GMC TASSTA GmbH – Global Privacy Policy

Last updated: 14th August 2025

1. Who we are

GMC TASSTA GmbH
Registered Address: Kurfürstendamm 14 | 10719 Berlin | Germany
Service/Trading Address: Bödekerstr. 56 | 30161 Hannover | Germany
hello@tassta.com · +49 30 57710674

Lead supervisory authority: Landesbeauftragte für den Datenschutz Niedersachsen (LfD-NI).
Prinzenstraße 5, 30159 Hannover, Germany
poststelle@lfd.niedersachsen.de · +49 511 120 4500
Website: https://lfd.niedersachsen.de

2. Definitions – plain language

  • “TASSTA” – Refers to GMC TASSTA GmbH.
  • “You” / “user” – Visitors, customers, partners, suppliers or applicants interacting with TASSTA.
  • “Services” – T.Commander, T.Flex, T.Lion, T.Bridge, websites, support portals and any SaaS or on-prem deployment we operate.
  • “Personal data” – Any information that identifies or can identify a natural person.
  • “Controller” – TASSTA when we decide the purpose/means of processing; your employer when we merely host their mission-critical content (§ 4.3).
  • “Processor” – We act as a processor when we process personal data on behalf of another party and only under their written instructions (see § 4.3).
  • “Special categories of personal data” – Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for identification, health data, or data concerning a person’s sex life or sexual orientation (Art. 9 GDPR).

3. Where this policy applies

This notice governs personal data processed when you:
  • Visit TASSTA websites, including those running on WordPress.
  • Use our SaaS hosted at STRATO AG German data-centres.
  • Receive support, newsletters or training.
  • Deal with us as supplier, partner or job applicant.
Where we receive your personal data from third parties (e.g., your employer, business partners, public directories), we process it in accordance with Art. 14 GDPR. This includes informing you about the source and purpose, unless an exemption under Art. 14(5) applies.

4. What we collect & why

Category | Examples | Purpose & Legal basis
Account & contact | name, title, company, business e-mail/phone, nationality (export-control) | Contract (Art. 6(1)(b)) or Legitimate interest (Art. 6(1)(f))
Service credentials | user-ID, hashed passwords, API tokens | Same as above
Device & logs | IP, OS, browser string, timestamps, crash dumps | Legitimate interest – security & troubleshooting
Usage telemetry | feature clicks, load times, anonymised IDs | Legitimate interest – product improvement; opt-out available
Geo-location (T.Flex) | GPS / Wi-Fi / beacon hits | Consent (Art. 6(1)(a)); disable in app any time
Support media | tickets, call recordings, screenshots | Contract
Marketing data | opt-in newsletters, event scans, cookie IDs | Consent (Art. 6(1)(a) GDPR) or, for existing customers, legitimate interest (Art. 6(1)(f) GDPR, § 7(3) UWG) to send information about our own similar products or services to existing customers, in line with § 7(3) UWG. In every marketing message, we include a clear option to opt out, which you can use at any time, or you can contact hello@tassta.com to object to further marketing.
Recruitment data | name, contact details, CV, references, qualification documents, interview notes | Contract initiation (Art. 6(1)(b) GDPR, § 26(1) BDSG) or consent (Art. 6(1)(a) GDPR) for talent pool inclusion

We do not intentionally collect special-category data (Art 9) or data of children under 16.


If we ever need to process special-category data, we will obtain your explicit consent (Art. 9(2)(a) GDPR) or rely on another lawful basis permitted by Art. 9(2) GDPR.


Note on legitimate interests: When processing is based on Art. 6(1)(f) GDPR, we have conducted a balancing test and determined that our interests (e.g., product improvement via pseudonymised telemetry with opt-out available) do not override your fundamental rights and freedoms. You may request a copy of this assessment at hello@tassta.com.

4.1 Cookies & similar tech

Our sites use essential cookies (session, CSRF) and optional analytics cookies via self-hosted Matomo. Non-essential cookies are set only after explicit consent under § 25 (1) TTDSG.

4.2 Automated decision-making

No decisions with legal or similar significant effect are taken automatically (Art. 22 GDPR not applicable).

4.3 When TASSTA is a processor

For voice, video, messages, location trails and files stored by your company inside TASSTA SaaS, your organisation is the controller; TASSTA is the processor. Processing is governed by the Data-Processing Agreement (DPA) incorporated into every SaaS contract (Art 28).

4.4 Consent management

For certain processing activities such as geo-location in the T.Flex app, non-essential cookies on our websites or sending marketing newsletters, we rely on your prior consent.


You can withdraw your consent at any time with effect for the future:
  • For geo-location: change the settings in the relevant app or your device’s operating system.
  • For cookies: use the cookie settings tool on our websites or adjust your browser preferences.
  • For newsletters: click the “unsubscribe” link in the email or contact hello@tassta.com.


Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

5. Who processes the data (sub-processors*)

We use trusted third-party service providers to process personal data on our behalf, subject to Art. 28 GDPR.


