GMC TASSTA GmbH – Global Privacy Policy
1. Who we are
Registered Address: Kurfürstendamm 14 | 10719 Berlin | Germany
Service/Trading Address: Bödekerstr. 56 | 30161 Hannover | Germany
hello@tassta.com · +49 30 57710674
Lead supervisory authority: Landesbeauftragte für den Datenschutz Niedersachsen (LfD-NI).
Prinzenstraße 5, 30159 Hannover, Germany
poststelle@lfd.niedersachsen.de · +49 511 120 4500
Website: https://lfd.niedersachsen.de
2. Definitions – plain language
- “TASSTA” – Refers to GMC TASSTA GmbH.
- “You” / “user” – Visitors, customers, partners, suppliers or applicants interacting with TASSTA.
- “Services” – T.Commander, T.Flex, T.Lion, T.Bridge, websites, support portals and any SaaS or on-prem deployment we operate.
- “Personal data” – Any information that identifies or can identify a natural person.
- “Controller” – TASSTA when we decide the purpose/means of processing; your employer when we merely host their mission-critical content (§ 4.3).
- “Processor” – We act as a processor when we process personal data on behalf of another party and only under their written instructions (see § 4.3).
- “Special categories of personal data” – Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for identification, health data, or data concerning a person’s sex life or sexual orientation (Art. 9 GDPR).
3. Where this policy applies
- Visit TASSTA websites, including those running on WordPress.
- Use our SaaS hosted at STRATO AG German data-centres.
- Receive support, newsletters or training.
- Deal with us as supplier, partner or job applicant.
4. What we collect & why
Category | Examples | Purpose & Legal basis |
---|---|---|
Account & contact | name, title, company, business e-mail/phone, nationality (export-control) | Contract (Art. 6(1)(b) GDPR) or legitimate interest (Art. 6(1)(f) GDPR) |
Service credentials | user-ID, hashed passwords, API tokens | Same as above |
Device & logs | IP, OS, browser string, timestamps, crash dumps | Legitimate interest – security & troubleshooting |
Usage telemetry | feature clicks, load times, anonymised IDs | Legitimate interest – product improvement; opt-out available |
Geo-location (T.Flex) | GPS / Wi-Fi / beacon hits | Consent (Art. 6(1)(a) GDPR); can be disabled in the app at any time |
Support media | support tickets, call recordings, screenshots | Contract |
Marketing data | opt-in newsletters, event scans, cookie IDs | Consent (Art. 6(1)(a) GDPR) or, for existing customers, legitimate interest (Art. 6(1)(f) GDPR, § 7(3) UWG) to send information about our own similar products or services. Every marketing message includes a clear opt-out option, which you can use at any time; you can also contact hello@tassta.com to object to further marketing. |
Recruitment data | name, contact details, CV, references, qualification documents, interview notes | Contract initiation (Art. 6(1)(b) GDPR, § 26(1) BDSG) or consent (Art. 6(1)(a) GDPR) for talent-pool inclusion |
We do not intentionally collect special-category data (Art. 9 GDPR) or data of children under 16.
If we ever need to process special-category data, we will obtain your explicit consent (Art. 9(2)(a) GDPR) or rely on another lawful basis permitted by Art. 9(2) GDPR.
Note on legitimate interests: When processing is based on Art. 6(1)(f) GDPR, we have conducted a balancing test and determined that our interests (e.g., product improvement via pseudonymised telemetry with opt-out available) do not override your fundamental rights and freedoms. You may request a copy of this assessment at hello@tassta.com.
4.1 Cookies & similar tech
4.2 Automated decision-making
4.3 When TASSTA is a processor
4.4 Consent management
For certain processing activities such as geo-location in the T.Flex app, non-essential cookies on our websites or sending marketing newsletters, we rely on your prior consent.
You can withdraw your consent at any time with effect for the future.
For geo-location: change the settings in the relevant app or your device’s operating system.
For cookies: use the cookie settings tool on our websites or adjust your browser preferences.
For newsletters: click the “unsubscribe” link in the email or contact hello@tassta.com.
Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
5. Who processes the data (sub-processors*)
We use trusted third-party service providers to process personal data on our behalf, subject to Art. 28 GDPR.
