Skip to content
Biscotti CMP
FeaturesPricing🔍 Cookie Check♿ Accessibility📦 DownloadsDocumentationBlog
Login
Home›Terms of Service

Terms and Conditions

At a glance

  • The terms that apply when you use Biscotti.
  • Contract formation, pricing and payment conditions.
  • Cancellation, liability and your consumer rights.

General Terms and Conditions (GTC) of Campcruisers GmbH for Biscotti CMP

Status: April 15, 2026

Preamble

Welcome to Biscotti CMP — the comprehensive Consent Management and Legal Compliance Platform by Campcruisers GmbH. We support website operators, agencies, companies, and freelancers in technically and organizationally implementing the requirements of the General Data Protection Regulation (GDPR), the Telecommunications-Digital Services Data Protection Act (TDDDG), the California Consumer Privacy Act (CCPA), the Lei Geral de Proteção de Dados (LGPD), and other international data protection laws in over 186 jurisdictions.

Biscotti CMP unifies under one platform: a configurable consent banner with jurisdiction-dependent display, an AI-powered cookie scanner with automatic categorization according to IAB TCF 2.3, a Legal Suite for AI-based generation and automatic updating of legal texts, a lawyer marketplace for brokering legal services, agency and white-label functions with client management, a WordPress plugin, a REST API, webhooks, A/B testing, consent analytics, a review rewards program, team management, and a knowledge base on data protection requirements in over 186 jurisdictions.

Transparency, fairness, and a partnership approach at eye level are our top priorities. These General Terms and Conditions (GTC) form the legal basis for the use of our Software-as-a-Service (SaaS) solution and define the mutual rights and obligations clearly and understandably. Should you have any questions, our support team is always available to assist you.

Provider Identification (according to § 5 DDG)

Your contractual partner for all services related to Biscotti CMP is:

Campcruisers GmbH
Berliner Str. 21 B
14612 Falkensee
Germany

Represented by:
Daniel Bosch (Managing Director / CEO)
Philipp André Marschall (Authorized Signatory)

Contact:

Phone:+49 3322 50703301
Fax:+49 3322 50703302
Email (General):info@biscotti-cmp.com
Email (Customer Service):support@biscotti-cmp.com
Email (Data Protection):datenschutz@biscotti-cmp.com
Website:www.biscotti-cmp.com
App Access:app.biscotti-cmp.com

Customer Service Business Hours: Monday to Friday from 10:00 AM to 5:00 PM (CET/CEST)

Registration Data:

Registry Court:Amtsgericht Potsdam
Registration Number:HRB 40180 P
VAT ID No. according to § 27a UStG:DE368000447

§ 1 Scope and Definitions

1.1 Scope

These General Terms and Conditions (GTC) apply to all contracts for the use of the Software-as-a-Service solution "Biscotti CMP" and all associated services (in particular lawyer marketplace, newsletter, review rewards program, WordPress plugin, API access), which are concluded between Campcruisers GmbH (hereinafter "Provider", "we" or "us") and the customers (hereinafter "Customer" or "you") via the website www.biscotti-cmp.com, the app at app.biscotti-cmp.com, the WordPress plugin or via third-party platforms (e.g., earlybird.so). The GTC apply to both consumers and entrepreneurs within the meaning of §§ 13, 14 BGB.

1.2 Deviating Conditions

Deviating, conflicting, or supplementary General Terms and Conditions of the Customer shall only become part of the contract if and to the extent that we have expressly agreed to their validity in text form (§ 126b BGB). This requirement of consent applies in any case, for example, even if we perform the service without reservation in knowledge of the Customer's GTC.

1.3 Definitions

For the purposes of these GTC, the following definitions apply:

Consumer is any natural person who concludes a legal transaction for purposes that are predominantly neither attributable to their commercial nor their independent professional activity (§ 13 BGB).

Entrepreneur is a natural or legal person or a partnership with legal capacity who, when concluding a legal transaction, acts in the exercise of their commercial or independent professional activity (§ 14 BGB).

SaaS (Software-as-a-Service) refers to the provision of the Biscotti CMP software for use via the internet. The Customer does not acquire ownership of the software, but a temporary right of use.

Session refers to a single page view by a website visitor, during which the Biscotti-CMP-Widget (biscotti.min.js) is loaded and sends a ping to the Biscotti infrastructure. Automated accesses by bots, crawlers, and scrapers are identified by the integrated bot detection and are not counted as sessions (cf. § 3.5).

Consent Banner refers to the consent banner integrated on the Customer's website, through which website visitors can make their consent decisions in accordance with § 25 TDDDG and Art. 6 Abs. 1 lit. a DSGVO.

Legal Suite refers to the integrated collection of AI-powered tools for generating legal texts (e.g., impressum, privacy policy, GTC, DPA).

Dashboard refers to the web-based user interface at app.biscotti-cmp.com, through which the Customer configures and manages the platform.

Account refers to the Customer's user account, which includes all associated websites, configurations, consent data, and billing information.

Sub-Account refers to a sub-account managed by an agency for an agency's end customer.

LTD-Plan (Lifetime Deal) refers to a plan acquired through a one-time payment, granting an unlimited right of use, subject to the provisions in § 4.6 and § 11.

Credit Pack refers to an additionally purchasable contingent of Sessions, which is consumed when the plan limit is exceeded.

Lawyer Marketplace refers to the mediation platform integrated into Biscotti CMP, through which customers can utilize legal services from independent lawyers registered on the platform.

Mandate refers to the assignment brokered via the Lawyer Marketplace between a customer and a lawyer.

Jurisdiction refers to a legal area (state, federal state, region) for which specific data protection requirements apply and which influences the display of the Consent Banner.

IAB TCF (Transparency & Consent Framework) refers to the technical standard developed by the Interactive Advertising Bureau (IAB) Europe for managing consents in digital advertising, currently in version 2.3.

GVL (Global Vendor List) refers to the list of registered vendors maintained by IAB Europe within the TCF framework.

§ 2 Conclusion of Contract

2.1 Non-binding Offer

The presentation and promotion of our services on our websites do not constitute a binding offer to conclude a contract, but an invitation to submit an offer (invitatio ad offerendum).

2.2 Order Process and Conclusion of Contract

The Customer can choose from the various subscription plans (§ 3.4). By clicking the button that completes the order process (e.g., "Order with obligation to pay" or "Subscribe"), the Customer submits a legally binding offer regarding the selected plan. Before submitting the order, the Customer can change and view the data at any time, as well as identify and correct input errors.

The contract is only concluded when we declare acceptance of the offer by means of an order confirmation via email or activate access to the software (Dashboard) immediately after checkout. The contract text will be stored by us in compliance with data protection regulations and sent to the Customer along with these GTC via email.

For the free FREE plan, the contract is concluded upon completion of registration and activation of the account.

2.3 Redemption of Lifetime Deal Licenses (LTD)

Customers who have purchased a Lifetime Deal license key via third-party platforms (e.g., earlybird.so) can activate it via the "Redeem License Key" endpoint in the Dashboard or during registration. Each license key can be redeemed only once. Upon redemption, the account is automatically assigned to the corresponding LTD plan. The GTC valid at the time of redemption apply. Special provisions in § 4.6 apply to LTD plans.

2.4 Self-Supply Reservation

The conclusion of the contract is subject to the correct and timely self-supply by our suppliers (in particular server and AI infrastructure providers). This only applies if we are not responsible for the non-delivery. The Customer will be informed immediately about the unavailability of the service. Any consideration already provided will be refunded immediately.

§ 3 Registration and Account Management

3.1 Registration Requirements

(1) The use of Biscotti CMP requires the creation of a user account. Registration is only permitted for natural persons of legal age and full legal capacity (§§ 2, 104 ff. BGB) as well as duly represented legal entities and partnerships. By registering, the Customer assures that they have reached the age of 18 and are fully legally capable or authorized to represent the legal entity.

(2) Each natural or legal person may only create one account, unless sub-accounts are created within the scope of the Agency plan.

3.2 Registration Process and Double-Opt-In

(1) The following mandatory information is required for registration: email address and password. Optionally, company name, first name, and last name can be provided. The account language is automatically detected from the browser language or can be manually selected from 42 available languages.

(2) After submitting the registration form, the Customer receives a verification email to the specified email address (double opt-in procedure). The verification link contained in the email is valid for 24 hours. If the email address is not verified within this period, the account remains, but with limited functionality. A new verification email can be sent at any time.

(3) Upon completion of registration, the account is automatically assigned to the free FREE plan.

