Privacy Policy

1. Privacy at a Glance

2. Data Controller

The controller within the meaning of the GDPR is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.

We have not appointed a Data Protection Officer as the legal prerequisites for this are not met. For all data protection enquiries please contact us at the email address above.

3. Supervisory Authority

In the event of data protection violations you have the right to lodge a complaint with the competent supervisory authority (Art. 77 GDPR):

This right of complaint exists without prejudice to any other administrative or judicial remedy.

4. Legal Bases for Processing

We process personal data on the following legal bases:

• Art. 6(1)(a) GDPR — Consent (e.g. analytics cookies)
• Art. 6(1)(b) GDPR — Performance of a contract or pre-contractual measures (e.g. account, subscription)
• Art. 6(1)(c) GDPR — Legal obligation (e.g. retention obligations, erasure requests)
• Art. 6(1)(f) GDPR — Legitimate interest (e.g. hosting, security, vendor catalogue)
• Art. 46(2)(c) GDPR — Standard Contractual Clauses (SCCs) for third-country transfers

We only share personal data with external parties where this is required for contract performance, a legal obligation exists, a legitimate interest applies, or another legal basis permits it. Data processing agreements pursuant to Art. 28 GDPR are in place with all processors.

Data minimisation and B2B context (Art. 5(1)(c) GDPR): We only process data that is necessary for the respective purpose. As a platform for business users, we primarily process company data (e.g. company names, product descriptions, industry data) that does not constitute personal data within the meaning of the GDPR and to which the GDPR therefore does not apply. Where personal data is nonetheless involved, it is limited to the minimum necessary.

Residual risk of third-country transfers: Transfers to the USA are based on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). Despite SCCs, a residual risk remains, as US authorities may under US law (e.g. FISA Section 702) access data under certain conditions. In our Transfer Impact Assessment (TIA) we concluded this risk is acceptable: the data transferred is technical in nature, does not require a high level of protection, and the volume of personal data transferred is low.

5. Retention Periods

Unless a more specific retention period is stated in this Privacy Policy, your personal data will remain with us until the purpose for the data processing no longer applies. If you submit a legitimate request for deletion or withdraw consent to data processing, your data will be deleted unless we have other legally permissible reasons for retaining it (e.g. statutory retention periods under commercial or tax law); in the latter case, deletion will occur once those reasons cease to apply.

Data relevant under commercial and tax law (in particular payment records) is retained for the legally prescribed period of 10 years (§ 257 HGB, § 147 AO).

Following termination of the user agreement, personal data is permanently deleted within 30 days, unless statutory retention obligations apply. There is no obligation to restore lost data or to provide data backups after the contract ends. Users are responsible for exporting any desired content before closing their account.

6. Hosting and Server Log Files

This platform is hosted on servers of Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. All data is stored exclusively on servers within the EU/EEA. A data processing agreement pursuant to Art. 28 GDPR is in place with Hetzner. Privacy policy: hetzner.com/legal/privacy-policy

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reliable and secure platform provision).

Server log files

The hosting provider automatically collects and stores information in server log files transmitted by your browser:

• Browser type and version
• Operating system
• Referrer URL
• Hostname of the accessing device
• Time of the server request
• IP address

This data is not merged with other data sources. Legal basis: Art. 6(1)(f) GDPR (technically error-free platform provision).

7. SSL/TLS Encryption

This platform uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content. You can recognise an encrypted connection by the fact that the browser address bar shows "https://" and a padlock icon. When SSL/TLS encryption is active, data you transmit to us cannot be read by third parties.

8. Registration and User Account

To use the platform you can create an account. We collect:

• Name and email address
• Password (one-way hashed with bcrypt, not stored in readable form)
• User role and account settings
• Time of last login

Legal basis: Art. 6(1)(b) GDPR. Retention: Until account deletion; data is permanently deleted within 30 days thereafter.