Every sub-processor signs a Data Processing Agreement that requires them to act only on our instructions, apply appropriate security measures, assist with data-subject rights, cascade obligations to any sub-contractors, notify breaches immediately, and securely delete or return data at the end of the contract term.
Layer | Provider | Type of data processing | Location | Safeguard | DPA / GDPR info |
---|---|---|---|---|---|
Hosting & VMs | STRATO AG | Hosting of SaaS and infrastructure | Berlin & Karlsruhe (DE) | ISO 27001-certified, TÜV audited | Link |
Corp. e-mail & docs | Google Workspace (Gmail, Drive) | Corporate email, file storage, collaboration | EU/US/Singapore | ISO 27001/27017/27018; EU SCCs + EU-US DPF | Link |
Analytics | Matomo On-Premise | Website analytics (self-hosted) | Same STRATO DC | No third-party transfer | Link |
Support ticketing | Atlassian Jira | Support tickets, service requests | EU & US | EU SCCs | Link |
Error logging | Sentry | Application monitoring and error tracking | EU & US | EU SCCs | Link |
Customer communication | Microsoft Teams | Online meetings, chat, file sharing | EU & US | EU SCCs + EU–US DPF | Link |
Cloud hosting | Hetzner, OVH, AWS, Azure, Alibaba Cloud | Hosting, storage, cloud infrastructure | EU, US, APAC | ISO 27001 where applicable and EU SCCs where required | Link 1 Link 2 Link 3 |
Monitoring | Zabbix (Hetzner) | System monitoring (Premium SLA only) | Germany | ISO 27001 (Hetzner data centres); Zabbix itself is not certified | Link |
6. International transfers
- EU Standard Contractual Clauses (2021/914/EU) + Google’s supplementary technical & organisational measures;
- Google LLC’s certification under the EU–US Data Privacy Framework (DPF).
We monitor court rulings (Schrems II/III) and will adjust safeguards if required. If we determine that adequate protection for personal data can no longer be ensured, we will suspend the affected transfers until an alternative lawful mechanism is implemented.
Some subprocessors are only used when specific services or features are activated.
Transfers to Singapore (Google Workspace).
For any transfers of personal data to Singapore, we rely on the EU Standard Contractual Clauses (2021/914/EU) as the legal safeguard, together with Google’s supplementary technical and organisational measures.
Singapore does not currently benefit from an adequacy decision by the European Commission; the SCCs therefore ensure an adequate level of data protection equivalent to that in the EEA.
7. Security measures
- STRATO ISO 27001/TÜV DCs with 24×7 guards, biometric access, redundant power & cooling.
- Transport Layer Security (TLS 1.3) on every public endpoint; AES-256 encryption at rest (STRATO) and in Google Workspace.
- Company-wide Multi-Factor Authentication (MFA) and least-privilege IAM.
- WordPress hardened: auto-patching, limited plugins, Web Application Firewall, rate limiting.
- Continuous vulnerability scanning; independent penetration test twice a year; remediation tracked by the CTO.
- Daily encrypted off-site backups inside Germany; RPO < 15 min, RTO < 1 h.
- Immutable audit logs retained 365 days.
- Formal Incident-Response Plan (IRT < 2 h, Regulator notice < 72 h).
8. Data retention
Category | Standard retention | Rationale |
---|---|---|
Account & billing | Contract term + 3 yrs | German Commercial Code (HGB) limitation |
Geo-location logs | 30 days (default, admin-configurable) | Safety vs data-minimisation |
Crash/telemetry | 180 days | Trend analysis |
Support tickets | 5 yrs | Defence against legal claims |
Marketing lists | Until you unsubscribe | Consent withdrawal |
Longer retention only where statutory (e.g. tax = 10 yrs). Afterwards data is securely erased or irreversibly anonymised.
9. Your rights (Arts 15-22 GDPR)
We respond within one month; complex cases may extend to two (Art. 12(3) GDPR).
10. Liability & force majeure
11. Children
12. Changes to this notice
13. Contact – Data Protection Officer
lm@tassta.com
GMC TASSTA GmbH
Bödeckerstrasse 56, 30167 Hannover, Germany
hello@tassta.com · +49 30 57710674
We keep the legalese light, the walls thick, and your data yours.