Privacy Policy
With this Privacy Policy we inform you about how we process personal data on our website, in connection with contact enquiries, with demo and customer accounts, when displaying prices as well as when initiating and processing business relationships. Our offering is directed exclusively at companies and other entrepreneurs within the meaning of § 14 BGB. Insofar as individual processing activities are only activated after your consent, this only takes place after your selection in the consent banner.
As of: April 2026
Controller
Stixchesstr. 107
51377 Leverkusen
Germany
Email address:
Imprint: https://uxspire.com/impressum
Data protection officer
We have not appointed a data protection officer. Pursuant to Art. 37 GDPR in conjunction with § 38 BDSG (German Federal Data Protection Act), there is no statutory obligation for us to appoint one.
Data categories, data subjects and purposes
Data subjects: visitors of this website, contact persons at prospects, customers and business partners, applicants, users of demo and customer accounts as well as users of Stripe-hosted payment or contract administration pages.
Processed data categories:
- Master data and contact data, e.g. name, business email address, telephone number, company, job title, country
- Communication and content data, e.g. message content, attachments, enquiry types and conversation histories
- Contract, order, invoice, subscription, account and access data, e.g. selected product, term, plan, invoice status, VAT identification number, login data, workspace and configuration settings
- Payment-related data, e.g. transaction and payment status data as well as billing-relevant information
- Application data, insofar as you submit application documents
- Usage, device, log and security data, e.g. IP address, browser, operating system, referrer, timestamps and pages accessed
- Consent and preference data, e.g. consent status, selection in the cookie banner and proof logs
Purposes of processing: provision and protection of the website, setup and administration of demo and customer accounts, answering enquiries, processing of demo, pricing, support and application enquiries, display of prices, contract initiation and contract performance, billing, consent management as well as - with consent - web analytics, reach measurement and marketing.
Legal bases
- Art. 6(1)(a) GDPR: consent, in particular for optional analytics and marketing technologies
- Art. 6(1)(b) GDPR: performance of pre-contractual measures and fulfilment of contracts or business enquiries
- Art. 6(1)(c) GDPR: fulfilment of legal obligations, in particular commercial and tax retention obligations
- Art. 6(1)(f) GDPR: safeguarding our legitimate interests, in particular in secure operation, abuse prevention, efficient communication and economic management
- § 25(1) TDDDG: storage of information on terminal equipment and access thereto for technologies requiring consent
- § 25(2) TDDDG: technically necessary storage/access, in particular for security, consent management and basic website functions
- § 26 BDSG: processing of application data, insofar as an application is submitted
Provision of the website, hosting and security
To deliver the website, to optimise performance and to defend against abuse, bot and attack scenarios, we use infrastructure and security services from Cloudflare, Inc. In doing so, in particular the IP address, date and time of the request, requested content, referrer URL, HTTP status, browser and device information as well as security-related log data are processed.
Purposes: secure and stable provision of the website, load balancing, error analysis, abuse and attack detection, ensuring short loading times.
Legal basis: Art. 6(1)(f) GDPR as well as, insofar as technically necessary, § 25(2) TDDDG.
Storage period: We regularly retain security and error logs only as long as this is necessary for operational and security purposes, typically up to 14 days. Longer retention only takes place in the case of specific security incidents, for abuse prevention or for the assertion or defence of legal claims. Service-provider-side log durations may deviate from this.
Contact and contact form
If you contact us by email or via the contact form, we process your information to handle your enquiry. The following data in particular can be processed via the form: first name, last name, business email address, optional telephone number, company, job title, country, reason for enquiry, message, optional application documents as well as technical additional data such as timestamp and source of the enquiry.
The contact form is processed via Cloudflare Pages Functions. General enquiries and applications are delivered to separate internal Discord channels. Application documents can be submitted as a PDF, DOC or DOCX file; the form checks the file type and file size and allows attachments up to 8 MB. Application attachments are not transmitted to Discord, but stored privately in Cloudflare R2. The internal Discord notification contains only the contact information required for processing and, in the case of applications, a reference to the R2 object. Application attachments are automatically deleted after 180 days.
Purposes: processing of demo, enterprise, pricing, support and other business enquiries, communication with prospects and business partners, processing of applications, spam and abuse prevention.