9. Login via Google or Microsoft (OAuth)

You can alternatively sign in using your Google or Microsoft account. In this case we receive your name, email address, and a user ID from the respective service. Google LLC and Microsoft Corporation are independent data controllers in this context — their own privacy policies govern their data processing:

• Google: policies.google.com/privacy
• Microsoft: privacy.microsoft.com

Legal basis: Art. 6(1)(b) GDPR. OAuth login is initiated exclusively at your request.

10. Transactional Emails (Resend)

For sending system emails (account verification, password reset, notifications) we use Resend (Plus Five Five, Inc., USA). Your email address and name are transmitted to Resend. Transfer to the USA is based on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR), incorporated into Resend's Terms of Service.

Legal basis: Art. 6(1)(b) GDPR. Privacy: resend.com/legal/privacy-policy

11. Marketing Emails (Product Updates and Industry News)

If you have given your explicit consent (e.g. by ticking the corresponding checkbox during registration or in your account settings), we will send you emails about product updates, new features, industry briefings and occasional offers from Signage Compass.

Data processed: name, email address and the timestamp of your consent. Sending is handled by our delivery provider Resend (see Section 10).

Legal basis: Art. 6(1)(a) GDPR — your explicit consent. This consent is voluntary, given separately from the acceptance of the Terms of Service / Privacy Policy, and is not required for using the platform.

Withdrawal: You may withdraw your consent at any time with effect for the future — either via the unsubscribe link in any marketing email or directly in your account settings. The lawfulness of processing carried out before withdrawal remains unaffected.

Retention: Until consent is withdrawn. After withdrawal your email address is no longer used for marketing purposes; the time of withdrawal is retained for evidentiary purposes.

12. AI-Powered Chat Function

The platform provides an AI-powered chat function for answering questions about the digital signage industry. Your messages are transmitted to the following providers:

Chat messages are stored encrypted (AES-256-CBC) in our database. Legal basis: Art. 6(1)(b) GDPR.

The chat function does not make automated decisions with legal effects. See Section 22 for details.

13. Bot Protection (Cloudflare Turnstile)

To protect our forms from automated abuse we use Cloudflare Turnstile (Cloudflare, Inc., USA). IP address and browser signals are transmitted to Cloudflare and not permanently stored. Transfer based on EU SCCs incorporated into Cloudflare's Self-Serve Subscription Agreement.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest: platform security). Privacy: cloudflare.com/privacypolicy

14. Payment Processing (Stripe)

For payment processing we use Stripe Payments Europe, Limited (SPEL), 1 Grand Canal Street Lower, Dublin, Ireland — an EU entity. Card data never reaches our servers; entry is made directly via Stripe's PCI-DSS Level 1 certified forms. We only store the following payment metadata: Stripe customer ID, subscription status (active/cancelled), selected plan, and billing interval. Card numbers, account numbers, or any other full payment method details are never transmitted to us and remain exclusively with Stripe.

Legal basis: Art. 6(1)(b) GDPR. Retention: Payment records 10 years (§ 257 HGB). Privacy: stripe.com/privacy

15. Web Analytics (PostHog)

With your consent we use PostHog (PostHog, Inc., USA) to analyse platform usage. PostHog collects pseudonymised page views, click events, and session data. Data is stored exclusively on PostHog's EU servers (eu.i.posthog.com) and does not leave the EU.

PostHog is only activated after your explicit consent via the cookie banner. You can withdraw your consent at any time via the "Cookie Settings" link in the footer.

Legal basis: Art. 6(1)(a) GDPR (consent). Privacy: posthog.com/privacy

16. Cookies

Our platform uses cookies — small data packets stored on your device. Technically necessary cookies are set on the basis of our legitimate interest in error-free platform provision. Analytics cookies are only set with your consent. You can configure your browser to inform you about cookies and allow or reject them individually or generally.

Cookie settings can be adjusted at any time via the "Cookie Settings" link in the footer.

Consent and rejection decisions for non-essential cookies are managed via the cookie banner (consent management tool) that appears on your first visit to the Platform. Your decision is stored in the cookie_consent cookie and is valid for up to 12 months. You can update your preferences or withdraw consent at any time via the "Cookie Settings" link in the footer.