3.3 Password Requirements and Account Security

(1) The password must be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, and one digit.

(2) The Customer is obliged to keep their password secret and protect it from third-party access. The disclosure of access data to third parties is prohibited, unless this occurs within the scope of team management (§ 18) or agency functions (§ 15).

(3) The Customer is liable for all activities carried out using their access data, unless they prove that the use occurred without their fault by an unauthorized third party.

(4) In case of suspicion of unauthorized access to the account, the Customer is obliged to inform us immediately at support@biscotti-cmp.com and to change their password immediately.

3.4 Password Reset

The Customer can request an email with a time-limited reset link via the "Forgot password" function. The new password must comply with the requirements of § 3.3 Abs. 1.

3.5 Account Deletion

(1) The Customer can initiate the deletion of their account at any time via the Dashboard or by email to support@biscotti-cmp.com.

(2) Upon account deletion, all personal data, website configurations, consent logs, scan results, and generated legal texts are irrevocably deleted, subject to statutory retention obligations (§ 147 AO, §§ 238, 257 HGB). Invoices and accounting data are retained for 10 years.

(3) Before deletion, the Customer is obliged to back up their data using the export function (§ 11.4).

§ 4 Service Description and Plans

4.1 Core Functions of Biscotti CMP

Biscotti CMP is a comprehensive Consent Management and Legal Compliance Platform that includes the following core functions:

(a) Consent Banner and Consent Management
A configurable consent banner for obtaining, managing, and documenting consent decisions of website visitors in accordance with § 25 TDDDG, Art. 6 Abs. 1 lit. a DSGVO, and international data protection laws. The banner supports jurisdiction-dependent display (e.g., Opt-In for GDPR, Opt-Out for CCPA) based on the visitor's GeoIP detection. Supported consent frameworks include: GDPR, CCPA/CPRA, LGPD, Google Consent Mode v2, IAB TCF 2.3, and Global Privacy Control (GPC).

(b) Cookie Scanner
An automated scanner that searches websites for cookies, local storage entries, and third-party trackers, compares them with the IAB Global Vendor List (GVL), and automatically categorizes them using AI (Essential, Functional, Analytics, Marketing). The scanner uses Playwright for JavaScript-rendered pages.

(c) Legal Suite — AI Legal Text Generator
An integrated tool for AI-based generation of legal texts, based on Google Gemini. Depending on the plan, the Legal Suite can generate the following document types: impressum, privacy policy, cookie policy, GTC (B2B and B2C), right of withdrawal instructions, DPA, shipping and return conditions, terms of use, disclaimer, NDA, DSA information, and over 30 other document types.

(d) Legal Sync — Automatic Legal Text Updates
An automated system for monitoring legal changes in over 186 jurisdictions. In case of relevant changes, affected legal texts are automatically marked as requiring an update and can be automatically regenerated upon request (only in plans with "Auto-Update" function).

(e) Compliance Audit and Policy Review
Automated weekly compliance audits of customer websites, including the detection of new cookies, checking for consent issues, and analysis of existing legal texts (privacy policy, impressum) using AI-powered scraping and evaluation (Health Score A–F).

(f) Jurisdiction Knowledge Base
A comprehensive knowledge base with compliance information for over 186 jurisdictions and 69 business categories, including compliance checklists and legal requirements.

(g) Consent Analytics and A/B Testing
Statistical evaluations of consent rates, banner interactions, and conversion tracking. A/B testing allows comparing different banner variants with configurable traffic distribution.

(h) Lawyer Marketplace
A mediation platform for legal services (cf. § 14 of these GTC).

(i) Agency and White-Label Functions
Client management with sub-accounts, custom domain (CNAME), own transactional emails, and full white-label branding (cf. § 15 of these GTC).

(j) WordPress Plugin
A WordPress plugin for simplified integration of Biscotti CMP (cf. § 21 of these GTC).

(k) REST API and Webhooks
Programmatic access to the platform via a REST API and event-based notifications via webhooks (cf. § 19 of these GTC).

(l) Newsletter
A newsletter service with information on product updates, data protection law, and compliance topics (cf. § 16 of these GTC).

(m) Review Rewards Program
A rewards program for customer reviews on external platforms (cf. § 17 of these GTC).

4.2 IMPORTANT DISCLAIMER for AI-generated content

(1) Campcruisers GmbH is a software company and not a law firm. We do not provide legal or tax advice within the meaning of the Legal Services Act (RDG).

(2) The legal texts generated by the Legal Suite are based exclusively on the individual input of the customer and automated AI processes (Google Gemini). The AI simulates various legal expert roles (e.g., "Specialist Lawyer for IT Law") to optimize text quality. This is expressly NOT a review by real lawyers.

(3) We expressly assume no warranty, guarantee, or liability for the legal accuracy, completeness, topicality, or protection against warnings of the generated legal texts. The use of the texts is at the customer's own risk. We strongly recommend having the generated documents reviewed by a qualified lawyer before productive use. The integrated lawyer marketplace (§ 14) is also available for this purpose.

(4) The transparency obligations of Regulation (EU) 2024/1689 (EU AI Act) are observed. We label AI-generated content accordingly and inform the customer about the use of AI systems.

4.3 Consent Data and Retention

(1) Consent decisions of website visitors are stored by default for 18 months. The Customer can individually configure the retention period in the website settings.

(2) Consent data is stored pseudonymized. IP addresses are processed exclusively for jurisdiction detection and then anonymized (IP hash). No raw IP addresses are permanently stored.

(3) Website visitors can view their stored consent data via a public Consent-Lookup page by entering their Consent-ID (Art. 15 DSGVO). This function is limited to 10 requests per minute per IP address.

4.4 Subscription Plans (Tariffs)

We offer the following plans, the exact scope of which results from the current service description on our website and the following provisions:

(a) Regular Subscription Plans (monthly or annually)

FREE (Free):

  • Up to 5,000 Sessions/month, 1 Website
  • Consent Frameworks: GDPR, Google Consent Mode v2
  • Scanner: monthly, AI categorization, Smart Auto-Block
  • Legal Suite: Impressum, Privacy Policy, Cookie Policy (max. 3 generations per document/month)
  • Analytics: Basic statistics
  • Branding: Biscotti branding visible in the banner
  • Support: Community
  • No API access, no agency functions
  • Note: This plan serves as an unlimited trial period.

STARTER:

  • Up to 15,000 Sessions/month, 3 Websites
  • Consent Frameworks: GDPR, CCPA, LGPD, Google Consent Mode v2
  • Scanner: weekly, AI categorization, Smart Auto-Block
  • Legal Suite: Impressum, Privacy Policy, Cookie Policy, GTC, Right of Withdrawal Instructions, Shipping and Return Conditions (max. 3 generations per document/month)
  • Analytics: Basic statistics
  • Branding: no Biscotti branding
  • Support: Community, Email
  • No API access, no agency functions

GROWTH:

  • Up to 60,000 Sessions/month, 10 Websites
  • Consent Frameworks: GDPR, CCPA, LGPD, Google Consent Mode v2, IAB TCF 2.3
  • Scanner: daily, AI categorization, Smart Auto-Block
  • Legal Suite: all Starter documents plus DPA, unlimited generations, Legal Auto-Update
  • Analytics: Basic statistics, Consent Analytics, A/B Testing
  • Branding: White-Label (no Biscotti branding, own branding possible)
  • Support: Community, Email
  • No API access, no agency functions

BUSINESS:

  • Up to 500,000 Sessions/month, 20 Websites
  • Consent Frameworks: GDPR, CCPA, LGPD, Google Consent Mode v2, IAB TCF 2.3
  • Scanner: hourly, AI categorization, Smart Auto-Block
  • Legal Suite: over 40 document types, unlimited generations, Legal Auto-Update, DSA information
  • Analytics: Basic statistics, Consent Analytics, A/B Testing, Conversion Tracking
  • Branding: White-Label with own company logo
  • Support: Community, Email, Priority Support
  • REST API access
  • No agency functions

AGENCY:

  • Up to 2,000,000 Sessions/month, 50 Websites
  • Consent Frameworks: GDPR, CCPA, LGPD, Google Consent Mode v2, IAB TCF 2.3
  • Scanner: Real-time (every 15 minutes), AI categorization, Smart Auto-Block
  • Legal Suite: over 40 document types, unlimited generations, Legal Auto-Update, DSA information
  • Analytics: Basic statistics, Consent Analytics, A/B Testing, Conversion Tracking
  • Branding: White-Label Pro (own domain/CNAME, own emails, own logo)
  • Support: Community, Email, Priority Support, Dedicated Support
  • REST API access
  • Agency Functions: up to 25 Sub-Accounts, Reseller Dashboard, Test Domains, Proxy Token Access

ENTERPRISE:

  • Unlimited Sessions, unlimited Websites, unlimited Sub-Accounts
  • All functions of the Agency plan
  • Dedicated Support with personal contact person
  • Individual agreement (SLA, scope of functions, prices) by arrangement
  • Contact via sales@biscotti-cmp.com required

(b) Lifetime-Deal Plans (LTD) — One-time Payment

LTD plans are exclusively distributed via authorized third-party platforms (e.g., earlybird.so) and activated by redeeming a license key. These are one-time payments that grant an unlimited right of use (cf. § 4.6).

