Skip to content
Biscotti CMP
FeaturesPricing🔍 Cookie Check♿ Accessibility📦 DownloadsDocumentationBlog
Login
Home›Privacy Policy

Privacy Policy

At a glance

  • What personal data we process and why.
  • The legal bases, recipients and storage periods.
  • Your data-protection rights and how to exercise them.

Privacy Policy

Comprehensive information on the processing of personal data in accordance with Art. 13 and Art. 14 of Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR)

Status: April 15, 2026 | Version 2.0

1. Controller and Data Protection Officer

1.1 Controller (Art. 4 No. 7 GDPR)

The controller for the processing of personal data in connection with the operation of the website biscotti-cmp.com, the application app.biscotti-cmp.com, and all related services is:

Campcruisers GmbH
Berliner Str. 21 B
14612 Falkensee
Germany

Represented by: Daniel Bosch (Geschäftsführer / CEO)
Also authorized to represent: Philipp André Marschall (Prokurist)

Phone:+49 3322 50703301
Fax:+49 3322 50703302
Email (General):info@biscotti-cmp.com
Email (Data Protection):datenschutz@biscotti-cmp.com
Website:www.biscotti-cmp.com
Register Court:Amtsgericht Potsdam
Registration Number:HRB 40180 P
VAT ID No.:DE368000447

1.2 Data Protection Officer

If there is a legal obligation to appoint a data protection officer according to § 38 Abs. 1 BDSG or Art. 37 GDPR, this will be appointed and the contact details published here. Irrespective of this, the management (Daniel Bosch, Philipp André Marschall) ensures full monitoring and compliance with data protection obligations.

For all data protection inquiries, please contact:
Email: datenschutz@biscotti-cmp.com
Phone: +49 3322 50703301
Business hours: Monday to Friday, 10:00 AM–5:00 PM (CET/CEST)

2. Overview of Processing Activities

Biscotti CMP is a comprehensive Consent Management and Legal Compliance Platform. In the course of operating the platform, we process personal data in the following areas:

  • Registration and Account Management (Section 3)
  • Use of the SaaS Platform / Dashboard (Section 4)
  • Consent Data of our Customers' Website Visitors (Section 5)
  • Cookie Scanner (Section 6)
  • Legal Suite — AI Text Generation (Section 7)
  • Legal Sync — Legal Change Monitoring (Section 8)
  • Policy-Audit — Website Scraping and AI Analysis (Section 9)
  • Lawyer Marketplace (Section 10)
  • Agency and White-Label Functions (Section 11)
  • Newsletter (Section 12)
  • Review Rewards Program (Section 13)
  • Payment Processing (Section 14)
  • GeoIP Detection (Section 15)
  • Bot Detection (Section 16)
  • Session Tracking (Section 17)
  • Backups (Section 18)
  • Hosting and Infrastructure (Section 19)
  • Cookies and Local Storage on biscotti-cmp.com (Section 20)

For each processing activity, the purpose, legal basis, categories of processed data, recipients, and storage duration are specified below.

Important Note on Dual Role: With regard to the data of our own customers (account holders, team members), we are the controller within the meaning of Art. 4 No. 7 GDPR. With regard to the consent data of our customers' website visitors, we act as a processor in accordance with Art. 28 GDPR. The details of the processing are regulated in the separate Data Processing Agreement (DPA), which is an integral part of our General Terms and Conditions (§ 27.2 AGB).

3. Registration and Account Management

3.1 Registration and Account Creation

Purpose: Creation and management of your user account for using the Biscotti CMP platform.

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance — registration is a prerequisite for using the SaaS platform).

Categories of Processed Data:

  • Email address (mandatory)
  • Password (stored as a cryptographic hash, never in plain text)
  • First name, last name (optional)
  • Company name (optional)
  • Account language (automatically detected from browser language or manually selected from 42 available languages)
  • Time of registration
  • IP address at the time of registration (for logging DPA consent in accordance with Art. 28 Abs. 9 DSGVO)

Recipients: Resend (sending of verification email), Google Cloud Platform (database hosting).

Storage Duration: The data is stored for the duration of the contractual relationship. After account deletion, the data is immediately deleted, subject to statutory retention obligations (cf. Section 23).

3.2 Double-Opt-In (Email Verification)

Purpose: Verification of the email address to ensure that the owner of the email address actually performed the registration.

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance) in conjunction with Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in preventing misuse).

Categories of Processed Data:

  • Email address
  • Verification token (randomly generated, valid for 24 hours)
  • Time of sending and confirmation
  • Verification status (emailVerified: true/false)

Recipients: Resend (sending of verification email).

Storage Duration: The verification token is deleted after confirmation or after the 24-hour period expires. The verification status is stored for the duration of the contractual relationship.

3.3 Password Reset

Purpose: Enabling the restoration of account access in case of a forgotten password.

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance).

Categories of Processed Data:

  • Email address
  • Reset token (randomly generated, time-limited)
  • Time of request

Recipients: Resend (sending of reset email).

Storage Duration: The reset token is deleted after use or after the validity period expires.

4. Use of the SaaS Platform (Dashboard)

4.1 Dashboard Usage and Banner Configuration

Purpose: Provision of the web-based user interface (dashboard) at app.biscotti-cmp.com for configuring and managing the consent banner, websites, categories, legal texts, and all other platform functions.

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance).

Categories of Processed Data:

  • Account data (email, name, company)
  • Website configurations (domain, banner settings, colors, texts, consent categories)
  • Banner statistics (views, interactions, acceptance rates)
  • Scan results and scan histories
  • Generated legal texts
  • Compliance reports and health scores
  • Audit log entries (timestamp, user ID, action performed, IP address)

Recipients: Google Cloud Platform (hosting).

Storage Duration: For the duration of the contractual relationship. Audit logs are stored for 12 months. After account deletion, data is irrevocably deleted after the 30-day grace period.

4.2 Team Management

Purpose: Enabling multi-user access to the account by inviting team members.

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance).

Categories of Processed Data:

  • Email addresses of invited team members
  • Assigned roles and permissions
  • Time of invitation and acceptance

Recipients: Resend (sending of invitation email), Google Cloud Platform (hosting).