Every sub-processor signs a Data Processing Agreement that requires them to act only on our instructions, apply appropriate security measures, assist with data-subject rights, cascade obligations to any sub-contractors, notify breaches immediately, and securely delete or return data at the end of the contract term.

Layer | Provider | Type of data processing | Location | Safeguard | DPA / GDPR info
Hosting & VMs | STRATO AG | Hosting of SaaS and infrastructure | Berlin & Karlsruhe (DE) | ISO 27001-certified, TÜV audited | Link
Corp. e-mail & docs | Google Workspace (Gmail, Drive) | Corporate email, file storage, collaboration | EU/US/Singapore | ISO 27001/27017/27018; EU SCCs + EU-US DPF | Link
Analytics | Matomo On-Premise | Website analytics (self-hosted) | Same STRATO DC | No third-party transfer | Link
Support ticketing | Atlassian Jira | Support tickets, service requests | EU & US | EU SCCs | Link
Error logging | Sentry | Application monitoring and error tracking | EU & US | EU SCCs | Link
Customer communication | Microsoft Teams | Online meetings, chat, file sharing | EU & US | EU SCCs + EU–US DPF | Link
Cloud hosting | Hetzner, OVH, AWS, Azure, Alibaba Cloud | Hosting, storage, cloud infrastructure | EU, US, APAC | ISO 27001 where applicable and EU SCCs where required | Link 1, Link 2, Link 3
Monitoring | Zabbix (Hetzner) | System monitoring (Premium SLA only) | Germany | ISO 27001 Hetzner data centres and Zabbix not certified | Link

This list is updated regularly to reflect any additions or removals of subprocessors. Where required by law or contract, we will notify customers in advance of any intended addition or replacement of subprocessors, giving them the opportunity to object in accordance with Art. 28(2) GDPR.

6. International transfers

Primary hosting is in Germany. Only corporate e-mail/Drive data may transit outside the EEA. Transfers rely on:
  • EU Standard Contractual Clauses (2021/914/EU) + Google’s supplementary technical & organisational measures;
  • Google LLC’s certification under the EU–US Data Privacy Framework (DPF).

We monitor court rulings (Schrems II/III) and will adjust safeguards if required. If we determine that adequate protection for personal data can no longer be ensured, we will suspend the affected transfers until an alternative lawful mechanism is implemented.


Some subprocessors are only used when specific services or features are activated.


Transfers to Singapore (Google Workspace).


For any transfers of personal data to Singapore, we rely on the EU Standard Contractual Clauses (2021/914/EU) as the legal safeguard, together with Google’s supplementary technical and organisational measures.


Singapore does not currently benefit from an adequacy decision by the European Commission; the SCCs therefore ensure an adequate level of data protection equivalent to that in the EEA.

7. Security measures

Although TASSTA itself is not ISO 27001-certified, we mirror the standard and leverage certified partners:
  • STRATO ISO 27001/TÜV DCs with 24×7 guards, biometric access, redundant power & cooling.
  • Transport Layer Security (TLS 1.3) on every public endpoint; AES-256 encryption at rest (STRATO) and in Google Workspace.
  • Company-wide Multi-Factor Authentication (MFA) and least-privilege IAM.
  • WordPress hardened: auto-patching, limited plugins, Web Application Firewall, rate limiting.
  • Continuous vulnerability scanning; independent penetration test twice a year; remediation tracked by the CTO.
  • Daily encrypted off-site backups inside Germany; RPO < 15 min, RTO < 1 h.
  • Immutable audit logs retained 365 days.
  • Formal Incident-Response Plan (IRT < 2 h, Regulator notice < 72 h).

8. Data retention

Category | Standard retention | Rationale
Account & billing | Contract term + 3 yrs | German Commercial Code (HGB) limitation
Geo-location logs | 30 days (default, admin-configurable) | Safety vs data-minimisation
Crash/telemetry | 180 days | Trend analysis
Support tickets | 5 yrs | Defence against legal claims
Marketing lists | Until you unsubscribe | Consent withdrawal

Longer retention only where statutory (e.g. tax = 10 yrs). Afterwards data is securely erased or irreversibly anonymised.

9. Your rights (Arts 15-22 GDPR)

Access · Rectification · Erasure · Restriction · Portability · Objection · Withdraw consent · Complain to a supervisory authority.
We respond within one month; complex cases may extend to two (Art. 12(3)).

10. Liability & force majeure

We apply “state-of-the-art” security (§ 7). However, TASSTA is not liable for breaches caused by events beyond reasonable control (war, riots, nationwide Internet outages, natural disasters, laws prohibiting service), except for mandatory liability in cases of intent or gross negligence (§ 276 BGB).

11. Children

Services are not directed to children under 16. We delete any such data on discovery.

12. Changes to this notice

Material changes → 30 days’ prior e-mail or in-app banner; minor text tweaks → posted with new “Last updated” date.

13. Contact – Data Protection Officer

DPO: Lars Mohrmann
lm@tassta.com
GMC TASSTA GmbH

Bödeckerstrasse 56, 30167 Hannover, Germany

hello@tassta.com · +49 30 57710674

We keep the legalese light, the walls thick, and your data yours.
