GDPR Compliance

Last updated: 1 May 2025

1. Our commitment

Vindaris is built for European businesses and is designed to be fully compliant with the General Data Protection Regulation (GDPR / Regulation (EU) 2016/679). We store all data in the EU, minimise what we collect, and give you full control over your data.

2. Data residency

All customer data is stored exclusively in Germany:

No personal data processed by Vindaris in connection with the core platform is transferred to or stored in countries outside the EU/EEA. This means you do not need Standard Contractual Clauses (SCCs) or other transfer mechanisms for data in Vindaris.

3. Legal bases for processing

• Art. 6(1)(b) GDPR — Contract performance: processing necessary to provide the Vindaris service to you
• Art. 6(1)(f) GDPR — Legitimate interests: security, fraud prevention, service improvement
• Art. 6(1)(a) GDPR — Consent: optional analytics cookies (withdrawable at any time)
• Art. 6(1)(c) GDPR — Legal obligation: tax and accounting retention requirements

4. Data Processing Agreement (DPA)

A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR is available for all Scale plan customers. If you require a DPA, please contact privacy@vindaris.com.

The DPA covers: the subject matter and duration of processing; the nature and purpose of processing; the type of personal data and categories of data subjects; the obligations and rights of the controller.

5. Subprocessors

We use subprocessors that may process personal data on our behalf. The current, authoritative list of subprocessors, with the purpose, location, and DPA status of each, is maintained on our Security page.

We notify customers of material changes to that list via e-mail at least 14 days in advance. To object to a new subprocessor, contact privacy@vindaris.com within 14 days of notification.

6. Your rights under GDPR

As a data subject you have the following rights, exercisable by contacting privacy@vindaris.com:

• Access (Art. 15) — obtain a copy of your personal data
• Rectification (Art. 16) — correct inaccurate data
• Erasure (Art. 17) — "right to be forgotten" where legally permissible
• Restriction (Art. 18) — restrict processing in certain circumstances
• Portability (Art. 20) — receive your data in a machine-readable format
• Objection (Art. 21) — object to processing based on legitimate interests
• Withdraw consent (Art. 7(3)) — for consent-based processing, at any time

We respond to requests within 30 days. In complex cases, we may extend this by a further two months with notice.

7. Data subject request process

To submit a data subject request: e-mail privacy@vindaris.com from the e-mail address associated with your account, specifying the right you wish to exercise. We may ask for additional verification to confirm your identity before processing the request.

8. Supervisory authority

You have the right to lodge a complaint with the supervisory authority in your EU member state. The authority competent for our registered address is:

9. Privacy by design and by default

We apply privacy-by-design and privacy-by-default principles (Art. 25 GDPR): data minimisation, pseudonymisation where possible, purpose limitation, storage limitation, and default-off settings for optional data collection.

10. Contact

For all GDPR and data protection matters: privacy@vindaris.com
Full privacy information: Privacy Policy