LTD STARTER:

  • Up to 100,000 Sessions/month, unlimited Websites
  • Consent Frameworks: GDPR, CCPA, LGPD, Google Consent Mode v2
  • Scanner: weekly
  • Legal Suite: over 40 document types (max. 3 generations per document/month)
  • Analytics: Basic statistics
  • Branding: own logo, no full White-Label
  • Support: Community, Email
  • No API access, no agency functions

LTD GROWTH:

  • Up to 250,000 Sessions/month, unlimited Websites
  • Consent Frameworks: GDPR, CCPA, LGPD, Google Consent Mode v2, IAB TCF 2.3
  • Scanner: daily
  • Legal Suite: over 40 document types, unlimited generations
  • Analytics: Basic statistics, Consent Analytics, A/B Testing
  • Branding: full White-Label with own logo
  • Support: Community, Email
  • No API access, no agency functions

LTD BUSINESS:

  • Up to 1,000,000 Sessions/month, unlimited Websites
  • Consent Frameworks: GDPR, CCPA, LGPD, Google Consent Mode v2, IAB TCF 2.3
  • Scanner: hourly
  • Legal Suite: over 40 document types, unlimited generations
  • Analytics: Basic statistics, Consent Analytics, A/B Testing, Conversion Tracking
  • Branding: full White-Label with own logo
  • Support: Community, Email, Priority Support
  • REST API access
  • No agency functions

LTD AGENCY:

  • Up to 5,000,000 Sessions/month, unlimited Websites
  • Consent Frameworks: GDPR, CCPA, LGPD, Google Consent Mode v2, IAB TCF 2.3
  • Scanner: Real-time (every 15 minutes)
  • Legal Suite: over 40 document types, unlimited generations
  • Analytics: Basic statistics, Consent Analytics, A/B Testing, Conversion Tracking
  • Branding: White-Label Pro (own domain/CNAME, own emails, own logo)
  • Support: Community, Email, Priority Support, Dedicated Support
  • REST API access
  • Agency Functions: up to 50 Sub-Accounts, Reseller Dashboard, Test Domains

4.5 Session-based Billing

4.5.1 Definition and Counting of Sessions

(1) A "Session" is counted when the Biscotti-CMP-Widget (biscotti.min.js) is loaded on a Customer's website and sends an HTTP ping to the /api/v1/ping endpoint of the Biscotti infrastructure.

(2) The integrated bot detection analyzes each access based on the following criteria: User-Agent analysis, header analysis (e.g., missing Accept-Language headers), detection of headless browsers, and IP-based rate-limiting. Accesses identified as automated (bot) are not counted as Sessions and are not charged.

(3) Sessions are assigned to the billing month in which they occur. For agencies, Sessions are aggregated across all Sub-Accounts.

4.5.2 Session Limits and Escalation

The plans are tied to monthly Session limits. The following escalation model applies when approaching or exceeding the limit:

  • 80 % (Warning): Notification via email and Dashboard alert.
  • 100 % (Limit Reached): Notification via email and alert. From this point, purchased Credits are consumed, if available.
  • 110 % (Last Warning): Notification via email and alert that the banner will be deactivated shortly.
  • 120 % (Banner Blocked): The Consent Banner is deactivated (no longer displayed), if no Credits are left.

4.5.3 Credit Packs

Customers can purchase additional Session contingents in the form of Credit Packs. A Credit Pack includes 1,000,000 additional Sessions. Credits are automatically consumed when the regular plan limit is exceeded (between 100 % and 120 %). Unused Credits do not expire and are non-refundable.

4.5.4 Rollover of Unused Sessions

Unused Sessions from one billing month do not expire immediately. 50 % of unused Sessions are carried over to the following month. This rollover is capped at a maximum of 50 % of the regular plan limit. Example: Growth plan with a 60,000 limit – if only 40,000 are used, 10,000 (50 % of 20,000) are carried over to the next month, so up to 70,000 Sessions are available in the following month.

4.6 Special Provisions for LTD Plans (Lifetime Deals)

(1) LTD plans grant an unlimited right of use for the functionality of the respective plan available at the time of redemption. We reserve the right to expand the scope of functions as part of the platform's development, but not to significantly restrict it.

(2) LTD plans are not subject to automatic renewal and no recurring payment obligation.

(3) The Session limits of the LTD plans apply per calendar month. Exceeding the limit is possible by purchasing Credit Packs.

(4) For LTD plans, the termination provisions in § 11 apply accordingly, whereby termination by the Customer is possible at any time without notice. A refund of the purchase price is excluded after redemption of the license key (cf. § 10.2).

4.7 Scan Contingents

The number of manually triggerable scans per day and domain is limited depending on the plan:

  • FREE: 2 scans/day/domain
  • STARTER: 3 scans/day/domain
  • GROWTH / BUSINESS: 5 scans/day/domain
  • AGENCY: 20 scans/day/domain
  • ENTERPRISE: unlimited

Additionally, a burst limit of a maximum of 1 scan per minute per domain applies. Automatically scheduled scans (according to the plan's scan frequency) are performed independently of these contingents.

4.8 Public Cookie Checker

A free, public Cookie Checker is available on the marketing website, which can be used without registration. This is limited to 3 scans per day per IP address and offers a restricted range of functions compared to the full scanner in the Dashboard.

§ 5 Prices and Payment Terms

5.1 Prices and Taxes

(1) All prices stated on the website include the respective valid statutory value-added tax (gross prices), provided the Customer is a consumer.

(2) For entrepreneurs (B2B), tax calculation is as follows:

  • German customers: 19 % VAT
  • EU customers with valid VAT ID: Reverse-Charge procedure (0 % VAT, tax liability transfers to the customer)
  • EU customers without VAT ID (B2C): VAT of the destination country according to OSS procedure (One-Stop-Shop)
  • Third-country customers: not taxable (0 % VAT)

(3) The entry of a complete billing address is mandatory for paid plans.

5.2 Due Date and Billing Period

(1) The remuneration for paid subscription plans is due immediately upon checkout. Payment processing is handled by the payment service provider Stripe (Stripe Payments Europe, Limited, Dublin, Ireland) in subscription mode.

(2) The subscription automatically renews monthly or annually, depending on the chosen term, unless terminated in due time (§ 11).

(3) For LTD plans, payment is made once via the respective third-party platform. Payment processing is subject to the terms of the third-party platform.

5.3 Payment Methods

We accept the following payment methods, whose availability may vary depending on the registration location and payment service provider:

  • Credit Cards: Visa, Mastercard, American Express, JCB, Discover, UnionPay, Cartes Bancaires
  • SEPA Direct Debit
  • PayPal, Apple Pay, Google Pay, Amazon Pay, Link (Stripe), Samsung Pay
  • Sofortüberweisung / Klarna Pay Now, Klarna Invoice
  • Local Payment Methods: iDEAL, Bancontact, EPS, Przelewy24, Multibanco, BLIK, ACH Direct Debit, BECS Direct Debit

5.4 Invoicing (ZUGFeRD)

(1) Invoices are created electronically in ZUGFeRD format (PDF with embedded XML according to EN 16931) and sent to the Customer by email and made available for download in the Dashboard.

(2) Invoices are provided with a sequential invoice number in the format INV-YYMM-XXXXX. Customer numbers are assigned in the format CUS-YYMM-XXXXX.

(3) For payment by invoice (if offered in individual cases), the payment term is 14 days from the invoice date.

5.5 Default

(1) If the Customer defaults on payment, the statutory default interest rates apply (§ 288 BGB): for consumers 5 percentage points, for entrepreneurs 9 percentage points above the respective base interest rate.

(2) No dunning fees are charged. The right to claim further damages caused by default remains reserved.

(3) In case of payment default of more than 14 days, we are entitled to temporarily block access to the platform until outstanding payments are settled. The Consent Banner remains active during the blocking period to avoid jeopardizing the Customer's GDPR compliance.

