Privacy Policy

Last updated: January 18, 2026

1. Controller

The controller responsible for data processing on this website is:

kidsbert GmbH Hegestieg 20 20249 Hamburg Germany

Email: hello@kidsbert.de

Authorized representatives: Anke Reincke, Dr. Philine Bieling

Commercial Register: District Court Hamburg, HRB 196015

2. Data Protection Officer

Due to the company size, the appointment of a data protection officer is not required. For data protection inquiries, please contact: hello@kidsbert.de

3. General Information on Data Processing

3.1 Scope of Processing Personal Data

We process personal data of our users only to the extent necessary for providing a functional website and our content and services. The processing of personal data of our users regularly takes place only with the user's consent. An exception applies in cases where prior consent cannot be obtained for practical reasons and the processing of data is permitted by law.

3.2 Legal Bases for Processing Personal Data

3.3 Data Deletion and Storage Duration

Personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may continue if provided for by European or national legislation (e.g., tax retention periods of 10 years).

4. Hosting and Infrastructure

4.1 Vercel (Website Hosting)

Our website is hosted by Vercel Inc.

Provider: Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA Processed Data: IP address, date and time of access, transferred data volume, referrer URL, browser type and version, operating system Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in secure and efficient hosting) Privacy Policy: https://vercel.com/legal/privacy-policy Standard Contractual Clauses: Vercel uses EU Standard Contractual Clauses for data transfers to the USA

4.2 Neon (Database)

We use the PostgreSQL database from Neon to store user data.

Provider: Neon Inc., 535 Mission St, San Francisco, CA 94105, USA Processed Data: All user data stored in the database (account data, offers, etc.) Legal Basis: Art. 6(1)(b) GDPR (contract performance) Privacy Policy: https://neon.tech/privacy-policy Data Location: EU (Frankfurt)

4.3 Amazon Web Services S3 (File Storage)

Uploaded files (images, documents) are stored on Amazon Web Services.

Provider: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg Processed Data: Uploaded files (images of offers, profile pictures) Legal Basis: Art. 6(1)(b) GDPR (contract performance) Privacy Policy: https://aws.amazon.com/privacy/ Data Location: EU (Frankfurt, eu-central-1)

5. Website Provision and Log Files

5.1 Description and Scope of Data Processing

Each time our website is accessed, our system automatically collects data and information from the accessing computer system.

The following data is collected:

• IP address of the user
• Date and time of access
• Pages accessed
• Websites from which the user's system reached our website (referrer)
• Browser type and version
• Operating system used
• Amount of data transferred

5.2 Purpose and Legal Basis

The temporary storage of the IP address by the system is necessary to deliver the website to the user's computer. Storage in log files ensures the functionality of the website and the security of our systems.

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest)

5.3 Storage Duration

Server log files are deleted after 30 days at the latest.

6. Registration and User Account

6.1 Description and Scope of Data Processing

On our platform, we offer users the opportunity to register by providing personal data.

Data collected during registration:

• Name
• Email address
• Password (stored encrypted)

Additionally for provider registration:

• Company name/provider name
• Address
• Contact details (email, phone, website)
• Provider description

Automatically collected data:

• IP address at registration
• Date and time of registration
• Consent to terms and privacy policy (timestamp)

6.2 Legal Basis

Legal Basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(b) GDPR (contract performance)

6.3 Purpose of Data Processing

Registration is required for:

• Creating and managing offers (for providers)
• Saving favorites
• Using personalized features
• Communication via the platform

6.4 Storage Duration

Data is deleted when the user account is deleted. Legal retention obligations (e.g., for billing data: 10 years) remain unaffected.

7. Offers and Content

7.1 Published Offers

Providers can publish offers on the platform with the following data:

• Title and description of the offer
• Images
• Location data (address, coordinates)
• Prices and age information
• Contact information
• Opening hours and availability

This data is publicly displayed on the platform and visible to all users.

Legal Basis: Art. 6(1)(b) GDPR (contract performance)

7.2 QR Codes and Tracking

QR codes can be generated for offers. When scanning a QR code, the following data is stored:

• Time of scan
• User agent (browser information)
• User ID (if logged in)

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in statistics)

8. AI-Powered Features (OpenAI)

8.1 Description

We use AI services from OpenAI for:

• Assistance with form completion
• Personalized recommendations for users
• Improvement of search results

8.2 Processed Data

When using AI features, the following data is transmitted to OpenAI:

• Form inputs (as required for AI assistance)
• Search terms
• Preferences for recommendations

Provider: OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA Privacy Policy: https://openai.com/privacy/ Legal Basis: Art. 6(1)(a) GDPR (consent) or Art. 6(1)(f) GDPR (legitimate interest in improved user experience)

8.3 Note

AI features are optional. When used, data is transferred to servers in the USA. OpenAI has committed to complying with EU Standard Contractual Clauses.

9. Cookies and Consent

9.1 What are Cookies?

Cookies are small text files stored in the internet browser or by the internet browser on the user's computer system.

9.2 Cookies Used

Technically necessary cookies (without consent):

Analytics cookies (only with consent):

9.3 Legal Basis

• Technically necessary cookies: Art. 6(1)(f) GDPR (legitimate interest)
• Analytics cookies: Art. 6(1)(a) GDPR (consent)

9.4 Objection and Revocation

You can change your cookie settings at any time via our cookie banner or delete cookies in your browser.

10. Google Analytics

10.1 Description

We use Google Analytics to analyze user behavior on our website. Google Analytics is only activated if you have given your consent via our cookie banner.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

10.2 Processed Data

• IP address (anonymized)
• Pages visited
• Time spent
• Device and browser information
• Approximate location (city level)

10.3 IP Anonymization

We have activated IP anonymization. Your IP address will be truncated by Google within EU member states before being transmitted to Google servers in the USA.

10.4 Legal Basis

Legal Basis: Art. 6(1)(a) GDPR (consent)

10.5 Revocation

You can revoke your consent at any time via our cookie banner.

Privacy Policy: https://policies.google.com/privacy Opt-Out: https://tools.google.com/dlpage/gaoptout

11. Email Communication

11.1 Email Sending (Amazon SES)

We use Amazon Simple Email Service (SES) for sending emails.

Provider: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg Data Location: EU

11.2 Types of Emails

We send the following emails:

Transactional emails (without separate consent):

• Registration confirmation
• Password reset
• Payment confirmations
• Offer notifications

Newsletter (only with double opt-in):

• Information about new offers and features

11.3 Newsletter and Double Opt-In

For newsletter delivery, we use the double opt-in procedure:

1. You enter your email address
2. You receive a confirmation email with a link
3. Only after clicking the confirmation link will you be added to the mailing list

We store:

• Email address
• Time of registration
• IP address at registration
• Time of confirmation
• IP address at confirmation

Legal Basis: Art. 6(1)(a) GDPR (consent)

11.4 Unsubscribe

You can unsubscribe from the newsletter at any time via:

• The unsubscribe link in every email
• Email to hello@kidsbert.de

12. Payment Processing (Stripe)

12.1 Description

We use Stripe for payment processing.

Provider: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland

12.2 Processed Data

For payments, the following data is transmitted to Stripe:

• Name
• Email address
• Payment information (credit card, SEPA, etc.)
• Billing address (if required)
• Purchase amount

12.3 Legal Basis

Legal Basis: Art. 6(1)(b) GDPR (contract performance)

Privacy Policy: https://stripe.com/privacy

13. Contact Form

13.1 Description

When you use our contact form, the following data is processed:

• Name
• Email address
• Message

13.2 Legal Basis and Purpose

The data is used exclusively to process your inquiry.

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries)

13.3 Storage Duration

Data is deleted as soon as the inquiry has been conclusively processed, unless legal retention obligations prevent this.

14. Google Maps

14.1 Description

We use Google Maps to display locations of offers.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

14.2 Processed Data

When using Google Maps, the following data is transmitted to Google:

• IP address
• Location data (if shared)
• Search queries

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in user-friendly presentation)

Privacy Policy: https://policies.google.com/privacy

15. Data Processors

We use the following data processors:

Contracts according to Art. 28 GDPR have been concluded with all data processors.

16. Data Transfer to Third Countries

Some of our service providers are located outside the EU/EEA (particularly the USA). Data transfer is based on:

• EU Standard Contractual Clauses (Art. 46(2)(c) GDPR)
• EU Commission adequacy decision (where available)

17. Rights of the Data Subject

You have the following rights regarding your personal data:

17.1 Right of Access (Art. 15 GDPR)

You can request information about your personal data stored by us.

17.2 Right to Rectification (Art. 16 GDPR)

You have the right to have incorrect data corrected.

17.3 Right to Erasure (Art. 17 GDPR)

You can request the deletion of your data, provided no legal retention obligations prevent this.

17.4 Right to Restriction of Processing (Art. 18 GDPR)

Under certain conditions, you can request the restriction of processing of your data.

17.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your data in a structured, commonly used, and machine-readable format.

17.6 Right to Object (Art. 21 GDPR)

You can object to the processing of your data at any time if the processing is based on Art. 6(1)(f) GDPR.

17.7 Right to Withdraw Consent (Art. 7(3) GDPR)

You can withdraw consent given at any time with effect for the future.

17.8 Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority.

Competent Supervisory Authority: The Hamburg Commissioner for Data Protection and Freedom of Information Ludwig-Erhard-Str. 22, 7th floor 20459 Hamburg https://datenschutz-hamburg.de

18. Data Security

We use SSL/TLS encryption for all data transfers. All passwords are stored encrypted. We employ appropriate technical and organizational measures to protect your data from unauthorized access.

19. Updates and Changes to this Privacy Policy

This privacy policy is currently valid (as of January 18, 2026).

Due to the further development of our website and offerings or due to changed legal requirements, it may become necessary to change this privacy policy. The current privacy policy can be accessed at any time at https://kidsbert.de/en/legal/privacy-policy.

---

Contact for Data Protection Inquiries: kidsbert GmbH Email: hello@kidsbert.de