Privacy Policy

Last updated: May 2026

1. Data Controller

The data controller within the meaning of Art. 4(7) GDPR is:

andact GmbH
Bavariafilmplatz 7
82031 Grünwald
Germany

Email: kontakt@andact.io
Commercial Register: HRB 307748 (Amtsgericht München)
Managing Directors: Kai Sahling, Andreas Gillhuber

Further details can be found in our Imprint.

2. Legal Bases for Processing

The following legal bases apply to our data processing activities:

• Art. 6(1)(a) GDPR – Consent of the data subject
• Art. 6(1)(b) GDPR – Performance of a contract or pre-contractual measures (e.g. enquiries about our products or services)
• Art. 6(1)(c) GDPR – Compliance with a legal obligation (e.g. statutory retention requirements)
• Art. 6(1)(f) GDPR – Legitimate interests (e.g. technically necessary storage for website operation)

3. Data Transfers Outside the EEA

Where we transfer data to service providers or other third parties outside the European Economic Area (EEA), we ensure an adequate level of data protection:

• Transfers to countries covered by an EU Commission adequacy decision (Art. 45 GDPR) are treated as equivalent.
• Transfers to the USA rely on an adequacy decision where the recipient is certified under the EU-US Data Privacy Framework.
• In all other cases, transfers are based on Standard Contractual Clauses adopted by the EU Commission (Art. 46(2)(c) GDPR).

4. Retention Periods

Unless stated otherwise in this privacy policy, stored data is deleted as soon as it is no longer required for its intended purpose and no statutory retention obligations prevent deletion. Where data cannot be deleted because it is required for other lawful purposes, its processing is restricted — i.e. the data is blocked and not processed for other purposes (e.g. data retained for commercial or tax law reasons).

5. No Automated Decision-Making

We do not use fully automated individual decision-making as referred to in Art. 22 GDPR for establishing or conducting a business relationship. Should we use such procedures in individual cases, we will provide separate notice where required by law.

6. Obligation to Provide Data

You are only required to provide us with the personal data necessary for establishing, conducting or terminating a business relationship, or which we are legally obliged to collect. Without this data, we will generally be unable to enter into a contract or provide a service. Mandatory fields are marked as such.

7. Notice for Visitors from Germany (§ 25 TDDDG)

Our website stores information on visitors' devices or accesses information already stored there. This is governed by the German Telecommunications Digital Services Data Protection Act (TDDDG):

Where such storage or access is strictly necessary to provide a service explicitly requested by you (e.g. language preference, IT security), it is carried out on the basis of § 25(2)(2) TDDDG.

Otherwise, storage or access is based on your consent (§ 25(1) TDDDG). Subsequent data processing is governed by the GDPR.

8. Informational Use of the Website (Server Logs)

When you browse our website, your browser automatically transmits the following data to our server:

• IP address
• Date and time of the request
• Time zone difference to Greenwich Mean Time (GMT)
• Page requested (content of the request)
• HTTP status code / access status
• Amount of data transferred
• Referring website
• Browser, operating system and interface
• Language and version of browser software

This data is processed solely to ensure the stability and security of the website (Art. 6(1)(f) GDPR) and is deleted after no more than 14 days.

9. Web Hosting – Google Cloud Platform

Our website is operated via Google Cloud Platform (GCP). The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Data processing may also be carried out by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

As part of hosting, personal data (content, usage, meta/communication or contact data) may be processed and transferred to the USA. Further information: policies.google.com/privacy

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating a technically reliable website). Transfers to the USA are based on Standard Contractual Clauses (Art. 46(2)(c) GDPR).

10. Contact Form

When you request a demo via our contact form, we collect the following information:

Required: Business email address
Optional: Name, company, industry, employee count, ERP system, inside sales team size, phone number, message

Purpose: Processing and responding to your demo request and initiating a business relationship.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in responding to business enquiries) and Art. 6(1)(b) GDPR (pre-contractual measures).

Retention: Data is deleted once the purpose of processing no longer applies and no statutory retention obligations exist.

11. Data Processing – Google Apps Script

Data submitted via the contact form is technically processed and forwarded to us via Google Apps Script (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Google processes this data solely for technical forwarding; no further use takes place.

We have a data processing agreement with Google pursuant to Art. 28 GDPR. Transfers to the USA are based on the EU-US Data Privacy Framework (where Google LLC is certified) and, in addition, on Standard Contractual Clauses (Art. 46(2)(c) GDPR).

12. Language Preference (localStorage)

To remember your chosen language (German/English), the website uses your browser's localStorage (§ 25(2)(2) TDDDG – technically necessary storage). This is purely functional storage with no personal reference. This data is not shared with third parties and is not used for tracking or analysis. You can clear localStorage at any time via your browser settings.

13. No Analytics or Tracking Cookies

This website does not use any analytics services (e.g. Google Analytics, Matomo), advertising pixels (e.g. Facebook Pixel, LinkedIn Insight Tag), or third-party tracking cookies. No profiles of your browsing behaviour are created.

14. LinkedIn

We maintain a company profile on LinkedIn. The operator is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. When you contact us via LinkedIn, we process the data provided in order to respond to enquiries (Art. 6(1)(f) GDPR).

LinkedIn processes user data for its own purposes, in particular for advertising. Further information: linkedin.com/legal/privacy-policy. Opt out of personalised advertising: linkedin.com/psettings/guest-controls/retargeting-opt-out

15. Your Rights as a Data Subject

You have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)
• Right to withdraw consent – Any consent given may be withdrawn at any time with effect for the future.

To exercise your rights, please contact us at: kontakt@andact.io

16. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 27, 91522 Ansbach, Germany
www.lda.bayern.de

A list of all German supervisory authorities is available at: bfdi.bund.de

17. Updates to this Privacy Policy

We reserve the right to update this privacy policy to reflect changes to our website or revised legal requirements. The current version is always available on this page.