5.6 Price Changes

(1) We reserve the right to adjust prices for our subscriptions with a notice period of at least 30 days to the next billing period (§ 315 BGB). The Customer will be informed about this via email.

(2) The new price will only apply after the end of the current billing period. If the Customer does not agree with the price change, they can terminate the subscription in due time at the end of the current period.

(3) Price changes do not apply to LTD plans, as these are covered by a one-time payment.

§ 6 Delivery and Service Provision

6.1 Provision of Digital Content

Our service is delivered exclusively digitally by granting access to the SaaS platform (Dashboard) and providing the banner code (JavaScript snippet) for integration on the Customer's website. Partial deliveries (e.g., gradual activation of features) are permissible, provided they are reasonable for the Customer.

6.2 Service Level Agreement (SLA) and Availability

(1) We guarantee a system availability of 99 % on an annual average. "Available" means that the system responds to requests in less than 5 seconds.

(2) Excluded from the availability calculation are:

  • Planned and pre-announced (at least 48 hours) maintenance windows
  • Emergency maintenance work to fix critical security vulnerabilities (announcement as early as possible, at least via Dashboard notification)
  • Downtimes due to force majeure (§ 25)
  • Failures of external service providers (§ 24) that are beyond our control

(3) For the Enterprise plan, individual SLA agreements with extended availability guarantees and SLA credits can be made.

6.3 Updates and Support

(1) Regular updates (bug fixes, security updates, and feature enhancements) are included in all plans and are provided automatically.

(2) Customer service usually responds within 24 hours (business days). Shorter response times apply for Priority and Dedicated Support.

(3) Complaints are processed via an internal escalation process.

§ 7 Rights of Use and Retention of Title

7.1 Scope of License

(1) Upon full payment of the due remuneration (or for LTD plans: upon redemption of the license key), we grant the Customer a non-exclusive, non-transferable, and non-sublicensable right to use the Biscotti CMP software as intended within the booked plan limits for the duration of the contract.

(2) The right of use includes access to the Dashboard, integration of the banner code on the Customer's registered websites, use of the Legal Suite, the Scanner, and all other functions included in the booked plan.

(3) Sublicensing is only permitted to Sub-Accounts within the scope of the Agency functions (§ 15).

7.2 Prohibited Actions

The Customer is expressly prohibited from:

(a) Decompiling, disassembling, or reverse engineering the software, unless this is mandatorily permitted by law according to § 69e UrhG.

(b) Using automated scripts, bots, or scraping tools to systematically extract or copy data from the IAB Vendor Database, the Jurisdiction Knowledge Base, or other parts of our software.

(c) Using the software for unlawful purposes, in particular for the distribution of spam, malware, or illegal content.

(d) Manipulating or circumventing the Session counting by technical measures.

(e) Using the software in a way that impairs the stability, security, or availability of the platform for other customers.

(f) Disclosing access data to unauthorized third parties or creating multiple accounts for the same natural or legal person (except within the scope of agency functions).

(g) Using the software in violation of applicable export control and sanction regulations (in particular EU regulations, US OFAC sanctions) or granting access to persons in sanctioned countries.

7.3 Fair-Use-Policy

The use of the platform is subject to a Fair-Use-Policy, the current version of which can be viewed at biscotti-cmp.com/de/fair-use. In case of violations of the Fair-Use-Policy, we are entitled to temporarily suspend the account after prior warning or to terminate the contract extraordinarily.

7.4 Retention of Title

Until full payment of all current and future claims arising from the contract, we reserve the full right to revoke the granted rights of use to the digital content (§ 449 BGB analog).

§ 8 Warranty and Liability for Defects

8.1 Statutory Warranty for Consumers (B2C)

For consumers, the statutory warranty rights according to §§ 327 ff. BGB (contracts for digital products) apply. We warrant that the software, when used as intended, will have the agreed quality and will be maintained in a contractual condition during the contract term (obligation to update according to § 327f BGB).

8.2 Special Provisions for Entrepreneurs (B2B)

(1) For entrepreneurs, warranty claims are primarily limited to rectification of defects (subsequent performance). If the rectification fails after a reasonable period or after two attempts, the Customer may reduce the price or terminate the contract.

(2) The no-fault liability for damages (§ 536a BGB) for defects existing at the time of contract conclusion is excluded.

(3) Entrepreneurs are subject to an immediate duty to give notice of defects analogous to § 377 HGB: Obvious defects of the software or the provided codes must be reported immediately, but no later than within 14 days after provision, in text form. In case of violation of the duty to inspect and give notice of defects, the service shall be deemed approved with regard to the defect concerned.

§ 9 Limitation of Liability

9.1 Unlimited Liability

We are liable without limitation:

  • for intent and gross negligence,
  • for damages resulting from injury to life, body, or health,
  • upon assumption of an express guarantee,
  • for fraudulently concealed defects,
  • for claims under the Product Liability Act (ProdHaftG).

9.2 Limited Liability for Slight Negligence

In the event of slightly negligent breach of essential contractual obligations (cardinal obligations), our liability is limited to the contract-typical, foreseeable damage. Essential contractual obligations are those whose fulfillment enables the proper execution of the contract in the first place and on whose compliance the contractual partner may regularly rely. Otherwise, liability for slight negligence is excluded.

9.3 Maximum Liability (B2B)

Towards entrepreneurs, liability – with the exception of the cases in § 9.1 – is limited in amount to the remuneration paid by the Customer in the last 12 months prior to the damage-causing event, but at least 500 EUR. For LTD plans, liability is limited to the one-time purchase price paid.

9.4 Exclusion of Liability for Indirect Damages (B2B)

Towards entrepreneurs, liability for indirect damages, in particular for lost profits, production downtime, data loss (unless avoidable by backups), or reputational damage, is excluded in cases of slight negligence.

9.5 Exclusion of Liability for AI-generated Legal Texts

As set out in § 4.2, any liability for the content and legal accuracy of the legal texts generated by AI (impressum, GTC, DPA, privacy policy, etc.) is completely excluded, to the extent legally permissible. The Customer is solely responsible for the legal review of the texts published on their website.

9.6 Exclusion of Liability for the Lawyer Marketplace

(1) We are not liable for the legal services brokered via the Lawyer Marketplace (§ 14). The contract for the legal service is concluded exclusively between the Customer and the respective lawyer. We are neither a party to this contract nor an auxiliary agent of the lawyer.

(2) We are not liable for the quality, accuracy, completeness, or timeliness of the legal advice or other legal services.

(3) Our liability is limited to the proper technical provision of the mediation platform and payment processing via Stripe Connect.

9.7 Exclusion of Liability for the Knowledge Base

The information contained in the Jurisdiction Knowledge Base is for general information purposes only and does not constitute legal advice. We assume no liability for the accuracy, completeness, or topicality of the content.

9.8 Compliance Responsibility

(1) The Customer, as the controller within the meaning of Art. 4 Nr. 7 DSGVO, is solely responsible for the data protection compliance of their website. Biscotti CMP merely provides technical tools to support compliance.

(2) We do not guarantee that the use of Biscotti CMP ensures full compliance with all applicable data protection laws. The configuration of the Consent Banner, the selection of consent categories, and the integration on the website are the responsibility of the Customer.

§ 10 Set-off and Retention Rights

The customer is only entitled to a right of set-off if their counterclaims have been legally established, are undisputed, or have been acknowledged by us. The customer is only entitled to exercise a right of retention insofar as their counterclaim is based on the same contractual relationship. Exception for consumers: Consumers are entitled to set off any due counterclaim.

§ 11 Right of Withdrawal for Consumers (B2C)

If you are a consumer within the meaning of § 13 BGB, you generally have a statutory right of withdrawal.

Instructions on Withdrawal

Right of Withdrawal

You have the right to withdraw from this contract within fourteen days without giving any reason. The withdrawal period is fourteen days from the day of the conclusion of the contract.

To exercise your right of withdrawal, you must inform us (Campcruisers GmbH, Berliner Str. 21 B, 14612 Falkensee, Telephone: +49 3322 50703301, Email: info@biscotti-cmp.com) of your decision to withdraw from this contract by means of a clear statement (e.g., a letter sent by post or email). You may use the attached model withdrawal form, but it is not obligatory.

To meet the withdrawal deadline, it is sufficient for you to send your communication concerning your exercise of the right of withdrawal before the withdrawal period has expired.