Storage Duration: For the duration of team membership. Upon removal from the team, the assignment data is deleted.

4.3 Consent Analytics and A/B Testing

Purpose: Statistical evaluation of consent rates, banner interactions, and conversion tracking. A/B testing allows comparing different banner variants to optimize acceptance rates.

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance — the analytics functions are part of the booked plan).

Categories of Processed Data:

  • Aggregated consent statistics (no individual personal data)
  • Banner variant assignment (for A/B testing)
  • Traffic distribution and conversion rates

Recipients: Google Cloud Platform (hosting).

Storage Duration: Aggregated statistics are stored for the duration of the contractual relationship.

5. Consent Data of Website Visitors

Note: With regard to the consent data of our customers' website visitors, we act as a processor in accordance with Art. 28 GDPR. The customer is the controller. The following information serves transparency towards website visitors.

5.1 Collection of Consent Decisions

Purpose: Collection, storage, and documentation of website visitors' consent decisions to fulfill the website operator's obligation to provide evidence in accordance with Art. 7 Abs. 1 DSGVO and § 25 Abs. 1 TDDDG.

Legal Basis: Art. 6 Abs. 1 lit. c DSGVO (legal obligation — obligation to provide evidence under Art. 7 Abs. 1 DSGVO) in conjunction with Art. 6 Abs. 1 lit. f DSGVO (legitimate interest of the website operator in documenting consent).

Categories of Processed Data:

  • Consent ID (pseudonymous UUID assigned to the end device/browser)
  • Consent decisions per category (Essential, Functional, Analytics, Marketing, and possibly custom categories)
  • Timestamp of consent (date and time)
  • IP-Hash (the IP address is processed exclusively for jurisdiction detection and then anonymized into a cryptographic hash; raw IP addresses are not permanently stored)
  • Country code (determined via GeoIP detection)
  • Browser language
  • User-Agent string
  • Referrer category (organic, social, paid, direct, referral)
  • TCF-String (if IAB Transparency & Consent Framework 2.3 is activated)
  • Consent variant (if A/B testing is activated)
  • Google Consent Mode v2 signals
  • Global Privacy Control (GPC) signal

Recipients: Google Cloud Platform (hosting, database), MinIO (backup, self-hosted on GCP).

Storage Duration: Consent data is stored for 18 months by default. The website operator (customer) can individually configure the retention period. After the retention period expires, the data is automatically and irrevocably deleted.

5.2 Consent-Lookup (Information for Website Visitors)

Purpose: Enabling website visitors to view stored consent data to fulfill the right of access under Art. 15 DSGVO.

Legal Basis: Art. 6 Abs. 1 lit. c DSGVO (legal obligation — right of access under Art. 15 DSGVO).

Categories of Processed Data:

  • Consent ID (entered by the website visitor)
  • IP address (for rate-limiting, not permanently stored)

Recipients: Google Cloud Platform (hosting).

Storage Duration: No additional data is stored. The query is limited to 10 requests per minute per IP address.

6. Cookie Scanner

6.1 Automated Website Scan

Purpose: Automated scanning of our customers' websites for cookies, local storage entries, and third-party trackers for identification, categorization, and documentation of the technologies used. The results serve to configure the consent banner in compliance with data protection regulations.

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance — the cookie scanner is a core function of the platform).

Categories of Processed Data:

  • Domain and URL of the scanned website
  • Found cookies (name, value, domain, expiration date, path, secure flag, SameSite attribute)
  • Local storage entries
  • Third-party trackers and integrated external resources
  • Categorization of found elements (Essential, Functional, Analytics, Marketing)
  • Comparison with the IAB Global Vendor List (GVL)
  • Scan time and scan duration

Technical Implementation: The scanner uses Playwright (open-source headless browser from Microsoft), which is operated on our own servers on the Google Cloud Platform (europe-west4, Netherlands). No data is transmitted to Microsoft. The scanner visits the customer's website like a regular browser to capture JavaScript-rendered content and dynamically set cookies.

Recipients: Google Cloud Platform (hosting), Google Gemini (AI-powered categorization of found cookies).

Storage Duration: Scan results are stored for the duration of the contractual relationship. Scan histories allow comparison with previous scans.

6.2 Public Cookie Checker

Purpose: Provision of a free, public cookie checker on the marketing website, usable without registration.

Legal Basis: Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in providing an information service and customer acquisition).

Categories of Processed Data:

  • Entered domain/URL
  • IP address (for rate-limiting, not permanently stored)
  • Scan results

Recipients: Google Cloud Platform (hosting).

Storage Duration: Scan results of the public checker are stored temporarily. Usage is limited to 3 scans per day per IP address.

7. Legal Suite — AI Text Generation

7.1 AI-powered Generation of Legal Texts

Purpose: Generation of customized legal texts (Impressum, Privacy Policy, Cookie Policy, GTC, Right of Withdrawal, DPA, Shipping and Return Conditions, Terms of Use, Disclaimer, NDA, DSA information, and over 30 other document types) based on information entered by the customer using Artificial Intelligence.

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance — the Legal Suite is part of the booked plan).

Categories of Processed Data transmitted to Google Gemini:

  • Customer's company data (company name, legal form, address, contact details)
  • Names of authorized representatives (managing directors, authorized signatories)
  • Register data (register court, register number, VAT ID No.)
  • Industry-specific information and business category
  • Description of processing activities
  • Individual information entered by the customer for the document type
  • Jurisdiction information

AI Provider: Google Gemini (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). Processing takes place via the Google Gemini API within the EU/EEA. According to Google Cloud data protection policies, input data is not used for training AI models.

Transparency Notice according to EU AI Act (Regulation (EU) 2024/1689): The AI simulates various legal expert roles (e.g., "Specialist Lawyer for IT Law") to optimize text quality. This is expressly not a review by real lawyers. AI-generated content is marked as such.

Recipients: Google Gemini (AI processing), Google Cloud Platform (hosting, storage of generated texts).

Storage Duration: Generated legal texts are stored for the duration of the contractual relationship. With Google Gemini, input data is not stored beyond processing, in accordance with Google Cloud Terms of Service.

7.2 Bring Your Own Key (BYOK)

Purpose: Customers can optionally store their own API-Keys for AI providers (Google Gemini, OpenAI, Anthropic Claude, Ollama) to process text generation via their own account with the respective AI provider.

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance).

Categories of Processed Data:

  • Customer's API-Key (stored encrypted with AES-256-GCM)

Note: When using your own API-Key, the processing of input data by the respective AI provider is under the customer's responsibility. The data protection policies of the respective provider apply.

Recipients: The AI provider chosen by the customer.

Storage Duration: The encrypted API-Key is stored for the duration of the contractual relationship and deleted upon account deletion.

8. Legal Sync — Legal Change Monitoring

Purpose: Automated monitoring of legal changes in over 186 jurisdictions. In case of relevant changes, affected legal texts of the customer are automatically marked as requiring an update. In plans with "Auto-Update" function, affected texts can be automatically regenerated.

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance — Legal Sync is part of the booked plan).

Categories of Processed Data:

  • Jurisdiction assignment of customer websites
  • Assignment of generated legal texts to jurisdictions
  • Time and type of detected legal change
  • Update status (current, needs update, automatically updated)

Technical Implementation: A daily automated process (Cron-Job, 03:00 UTC) checks for legal changes and compares them with customer documents.

Recipients: Google Cloud Platform (hosting), Google Gemini (for automatic regeneration of legal texts), Resend (notification emails).

Storage Duration: Change logs are stored for the duration of the contractual relationship.

9. Policy-Audit — Website Scraping and AI Analysis

9.1 Automated Compliance Audits

Purpose: Automated weekly review of customer websites for data protection risks. This includes detecting new cookies since the last scan, checking for consent issues, and AI-powered analysis of the customer's existing legal texts (Privacy Policy, Impressum). The result is displayed as a Health-Score (A–F).

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance — the compliance audit function is part of the platform).

Categories of Processed Data:

  • Domain and URL of the audited website
  • Scraped content of the customer's Privacy Policy and Impressum
  • Results of the AI analysis (identified gaps, outdated references, missing services)
  • Health-Score and compliance report
  • Time of the audit

Technical Implementation: Playwright (headless browser, self-hosted on GCP) scrapes the publicly accessible legal texts of the customer's website. The scraped texts are then analyzed via the Google Gemini API.

Recipients: Google Cloud Platform (hosting), Google Gemini (AI analysis), Resend (notification emails for identified issues).

Storage Duration: Audit results and compliance reports are stored for the duration of the contractual relationship.

10. Lawyer Marketplace

10.1 Mediation of Legal Services

Purpose: Mediation of legal services between customers and independent lawyers registered on the platform. Campcruisers GmbH acts exclusively as an intermediary and does not itself become a party to the client-lawyer relationship (cf. § 14 AGB).

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance — use of the lawyer marketplace).

10.2 Lawyer Registration

Categories of Processed Data:

  • Lawyer's contact details (name, email, phone, law firm address)
  • Professional qualifications and areas of expertise
  • Verification documents (max. 10 MB, PDF/JPEG/PNG)
  • Verification status (PENDING_APPROVAL, APPROVED, REJECTED)
  • Availabilities (weekly time slots, blocked dates, time zone)
  • Profile picture and profile description
  • Stripe Connect Account data (for payouts)

10.3 Mandate Data

Categories of Processed Data:

  • Quote requests and quotes (description, price, validity period)
  • Mandate status (QUOTE_REQUESTED, QUOTE_SENT, PAYMENT_PENDING, IN_REVIEW, COMPLETED, QUOTE_REJECTED, QUOTE_EXPIRED, CANCELLED, DISPUTED)
  • Messages between client and lawyer
  • Payment information (amount, platform commission, payout amount)

10.4 Video Consultation (Twilio)

Purpose: Provision of video consultations between clients and lawyers.

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance).

Categories of Processed Data:

  • Video consultation metadata (time, duration, participants)
  • Twilio room ID and access token

Recipients: Twilio Ireland Limited, Dublin, Ireland (provision of video infrastructure).

10.5 Reviews

Purpose: Enabling clients to rate lawyers for quality assurance.

Legal Basis: Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in quality assurance and transparency).

Categories of Processed Data:

  • Rating (stars, free text)
  • Time of rating
  • Assignment to the mandate

Recipients for the entire Lawyer Marketplace: Stripe Connect (payment processing), Twilio (video consultation), Google Cloud Platform (hosting), Resend (notifications).

Storage Duration: Mandate data is stored for the duration of the contractual relationship, but at least for the duration of statutory retention obligations (10 years for invoice data). Reviews remain visible for the duration of the lawyer's registration. Unaccepted quotes automatically expire after 7 days.

11. Agency and White-Label Functions

11.1 Sub-Account Management

Purpose: Enabling agencies to manage end-customer accounts (sub-accounts) within the scope of the Agency plan.

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance).

Categories of Processed Data:

  • Email addresses and contact details of sub-account holders (agency's end customers)
  • Invitation data (email, time)
  • Proxy token access logs (time, agency user, sub-account)
  • Website configurations and consent data of sub-accounts

Recipients: Google Cloud Platform (hosting), Resend (invitation emails).

Storage Duration: For the duration of the contractual relationship between the agency and Campcruisers GmbH.

11.2 Custom Domain (CNAME)

Purpose: Provision of a custom domain for the agency's dashboard.

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance).

Categories of Processed Data:

  • Agency's domain name
  • DNS verification data
  • SSL/TLS certificate data (automatically provided via Let's Encrypt)

Recipients: Let's Encrypt (SSL certificate issuance — only domain names, no personal data of natural persons are transmitted), Google Cloud Platform (hosting, Traefik routing).

11.3 Custom Transaction Emails

Purpose: Enabling the sending of transaction emails under the agency's branding via its own email provider.

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance).

Categories of Processed Data:

  • API-Keys of the agency's email provider (stored encrypted with AES-256-GCM)
  • Email sender data (name, email address)
  • Supported providers: Resend, SendGrid, Mailjet, Mailchimp/Mandrill, Maileroo, Gmail SMTP, Custom SMTP

Note: When using your own email provider, email sending is under the data protection responsibility of the agency.

Storage Duration: Encrypted API-Keys are stored for the duration of the contractual relationship.

12. Newsletter

12.1 Newsletter Subscription

Purpose: Sending information on product updates, data protection law, compliance topics, and news about Biscotti CMP.

Legal Basis: Art. 6 Abs. 1 lit. a DSGVO (consent — the newsletter is only sent after explicit consent via the double opt-in procedure).

Categories of Processed Data:

  • Email address
  • Time of registration and double opt-in confirmation
  • Unsubscribe status

Double Opt-In Procedure: After entering your email address, you will receive a confirmation email with a verification link. Only after clicking this link will your email address be added to the newsletter distribution list.

Recipients: Resend (sending of newsletter emails and confirmation email).

Unsubscription: You can unsubscribe from the newsletter at any time. Each newsletter email contains an unsubscribe link. Alternatively, you can unsubscribe by email to datenschutz@biscotti-cmp.com.

Storage Duration: Your email address will be stored until you unsubscribe from the newsletter. After unsubscription, the email address will be immediately deleted from the distribution list. To document the given consent, the time of registration and confirmation will be retained for 3 years after unsubscription (legitimate interest in the provability of consent, Art. 6 Abs. 1 lit. f DSGVO).

13. Review Rewards Program

Purpose: Rewarding customers who submit reviews about Biscotti CMP on external review platforms with bonus sessions and a temporary plan upgrade.

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance — participation in the program is voluntary and constitutes an additional contractual service).

Categories of Processed Data:

  • Account data of the participating customer
  • Review platform (OMR Reviews, Capterra, G2, Google Business, WordPress.org, Trustpilot, SourceForge, Facebook, earlybird.so)
  • Link to the submitted review
  • Approval status (by admin review)
  • Reward data (15,000 bonus sessions, 1 month plan upgrade)

Recipients: Google Cloud Platform (hosting).

Storage Duration: Reward data is stored for the duration of the contractual relationship. Bonus sessions expire after 6 months (regular plans) or are valid indefinitely (LTD plans).

14. Payment Processing (Stripe)

14.1 Subscription Payments

Purpose: Processing payments for paid subscription plans, credit packs, and other paid services.

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance).

Categories of Processed Data:

  • Billing address (name/company, street, postal code, city, country)
  • VAT ID No. (for B2B customers)
  • Payment method (credit card, SEPA direct debit, PayPal, Apple Pay, Google Pay etc.)
  • Payment history and invoices
  • Stripe Customer-ID and Subscription-ID
Important Note: Credit card data is tokenized directly with Stripe and not stored in plain text on our servers. We do not have access to full credit card numbers.

Recipients: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. Stripe is certified under the EU-US Data Privacy Framework.

Storage Duration: Invoices and accounting data are retained for 10 years (§ 147 AO, §§ 238, 257 HGB). Payment methods are stored with Stripe for the duration of the subscription.

14.2 Stripe Connect (Lawyer Marketplace)

Purpose: Processing payments between clients and lawyers via the lawyer marketplace and payouts to lawyers.

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance).

Categories of Processed Data:

  • Stripe Connect Express Account data of the lawyers
  • Payment amounts, platform commission, payout amounts
  • Checkout session data

Recipients: Stripe Payments Europe, Ltd., Dublin, Ireland.

Storage Duration: According to retention obligations for invoice data (10 years).

14.3 ZUGFeRD Invoices

Purpose: Creation and provision of invoices in ZUGFeRD format (PDF with embedded XML according to EN 16931).

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (contract performance) in conjunction with Art. 6 Abs. 1 lit. c DSGVO (legal obligation — invoicing obligations under UStG, HGB).

Categories of Processed Data:

  • Billing address, customer number (CUS-JJMM-XXXXX), invoice number (INV-JJMM-XXXXX)
  • Service description, amounts, tax rates

Recipients: Resend (sending of invoice by email), Google Cloud Platform (hosting).

Storage Duration: 10 years (§ 147 AO, §§ 238, 257 HGB).

15. GeoIP Detection

Purpose: IP-based determination of the country or jurisdiction of the website visitor for dynamic display of legally compliant banner variants (e.g., Opt-In for DSGVO countries, Opt-Out for CCPA countries, Notice-Only for countries without specific cookie legislation).

Legal Basis: Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in the legally compliant display of the Consent Banner according to the applicable jurisdiction of the website visitor).

Categories of data processed:

  • IP address of the website visitor (transmitted to ip-api.com for country detection)
  • Determined country code

Technical Implementation: The IP address is transmitted to the service ip-api.com (headquarters: Lithuania, EU). The result (country code) is cached for 1 hour (Redis) to avoid repeated queries. After country detection, the IP address is anonymized into a cryptographic hash (IP hash). Raw IP addresses are not permanently stored.

Recipients: ip-api.com (ip-api, Lithuania — GeoIP service), Google Cloud Platform (Hosting, Redis cache).

Storage Duration: The GeoIP result is stored in the cache for 1 hour. Raw IP addresses are immediately anonymized after country detection. The IP hash is stored as part of the consent data for the configured retention period (standard: 18 months).

16. Bot Detection

Purpose: Distinction between human website visitors and automated accesses (bots, crawlers, scrapers) for correct session counting. Automated accesses are not counted as sessions and are not charged.

Legal Basis: Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in correct billing and protection of the platform against misuse).

Categories of data processed:

  • User-Agent string
  • HTTP headers (e.g., Accept-Language, Accept-Encoding)
  • Characteristics of headless browsers
  • IP address (for IP-based rate-limiting, not permanently stored)

Technical Implementation: Bot detection analyzes each access based on user-agent analysis, header analysis (e.g., missing Accept-Language headers), detection of headless browsers, and IP-based rate-limiting. The analysis is performed in real-time on our servers.

Recipients: Google Cloud Platform (Hosting).

Storage Duration: Analysis results are not permanently stored. The result (Bot: yes/no) is included in the session count.

16.1 Cloudflare Turnstile (Bot Protection for Login/Registration)

Purpose: Protection of login and registration forms against automated bot attacks.

Legal Basis: Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in protecting the platform against misuse and automated attacks).

Categories of data processed:

  • IP address
  • Browser information
  • Interaction data with the Turnstile widget

Recipients: Cloudflare Germany GmbH, Rosental 7, 80331 Munich, Germany. Cloudflare is certified under the EU-US Data Privacy Framework. Additional protection is provided by Standard Contractual Clauses (SCCs).

Storage Duration: Cloudflare stores the data according to its own data protection regulations. No additional data from Turnstile is stored on our servers.

17. Session Tracking

Purpose: Counting sessions for tariff-based billing. A session is counted when the Biscotti CMP widget (biscotti.min.js) is loaded on a customer's website and sends an HTTP ping to the /api/v1/ping endpoint.

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (performance of contract — session-based billing is the basis of the tariff model).

Categories of data processed:

  • Session counter (aggregated per website and billing month)
  • Time of ping
  • Bot detection result (cf. Section 16)

Technical Implementation: Redis is used as an in-memory database for session tracking and caching. Redis is self-hosted on the Google Cloud Platform (europe-west4, Netherlands). No data is transmitted to third parties.

Recipients: Google Cloud Platform (Hosting, Redis).

Storage Duration: Session counters are stored for the respective billing month. Historical session data is retained for the duration of the contractual relationship for billing traceability.

18. Backups

Purpose: Regular backup of consent logs, banner configurations, website configurations, and database data to ensure recoverability in the event of data loss.

Legal Basis: Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in data security and recoverability according to Art. 32 Abs. 1 lit. c DSGVO).

Categories of data processed:

  • All data stored in the database (consent logs, configurations, account data, legal texts, scan results)
  • Banner configurations

Technical Implementation:

  • Daily automatic backups of the PostgreSQL database
  • Daily automatic backups of banner configurations and website configurations
  • Storage on self-hosted MinIO storage within the GCP
  • Server-side encryption with AES-256
  • Integrity check using SHA-256 checksums
  • Regular recovery tests

Recipients: MinIO (self-hosted on the Google Cloud Platform).

Storage Duration: Backups are retained for a rolling period. Upon account deletion, backup data is deleted after the 30-day grace period and the next backup rotation cycle.

19. Hosting and Infrastructure

19.1 Google Cloud Platform (GCP)

Purpose: Hosting of the entire Biscotti CMP infrastructure, including web servers, database, application logic, and all associated services.

Legal Basis: Art. 6 Abs. 1 lit. b DSGVO (performance of contract) in conjunction with Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in a reliable and secure infrastructure).

Data Center Location: Google Cloud Platform, region europe-west4 (Eemshaven, Netherlands, European Union).

Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland.

Technical Architecture:

  • Containerized application (Docker)
  • Traefik as reverse proxy and load balancer
  • PostgreSQL as relational database (self-hosted on GCP)
  • Redis as in-memory database for session tracking and caching (self-hosted on GCP)
  • Playwright as headless browser for website scanning (self-hosted on GCP)
  • MinIO as S3-compatible object storage for backups (self-hosted on GCP)
Note: PostgreSQL, Redis, Playwright, and MinIO are self-hosted on the Google Cloud Platform and do not constitute independent sub-processors, as no data is transmitted to third parties.

19.2 Server Log Files

Purpose: Technical provision of the website and ensuring system stability.

Legal Basis: Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in technical provision and security).

Categories of data processed:

  • IP address (anonymized)
  • Date and time of access
  • Page/endpoint accessed
  • HTTP status code
  • Amount of data transferred
  • Referrer URL
  • Browser type and version
  • Operating system

Storage Duration: Server log files are stored for a maximum of 30 days and then automatically deleted.

20. Cookies and Local Storage on biscotti-cmp.com

20.1 Our Own Use of Biscotti CMP

To manage the necessary consents on our own website (biscotti-cmp.com), we use our own product „Biscotti CMP".

20.2 Technically Necessary Cookies

Purpose: Ensuring the functionality of the website and the dashboard.

Legal Basis: Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in technical functionality) in conjunction with § 25 Abs. 2 Nr. 2 TDDDG (technically necessary cookies are exempt from the consent requirement).

Technically necessary cookies used:

  • Session cookie (JWT token for authentication, validity: 7 days)
  • Consent cookie (storage of the visitor's consent decision on biscotti-cmp.com)
  • Language preference cookie

20.3 Analytics Cookies (only with consent)

Purpose: Statistical evaluation of the use of our website to improve our offering.

Legal Basis: Art. 6 Abs. 1 lit. a DSGVO (consent) in conjunction with § 25 Abs. 1 TDDDG.

Google Analytics 4: We use Google Analytics 4 for statistical evaluation exclusively with your consent. Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Data processing takes place in the EU. IP anonymization is activated.

20.4 Detailed Cookie Information

Detailed information on all cookies used on biscotti-cmp.com, including name, purpose, provider, storage duration, and type, can be found in our separate Cookie Policy.

21. External Service Providers / Recipients

To provide our services, we use the following external service providers. This list corresponds to § 24 of our GTC and § 7 of our DPA:

No.Service ProviderContracting Party and LocationPurpose of ProcessingLocation of ProcessingLegal Basis
1StripeStripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, IrelandPayment processing, subscription managementEU/EEAArt. 6 Abs. 1 lit. b DSGVO
2Stripe ConnectStripe Payments Europe, Ltd., Dublin, IrelandPayment processing lawyer marketplace (payout to lawyers)EU/EEAArt. 6 Abs. 1 lit. b DSGVO
3ResendResend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USATransactional emails (verification, password reset, invoices, notifications, newsletter)USA/EU (AWS eu-west-1)Art. 6 Abs. 1 lit. b DSGVO / Art. 6 Abs. 1 lit. a DSGVO (Newsletter)
4Google GeminiGoogle Ireland Limited, Gordon House, Barrow Street, Dublin 4, IrelandAI text generation (Legal Suite), AI-powered cookie categorization, policy analysisEU/EEAArt. 6 Abs. 1 lit. b DSGVO
5Google Cloud Platform (GCP)Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, IrelandHosting, server infrastructure, database (PostgreSQL), container orchestration (Docker/Traefik), Redis, Playwright, MinIOEU (Netherlands, europe-west4)Art. 6 Abs. 1 lit. b DSGVO
6TwilioTwilio Ireland Limited, Dublin, IrelandVideo consultation in the lawyer marketplace (room creation, token generation)EU/EEAArt. 6 Abs. 1 lit. b DSGVO
7ip-api.comip-api, LithuaniaGeoIP detection for jurisdiction determination of website visitorsEUArt. 6 Abs. 1 lit. f DSGVO
8Let's EncryptInternet Security Research Group (ISRG), San Francisco, USAAutomatic provision of SSL/TLS certificates for Custom Domains (Agency tariff)GlobalArt. 6 Abs. 1 lit. f DSGVO
9Cloudflare TurnstileCloudflare Germany GmbH, Rosental 7, 80331 München, DeutschlandBot protection, CAPTCHA verification for login and registrationGlobalArt. 6 Abs. 1 lit. f DSGVO
10Google Analytics 4Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, IrlandStatistical evaluation of the use of biscotti-cmp.com (only with consent)EUArt. 6 Abs. 1 lit. a DSGVO
11IAB EuropeIAB Europe, Brussels, BelgiumGlobal Vendor List (GVL) for IAB TCF 2.3EUArt. 6 Abs. 1 lit. b DSGVO

Self-hosted technologies (no independent sub-processors):

  • PostgreSQL (Open Source) — Relational database, self-hosted on GCP (europe-west4)
  • Redis (Open Source) — In-memory database for session tracking and caching, self-hosted on GCP (europe-west4)
  • Playwright (Open Source, Microsoft) — Headless browser for website scanning, self-hosted on GCP (europe-west4)
  • MinIO (Open Source) — S3-compatible object storage for backups, self-hosted on GCP (europe-west4)

For these technologies, no data is transmitted to third parties. They are part of the GCP infrastructure mentioned under No. 5.

22. Third Country Transfer

22.1 Principle

The processing of personal data generally takes place within the European Union (EU) or the European Economic Area (EEA). The primary infrastructure (Google Cloud Platform, europe-west4) is located in the Netherlands.

22.2 Transfers to Third Countries

Insofar as processing by external service providers takes place outside the EU/EEA, we ensure that the special requirements of Art. 44 et seq. DSGVO are met:

(a) Resend (USA):

  • Secured by the current Standard Contractual Clauses (SCCs) of the EU Commission pursuant to Implementing Decision (EU) 2021/914
  • Additional security through the EU-US Data Privacy Framework (DPF) pursuant to the EU Commission's adequacy decision of July 10, 2023
  • Supplementary technical measures: TLS encryption of all email transmissions
  • Data processing takes place on AWS servers in the EU (eu-west-1 region)

(b) Let's Encrypt (USA):

  • Communication with Let's Encrypt is limited to the automated issuance of SSL/TLS certificates via the ACME protocol
  • Only domain names are transmitted — no personal data of natural persons

(c) Cloudflare Turnstile (Global):

  • Secured by the Standard Contractual Clauses (SCCs) of the EU Commission
  • Additional security through the EU-US Data Privacy Framework
  • Processing is limited to bot detection during login and registration processes

22.3 Transfer Impact Assessment

For each third country transfer, we conduct a Transfer Impact Assessment (TIA) to ensure that the level of data protection in the third country is essentially equivalent to that in the EU. We make the results of the TIA available upon request.

22.4 Changes in Legal Situation

Should an adequacy decision of the EU Commission be revoked or a third country transfer be prohibited by a supervisory authority or a court, we will inform you immediately and take appropriate alternative protective measures or cease the affected processing.

23. Storage Duration and Deletion Periods

We store personal data only for as long as it is necessary for the respective processing purpose or as statutory retention obligations exist. Below is an overview of the main storage periods:

Data CategoryStorage DurationLegal Basis
Account data (email, name, company)Duration of the contractual relationship + 30 days Grace PeriodArt. 6 Abs. 1 lit. b DSGVO
Password hashDuration of the contractual relationshipArt. 6 Abs. 1 lit. b DSGVO
Consent data of website visitorsStandard: 18 months (configurable by the customer)Art. 6 Abs. 1 lit. c DSGVO
Scan resultsDuration of the contractual relationshipArt. 6 Abs. 1 lit. b DSGVO
Generated legal textsDuration of the contractual relationshipArt. 6 Abs. 1 lit. b DSGVO
Audit logs12 monthsArt. 6 Abs. 1 lit. f DSGVO
Invoices and accounting data10 years§ 147 AO, §§ 238, 257 HGB
Tax-relevant documents10 years§ 147 AO
Commercial law-relevant correspondence6 years§ 257 HGB
Server log files30 daysArt. 6 Abs. 1 lit. f DSGVO
GeoIP cache1 hourArt. 6 Abs. 1 lit. f DSGVO
Verification/reset tokenUntil use or expiry (24 hours)Art. 6 Abs. 1 lit. b DSGVO
Newsletter consent proof3 years after unsubscriptionArt. 6 Abs. 1 lit. f DSGVO
Mandate data (lawyer marketplace)Duration of the contractual relationship, invoice data 10 yearsArt. 6 Abs. 1 lit. b DSGVO
Lawyer ratingsDuration of the lawyer's registrationArt. 6 Abs. 1 lit. f DSGVO
Backup dataRolling period, deletion after account deletion + Grace Period + Rotation CycleArt. 6 Abs. 1 lit. f DSGVO
Compliance reports / Health scoresDuration of the contractual relationshipArt. 6 Abs. 1 lit. b DSGVO

After account deletion, all personal data will be irrevocably and in compliance with data protection regulations deleted from productive systems and backups after the 30-day grace period, subject to the statutory retention obligations mentioned above.

24. Rights of Data Subjects (Art. 15–22 GDPR)

As a data subject, you have the following rights regarding your personal data:

24.1 Right of Access (Art. 15 GDPR)

You have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed. If that is the case, you have the right to access the personal data and the information specified in Art. 15 Abs. 1 DSGVO (purposes of processing, categories of personal data, recipients, envisaged storage period, origin of the data, existence of automated decision-making).

Technical Implementation: You can view your account data at any time in the dashboard. Consent data can be downloaded via the export function (CSV). Website visitors can view their stored consent data via the public Consent Lookup page by entering their Consent ID.

24.2 Right to Rectification (Art. 16 GDPR)

You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed.

Technical Implementation: Account data (name, email, company, address) can be corrected at any time in the dashboard.

24.3 Right to Erasure (Art. 17 GDPR)

You have the right to obtain the immediate erasure of your personal data if one of the reasons specified in Art. 17 Abs. 1 DSGVO applies (e.g., data are no longer necessary for the purpose, withdrawal of consent, unlawful processing).

Technical Implementation: You can initiate the deletion of your account at any time via the dashboard or by email to support@biscotti-cmp.com. Upon account deletion, all personal data will be irrevocably deleted, subject to statutory retention obligations (cf. Section 23). Consent data can be deleted by the customer (website operator) via the dashboard functions.

Restrictions: The right to erasure does not apply insofar as processing is necessary for compliance with a legal obligation (e.g., tax and commercial law retention obligations).

24.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to obtain restriction of processing where one of the conditions specified in Art. 18 Abs. 1 DSGVO applies (e.g., contesting the accuracy, unlawful processing, objection pursuant to Art. 21 DSGVO).

Technical Implementation: The restriction of individual data records can be initiated via the dashboard functions or by contacting our support.

24.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. You have the right to transmit those data to another controller without hindrance.

Technical Implementation: Biscotti CMP offers extensive data export options in CSV format via the dashboard and the REST-API. Exportable data includes: consent data, website configurations, scan results, legal texts, audit logs, and invoices.

24.6 Right to Object (Art. 21 GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 Abs. 1 lit. f DSGVO (legitimate interest). We shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

24.7 Right to Withdraw Consent (Art. 7 Abs. 3 GDPR)

Where processing is based on your consent (Art. 6 Abs. 1 lit. a DSGVO), you have the right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Technical Implementation for Website Visitors: The consent banner of the Biscotti CMP offers end-users the function to access and withdraw their settings at any time. Withdrawal is as easy as giving consent.

Technical Implementation for Newsletter: Every newsletter email contains an unsubscribe link.

24.8 Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data. The supervisory authority responsible for us is:

The State Commissioner for Data Protection and for the Right to Access Files Brandenburg
Stahnsdorfer Damm 77
14532 Kleinmachnow
Telephone: +49 33203 356-0
Email: poststelle@lda.brandenburg.de

However, you can also contact the supervisory authority of your habitual residence or place of work.

24.9 Contact for Exercising Your Rights

To exercise your rights, please contact:

Email: datenschutz@biscotti-cmp.com
Phone: +49 3322 50703301
Mail: Campcruisers GmbH, Berliner Str. 21 B, 14612 Falkensee, Germany

We will process your request without undue delay, but no later than one month after receipt (Art. 12 Abs. 3 DSGVO). In complex cases or with a large number of requests, this period may be extended by a further two months, about which we will inform you stating the reasons.

25. Automated Decision-Making (Art. 22 GDPR)

25.1 AI Text Generation

Within the Legal Suite, legal texts are generated by Artificial Intelligence (Google Gemini). This text generation constitutes automated processing, but it does not constitute automated decision-making within the meaning of Art. 22 Abs. 1 DSGVO, because:

  • The generated texts do not produce legal effects concerning the data subject or similarly significantly affect them.
  • The texts are merely drafts that must be reviewed, edited, and approved by the customer before use.
  • No decision is based solely on automated processing — the customer always retains full control over the use of the generated texts.

25.2 AI-powered Cookie Categorization

The automatic categorization of cookies by AI (Essential, Functional, Analytics, Marketing) serves as a support function. The customer can manually review and adjust the categorization at any time. It does not constitute automated decision-making within the meaning of Art. 22 DSGVO.

25.3 Bot Detection

Automated bot detection (cf. Section 16) automatically decides whether an access is classified as human or automated. This decision affects session counting and thus billing. Since the decision exclusively concerns the customer (not the website visitor) and the customer can trace the session counting in the dashboard, there is no automated decision-making within the meaning of Art. 22 DSGVO that significantly affects a data subject.

25.4 Compliance Health Score

The automated calculation of the Compliance Health Score (A–F) within the Policy Audit (cf. Section 9) serves as an information and support function. The score has no legal effect and is solely for the customer's information.

25.5 Transparency Notice according to EU AI Act

We use AI systems (Google Gemini) for text generation, cookie categorization, and policy analysis. In accordance with the transparency obligations of Regulation (EU) 2024/1689 (EU AI Act), we point out that:

  • AI-generated content is marked as such.
  • The AI simulates various legal expert roles — it is not a review by actual lawyers.
  • We strongly recommend having AI-generated legal texts reviewed by a qualified lawyer before productive use.

26. Changes to the Privacy Policy

We reserve the right to adapt this privacy policy to changed legal situations, technical developments, or new functionalities of the Biscotti CMP. The current version is always available on our website at biscotti-cmp.com/de/datenschutz.

In the event of significant changes affecting your rights or the nature of data processing, we will inform you by email to the email address stored in your account. We recommend that you regularly review this privacy policy.

27. Competent Supervisory Authority

The data protection supervisory authority responsible for the Campcruisers GmbH is:

The State Commissioner for Data Protection and for the Right to Access Files Brandenburg
Stahnsdorfer Damm 77
14532 Kleinmachnow
Germany
Telephone: +49 33203 356-0
Email: poststelle@lda.brandenburg.de
Website: https://www.lda.brandenburg.de

Data Security

We implement comprehensive technical and organizational security measures in accordance with Art. 32 DSGVO to protect your personal data. These include, in particular:

  • Encryption during transmission: TLS 1.2/1.3 for all data transmissions, HTTPS enforcement (HSTS)
  • Encryption at rest: AES-256 encryption of all databases and storage media on the Google Cloud Platform, AES-256-GCM for sensitive configuration data (API keys, BYOK keys)
  • Pseudonymization: Consent data is linked with pseudonymous Consent IDs, IP addresses are anonymized into IP hashes
  • Access control: Role-based access control (RBAC), principle of least privilege, logical client separation
  • Authentication: JWT-based authentication, Cloudflare Turnstile for protection against bot attacks
  • Backup and recovery: Daily automatic backups with AES-256 encryption and SHA-256 integrity check
  • Audit logging: Comprehensive logging system for all security-relevant actions

The complete technical and organizational measures (TOMs) are documented in § 8 of our Data Processing Agreement (DPA).

Reditus (affiliate tracking)

We operate our own affiliate/referral program and use the Reditus service provided by Reditus B.V., Europalaan 100, 3526 KS Utrecht, Netherlands (operator of the getreditus.com platform). If you reach our website via a referral link (parameter "red" or "refby") and subsequently register, we report the referred registration as well as downstream payment, refund and cancellation events to Reditus on the server side in order to correctly attribute the affiliate commission.

Reditus tracking script and cookies: Only if you have consented to the "Marketing" category is the Reditus tracking script (script.getreditus.com/gr.js) loaded. It may set and read a referral/click identifier (cookie "gr_id") in your browser. In addition, we store the attribution data in our own first-party storage (cookie or local storage "biscotti_reditus_attribution"). Before your consent, the script is not loaded and no identifier is set or read; without marketing consent there is also no server-side transmission to Reditus.

Purpose: Settlement and attribution of affiliate commissions for referred registrations and payments.

Legal basis: For loading the Reditus script and for storing/reading the referral identifier on your device, your consent pursuant to Section 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR. For the subsequent server-side transmission of the referral and settlement data to Reditus, our legitimate interest in correct commission settlement pursuant to Art. 6 (1) (f) GDPR (documented legitimate interest assessment); this transmission only takes place if marketing consent was given beforehand.

Categories of processed data:

  • Email address and/or internal account ID
  • Payment amount (net), currency and payment interval
  • Affiliate slug (referral identifier), where applicable advocate slug and Reditus click ID (gr_id)

Recipients: Reditus B.V., Netherlands. Reditus processes the referral tracking data on our behalf; the exact allocation of roles and obligations (processing under Art. 28 GDPR) is governed by the data processing agreement concluded with Reditus, which can be requested from us.

Third-country transfer: Processing generally takes place within the EU/EEA. Where Reditus uses sub-processors outside the EU/EEA, the transfer is based on appropriate safeguards pursuant to Art. 44 et seq. GDPR (in particular EU standard contractual clauses).

Retention period: The referral marker stored on the account and the related settlement data are retained for the duration of the contractual relationship and within the statutory retention periods, and are deleted thereafter. The first-party attribution identifier (biscotti_reditus_attribution) is kept for a maximum of 90 days.

Objection and withdrawal: You may object at any time, pursuant to Art. 21 GDPR, to processing based on Art. 6 (1) (f) GDPR, and you may withdraw your marketing consent at any time with effect for the future via our cookie settings.

Only the aforementioned data is transmitted to Reditus. No Stripe customer objects, no payment card or bank account data and no access to our Stripe account are shared. No automated decision-making with legal effect takes place.

Status: April 15, 2026
Campcruisers GmbH
Berliner Str. 21 B, 14612 Falkensee

Reditus (Affiliate Tracking)

Purpose: Processing and settlement of our affiliate/referral program. If you access our website via a partner's (affiliate) referral link and subsequently create an account or make a payment, we report the associated conversion as well as subsequent payment, refund, and cancellation events to our service provider Reditus, so that the commission of the referring partner can be correctly calculated.

Provider: Reditus B.V., Netherlands. The exact legal form and address can be found in the data processing agreement concluded with Reditus.

Categories of data processed:

  • Internal account ID and/or email address
  • Payment amount (net, without VAT), currency, and, if applicable, payment interval
  • Affiliate or advocate slug (identifier of the referring partner) and, if applicable, a technical click identifier (gr_id)

Expressly no Stripe customer objects, no card data, and no access to our Stripe account are transmitted to Reditus.

Legal basis: The client-side setting and reading of the attribution identifier (cookie or local storage) on our website is based exclusively on your consent in accordance with Section 25 (1) TDDDG in conjunction with Art. 6 (1) lit. a GDPR. Without marketing consent, the identifier is neither set nor read. The subsequent server-side transmission to Reditus is based on our legitimate interest in correct commission accounting in accordance with Art. 6 (1) lit. f GDPR (with documented balancing of interests) and, where applicable, on the performance of a contract in accordance with Art. 6 (1) lit. b GDPR.

Recipient: Reditus B.V. as a processor in accordance with Art. 28 GDPR.

Third country transfer: Reditus operates in the European Union (Netherlands). Should sub-processors be used outside the EU, we ensure an appropriate transfer mechanism in accordance with Art. 44 et seq. GDPR.

Storage duration: The referral marker and the associated billing data are stored for the duration of the contractual relationship and for the period required for commission accounting and for any refunds or cancellations, and are then deleted in compliance with statutory retention periods.

Data subject rights vis-à-vis Reditus: Please address requests for information (Art. 15 GDPR) and deletion (Art. 17 GDPR) to datenschutz@biscotti-cmp.com; we will forward these to Reditus if necessary.

This privacy policy is a translation of the German original. In case of any discrepancies, the German version shall prevail. The German version is the only legally binding version.
Biscotti CMP

Consent Management and Legal Text Generator by Campcruisers GmbH (Falkensee). Can support your website compliance.

Product

🏢 About UsFeaturesPricingDocumentation🔍 Cookie Check📦 Downloads📚 Privacy & Consent Knowledge Base📝 Blog📖 Cookie Consent & Privacy Glossary🌍 Jurisdictions♿ WCAG 2.2 Accessible Consent Banner

Legal

ImprintPrivacy PolicyTerms of ServiceRight of WithdrawalDPACookie Policy

Contact

Contact
© 2026 Biscotti – A service of Campcruisers GmbH🍪 Change cookie settings