Privacy Policy

1. Data Controller

The data controller responsible for the processing of personal data on this website within the meaning of the GDPR is:

Balane GmbH
Balanstraße 84
81541 Munich
Germany

Email: contact@balane.tech
Managing Director: Jonas David Höttler

2. Data Protection Officer

We have not appointed a data protection officer, as the statutory requirements under Art. 37 GDPR in conjunction with § 38 BDSG (German Federal Data Protection Act) do not apply to us. For any data protection matters, please contact us directly at contact@balane.tech.

3. General Information

The following notes provide an overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you (Art. 4 No. 1 GDPR).

SSL/TLS encryption

For security reasons and to protect the transmission of confidential content, this website uses SSL/TLS encryption. You can recognise an encrypted connection by the fact that the browser's address bar changes from „http://" to „https://" and by the lock symbol in your browser bar.

Web fonts

This website uses the „Inter" and „Space Mono" fonts from the Google Fonts project. The font files are embedded once at build time and subsequently served exclusively from the server of our hosting provider (see section 4, self-hosting). When you visit this website, no connection to Google servers is made and your IP address is not transmitted to Google LLC.

Automated decision-making

Automated decision-making, including profiling, within the meaning of Art. 22 GDPR does not take place.

4. Hosting & Server Logs (Vercel)

Hosting provider

Vercel Inc.
440 N Barranca Ave #4133
Covina, CA 91723
USA

Nature and scope of processing

When you visit this website, the hosting provider automatically stores technical information in server log files:

• IP address of the requesting device
• Date and time of access
• Name and URL of the retrieved file
• Website from which access was made (referrer URL)
• Browser and, where applicable, operating system used

Purpose of processing

Processing takes place for the technical provision of the website, to ensure system security (e.g., defence against attacks) and to optimise our online offering.

Legal basis

Art. 6 (1) (f) GDPR (legitimate interest). Our legitimate interest lies in the proper functioning, security and availability of our website.

Storage period

Log data are deleted as soon as they are no longer required to achieve the purpose for which they were collected, typically after 7 to 30 days.

Third-country transfer (USA)

Vercel Inc. is based in the USA and operates servers worldwide, including outside the EU. Data transfer to the USA takes place on the basis of Art. 45 (3) GDPR in conjunction with the adequacy decision of the European Commission of 10 July 2023 concerning the EU-US Data Privacy Framework (DPF), under which Vercel Inc. is certified. In addition, we have concluded a data processing agreement with Vercel pursuant to Art. 28 GDPR, including the EU Standard Contractual Clauses as an additional safeguard. Official access on the basis of US surveillance laws (e.g., FISA 702, CLOUD Act) cannot be technically fully excluded.

Further information

Vercel Privacy Policy · DPF certification list

5. Reach Measurement (Umami)

This website uses Umami, a privacy-friendly open-source web analytics software that we operate on our own instance.

Nature and scope of processing

Umami collects the following data on each page view:

• Truncated or hashed IP address (not stored permanently in clear text)
• Anonymised device and browser information
• Page viewed, referrer, timestamp
• Approximate location at country level (no geo-tracking)

Umami does not set any cookies and does not access information on your device within the meaning of § 25 (1) TDDDG (German Digital Services Data Protection Act; no access to local/session storage, no fingerprinting). A hash is generated server-side from the IP and user agent on a daily basis, used only to distinguish returning visitors within one day and then discarded.

Purpose of processing

Reach measurement, analysis of user behaviour on an aggregated basis, and optimisation of our online offering.

Legal basis

Since no access to device information within the meaning of § 25 (1) TDDDG takes place, no consent is required. The remaining processing of the hashed IP address is based on Art. 6 (1) (f) GDPR. Our legitimate interest lies in data-minimising reach measurement and quality assurance of our online offering.

Hosting / third-country transfer

Our Umami instance is operated on the infrastructure of Railway Corp., 2261 Market Street #4059, San Francisco, CA 94114, USA. The servers are located in a region within the European Union (Amsterdam, Netherlands). Railway Corp. nevertheless remains a US company as the provider of the infrastructure; the transfer to Railway Corp. therefore constitutes a third-country transfer within the meaning of Art. 44 GDPR. We have concluded a data processing agreement with Railway Corp. pursuant to Art. 28 GDPR, including the EU Standard Contractual Clauses as an additional safeguard (Art. 46 (2) (c) GDPR). Official access under US law (CLOUD Act, FISA 702) cannot be fully excluded; as a supplementary technical safeguard, IP addresses are hashed server-side and not stored in clear text.