Consequences of Withdrawal

If you withdraw from this contract, we shall reimburse to you all payments received from you, without undue delay and in any event not later than fourteen days from the day on which we are informed about your decision to withdraw from this contract. We will carry out such reimbursement using the same means of payment as you used for the initial transaction, unless you have expressly agreed otherwise; in no event will you incur any fees as a result of such reimbursement.

11.1 Premature Expiration of the Right of Withdrawal (Digital Content)

Important notice according to § 356 Abs. 5 BGB i.V.m. § 312g Abs. 2 Nr. 13 BGB:
The right of withdrawal expires prematurely in the case of a contract for the supply of digital content not on a tangible medium (such as our SaaS software) if we have commenced with the performance of the contract after you have expressly agreed that we begin with the performance of the contract before the expiry of the withdrawal period, and you have confirmed your knowledge that by your consent, you lose your right of withdrawal with the commencement of the performance of the contract.

11.2 No Right of Withdrawal for LTD Plans

For Lifetime Deal (LTD) plans acquired via third-party platforms and activated by redeeming a license key, the right of withdrawal expires upon redemption of the license key and immediate provision of the digital content, provided the customer has previously expressly agreed that contract performance begins immediately and has confirmed their knowledge of losing the right of withdrawal. For the acquisition of the license key on the third-party platform, the withdrawal provisions of the respective third-party platform apply.

§ 12 Term, Termination and Data Handling

12.1 Contract Term and Renewal

(1) The minimum term of the contract depends on the billing period chosen by the customer at checkout (monthly or annually), but is a maximum of 24 months.

(2) The subscription automatically renews for the respective booked period (for annual subscriptions, a maximum of one additional year), unless it is terminated in due time.

(3) For annual subscriptions, we inform the customer 30 days before the automatic renewal via email.

(4) LTD plans have an indefinite term (cf. § 4.6).

(5) The FREE plan has no minimum term and can be terminated at any time.

12.2 Notice Period and Termination Methods

(1) The notice period is 1 day before the end of the respective billing period. Termination means that the plan continues until the end of the already paid period.

(2) Terminations can be made as follows:

  • Via the customer portal in the dashboard (self-service)
  • Via the easily accessible button "Terminate contracts here" on our website according to § 312k BGB (termination button)
  • In text form (e.g., via email to support@biscotti-cmp.com)

(3) A termination can be revoked before the end of the period (resume function).

(4) In the event of a downgrade, the current plan remains active until the end of the period, after which the automatic change occurs. Upgrades take effect immediately with pro-rata billing (proration).

12.3 Extraordinary Termination

The right to extraordinary termination for good cause remains unaffected for both parties (§ 314 BGB). A good cause exists in particular if:

  • the customer is in default of payment of more than two monthly amounts despite a reminder,
  • the customer repeatedly or seriously violates these GTC,
  • insolvency proceedings are opened against the assets of a party or the opening is rejected due to lack of assets,
  • the platform is unavailable for more than 3 months due to force majeure (§ 25).

12.4 Data Handling upon Termination / Downgrade

(1) Upon termination becoming effective, the account will be downgraded to the free FREE plan. A 30-day grace period applies:

  • Day 1–30: The customer can still access the dashboard and export their data.
  • Day 23: Automatic email warning that data will be deleted in 7 days.
  • Day 30: Usage data (websites, scans, consent logs, session logs, A/B tests, legal entities, generated legal texts) will be irrevocably deleted. The account will be anonymized.

(2) Invoices and accounting data will be stored for 10 years in accordance with § 147 AO and §§ 238, 257 HGB.

12.5 Data Portability (Art. 20 GDPR)

The customer can request an export of their data in machine-readable CSV format via the dashboard at any time. The export includes account master data, website configurations, invoices, and up to 10,000 consent records. For more extensive exports, the customer can contact support.

12.6 Responsibility for Backups

(1) The principle of shared responsibility applies. During the active subscription, we ensure the availability and backups of consent data. Backups are created daily and secured in encrypted form on S3-compatible storage (AWS S3 / MinIO). Integrity is ensured by SHA-256 checksums.

(2) During the 30-day termination phase, the customer is obliged to export their data. After deletion, the customer bears sole responsibility for the burden of proof of consents (Art. 7 Abs. 1 DSGVO).

12.7 Data Migration

We support the customer to a reasonable extent with migration to another Consent Management Provider, particularly by providing export functions (§ 12.5). Further migration assistance can be individually agreed upon within the scope of the Enterprise plan.

§ 13 Confidentiality (B2B only)

(1) Both contracting parties undertake to treat all confidential information of the respective other contracting party obtained during contract initiation and execution as confidential indefinitely (even beyond the end of the contract for at least 3 years) and to use it only for the purposes of contract execution.

(2) Confidential information includes, in particular, trade secrets within the meaning of § 2 GeschGehG, technical documentation, customer data, pricing structures, and business strategies.

(3) Excluded are information that:

  • were already publicly known at the time of disclosure or become publicly known thereafter without fault of the receiving party,
  • were already lawfully known to the receiving party prior to disclosure,
  • were independently developed by the receiving party,
  • were lawfully received from a third party without an obligation of confidentiality.

(4) Disclosure to vicarious agents is only permissible if they are subject to a comparable confidentiality obligation.

§ 14 Attorney Marketplace

14.1 Intermediary Role of Campcruisers GmbH

(1) Campcruisers GmbH operates an attorney marketplace via Biscotti CMP, which facilitates the mediation of legal services between clients and independent attorneys registered on the platform.

(2) Campcruisers GmbH acts exclusively as an intermediary (platform operator) and is NOT a party to the client-attorney relationship established between the client and the attorney. The contract for legal services is concluded exclusively between the client and the respective attorney. Campcruisers GmbH is neither a contractual partner of the mandate agreement nor a vicarious agent of the attorney.

(3) Campcruisers GmbH does not provide legal advice or legal services within the meaning of the Legal Services Act (RDG). The mediation of attorneys via the platform does not constitute a recommendation or quality guarantee.

14.2 Attorney Registration and Verification

(1) Attorneys can register on the platform via a multi-stage registration process. Registration includes providing contact details, professional qualifications, areas of expertise, and uploading verification documents (e.g., bar admission, max. 10 MB, PDF/JPEG/PNG).

(2) Registrations are reviewed by us. We reserve the right to reject registrations without stating reasons. The registration status goes through the phases: PENDING_APPROVAL → APPROVED or REJECTED.

(3) We do not guarantee the accuracy of the qualifications and admissions provided by attorneys. Verification is carried out to the best of our knowledge and belief, but does not replace independent verification by the client.

14.3 Mandate Lifecycle

(1) The typical process of a mandate mediated via the attorney marketplace includes the following phases:

  • Quote Request (QUOTE_REQUESTED): The client describes their concern and requests a quote.
  • Quote (QUOTE_SENT): The attorney creates a quote with a service description and price.
  • Payment (PAYMENT_PENDING): The client accepts the quote and makes the payment.
  • Processing (IN_REVIEW): The attorney processes the mandate.
  • Completion (COMPLETED): The mandate is completed.

(2) Other possible statuses: QUOTE_REJECTED (quote rejected), QUOTE_EXPIRED (quote expired after 7 days), CANCELLED (cancelled), DISPUTED (disputed case).

(3) In the event of a dispute (DISPUTED), we endeavor to mediate between the parties, but are not obliged to do so. The legal dispute is the responsibility of the parties to the mandate agreement.

14.4 Payment Processing via Stripe Connect

(1) Payment processing for mandate orders is handled via Stripe Connect (Stripe Payments Europe, Limited, Dublin, Ireland). Attorneys are paid via Stripe Connect Express Accounts.

(2) Campcruisers GmbH charges a platform commission on the mandate amount. The amount of the commission is transparently displayed in the dashboard and can be configured in the system settings.

(3) Payout to the attorney occurs after deduction of the platform commission and Stripe fees in accordance with the Stripe Connect terms.

(4) The Stripe Connected Account Agreement and the Stripe Terms of Service apply additionally for the use of Stripe Connect.

14.5 Video Consultation

(1) The attorney marketplace offers the possibility of video consultation between clients and attorneys. Video consultation is provided via the Twilio service (Twilio Ireland Limited, Dublin, Ireland).

(2) The costs for video consultation are determined by the attorney (per minute or flat fee) and are included in the quote.

(3) Video consultations can be recorded, provided both parties agree. The recording is stored encrypted and deleted after completion of the mandate in accordance with applicable retention periods.

14.6 Rating System

(1) Clients can rate attorneys after completion of a mandate. Ratings must be truthful and objective.

