Privacy Policy

1. Controller

The controller responsible for data processing on this website is:

Tiemo Timtschenko

Kaiserstr. 91, 40764 Langenfeld, Germany

Email: datenschutz@offerra.de

2. Data We Collect

We collect and process the following personal data:

  • Contact details (name, email address) upon registration
  • Usage data (log files, IP address) when accessing our services
  • Proposal and customer data you enter into offerra
  • Payment and billing data for paid subscriptions
  • SMTP credentials if you connect a custom mail server
  • Device information and push notification tokens if you enable browser notifications

3. Purposes and Legal Bases

We process your data for contract performance (Art. 6(1)(b) GDPR), compliance with legal obligations (Art. 6(1)(c)), legitimate interests such as operational security and error monitoring (Art. 6(1)(f)), and — for analytics and push notifications — only with your explicit consent (Art. 6(1)(a)).

4. Sub-processors and Third-party Services

We use the following service providers to operate our platform. Data processing agreements pursuant to Art. 28 GDPR are in place with all providers. For transfers to third countries (USA) we rely on Standard Contractual Clauses (Art. 46(2)(c) GDPR).

Vercel Inc. (USA) – Hosting & CDN

The web application is hosted on Vercel infrastructure. Connection data (IP address, request headers) is processed on servers in the USA and globally distributed edge locations. Legal basis: Art. 6(1)(b) GDPR, third-country transfer based on SCCs. See the Vercel Privacy Policy.

Supabase Inc. (USA) – Authentication & Database

Supabase manages user accounts, sessions, and the application database. Our database project is hosted in the EU region (Frankfurt, AWS eu-central-1). Authentication servers may use US locations. Legal basis: Art. 6(1)(b) GDPR, SCCs for US components. See the Supabase Privacy Policy.

Stripe Inc. (USA) – Payment Processing

Stripe processes payment data, invoices, and subscription information. Payment card data is transmitted directly to Stripe and never stored on our servers. Legal basis: Art. 6(1)(b) GDPR, SCCs. See the Stripe Privacy Policy.

Resend Inc. (USA) – Transactional Email

System transactional emails (notifications, confirmations) are delivered via Resend. Your email address and message content are transmitted in this process. Legal basis: Art. 6(1)(b) GDPR, SCCs. See the Resend Privacy Policy.

PostHog Inc. (EU Cloud, Frankfurt) – Product Analytics

We use PostHog hosted in the EU (Frankfurt data centre) to improve our product. Anonymised usage data (page views, interactions) is collected. Session recording is disabled. Data is only collected with your consent. Legal basis: Art. 6(1)(a) GDPR. See the PostHog Privacy Policy.

Sentry (Functional Software Inc., USA) – Error Monitoring

We use Sentry for error logging to ensure operational stability. Error messages, stack traces, and technical context are transmitted. Authentication tokens, cookies, and payment data are automatically stripped before transmission. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operational security), SCCs. See the Sentry Privacy Policy.

OpenAI OpCo LLC (USA) – AI Features

Certain features (e.g. proposal summaries and follow-up suggestions) use the OpenAI API. Proposal content is transmitted to OpenAI for processing. We use the API with data training opt-out (Zero Data Retention). Legal basis: Art. 6(1)(b) GDPR, SCCs. See the OpenAI Privacy Policy.

5. Custom Mail Server (SMTP)

If you connect your own SMTP mail server, emails are sent via your own infrastructure. In this case the SMTP server operator bears independent responsibility for that data processing. offerra stores SMTP credentials in encrypted form.

6. Push Notifications

If you enable browser push notifications, a device token is transmitted through your browser's push service (e.g. Google FCM for Chrome, Mozilla for Firefox) to our servers. Activation occurs only on your explicit request. Legal basis: Art. 6(1)(a) GDPR.

7. Cookies and Local Storage

We use technically necessary cookies for authentication and session management (legal basis: Art. 6(1)(b) GDPR). PostHog analytics cookies are only set with your consent. Your cookie preference is stored in your browser's local storage.

8. Retention Periods

Personal data is deleted once the purpose of processing has lapsed and no statutory retention obligations apply. Account data is deleted within 30 days of cancellation. Billing records are subject to the statutory 10-year retention period.

9. Your Rights

Under GDPR you have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21). You may withdraw consent at any time with effect for the future. Contact us at: datenschutz@offerra.de

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority depends on your place of residence or the company's registered office.

Last updated: April 2026