17. Contact Form

When you use our contact form we collect your name, email address, and message content. These data are stored encrypted (AES-256-CBC). IP addresses are stored as an irreversible hash (SHA-256) and cannot be used for identification. Data entered via the contact form remains with us until you request deletion, withdraw your consent, or the purpose for storage no longer applies.

Legal basis: Art. 6(1)(b) GDPR (where the enquiry relates to a contract) or Art. 6(1)(f) GDPR (legitimate interest in effectively handling incoming enquiries).

18. Vendor Opt-Out and Data Erasure Requests

Via the opt-out form, vendors may request the removal of their data from the catalogue. We collect contact name, email address, and message (stored encrypted). These data are used exclusively to process the request. Legal basis: Art. 6(1)(c) GDPR (legal obligation, Art. 17 GDPR).

19. Collection of Publicly Available Vendor Information

To populate the vendor catalogue we automatically collect publicly available information from vendor websites (company name, product descriptions, company contact details). Individual names of contact persons published on public company pages may be incidentally collected.

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest consists in providing a comprehensive, up-to-date industry directory for digital signage professionals — a recognised business model that serves the informational needs of commercial users. Balancing test: (1) The data collected consists exclusively of company information made publicly available by the companies themselves. (2) Where personal data (e.g. names of contact persons) is collected, it concerns information voluntarily published in a professional context. (3) Processing is limited to the minimum necessary. (4) Affected parties may object at any time and request full erasure without any disadvantage. We consider our interests not to outweigh the interests of data subjects, as long as an effective and easy opt-out is in place. Affected companies may request removal of their data at any time via the vendor opt-out form. The processors named in Section 11 are used for AI-assisted processing of collected content.

21. Further Rights as a Data Subject

You have the following further rights against us:

• Access (Art. 15 GDPR): Information about the origin, recipient, purpose and duration of the processing of your stored data.
• Rectification (Art. 16 GDPR): Correction of inaccurate or completion of incomplete data.
• Erasure (Art. 17 GDPR): Deletion of your data, provided no statutory retention obligations apply.
• Restriction of processing (Art. 18 GDPR): Restriction of processing in the following cases: you contest the accuracy of data; processing is unlawful but you oppose erasure; we no longer need the data but you need it to establish legal claims; you have objected and the balancing of interests is still pending.
• Data portability (Art. 20 GDPR): Receive your data in a structured, commonly used, machine-readable format or have it transmitted directly to another controller (where technically feasible).
• Withdrawal of consent (Art. 7(3) GDPR): Withdraw any consent given (e.g. for analytics cookies) at any time with effect for the future. The lawfulness of processing carried out prior to withdrawal is not affected.

To exercise your rights: hello@infinity-edge.de. We respond to requests as a rule within 30 days of receipt (Art. 12(3) GDPR). For complex or extensive requests, this period may be extended by up to two further months; in that case we will inform you of the extension and the reasons within the initial 30-day period.

22. Automated Decision-Making and Profiling

We do not make automated decisions that produce legal effects concerning you or similarly significantly affect you (Art. 22 GDPR). This applies expressly to all AI-powered features of the Platform: the chat function generates information in response to queries — it does not evaluate individuals, build user profiles for decision-making purposes, or influence contract conclusions, credit assessments, or similar legally relevant decisions. The automatic AI usage budget limit is also based purely on pre-agreed contractual rules, not on any AI evaluation of the individual.

23. Data Security

We apply the following technical and organisational measures to protect your data:

• TLS encryption for all data transfers (HTTPS)
• AES-256-CBC encryption for personal data in the database
• Irreversible hashing (SHA-256) of IP addresses
• bcrypt hashing of passwords
• Access control and role-based permissions
• Server location exclusively in Germany / EU (Hetzner)

24. Objection to Advertising Emails

We hereby object to the use of contact data published in the context of the imprint obligation for the purpose of sending unsolicited advertising and information materials. The operators of this platform expressly reserve the right to take legal action in the event of unsolicited advertising being sent, such as spam emails.