(2) We reserve the right to remove ratings that violate applicable law, are offensive, or contain obviously untrue factual claims.

(3) Attorneys have the right to respond to ratings.

14.7 Liability in the Attorney Marketplace

(1) The liability of Campcruisers GmbH in connection with the attorney marketplace is limited to the proper technical provision of the platform and the payment infrastructure.

(2) The respective attorney is solely liable for the quality, accuracy, and completeness of the legal services. The attorney's professional liability insurance is not subject to this contract.

(3) The general limitations of liability in § 9 apply additionally.

§ 15 Agency and White-Label Features

15.1 Prerequisites

The agency and white-label features are exclusively available to customers with an AGENCY, LTD_AGENCY, or ENTERPRISE plan.

15.2 Sub-Account Management

(1) Agencies can create and manage sub-accounts for their end customers. The maximum number of sub-accounts depends on the booked plan:

  • AGENCY: up to 25 sub-accounts
  • LTD_AGENCY: up to 50 sub-accounts
  • ENTERPRISE: unlimited

(2) Sub-accounts receive the AGENCY_CLIENT plan type with its own range of functions (daily scan, consent analytics, A/B testing, over 40 document types in the Legal Suite, unlimited domains).

(3) Sub-account holders are invited via email. The agency can access the dashboards of its sub-accounts via a proxy token to make configurations on behalf of the end customer.

(4) Sessions are aggregated across all sub-accounts of the agency and counted against the session limit of the agency plan. The agency is responsible for complying with the session limit.

15.3 Custom Domain (CNAME)

(1) Agencies can configure their own domain for the dashboard (e.g., app.my-agency.de instead of app.biscotti-cmp.com). This requires setting up a CNAME DNS entry.

(2) The DNS configuration is automatically verified. After successful verification, an SSL certificate is automatically provisioned and renewed via Let's Encrypt.

(3) Routing is done via Traefik. The agency is responsible for the correct DNS configuration.

15.4 Custom Transaction Emails

(1) Agencies can configure their own email provider for sending transactional emails to their end customers. Supported providers: Resend, SendGrid, Mailjet, Mailchimp/Mandrill, Maileroo, Gmail SMTP, Custom SMTP.

(2) API keys and SMTP access data are stored encrypted (AES-256-GCM).

(3) Emails are sent under the agency's branding. The agency is responsible for complying with email compliance (in particular § 7 UWG, CAN-SPAM Act).

15.5 White-Label Branding

(1) Agencies can operate the dashboard and the consent banner entirely under their own branding. This includes: own brand name, own logo, own colors, custom CSS for the banner, hiding the "Powered by Biscotti" notice and the footer.

(2) White-label branding extends to all touchpoints with the agency's end customers, including the dashboard, emails, and consent banner.

15.6 Agency Responsibility

(1) The agency remains the sole contractual partner in relation to Campcruisers GmbH and is responsible for compliance with these GTC by its sub-account holders.

(2) The agency is obliged to conclude its own contracts with its end customers (including data processing agreements in accordance with Art. 28 DSGVO), insofar as it acts as a data processor for its end customers.

(3) The agency is liable to Campcruisers GmbH for violations of these GTC by its sub-account holders.

§ 16 Newsletter

16.1 Registration and Double Opt-In

(1) The customer can subscribe to the Biscotti CMP newsletter to receive information on product updates, data protection law, compliance topics, and offers.

(2) Registration takes place via the double opt-in procedure: After entering the email address, the customer receives a confirmation email with a verification link. Only after clicking on the verification link does the registration become effective.

(3) The legal basis for sending the newsletter is the customer's consent in accordance with Art. 6 Abs. 1 lit. a DSGVO in conjunction with § 7 Abs. 2 Nr. 3 UWG.

16.2 Unsubscription

The customer can unsubscribe from the newsletter at any time. Every newsletter email contains an unsubscribe link. Unsubscription takes effect immediately.

16.3 Data Protection

Further information on the processing of personal data in connection with the newsletter can be found in our Privacy Policy.

§ 17 Review Rewards Program

17.1 Program Description

(1) As part of the Review Rewards Program, customers can receive rewards for submitting reviews on external platforms.

(2) Supported platforms: OMR Reviews, Capterra, G2, Google Business, WordPress.org, Trustpilot, SourceForge, Facebook, earlybird.so.

17.2 Reward

(1) For each verified review, the customer receives: 15,000 bonus sessions and a one-month plan upgrade to the next higher plan.

(2) The reward has a validity period of 6 months (for regular subscription plans) or is valid indefinitely (for LTD plans).

17.3 Conditions

(1) The review must be authentic and truthful. Fake or misleading reviews are prohibited and will lead to exclusion from the program.

(2) Each review is checked by us (admin approval process). We reserve the right to reject reviews that do not comply with the terms of participation.

(3) A maximum of one review per customer is eligible per platform.

(4) There is no legal entitlement to participate in the Review Rewards Program. We reserve the right to change or discontinue the program at any time.

§ 18 Team Management

18.1 Multi-User Access

(1) The account owner can invite additional users (team members) via email through the Team Management in the dashboard to access the account together.

(2) Team members receive access to the dashboard with the roles and permissions assigned by the account owner (Role-Based Access Control — RBAC).

18.2 Account Owner's Responsibility

(1) The account owner is responsible for all actions of their team members within the account.

(2) The account owner is obliged to immediately remove team members who leave the account and revoke their access.

(3) The sharing of access data between team members is prohibited. Each team member must have their own access data.

§ 19 API Access and Webhooks

19.1 API Access

(1) Customers with a BUSINESS, AGENCY, LTD_BUSINESS, LTD_AGENCY, or ENTERPRISE plan receive access to the Biscotti CMP REST API.

(2) Access is provided via API keys, which can be generated in the dashboard. API keys have the format bsc_* and are bound to the respective account.

(3) API keys must be treated confidentially and must not be passed on to unauthorized third parties. The customer is liable for all actions performed via their API key.

(4) API keys can be revoked and regenerated in the dashboard at any time.

19.2 Rate Limiting

(1) The API is subject to a rate limit of 600 requests per minute per API key.

(2) If the rate limit is exceeded, further requests will be answered with the HTTP status code 429 (Too Many Requests).

(3) We reserve the right to temporarily reduce the rate limit or block API access in case of abusive use.

19.3 Webhooks

(1) Customers can configure Webhook URLs to receive event-based notifications in real-time (e.g., for new consent decisions, scan results, or limit warnings).

(2) The customer is responsible for the availability and security of their Webhook endpoints. We assume no liability for failed Webhook deliveries due to problems on the customer's side.

(3) Webhook payloads are transmitted via HTTPS. The customer is obliged to configure HTTPS endpoints exclusively.

19.4 Responsibility and Liability

(1) The customer is responsible for the proper use of the API and compliance with the API documentation.

(2) We are not liable for damages resulting from faulty API integrations by the customer.

(3) We reserve the right to change the API specification as part of ongoing development. Significant changes will be announced with a lead time of at least 30 days.

§ 20 Automated Processing Procedures

20.1 Overview

Biscotti CMP carries out various automated background processes as part of its contractual service provision. The customer is hereby informed about these processes and agrees to their execution upon conclusion of the contract.

20.2 Cookie Scans and Website Analysis

(1) Biscotti CMP automatically scans the customer's websites at the frequency corresponding to the plan (monthly to real-time) for cookies, local storage entries, and third-party trackers. The scan is performed using Playwright (headless browser) and simulates a regular website visit.

(2) The scan results are matched with the IAB Global Vendor List (GVL) and the internal cookie resolver database and automatically categorized using AI.

20.3 Policy Audit and Legal Text Analysis

(1) Biscotti CMP can automatically retrieve (scrape) the legal texts (privacy policy, imprint) published on the customer's website and check them for completeness, topicality, and consistency using AI. The result is displayed as a Health Score (A–F) in the dashboard.

(2) By using Biscotti CMP, the customer expressly agrees that their website will be automatically retrieved and analyzed for this purpose.

20.4 Weekly Compliance Audits

Biscotti CMP conducts weekly automated compliance audits that detect new cookies since the last scan, identify consent issues, and create automatic alerts in the dashboard.

20.5 Legal Sync — Legislative Change Monitoring

(1) The Legal Sync system daily monitors (cron job at 03:00 UTC) legislative changes in over 186 jurisdictions.

(2) In the event of relevant changes, affected legal texts of the customer are automatically marked as requiring an update. In plans with an "Auto-Update" function, legal texts can be automatically regenerated.

(3) The customer is informed about relevant legislative changes via email and dashboard notification.