Legal bases: Art. 6(1)(b) GDPR for pre-contractual and contract-related communication, Art. 6(1)(f) GDPR for efficient communication and abuse prevention as well as, in the case of applications, additionally § 26 BDSG.
Storage period: We regularly delete general enquiries no later than 12 months after final processing, provided that no contractual relationship arises from them and no statutory retention obligations conflict with this. We regularly delete application documents and application attachments no later than after 180 days, provided that there is no consent to longer storage or an employment relationship is established.
Demo and customer accounts, prices, contract initiation, payments and billing
For the setup and administration of demo and customer accounts, we process in particular business master and contact data, account and access data, plan and contract data, workspace and configuration settings, support and communication data as well as usage, log and security data, insofar as this is necessary for provision, authentication, account administration, support, abuse prevention and contract performance.
The SaaS application is operated on Microsoft Azure infrastructure within the EU; the concrete Azure region is set per environment via deployment configuration. Survey assets and consent proof are stored or delivered in Cloudflare R2 with EU jurisdiction. Insofar as uxspire processes personal data on behalf of enterprise customers, this takes place on the basis of a separate data processing agreement pursuant to Art. 28 GDPR. Details on data categories, purposes, sub-processors, technical and organisational measures as well as deletion and return rules result from the respective DPA.
For the display of products, prices and conditions on our website, we retrieve price and product information server-side via Stripe. With the mere display of prices, generally no payment data of yours is transmitted to Stripe; the retrieval of the price structure takes place technically via our servers.
If you book a paid offering or make contract adjustments, you will be redirected to Stripe-hosted payment, checkout or contract administration pages. There, Stripe Technology Europe, Limited or Stripe Payments Europe, Limited as well as affiliated Stripe companies process the data required for this purpose.
In particular, the following can be processed: name, business contact and company data, billing address, VAT identification number, selected product or subscription, payment method, payment status, invoice and transaction data, amounts, currencies, device and browser information, IP address, timestamps as well as fraud prevention and compliance data.
Purposes: setup and administration of demo and customer accounts, presentation of offers, contract initiation, conclusion and administration of subscriptions, billing, payment processing, fraud prevention, accounting and tax documentation.
Legal bases: Art. 6(1)(b) GDPR, Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR; insofar as uxspire processes personal data exclusively as processor, the processing is additionally governed by the respective DPA.
Storage period: We regularly store account and contract master data for the duration of the contract and subsequently within the framework of statutory retention obligations. We regularly retain invoices, accounting vouchers and other tax-relevant documents for 8 years from the end of the calendar year; received and sent business letters as well as comparable commercially relevant communication regularly for 6 years. We delete pre-contractual data going beyond this as soon as it is no longer necessary and no statutory obligations or legal claims conflict with this. Productive enterprise customer data that we process exclusively on behalf of customers is treated in accordance with the DPA and the deletion or return obligations regulated therein. Stripe additionally stores data in accordance with its own regulatory and contractual obligations.
Consent management with uxspire
We use our own locally delivered consent management based on the open-source library vanilla-cookieconsent. The library is loaded from our website; the consent dialog does not request any external third-party CMP domain.
Processed data: consent status, selected purposes and services, pseudonymous consent ID, timestamps, language setting, accessed path and - if a server-side salt is configured - hashed technical metadata such as IP address and user agent. We do not store raw IP addresses in the consent log.
Purposes: legally compliant consent request, proof of granted or refused consents, technical control of optional services. Consent proof is received via our own Cloudflare Pages Function and stored in a private Cloudflare R2 bucket with EU jurisdiction.
Legal bases: Art. 6(1)(c) GDPR, Art. 6(1)(f) GDPR and § 25(2) TDDDG; for the activation of optional services additionally Art. 6(1)(a) GDPR and § 25(1) TDDDG.
Storage period: Your settings are stored for 365 days in the uxspire_consent cookie and are then requested again. Consent proof is regularly stored for 365 days unless longer storage is necessary to fulfil legal proof obligations.
Web analytics with uxspire
No optional web analytics services are currently active on this website. The following description is prepared for a later activation of our own analytics tool uxspire. Activation will only take place after corresponding consent via the cookie settings.
