods for documents specified therein amount to two to ten years.
6. Your Rights, in Particular Withdrawal and Objection
You are entitled at any time, subject to the respective legal requirements, to the rights of data subjects set out in Art. 7 (3), Arts. 15–21 GDPR:
· Right to withdraw your consent (Art. 7 (3) GDPR);
· Right to object to the processing of your personal data (Art. 21 GDPR);
· Right of access to your personal data processed by us (Art. 15 GDPR);
· Right to rectification of inaccurate personal data stored by us (Art. 16 GDPR);
· Right to erasure of your personal data (Art. 17 GDPR);
· Right to restriction of processing of your personal data (Art. 18 GDPR);
· Right to data portability of your personal data (Art. 20 GDPR).
To exercise your rights as described above, you may contact us at any time using the contact details specified above. This also applies if you wish to receive copies of safeguards to demonstrate an adequate level of data protection. If the respective legal requirements are met, we will comply with your data protection request.
Your requests for the exercise of data protection rights and our responses thereto will be retained for documentation purposes for a period of up to three years and, in individual cases, beyond this where necessary for the establishment, exercise, or defense of legal claims. The legal basis is Art. 6 (1) lit. f GDPR, based on our interest in defending against potential civil claims under Art. 82 GDPR, avoiding fines under Art. 83 GDPR, and complying with our accountability obligation under Art. 5 (2) GDPR.
You have the right to withdraw consent given to us at any time. As a result, we will no longer continue the data processing that was based on this consent in the future. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent until withdrawal.
Where we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your particular situation. If the objection relates to processing for direct marketing purposes, you have a general right to object, which will also be implemented by us without you having to state reasons.
If you wish to exercise your right of withdrawal or objection, a simple notification to the contact details specified above is sufficient.
Finally, you have the right to lodge a complaint with a data protection supervisory authority pursuant to Art. 77 GDPR. You may, for example, exercise this right with a supervisory authority in the Member State of your residence, your place of work, or the place of the alleged infringement. In Essen, our seat, the competent supervisory authority is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, P.O. Box (Postfach) 200444, 40102 Düsseldorf, Germany.
7. Amendments to this Privacy Policy, Language Versions
We occasionally update this Privacy Policy, for example when we adapt our services or if legal or regulatory requirements change.
This Privacy Policy is available in multiple languages. In case of any discrepancies or inconsistencies, the German version shall prevail.