Storage period

Aggregated usage statistics are retained for 24 months and then deleted. Pseudonymous individual records are not stored for longer than 30 days.

6. Session Replay (OpenReplay) — only with consent

For quality assurance and error analysis, we use the open-source software OpenReplay, which we host exclusively on our own self-operated instance at replay.balane.tech. OpenReplay is only loaded after you have actively given your consent. Without consent, no data is transmitted to our replay instance.

Legal basis

Art. 6 (1) (a) GDPR (consent) in conjunction with § 25 (1) TDDDG. You can withdraw your consent at any time with effect for the future by clicking „Privacy settings" in the footer of this website and then selecting „Decline". Withdrawal is as simple as granting consent.

Nature and scope of processing

Once you have granted consent, the following data are collected during your visit:

• DOM structure and changes of visited pages (for later pixel-accurate replay of your visit)
• Mouse movements, clicks, scroll behaviour, keystroke events (without their content — see below)
• Technical characteristics: browser, operating system, screen size, time zone, language
• Truncated or pseudonymised IP address (server-side, not stored in clear text)
• Randomly generated session identifier in your browser's local storage (purely technical, not linked to other data)

Technical safeguards (privacy by default)

We have configured OpenReplay so that the following data are never transmitted:

• Form inputs of any kind — all <input>, <textarea> and <select> values are globally set to „ignored" (defaultInputMode: 2). Name, email, phone, message content etc. are not captured.
• Email addresses and numerical sequences in body text are masked before transmission.
• Request and response bodies as well as sensitive HTTP headers (Authorization, Cookie, Set-Cookie) are not captured.
• The contact form overlay is entirely excluded from recording (data-openreplay-hidden).
• OpenReplay is not started at all on the /privacy and /imprint pages.

A note on „Do Not Track": your active consent through the banner is based on Art. 6 (1) (a) GDPR. The Do-Not-Track browser setting is a legally non-binding default preference. If you actively click „I agree" after the banner is shown, we treat that as a deliberate override of your default. If you do not want OpenReplay to run, click „Decline" on the banner — or withdraw at any time via „Privacy settings" in the footer.

Purpose of processing

Detection of technical errors (JavaScript errors, layout issues, broken interaction flows), analysis of usability problems, and optimisation of the user experience. No profiling, no combination with CRM or contact data, no advertising, no automated decision-making.

Recipients / third-country transfer

The data collected remains exclusively on our self-operated OpenReplay instance at replay.balane.tech. No transfer to third parties takes place. The instance is operated on servers of Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. No transfer to a third country takes place. A data processing agreement pursuant to Art. 28 GDPR has been concluded with Hetzner.

Storage period

Session recordings are automatically deleted after 30 days at the latest. Aggregated evaluations that cannot be traced back to individual sessions (e.g., heatmaps) are retained for a maximum of 12 months.

Further information

OpenReplay Privacy Policy · OpenReplay on GitHub (open source)

7. Contact by Email

If you contact us by email, the data you provide (email address, name if applicable, subject, message content and any other information you voluntarily provide) is stored by us in order to process your request.

Legal basis

For enquiries relating to a (potential) contract: Art. 6 (1) (b) GDPR (performance of pre-contractual measures / contract performance). For other enquiries: Art. 6 (1) (f) GDPR (legitimate interest in responding).

Obligation to provide data

Providing your data is neither required by law nor by contract. However, without valid contact information we cannot respond to your request.

Email service provider

Our email traffic is handled by IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. Email processing takes place on servers in Germany; there is no transfer to a third country. We have concluded a data processing agreement with IONOS pursuant to Art. 28 GDPR. Further information: IONOS Privacy Policy.

Storage period

The data are deleted as soon as your request has been processed and no statutory retention obligations (in particular § 257 HGB, § 147 AO) apply.

8. Contact Form & Lead Management (Odoo CRM)

If you contact us via a contact form on this website, your data are processed in our self-operated Odoo CRM system.

Data collected

Name, email address, telephone number (optional), company (optional), message content and timestamp of the enquiry.

Purpose of processing

Processing of your enquiry, contract initiation, customer support and lead management.

Legal basis

For enquiries with specific contractual relevance: Art. 6 (1) (b) GDPR. For other enquiries: Art. 6 (1) (f) GDPR (legitimate interest in processing).