20.6 Session Limit Monitoring

Automatic monitoring of session limits is continuous. Upon reaching the thresholds (80%, 100%, 110%, 120%), email notifications and dashboard alerts are automatically triggered (cf. § 4.5.2).

20.7 Bot Detection

The integrated bot detection automatically analyzes every incoming session ping based on user-agent analysis, header analysis, headless browser detection, and IP-based rate limiting. Accesses identified as bots are not counted as sessions (cf. § 4.5.1).

20.8 GeoIP Detection

(1) For jurisdiction-dependent display of the consent banner, the website visitor's IP address is processed via the ip-api.com service or, alternatively, via Cloudflare/Vercel headers for country detection.

(2) The result of the GeoIP detection is cached for 1 hour per IP address. The IP address is not permanently stored after country detection.

§ 21 WordPress Plugin

21.1 License and Distribution

(1) The WordPress plugin "Biscotti CMP" is provided under the GNU General Public License v2 (GPL v2) or a later version. The source code is included in the plugin.

(2) The plugin is installed via the customer's WordPress dashboard and connects to the Biscotti CMP API via a cloud-bridge architecture.

(3) Upon activation of the plugin, a Biscotti CMP account is automatically created (if not already existing) and linked to the WordPress installation.

21.2 Scope of Functions

(1) The plugin enables the integration of the consent banner, the management of website settings, and the inclusion of generated legal texts via WordPress shortcodes:

  • [biscotti_privacy_policy] — Privacy Policy
  • [biscotti_cookie_policy] — Cookie Policy
  • [biscotti_imprint] — Imprint
  • [biscotti_dpa] — Data Processing Agreement
  • [biscotti_banner] — Consent Banner

(2) The plugin supports automatic updates via the WordPress update mechanism.

21.3 Customer's Responsibility

(1) The customer is responsible for the compatibility of the plugin with their WordPress installation (theme, other plugins).

(2) We recommend making a backup of the WordPress installation before installing or updating the plugin.

(3) The GPL v2 license allows modification of the plugin's source code. We do not provide warranty or support services for modified versions.

§ 22 Own AI Provider Keys (BYOK — Bring Your Own Key)

22.1 Function Description

(1) Customers can store their own API keys for AI providers to use the Legal Suite and other AI-powered functions with their own AI quota.

(2) Supported AI providers: Google Gemini, OpenAI, Anthropic (Claude), Ollama (Self-Hosted).

(3) The API keys are stored encrypted (AES-256-GCM) in our database.

22.2 Responsibility and Liability

(1) The customer is responsible for the costs incurred by using their own AI provider key. We have no influence on the pricing of the AI providers.

(2) The customer is responsible for complying with the terms of use of the respective AI provider.

(3) We assume no liability for the availability, quality, or data protection compliance of external AI providers. In particular, when using AI providers based outside the EU/EEA, a third-country transfer of personal data may occur, for which the customer, as the controller, bears data protection responsibility.

(4) If no own key is stored, the platform key (Google Gemini) will be used.

§ 23 Intellectual Property in Generated Content

23.1 AI-Generated Legal Texts

(1) The legal texts generated by the Legal Suite are created based on customer input and using AI models. The copyright protectability of AI-generated texts is disputed under applicable German law (§§ 2, 7 UrhG), as a personal intellectual creation may be lacking.

(2) Regardless of the copyright classification, we grant the customer an unlimited, non-exclusive right of use to the generated texts. The customer may freely use, edit, and publish the texts for their own purposes (publication on their website, use in business transactions).

(3) Passing on the generated texts to third parties for the purpose of commercial redistribution (e.g., sale as a template) is not permitted without our prior consent.

23.2 Scan Results and Consent Data

(1) The scan results generated by the cookie scanner are available to the customer for free use.

(2) The consent data (consent decisions of website visitors) are personal data for which the customer, as the controller within the meaning of the DSGVO, bears data protection responsibility.

23.3 Platform and Software

All rights to the Biscotti CMP software, including the source code, user interface, databases, algorithms, and documentation, remain with Campcruisers GmbH. The customer acquires exclusively the right of use described in § 7.1.

§ 24 External Service Providers and Sub-Processors

24.1 Overview

To provide the contractual services, we use the following external service providers:

Service ProviderContracting Party & LocationPurposeProcessing Location
StripeStripe Payments Europe, Ltd., Dublin, IrlandPayment processing, subscription managementEU/EEA
Stripe ConnectStripe Payments Europe, Ltd., Dublin, IrlandPayment processing legal marketplaceEU/EEA
ResendResend, Inc., San Francisco, USA (secured by SCCs and EU-US DPF)Transactional emails (standard provider)USA/EU
Google GeminiGoogle Ireland Limited, Dublin, IrlandAI text generation (Legal Suite)EU/EEA
Google Cloud Platform (GCP)Google Cloud EMEA Limited, Dublin, IrlandHosting, server infrastructure, databaseEU (Netherlands, europe-west4)
TwilioTwilio Ireland Limited, Dublin, IrlandVideo consultation (legal marketplace)EU/EEA
PlaywrightMicrosoft Corporation (Open Source)Website scanning (headless browser)Local on our servers
IAB EuropeIAB Europe, Brüssel, BelgienGlobal Vendor List (TCF 2.3)EU
PostgreSQLOpen Source (self-hosted)DatabaseEU (GCP Netherlands)
RedisOpen Source (self-hosted)Session tracking, cachingEU (GCP Netherlands)
ip-api.comip-api, LitauenGeoIP detection (country detection)EU
Let's EncryptInternet Security Research Group (ISRG), USASSL certificates for Custom DomainsGlobal
AWS S3 / MinIOAmazon Web Services EMEA SARL, Luxemburg / MinIO (self-hosted)Backup storage (consent logs, banner configurations)EU
Cloudflare TurnstileCloudflare Germany GmbH, München, DeutschlandBot protection, CAPTCHAGlobal

24.2 Third-Country Transfer

Insofar as service providers process personal data outside the EU/EEA (especially Resend, Let's Encrypt), we ensure that the requirements of Art. 44 et seq. DSGVO are met. This is done through:

  • Adequacy decision of the EU Commission (e.g., EU-US Data Privacy Framework),
  • Standard Contractual Clauses (SCCs) of the EU Commission,
  • supplementary technical and organizational measures (e.g., encryption).

24.3 Changes to External Service Providers

We reserve the right to change external service providers or engage new service providers if this is necessary for the provision of services and the level of data protection is not reduced. Significant changes will be communicated to the customer by email with a lead time of 30 days. The customer may object to the change within 14 days for an important data protection reason. In the event of a justified objection, the customer has an extraordinary right of termination.

§ 25 Force Majeure

(1) Neither party shall be liable for the non-fulfillment of its obligations if this is due to unforeseeable, unavoidable events beyond its control. These include, in particular, natural disasters, war, terrorism, official orders, cyberattacks on critical infrastructure, power outages, failures of telecommunication networks, as well as epidemics and pandemics.

(2) The affected party is released from the obligation to perform for the duration of the disruption and must inform the other party immediately.

(3) If the disruption lasts longer than 3 months, each party is entitled to extraordinary termination.

§ 26 Content Moderation and Digital Services Act (DSA)

Insofar as the customer uploads or publishes their own content (e.g., own logos, individual legal texts, banner texts, reviews) via our platform, we act as a hosting service provider within the meaning of Regulation (EU) 2022/2065 (Digital Services Act — DSA).

26.1 Notice and Action Mechanism (Art. 16 DSA)

Individuals or entities can report the presence of specific information that they consider to be illegal content to us via an in-app form or by email to support@biscotti-cmp.com. We undertake to generally respond to such reports within 72 hours and to review appropriate measures (e.g., blocking of content).

26.2 Appeal Mechanism and Statement of Reasons

(1) If we remove content or block access to it, we will provide the affected customer with a clear and specific statement of reasons in accordance with Art. 17 DSA.

(2) The customer has the right to appeal moderation decisions via our internal complaint management system (Art. 20 DSA).

26.3 Transparency

We publish an annual transparency report in accordance with Art. 15 DSA, provided we meet the thresholds for reporting obligations.

§ 27 Data Protection and Data Processing

27.1 Data Protection

(1) We process the customer's personal data in accordance with the DSGVO, the BDSG, and the TDDDG. Details can be found in our Privacy Policy.

(2) The customer agrees that we may send them transactional emails (e.g., invoices, notifications, limit warnings, security notices) to the email address stored in the account. These emails are necessary for the performance of the contract and are not advertising within the meaning of § 7 UWG.