Processed data: usage and event data, survey responses, project and survey references, session ID, pseudonymous distinct ID, browser and device information, operating system, language, referrer, visited pages, interaction events, timestamps, UTM and campaign parameters as well as - insofar as used - cookie or local storage identifiers. Server-side, additionally the IP address (client_ip from X-Forwarded-For or X-Real-IP), origin, user agent and accept language can be processed and browser, operating system, device and referrer context can be derived therefrom. The assignment is regularly carried out via pseudonymous identifiers and not via clear names. Separately from this, our website consent logs do not store raw IP addresses; technical metadata such as IP address and user agent is only stored there in hashed form if a server-side salt is configured.
Purposes: statistical evaluation, product and content optimisation, error detection, reach measurement.
Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG.
Recipients/place of processing: uxspire GmbH as well as technical service providers used by us, in particular Microsoft Azure for app operation, database, logging and monitoring within the EU as well as Cloudflare R2/CDN with EU jurisdiction for survey assets. Data protection signals such as Global Privacy Control or Do Not Track are respected by default on the client and server side, provided that the respective organisation, workspace or project does not expressly deactivate this check.
Storage period: The consent status uxspire.consent is regularly stored for up to 365 days, provided that GPC/DNT are not active. We regularly store analytics identifiers for up to 365 days, event and evaluation data regularly for up to 12 months, insofar as no longer retention is necessary for security, proof or contractual reasons.
Google Ads
Google Ads is currently not actively embedded on this website. The following description is prepared for a later activation of campaign measurement, conversion tracking and remarketing. The provider for users in the EEA is generally Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; technically, processing may also be carried out by Google LLC, USA.
Processed data: cookie and online identifiers, IP address, date and time of the request, referrer URL, accessed pages, device and browser information, advertising interactions as well as conversion data. Insofar as certain functions such as Enhanced Conversions are activated, additionally hashed contact identifiers can be processed.
Purposes: measurement of campaign success, attribution of enquiries or conclusions to advertising campaigns, re-engagement of website visitors, optimisation of advertising budgets.
Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG.
Storage period: The storage period depends on the specific Google product used, the cookie settings and the configured conversion window. For website conversions, this is typically 30 days and can - depending on the configuration - be up to 90 days.
LinkedIn Ads
LinkedIn Ads including the LinkedIn Insight Tag is currently not actively embedded on this website. The following description is prepared for later activation for campaign measurement, audience building and conversion tracking. The provider for users in the EEA is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; processing may also be carried out by LinkedIn Corporation, USA.
Processed data: URL and referrer of the visited page, IP address, device and browser characteristics, timestamps, page and event data as well as cookie identifiers. Insofar as activated by us, additionally hashed business contact identifiers can be processed for matching purposes.
Purposes: reach and campaign measurement, website retargeting, building of audiences, proof and optimisation of conversions.
Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG.
Storage period: According to its own information, LinkedIn regularly removes direct identifiers within 7 days; pseudonymised data is subsequently regularly deleted within 180 days. In addition, reporting and aggregate data may remain available in your LinkedIn Ads account in accordance with the settings there.
Recipients and third-country transfers
Recipients or categories of recipients can in particular be:
- internal bodies of uxspire GmbH, insofar as this is necessary for processing your enquiry or for contract performance
- Cloudflare for website hosting, Pages Functions, private R2 storage of consent proof and application attachments, security and performance services as well as R2/CDN for survey assets
- Microsoft Azure for hosting, database, Key Vault, authentication infrastructure, email dispatch, logging and monitoring of the SaaS application
- Stripe companies for price administration, billing, checkout, contract and payment processing
- Google and LinkedIn for analytics and marketing purposes, insofar as the services are activated later and you have consented
- Discord for internal notifications about website form enquiries and applications
- tax advisors, legal advisors, authorities and other bodies, insofar as we are legally obliged to do so or legitimate interests require this
Some recipients also process data outside the EU or the EEA, in particular in the USA. Third-country transfers only take place in accordance with Art. 44 et seq. GDPR. Where available, these transfers are based on an adequacy decision, in particular the EU-U.S. Data Privacy Framework, or on standard contractual clauses and supplementary protective measures.
Processors and sub-processors for uxspire
Insofar as we process personal data on behalf of enterprise customers, the respective data processing agreement and Art. 28 GDPR additionally apply. The public listing serves transparency about essential service providers and sub-processors; the legally binding approval, change notices and objection periods must be regulated in the DPA or in its annexes.