Obligation to provide data

Providing the mandatory fields is necessary to process your enquiry. You can leave optional fields blank without any disadvantages.

Hosting location

Odoo is operated on servers of Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. No transfer to a third country takes place. A data processing agreement pursuant to Art. 28 GDPR has been concluded with Hetzner.

Storage period

Lead data without a subsequent contract conclusion are deleted no later than 12 months after the last contact. For established business relationships, the commercial and tax retention periods apply (§ 257 HGB, § 147 AO: 6 and 10 years respectively from the end of the calendar year in which the documents were created).

Further information

Hetzner Privacy Policy

9. Support & Live Chat (Zammad)

For support enquiries, we use the self-hosted open-source system Zammad (ticket system and live chat widget at support.balane.tech and ws.support.balane.tech).

Data collected

Name, email address, subject, message content, chat history, technical connection data (IP address, browser, timestamp) and, where applicable, an associated ticket number.

Purpose of processing

Handling your support or chat enquiry, tracking the issue, communication and quality assurance.

Legal basis

For existing business relationships: Art. 6 (1) (b) GDPR (contract performance). For general enquiries: Art. 6 (1) (f) GDPR (legitimate interest in processing).

Use of the chat widget / § 25 TDDDG

The chat widget is only loaded after you actively click the chat button. For the duration of an active chat session, Zammad may store a pseudonymous session identifier on your device that is technically necessary to associate the conversation with you. This storage is based on § 25 (2) No. 2 TDDDG (strictly necessary service explicitly requested by the user).

Hosting location

Zammad is operated on servers of Hetzner Online GmbH in Germany. No transfer to a third country takes place. A data processing agreement pursuant to Art. 28 GDPR has been concluded with Hetzner.

Storage period

Support tickets are deleted 24 months after final processing, unless commercial or tax retention obligations apply. Chat histories without ticket assignment are deleted after 90 days at the latest.

10. Recipient Overview

We transfer your personal data only to the following categories of recipients, each acting as a data processor pursuant to Art. 28 GDPR:

• Vercel Inc. (USA) – Website hosting
• Railway Corp. (USA, servers in Amsterdam/EU) – Hosting of the Umami analytics instance
• Hetzner Online GmbH (Germany) – Hosting of Odoo CRM and Zammad Support
• IONOS SE (Germany) – Email services

No further transfer to third parties (e.g., for advertising purposes) takes place.

11. Data Backups

To ensure data security and recoverability, we create regular backups. Backups are stored encrypted and are overwritten on a rolling basis no later than after 30 days. Legal basis: Art. 6 (1) (f) GDPR in conjunction with Art. 32 GDPR (security of processing).

12. Your Rights as a Data Subject

You have the following rights with regard to your personal data. You can assert all rights informally by email to contact@balane.tech.

Right of access (Art. 15 GDPR)

You have the right to obtain information about the personal data we process about you.

Right to rectification (Art. 16 GDPR)

You have the right to request the rectification of inaccurate data or the completion of your stored data without undue delay.

Right to erasure (Art. 17 GDPR)

You have the right to request the deletion of the data we have stored about you, unless processing is required for exercising the right of freedom of expression and information, for compliance with legal obligations, for reasons of public interest, or for the establishment, exercise or defence of legal claims.

Right to restriction of processing (Art. 18 GDPR)

You have the right to request the restriction of the processing of your personal data.

Right to data portability (Art. 20 GDPR)

You have the right to receive your data in a structured, commonly used and machine-readable format, or to request the transfer to another data controller.

Right to withdraw consent (Art. 7 (3) GDPR)

If processing is based on your consent, you may withdraw it at any time with effect for the future. The lawfulness of processing carried out until the withdrawal remains unaffected.

Right to lodge a complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority, particularly in the Member State of your habitual residence, place of work or place of the alleged infringement (see section 14).

13. Right to Object under Art. 21 GDPR

You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you that is carried out on the basis of Art. 6 (1) (f) GDPR (legitimate interest).

If you object, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

Contact for objection: contact@balane.tech

14. Competent Supervisory Authority

The competent data protection supervisory authority for us is:

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
Germany

Telephone: +49 (0) 981 180093-0
Email: poststelle@lda.bayern.de
Website: www.lda.bayern.de

15. Changes to this Privacy Policy

We reserve the right to amend this privacy policy so that it always complies with the current legal requirements or to reflect changes to our services in the privacy policy. The version currently available when visiting the website applies. Version date: 24. April 2026.