Privacy Policy

Privacy Policy (Datenschutzerklärung) of Builderz GmbH for skillatelier.ai

Last updated: 3 March 2026

1. Controller and Contact Information

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:

Builderz GmbH Schlederloh 12 82057 Icking, Germany

Managing Director: Bernhard Neumann Email: kontakt@builderz.org

For data protection inquiries, please contact: kontakt@builderz.org

Note: A Data Protection Officer (DPO) is not mandatory for Builderz GmbH under §38 BDSG as fewer than 20 persons are regularly engaged in automated data processing.

1. Overview of Data Processing

We process personal data only to the extent necessary for the operation of our website and the fulfilment of our contractual obligations. Processing is based on one of the legal bases set out in Art. 6(1) GDPR.

1. Data Processing Activities — Detailed Mapping

3.1 Website Access and Server Logs

Data collected: IP address, date and time of access, pages visited, browser type and version, operating system, referrer URL Purpose: Website operation, security, abuse prevention, error diagnosis Legal basis: Art. 6(1)(f) GDPR — legitimate interest (security and technical operation of the website) Retention: 7–30 days, then automatically deleted Recipients: Hosting provider (processor, see §6 below)

3.2 Purchase and Order Processing

Data collected: Name, email address, billing address, order details, payment transaction ID Purpose: Contract performance — processing the order, delivering the digital product, generating invoices Legal basis: Art. 6(1)(b) GDPR — performance of a contract Retention: For the duration of the contractual relationship; thereafter retained only as required by law (see §5) Recipients: Whop (EU) Limited (Merchant of Record, see §6)

3.3 Payment Processing

Data collected: Payment method details (tokenized — Builderz GmbH does not receive or store raw credit card numbers or bank account details) Purpose: Processing payment for the purchased Skill Files Legal basis: Art. 6(1)(b) GDPR — performance of a contract Retention: Payment transaction records retained per legal obligations (see §5) Recipients: Whop (EU) Limited as Merchant of Record (independent controller for payment processing, see §6)

3.4 Tax and Accounting Records

Data collected: Invoice data, transaction amounts, VAT details Purpose: Compliance with tax and commercial law retention obligations Legal basis: Art. 6(1)(c) GDPR — legal obligation (§147 AO, §257 HGB) Retention: Invoices: 8 years (§257 HGB — reduced from 10 in 2025); tax records: 10 years (§147 AO) Recipients: Tax advisor (processor or independent controller, depending on engagement) Note: During legal retention periods, data is restricted to the legally required purpose only.

3.5 Website Analytics

Analytics tool: Plausible Analytics (Plausible Insights OÜ, Estonia) Data collected: Plausible processes no personal data, sets no cookies, and does not use browser fingerprinting. All data is aggregated and anonymous. No individual visitors are tracked. Purpose: Understanding website usage patterns to improve the service Legal basis: Not applicable — Plausible does not process personal data within the meaning of Art. 4(1) GDPR Consent: Not required (no cookies, no personal data) Recipients: Plausible Insights OÜ (processor within the EU; data remains in the EU)

3.6 Customer Support Communications

Data collected: Name, email address, content of support inquiries Purpose: Responding to and resolving customer inquiries Legal basis: Art. 6(1)(b) GDPR (contract-related inquiries) or Art. 6(1)(f) GDPR (general inquiries — legitimate interest in providing customer service) Retention: 3 years after resolution (§195 BGB — general limitation period) Recipients: Email provider (processor, see §6)

3.7 Email Marketing

Status: Builderz GmbH does not currently operate an email marketing program. If email marketing is introduced in the future, participation will require explicit consent via double opt-in (Art. 6(1)(a) GDPR; UWG §7(2)). This privacy policy will be updated accordingly before any marketing emails are sent.

1. Your Rights as a Data Subject

Under the GDPR, you have the following rights. To exercise any of these rights, contact us at: kontakt@builderz.org

(a) Right of access (Art. 15 GDPR) — You may request confirmation of whether we process your personal data and obtain a copy.

(b) Right to rectification (Art. 16 GDPR) — You may request correction of inaccurate personal data.

(c) Right to erasure (Art. 17 GDPR) — You may request deletion of your personal data, subject to legal retention obligations.

(d) Right to restriction of processing (Art. 18 GDPR) — You may request that processing be restricted under certain circumstances.

(e) Right to data portability (Art. 20 GDPR) — You may receive your personal data in a structured, commonly used, machine-readable format.

(f) Right to object (Art. 21 GDPR) — You may object to processing based on legitimate interest (Art. 6(1)(f)) at any time, on grounds relating to your particular situation.

(g) Right to withdraw consent (Art. 7(3) GDPR) — Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

(h) Right to lodge a complaint — You have the right to lodge a complaint with a supervisory authority. The competent authority for Builderz GmbH is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) Promenade 18 91522 Ansbach, Germany https://www.lda.bayern.de

1. Retention Periods

• Tax records: 10 years (§147 AO)
• Invoices: 8 years (§257 HGB — reduced from 10 in 2025)
• Commercial correspondence: 6 years
• Server logs: 7–30 days
• Customer support: 3 years after resolution (§195 BGB)

During statutory retention periods, data is restricted to the legally required purpose and not processed for other purposes.

1. Recipients, Processors, and International Transfers

6.1 Whop (EU) Limited

Role: Merchant of Record — independent controller for payment processing, VAT collection, and order management Data shared: Order data, payment data, billing details Location: EU (Ireland) Legal basis for sharing: Art. 6(1)(b) GDPR — contract performance Transfer mechanism: EU-based; no international transfer Note: As Merchant of Record, Whop acts as an independent controller, not a processor. Whop's own privacy policy governs its processing activities.

6.2 Plausible Insights OÜ

Role: Analytics provider (processor) Data shared: None (Plausible does not collect personal data) Location: EU (Estonia) DPA: In place Transfer mechanism: No international transfer

6.3 Hosting Provider

Role: Processor Data shared: Server log data (IP addresses, access data) Location: [TO BE SPECIFIED — confirm hosting provider] DPA: Required — must be in place before launch Transfer mechanism: If EU-based, no further mechanism required. If US-based, EU-US Data Privacy Framework (DPF) adequacy decision (valid as of March 2026) or Standard Contractual Clauses (SCCs) as backup.

Note on EU-US Data Privacy Framework: The DPF adequacy decision (July 10, 2023) is currently valid. The Latombe challenge was dismissed by the EU General Court in September 2025. An appeal to the European Court of Justice was filed October 31, 2025, and is pending. Standard Contractual Clauses are maintained as a backup transfer mechanism.

1. Cookies and Tracking Technologies

skillatelier.ai uses only strictly necessary cookies (session management, consent preference storage). No analytics cookies or marketing tracking technologies are deployed. Plausible Analytics operates without cookies.

For further details, see our separate Cookie Policy.

1. Provision of Data — Statutory or Contractual Requirement

The provision of personal data for purchase processing (name, email, billing address) is a contractual requirement. Without this data, we cannot conclude or perform the purchase contract. Server log data is processed automatically and is necessary for the secure operation of the website.

1. Automated Decision-Making

Builderz GmbH does not use automated decision-making including profiling within the meaning of Art. 22 GDPR.

1. Notice to US Residents

Builderz GmbH does not currently meet the thresholds for the California Consumer Privacy Act (CCPA) ($26.6M revenue, 100,000+ California consumers, or 50%+ revenue from data sales). Should these thresholds be met, a jurisdiction-specific addendum will be added to this policy. In the meantime, California residents may exercise their data rights by contacting kontakt@builderz.org.

1. Changes to This Privacy Policy

We may update this privacy policy to reflect changes in our data processing practices or legal requirements. Significant changes will be communicated via our website. The "Last updated" date at the top of this policy indicates the most recent revision.