The following list contains the service providers derivable from code, website functions and Terraform. Provider data protection notices and DPA pages are linked, insofar as publicly available.
| Provider / service | Role | Purpose | Data categories | Location / status |
|---|---|---|---|---|
| Microsoft Ireland Operations Ltd. / Microsoft Azure (Privacy · Microsoft DPA) | Processor or sub-processor | Hosting of the SaaS application on Azure Container Apps, PostgreSQL database, Key Vault, Log Analytics, Application Insights, Microsoft Entra External ID and Better-Auth integration | Account, contract, workspace, configuration, event, log and security data | EU hosting; the Azure region is set via deployment configuration. Microsoft DPA and data protection provisions apply including the transfer mechanisms described therein. TO BE CLARIFIED: actually rolled-out production region and Microsoft support/diagnostic data. |
| Microsoft Azure Communication Services (Privacy · Microsoft DPA) | Processor or sub-processor, insofar as Azure email is used productively | Transactional emails, system messages, invitations and delivery logs of the SaaS application | Email address, message content, dispatch status, technical delivery data | Production default of the SaaS stack: mail provider azure. The ACS data location is configurable via Terraform mail_data_location, default Global; user engagement tracking is deactivated in the Terraform default. TO BE CLARIFIED: productive ACS data location, if deviating from the default. |
| Cloudflare, Inc. / Cloudflare R2 and CDN (Privacy · DPA) | Processor or sub-processor | Website hosting and Pages Functions, processing of contact forms, private storage of consent proof and application attachments in R2, delivery, storage and caching of website and survey assets, security and performance functions | IP address, request and security logs, contact form request data, consent ID, consent choices, timestamp, language, accessed path, application attachments, asset files, technical request data | Cloudflare R2 is used productively with EU jurisdiction. The Cloudflare DPA describes the Data Privacy Framework, standard contractual clauses and further protective measures for restricted transfers. |
| Stripe Technology Europe, Limited / Stripe Payments Europe, Limited and affiliated Stripe companies (Privacy · DPA) | Recipient; depending on the processing, own controller and/or processor | Price administration, checkout, customer portal, subscription and payment processing, fraud prevention, webhooks | Contact, company, invoice, payment, transaction, device and compliance data | EU/Ireland with possible intra-group third-country references. Not to be classified as a pure sub-processor. |
| Discord, Inc. (Privacy) | Recipient for internal notifications | Internal notification about new website contact form enquiries and applications via separate webhooks or channels | Contact reason, source, name, company if provided, email address, telephone number if provided, country, job title, message as well as, in the case of applications, file name and private R2 object reference; application attachments are not transmitted to Discord | Discord processes data in accordance with its own data protection terms with possible third-country references. Access to the internal channels is organisationally restricted to responsible team members. |
In this presentation, Google and LinkedIn are not sub-processors of the uxspire SaaS, but recipients for our own marketing and analytics processing only after later activation and consent.
Storage period
Unless otherwise regulated in the individual sections, we store personal data only as long as this is necessary for the respective purpose or statutory retention obligations exist.
- Security and error logs: regularly up to 14 days
- General contact enquiries: regularly up to 12 months after final processing
- Application documents and application attachments: regularly no later than after 180 days
- Consent settings and consent proof: until change/withdrawal, renewed request or regular deletion after 365 days at the latest
- Analytics identifiers: regularly up to 365 days; pseudonymised analytics data regularly up to 12 months
- Demo, account and contract master data: regularly for the contract duration and subsequently in accordance with statutory retention obligations
- Invoices and accounting vouchers: regularly 8 years from the end of the calendar year
- Commercial and business letters as well as comparable correspondence: regularly 6 years from the end of the calendar year
Longer storage can take place if this is necessary for the assertion, exercise or defence of legal claims or to fulfil legal obligations.
Rights of data subjects
Within the scope of the statutory requirements, you have in particular the following rights:
- Access to the processed personal data (Art. 15 GDPR)
- Rectification of inaccurate or completion of incomplete data (Art. 16 GDPR)
- Erasure of your data, insofar as the requirements are met (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing on the basis of Art. 6(1)(f) GDPR (Art. 21 GDPR)
- Withdrawal of granted consents with effect for the future (Art. 7(3) GDPR)
- Complaint to a data protection supervisory authority (Art. 77 GDPR)
If you would like to assert a right, a message to the contact details stated under this Privacy Policy is sufficient.
Contact for data protection questions
Email: