sternflut

Privacy Policy

This is the English version of our Privacy Policy. The German version is available at sternflut.de/datenschutz. Both versions are independently valid under GDPR Art. 12.

1. Privacy at a Glance

General Information

The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you. For detailed information on data protection, please refer to our privacy policy below.

Data Collection on This Website

Who is responsible for data collection on this website?

Data processing on this website is carried out by the website operator. You can find their contact details in the section “Information About the Controller” in this privacy policy.

How do we collect your data?

Some data is collected when you provide it to us — for example, data you enter in a contact form.

Other data is collected automatically, or with your consent, by our IT systems when you visit the website. This is primarily technical data (e.g. browser type, operating system, or time of page access). This data is collected automatically as soon as you enter this website.

What do we use your data for?

Some data is collected to ensure error-free provision of the website. Other data is processed to provide our service. If contracts can be concluded or initiated through the website, the transmitted data is also processed for contract offers, orders, or other inquiries.

What rights do you have regarding your data?

You have the right to receive free information about the origin, recipients, and purpose of your stored personal data at any time. You also have the right to request the correction or deletion of this data. If you have given consent to data processing, you can revoke this consent at any time. You also have the right, under certain circumstances, to request the restriction of the processing of your personal data. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.

You can contact us at any time regarding this and other questions on the subject of data protection.

2. Hosting

We host the content of our website with the following provider:

External Hosting

This website is hosted externally. The personal data collected on this website is stored on the servers of the host(s). This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses, and other data generated through a website.

External hosting is carried out for the purpose of fulfilling contracts with our potential and existing customers (Art. 6(1)(b) GDPR) and in the interest of a secure, fast, and efficient provision of our online offering by a professional provider (Art. 6(1)(f) GDPR).

We use the following host:
Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA

We have concluded a Data Processing Agreement (DPA) with this provider. Data transfers to the USA are based on the EU-US Data Privacy Framework and/or Standard Contractual Clauses (SCCs). More information: https://vercel.com/legal/privacy-policy

Cloudflare

This website uses Cloudflare as a DNS service and for DDoS protection. Provider: Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA.

When you visit our website, your requests are routed through Cloudflare servers. Your IP address may be transmitted to Cloudflare. This is based on our legitimate interest in a secure and efficient provision of our website (Art. 6(1)(f) GDPR).

We have concluded a Data Processing Agreement (DPA) with Cloudflare. Data transfers to the USA are based on the EU-US Data Privacy Framework and/or Standard Contractual Clauses (SCCs). More information: https://www.cloudflare.com/privacypolicy/

3. General Information and Mandatory Disclosures

Data Protection

The operators of this website take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.

Please note that data transmission over the Internet (e.g. communication by email) may have security vulnerabilities. Complete protection of data against access by third parties is not possible.

Information About the Controller

The controller responsible for data processing on this website is:

Timo Brenner
Sternflut (Sole Proprietorship / Einzelunternehmer)
c/o POSTFLEX PFX-046-301
Emsdettener Straße 10
48268 Greven, Germany
Email: info@sternflut.de

Data Protection Officer

We are not legally required to appoint a data protection officer (§ 38 BDSG, German Federal Data Protection Act — fewer than 20 persons regularly process personal data). For data protection inquiries, please contact the controller listed above.

Storage Duration

Unless a more specific storage period is stated within this privacy policy, your personal data will remain with us until the purpose for the data processing no longer applies. If you assert a justified deletion request or revoke consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g. tax or commercial law retention periods); in the latter case, the deletion takes place after these reasons cease to apply.

Legal Bases for Data Processing

If you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR. If your data is required for the performance of a contract or for pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR. Furthermore, we process your data if required for the fulfilment of a legal obligation on the basis of Art. 6(1)(c) GDPR. Data processing may also be carried out on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR.

Revocation of Your Consent

Many data processing operations are only possible with your express consent. You can revoke consent you have already given at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation.

Right to Object (Art. 21 GDPR)

If data processing is based on Art. 6(1)(e) or (f) GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation; this also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time (objection pursuant to Art. 21(2) GDPR).

Right to Lodge a Complaint

In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work, or the place of the alleged infringement.

Right to Data Portability

You have the right to receive data that we process on the basis of your consent or in fulfilment of a contract in a structured, commonly used, and machine-readable format. Sternflut provides a data export function in the settings where you can download your stored data as a JSON file (Art. 20 GDPR).

Access, Rectification, and Erasure

You have the right to free information about your stored personal data, its origin, recipients, and the purpose of data processing, and, if applicable, a right to rectification or erasure of this data.

Right to Restriction of Processing

You have the right to request the restriction of the processing of your personal data if you dispute the accuracy of the data, the processing is unlawful, we no longer need the data, or you have lodged an objection pursuant to Art. 21(1) GDPR.

SSL / TLS Encryption

This site uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content.

Encrypted Payment Transactions

Payment transactions via Stripe are carried out exclusively via an encrypted SSL/TLS connection. Payment data is processed directly by Stripe and is not stored on our servers.

Objection to Unsolicited Emails

The use of contact data published within the scope of the legal notice obligation for sending unsolicited advertising and information materials is hereby objected to. The operators expressly reserve the right to take legal action in the event of unsolicited advertising.

4. Data Collection on This Website

Cookies

Our website uses so-called “cookies.” Cookies are small data packets that do not cause any damage to your device. This website uses only technically necessary cookies.

Technically necessary cookies are stored on the basis of Art. 6(1)(f) GDPR. This website uses the following cookies:

Name                | Purpose                                               | Details
Session token       | User authentication (Supabase Auth)                   | Technically necessary, HttpOnly
Language preference | Stores your language setting (de/en)                  | Technically necessary
Active business     | Business selection for multi-business accounts        | Technically necessary, HttpOnly, signed
Admin test access   | Administrator test access to customer accounts        | HttpOnly, signed, 1-hour lifetime
Upgrade redirect    | Prevents repeated redirects to plan selection         | 1-hour lifetime

Additionally, the following is stored in your browser's local storage (not cookies, disclosed for transparency):

Name               | Purpose
Consent decision   | Your decision on error tracking consent (Sentry). Legal basis: Art. 6(1)(a) GDPR.
Theme preference   | Dark or light mode setting
Hint status        | Which UI help hints you have dismissed
Template hints     | Collapsed state of template manager hints
Verification form  | Form data cache for toll-free number verification (administrators only)

In session storage (automatically deleted when the browser tab is closed):

Name              | Purpose
Demo area status  | Collapsed state of the demo launcher
Trial notice      | Whether the trial expiry notice was dismissed
Plan switcher     | Controls the plan selection dialog

Server Log Files

The server automatically collects information in log files: browser type/version, operating system, referrer URL, hostname, time of request, and IP address. This data is not merged with other sources. Legal basis: Art. 6(1)(f) GDPR.

Contact Form

If you send us inquiries via the contact form, your details are stored for processing. Legal basis: Art. 6(1)(b) GDPR (contract) or Art. 6(1)(f) GDPR (legitimate interest).

Inquiry by Email

If you contact us by email, your inquiry and all resulting personal data is stored and processed. Legal basis: Art. 6(1)(b) or Art. 6(1)(f) GDPR.

Registration

You can register on this website to use additional features. Data entered (email, password) is used only for the service. Registration is via Supabase Auth (Supabase Inc., EU Frankfurt). Email confirmation (double opt-in) is enabled. Legal basis: Art. 6(1)(b) GDPR.

5. Commissioned Data Processing

Sternflut processes personal data on behalf of its business clients (Art. 28 GDPR). This includes sending review requests via email, SMS, and WhatsApp, aggregating reviews from third-party platforms (Google, Facebook, Trustpilot, Instagram), managing messages (inbox), and generating analytics and sentiment analysis.

Data processed includes: names, email addresses, and phone numbers of end customers, review content, private feedback, and pseudonymised IP hashes. End customer data is encrypted with AES-256-GCM. The Data Processing Agreement (DPA) is available at sternflut.de/dpa.

6. Payment Services

Stripe

We use Stripe for payment processing. Provider: Stripe Inc., South San Francisco, CA, USA (EEA: Stripe Payments Europe Ltd., Dublin, Ireland). Payment data is collected and processed directly by Stripe. Legal basis: Art. 6(1)(b) GDPR. Stripe is certified under the EU-US Data Privacy Framework. Stripe Privacy Policy

7. Third-Party Services and Sub-Processors

We use the following third-party services:

Supabase (Database, Authentication, Storage)

Provider: Supabase Inc., Server: EU Frankfurt (eu-central-1)
Purpose: Database storage, user authentication, file storage
Legal basis: Art. 6(1)(b) GDPR

Resend (Transactional Email)

Provider: Resend Inc., USA
Purpose: Sending transactional emails (confirmations, notifications, review requests)
Legal basis: Art. 6(1)(b) GDPR
Data transfer: Standard Contractual Clauses (SCCs)

Twilio (SMS and WhatsApp)

Provider: Twilio Inc., USA
Purpose: Sending SMS and WhatsApp messages (review requests, notifications)
Legal basis: Art. 6(1)(b) GDPR
Data transfer: EU-US Data Privacy Framework / SCCs

LOX24 (SMS)

Provider: LOX24 GmbH, Germany
Purpose: Sending SMS messages (German-speaking market)
Legal basis: Art. 6(1)(b) GDPR

Meta WhatsApp Cloud API

Provider: Meta Platforms Inc., USA
Purpose: Sending WhatsApp messages (review requests, customer communication)
Legal basis: Art. 6(1)(b) GDPR
Data transfer: EU-US Data Privacy Framework / SCCs

Telegram Bot API

Provider: Telegram FZ-LLC, Dubai/international
Purpose: Receiving and managing messages via Telegram
Legal basis: Art. 6(1)(b) GDPR
Data transfer: Standard Contractual Clauses (SCCs)

Google APIs (Places, Business Profile, OAuth)

Provider: Google LLC, USA
Purpose: Retrieving business data and reviews, authentication (Gmail OAuth)
Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR
Data transfer: EU-US Data Privacy Framework / SCCs

Microsoft OAuth / Graph API

Provider: Microsoft Corporation, USA
Purpose: Authentication and email sending via Outlook/Office 365
Legal basis: Art. 6(1)(b) GDPR
Data transfer: EU-US Data Privacy Framework / SCCs

Facebook Graph API (Reviews and Comments)

Provider: Meta Platforms Ireland Ltd. / Meta Platforms Inc., USA
Purpose: Retrieving and displaying Facebook page reviews and comments
Legal basis: Art. 6(1)(b) GDPR
Data transfer: EU-US Data Privacy Framework / SCCs

Instagram Graph API (Comments)

Provider: Meta Platforms Ireland Ltd. / Meta Platforms Inc., USA
Purpose: Retrieving and displaying Instagram business account comments
Legal basis: Art. 6(1)(b) GDPR
Data transfer: EU-US Data Privacy Framework / SCCs

Trustpilot API

Provider: Trustpilot A/S, Denmark (EU)
Purpose: Retrieving and aggregating reviews
Legal basis: Art. 6(1)(b) GDPR

Customer's Own Email Accounts (Custom SMTP, Gmail OAuth, Outlook OAuth)

Business clients can connect their own email accounts to send review requests from their own email address. Credentials are stored encrypted (AES-256-GCM). Legal basis: Art. 6(1)(b) GDPR.

Healthchecks.io (Cron Monitoring)

Monitoring of scheduled background processes. No personal data is transmitted to Healthchecks.io.

8. Artificial Intelligence (AI)

Anthropic (Claude)

We use AI for reply suggestions and sentiment analysis. Provider: Anthropic PBC, USA. Data transmitted: business name, review/message text (truncated to 500 chars for sentiment). NO contact data (emails, phone numbers) is sent to Anthropic. Data is processed transiently and not stored or used for training. Legal basis: Art. 6(1)(f) GDPR. Data transfer: SCCs.

9. Error Tracking

Sentry

This website uses Sentry for error detection. Provider: Functional Software Inc. (Sentry), San Francisco, CA, USA. Sentry is activated ONLY with your explicit consent. Data collected (only with consent): technical error messages, browser type, OS, URL. No personal user data is transmitted. Legal basis: Art. 6(1)(a) GDPR (consent). Consent can be revoked at any time. Data transfer: SCCs.

10. Customer and Contract Data

We collect, process, and use personal customer and contract data for the establishment, arrangement, and modification of our contractual relationships. Legal basis: Art. 6(1)(b) GDPR. We only transmit personal data to third parties if necessary for contract processing, e.g. to the payment service provider (Stripe).

11. Data Encryption

The following data is encrypted at rest using AES-256-GCM: API credentials for third-party integrations, names and contact details of end customers in review requests, and contents of incoming messages (WhatsApp, Telegram, SMS). IP addresses are never stored. For deduplication, only SHA-256 hashes with a daily rotating salt are used.
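As an added illustration (not Sternflut's own code) of the deduplication scheme described above: the raw IP is hashed with a salt that changes every day, so the same visitor yields a stable pseudonym within a day but cannot be linked across days once the previous day's hash set is dropped. The derivation of the daily salt from a server secret via HMAC is an assumption for this example.

```python
import hashlib
import hmac
import secrets

# Assumed: a long-lived server secret loaded from a secret store in practice.
# Here it is generated at import time purely for the constructed example.
SERVER_SECRET = secrets.token_bytes(32)


def daily_salt(day: str, secret: bytes = SERVER_SECRET) -> bytes:
    """Derive the salt for one calendar day (ISO date, e.g. '2024-01-01').

    HMAC over the date means the salt rotates daily without storing
    a table of salts, and cannot be recomputed without the secret.
    """
    return hmac.new(secret, day.encode(), hashlib.sha256).digest()


def pseudonymise_ip(ip: str, day: str, secret: bytes = SERVER_SECRET) -> str:
    """SHA-256 over (daily salt || IP); the raw IP is never persisted."""
    return hashlib.sha256(daily_salt(day, secret) + ip.encode()).hexdigest()


class DailyDeduplicator:
    """Keeps only the current day's pseudonymous hashes in memory."""

    def __init__(self, secret: bytes = SERVER_SECRET) -> None:
        self._secret = secret
        self._day = None
        self._seen: set[str] = set()

    def is_duplicate(self, ip: str, today: str) -> bool:
        # Salt rotation: on a new day, discard yesterday's hash set so
        # visits on different days cannot be correlated.
        if today != self._day:
            self._day, self._seen = today, set()
        h = pseudonymise_ip(ip, today, self._secret)
        if h in self._seen:
            return True
        self._seen.add(h)
        return False


if __name__ == "__main__":
    # Constructed sample: documentation-range IP, two consecutive days.
    dedup = DailyDeduplicator()
    print(dedup.is_duplicate("203.0.113.7", "2024-01-01"))  # first visit
    print(dedup.is_duplicate("203.0.113.7", "2024-01-01"))  # same day: duplicate
    print(dedup.is_duplicate("203.0.113.7", "2024-01-02"))  # new day, new salt
```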

12. Retention Periods

We store personal data only for as long as required for the respective purpose or as required by statutory retention obligations:

GDPR-driven retention (data minimisation):

  • Review requests: 90 days
  • QR code analytics: 90 days
  • Notifications (read): 90 days / (unread): max. 1 year
  • Invitations (business/team): 90 days
  • Incoming messages and media: 90 days
  • Personalised review images: 30 days
  • General audit log: 90 days
  • Contact messages and replies: 1 year
  • Review/competitor data: 1 year
  • Daily usage data: 1 year
  • Admin audit log: 1 year
  • Rate limit entries: 1 day

Tax law retention (§ 147 German Fiscal Code / Abgabenordnung):

  • Send logs (if billing-relevant): 6 years (business correspondence)
  • Daily usage data (if billing-relevant): 8 years (accounting records)
  • Payment events (Stripe invoices): 8 years (accounting records)

Extended retention due to tax law obligations is based on Art. 6(1)(c) GDPR.

13. Embedded Review Widget

Sternflut provides an embeddable widget for displaying reviews on client websites. Pursuant to the CJEU ruling “Fashion ID” (C-40/17), joint controllership (Art. 26 GDPR) exists for the collection of visitor IP addresses. Sternflut does not store widget visitor IP addresses. All fonts are served locally. The widget does not set cookies or use tracking. Business clients receive a pre-drafted privacy notice in the widget settings. Legal basis: Art. 6(1)(f) GDPR. Server location: EU (Vercel, Frankfurt).

14. Automated Decision-Making

No automated decision-making including profiling within the meaning of Art. 22 GDPR takes place. The AI used on this website (Section 8) only creates reply suggestions that are reviewed and edited by the user before sending. No automatic decision without human involvement is made.

15. Information for UK Residents

If you are based in the United Kingdom, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply to our processing of your personal data. Your rights under the UK GDPR are substantially identical to those listed in Section 3 above.

The relevant supervisory authority for UK residents is:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, UK
Website: https://ico.org.uk
Phone: +44 0303 123 1113

Data transfers between the EU and the UK are covered by the EU adequacy decision for the UK (Commission Implementing Decision (EU) 2021/1772).

16. Information for US Residents

We do not sell or share your personal information as defined by the California Consumer Privacy Act (CCPA/CPRA) or any other US state privacy law.

Depending on your state of residence, you may have the right to: (a) request access to your personal information, (b) request deletion of your personal information, (c) opt out of the sale or sharing of your personal information (we do not sell or share), (d) non-discrimination for exercising your rights. To exercise any of these rights, contact us at info@sternflut.de.

This service is a B2B platform. Consumer data (end-customer names, phone numbers, emails) is processed on behalf of our business clients as a service provider / data processor.

17. DMCA Copyright Notice

If you believe that content displayed through our service infringes your copyright, you may send a notice pursuant to the Digital Millennium Copyright Act (17 U.S.C. § 512) to: info@sternflut.de.

Your notice must include: (a) identification of the copyrighted work, (b) identification of the infringing material with sufficient detail to locate it, (c) your contact information, (d) a statement of good faith belief that the use is not authorised, (e) a statement under penalty of perjury that the information is accurate and that you are the copyright owner or authorised to act on their behalf, (f) your physical or electronic signature.

Source: https://www.e-recht24.de
Supplemented with service-specific sections by the website operator.