Privacy Policy
This policy explains what personal data we process when you use the Berlin SaaS Club, on what legal basis, and the rights you have under the EU General Data Protection Regulation (GDPR / DSGVO). It is written in plain English; the German statutory references are given where they apply.
1. Controller
The controller responsible for data processing on this website (within the meaning of Art. 4 No. 7 GDPR) is:
Industrial Code & Magic GmbHc/o Factory Works GmbH
Rheinsberger Straße 76/77
10115 Berlin, Germany
mail@industrial-code-and-magic.com
Full operator and register details are in our Imprint. We have not appointed a Data Protection Officer, as we are not legally required to do so.
2. The principle: as little data as possible
The Berlin SaaS Club is a public directory. You can browse, search and filter the entire directory without an account. We do not use analytics, tracking pixels, advertising networks, or social media plugins, and we do not load web fonts from third parties (the site uses the fonts already installed on your device). The only cookies we set are strictly necessary for signing in (see §5).
3. Hosting & server log files
This site is hosted on Cloudflare Pages, provided by Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA) and its EU affiliate Cloudflare Germany GmbH. When you visit the site, our hosting provider automatically processes technical access data (server log files) such as your IP address, the requested URL, date and time of the request, the referring page, and your browser/operating-system identifiers. This data is necessary to deliver the site reliably and securely (e.g. to defend against attacks).
Legal basis: Art. 6 (1) (f) GDPR (our legitimate interest in the secure, stable operation of the website). Cloudflare acts as our processor under a data-processing agreement (Art. 28 GDPR). Where data is transferred to the USA, the transfer is safeguarded by the EU–U.S. Data Privacy Framework and/or EU Standard Contractual Clauses.
4. Backend & account services (Supabase)
User accounts, the company database, and uploaded media are powered by Supabase (Supabase, Inc., 970 Toa Payoh North, Singapore — EU data region: AWS Frankfurt, eu-central-1). Supabase processes data on our behalf as a processor under a data-processing agreement (Art. 28 GDPR). Your browser connects directly to Supabase to load stored images (logos, founder photos, avatars) and, when you are signed in, to read and write directory data.
5. Cookies
We use only strictly necessary cookies. When you sign in, Supabase sets session/authentication cookies so that you stay logged in across page loads. These cookies are essential for the login function you request; under § 25 (2) No. 2 TDDDG they do not require consent, and we therefore do not show a cookie banner. We do not set any analytics or advertising cookies. If you do not sign in, no cookies are required.
6. Signing in (email magic code)
To sign in, you enter your email address and we send a one-time six-digit code (or magic link) to that address via Supabase Auth. We process your email address, the verification code, login timestamps and your session token to authenticate you. Your verified email domain is also used to confirm that you are entitled to manage a company whose website matches that domain. We do not store passwords.
Legal basis: Art. 6 (1) (b) GDPR (performance of, and steps prior to, the user agreement you enter into when you create an account) and Art. 6 (1) (f) GDPR (our legitimate interest in secure, password-less authentication).
7. Content you publish in the directory
If you add or manage a company, the information you enter — company name, website, description, categories, location, social links, logos, and the public professional details of founders (name, role, photo, LinkedIn/X/website) — is stored and shown publicly in the directory. Please only publish information you are entitled to make public. We deliberately do not collect private or contact email addresses of founders.
Legal basis: Art. 6 (1) (b) GDPR (managing your listing) and Art. 6 (1) (f) GDPR (operating a public, useful directory). Where a listing describes a natural person (e.g. a founder), processing of their public professional data also rests on Art. 6 (1) (f) GDPR; such persons may object at any time (see §11).
8. Map placement (opt-in)
A company appears on the public map only if its owner explicitly switches placement on and saves a location. This is off by default. When enabled, the company's chosen coordinates are stored and displayed publicly. Legal basis: Art. 6 (1) (a) GDPR (consent), which the owner can withdraw at any time by removing the placement.
9. Company favicons (Google)
For directory cards and map pins of companies that have not uploaded a logo, we display the company website's favicon retrieved from Google's public favicon service (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). In that case your browser connects directly to Google and transmits your IP address and the requested company domain. Logos shown in the 3D hero on the home page are instead routed through our own server, so no direct connection to Google occurs there.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in recognisable, lightweight directory visuals). Transfers to the USA are covered by the EU–U.S. Data Privacy Framework, under which Google is certified.
10. Storage periods
Server log data is retained only as long as needed for security and troubleshooting and then deleted or anonymised. Account and directory data is kept for as long as your account or listing exists. If you delete your account or ask us to remove a listing, the associated personal data is deleted, unless we are required to retain it to comply with statutory retention obligations.
11. Your rights
Under the GDPR you have the right to:
- access your personal data (Art. 15);
- rectify inaccurate data (Art. 16);
- erase your data (Art. 17);
- restrict processing (Art. 18);
- data portability (Art. 20);
- object to processing based on legitimate interests, on grounds relating to your particular situation (Art. 21); and
- withdraw any consent you have given, with effect for the future (Art. 7 (3)).
To exercise any of these rights, contact us at mail@industrial-code-and-magic.com.
12. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit), Alt-Moabit 59–61, 10555 Berlin.
13. Data security & automated decisions
This website is served exclusively over an encrypted TLS (HTTPS) connection to protect data in transit. We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR.
14. Changes to this policy
We may update this policy to reflect changes to the service or to legal requirements. The current version always applies.