27.2 Data Processing Agreement (DPA) as an Integral Part

(1) Insofar as we process personal data of the customer's website visitors on behalf of the customer within the scope of providing Biscotti CMP (e.g., IP addresses for jurisdiction detection, consent logs, cookie scan results), we act as a data processor in accordance with Art. 28 DSGVO.

(2) The Data Processing Agreement (DPA) in accordance with Art. 28 DSGVO is an integral part of these GTC. The DPA automatically becomes effective with electronic consent upon registration or upon first use of the service after the entry into force of this provision. The contract is concluded in electronic form in accordance with Art. 28 Abs. 9 DSGVO.

(3) The current version of the DPA can be viewed and downloaded at any time in the customer dashboard under "Account" as well as on our website at biscotti-cmp.com/de/avv.

(4) The consent to the DPA is logged with a timestamp and the customer's IP address and can be tracked at any time in the dashboard and in the administration area.

(5) Changes to the DPA will be communicated to the customer by email. § 30.2 of these GTC applies accordingly.

27.3 Competent Supervisory Authority

The data protection supervisory authority responsible for Campcruisers GmbH is: The State Commissioner for Data Protection and for the Right to Access Files Brandenburg, Stahnsdorfer Damm 77, 14532 Kleinmachnow.

§ 28 Dispute Resolution

28.1 EU Dispute Resolution Platform

The European Commission provides a platform for online dispute resolution (ODR), which you can find at the following link: https://ec.europa.eu/consumers/odr/.

28.2 Consumer Arbitration (§ 36 VSBG)

We are neither obliged nor willing to participate in dispute resolution proceedings before a consumer arbitration board. We prefer to clarify any concerns in direct communication with our customers via our internal support.

§ 29 Electronic Communication

(1) The customer agrees that communication within the contractual relationship will primarily take place electronically (email, dashboard notifications).

(2) The customer is obliged to keep the email address stored in the account up to date. Notifications sent to the stored email address are deemed to have been received if they are retrievable under normal circumstances.

(3) For legally relevant declarations (e.g., termination, objection to GTC changes), text form (§ 126b BGB) is sufficient, unless otherwise specified in these GTC.

§ 30 Final Provisions

30.1 Severability Clause

Should individual provisions of these GTC be or become invalid or unenforceable, this shall not affect the validity of the remaining provisions. In place of the invalid provision, the relevant statutory provisions shall apply. Between entrepreneurs, the following also applies: The parties undertake to replace the invalid provision with a valid regulation that comes closest to the economic purpose of the invalid provision.

30.2 Amendments to the GTC

(1) We reserve the right to amend these GTC if there is a valid reason. Valid reasons include, in particular:

  • Changes in the legal situation (e.g., new laws, court decisions),
  • technical development of the platform (e.g., new functions, change in system architecture),
  • changes in market conditions or business models,
  • closing of regulatory gaps.

(2) Customers will be informed of changes by email. The amended GTC will be communicated to the customer in text form and made available for inspection in the dashboard.

(3) For entrepreneurs (B2B): If the customer does not object in text form within 4 weeks after receipt of the notification of change, the changes shall be deemed accepted. The significance of silence will be specifically pointed out in the notification of change. In case of objection, both parties have an extraordinary right of termination.

(4) For consumers (B2C): Material changes to the GTC require the express consent of the consumer. Consent can be given electronically (e.g., by confirmation in the dashboard). If the consumer does not agree to the amended GTC, the previous GTC shall remain in force. In this case, we reserve the right to terminate with reasonable notice.

30.3 Written Form Clause (B2B only)

Amendments and supplements to this contract require text form (§ 126b BGB). This also applies to the waiver of this text form clause. No verbal collateral agreements exist.

30.4 Assignment

(1) We are entitled to transfer rights and obligations under this contract, in whole or in part, to third parties. The customer will be informed of this in advance.

(2) In the event of a contract transfer by a third party, the customer has an extraordinary right of termination with a notice period of 30 days from knowledge of the transfer.

(3) The customer may assign rights and obligations under this contract to third parties only with our prior consent in text form.

30.5 Contract Language and Applicable Law

(1) The contract language is German. Translations of these GTC into other languages are for informational purposes only; in case of doubt, the German version shall prevail.

(2) The law of the Federal Republic of Germany applies. The application of the UN Convention on Contracts for the International Sale of Goods (CISG) is expressly excluded.

(3) For consumers, this choice of law applies only insofar as the protection granted by mandatory provisions of the law of the state in which the consumer has their habitual residence is not withdrawn (Art. 6 Abs. 2 Rom-I-VO).

30.6 Place of Jurisdiction (B2B only)

The place of jurisdiction for all disputes arising from or in connection with this contractual relationship is Falkensee, provided that the contracting party is a merchant, a legal entity under public law, or a special fund under public law (§ 38 ZPO). For consumers, the statutory places of jurisdiction apply.

30.7 Export Control and Sanctions

(1) The customer undertakes not to use the software in violation of applicable export control and sanctions regulations, in particular the regulations of the European Union and the regulations of the US Office of Foreign Assets Control (OFAC).

(2) The customer warrants that they are not resident in a country subject to a comprehensive embargo and are not listed on a sanctions list.

30.8 Completeness

These GTC, together with the Data Processing Agreement (DPA), the Privacy Policy, and the Fair Use Policy, constitute the complete agreement between the parties regarding the use of Biscotti CMP. They supersede all previous oral or written agreements on this subject.

Appendix: Sample Withdrawal Form

(If you wish to withdraw from the contract, please fill out this form and send it back.)

To:
Campcruisers GmbH
Berliner Str. 21 B
14612 Falkensee
Deutschland
E-Mail: info@biscotti-cmp.com

I/We (*) hereby withdraw from the contract concluded by me/us (*) for the provision of the following service:

  • Biscotti CMP — Plan: _______________
  • Ordered on (*) / received on (*): _______________
  • Name of consumer(s): _______________
  • Address of consumer(s): _______________
  • Email address of the account: _______________

Date: _______________

Signature of consumer(s) (only when communicating on paper): _______________

(*) Delete as appropriate.

List of Referenced Legal Provisions

AbbreviationFull Designation
BGBGerman Civil Code
DSGVORegulation (EU) 2016/679 (General Data Protection Regulation)
BDSGFederal Data Protection Act
DDGDigital Services Act (German)
TDDDGTelecommunications-Digital Services Data Protection Act
UrhGCopyright Act
UWGAct Against Unfair Competition
UStGValue Added Tax Act
AOFiscal Code
HGBCommercial Code
GeschGehGTrade Secrets Act
RDGLegal Services Act
ProdHaftGProduct Liability Act
VSBGConsumer Dispute Resolution Act
ZPOCode of Civil Procedure
DSARegulation (EU) 2022/2065 (Digital Services Act)
EU AI ActRegulation (EU) 2024/1689 (AI Regulation)
CCPA/CPRACalifornia Consumer Privacy Act / California Privacy Rights Act
LGPDLei Geral de Proteção de Dados (Brazil)
CISGUN Sales Law (United Nations Convention on Contracts for the International Sale of Goods)
Rom-I-VORegulation (EC) No. 593/2008 (Law Applicable to Contractual Obligations)
SCCsStandard Contractual Clauses of the EU Commission (Standard Contractual Clauses)
EU-US DPFEU-US Data Privacy Framework
IAB TCFIAB Transparency & Consent Framework
GPCGlobal Privacy Control
GPL v2GNU General Public License Version 2
ZUGFeRDCentral User Guide of the Forum for Electronic Invoicing Germany

Status: April 15, 2026 — Campcruisers GmbH, Berliner Str. 21 B, 14612 Falkensee

This document is a translation of the German original. In case of any discrepancies, the German version shall prevail. The German version is the only legally binding version.
This document is a translation of the German original. In case of any discrepancies, the German version shall prevail. The German version is the only legally binding version.
Biscotti CMP

Consent Management and Legal Text Generator by Campcruisers GmbH (Falkensee). Can support your website compliance.

Product

🏢 About UsFeaturesPricingDocumentation🔍 Cookie Check📦 Downloads📚 Privacy & Consent Knowledge Base📝 Blog📖 Cookie Consent & Privacy Glossary🌍 Jurisdictions♿ WCAG 2.2 Accessible Consent Banner

Legal

ImprintPrivacy PolicyTerms of ServiceRight of WithdrawalDPACookie Policy

Contact

Contact
© 2026 Biscotti – A service of Campcruisers GmbH🍪 Change cookie settings