
Privacy Policy

Last updated: 7 June 2026

This Privacy Policy informs you about the processing of your personal data when using Empcora. We attach the greatest importance to the protection of your data and strictly adhere to the requirements of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the Telecommunications Digital Services Data Protection Act (TDDDG).

Scope

This Privacy Policy applies to all domains within the Empcora brand family:

  • empcora.de
  • empcora.com
  • empcora.eu
  • empco-pruefung.de
  • empco-konform.de
  • greenwashing-check.de
  • greenwashing-pruefen.de
  • greenclaim-guard.de

All spoke domains are operated by the same controller (see Section 1) and redirect to the main domain empcora.de. The following information pursuant to Art. 13 GDPR applies equally to each of these domains.

1. Controller

The controller within the meaning of Art. 4 No. 7 GDPR is:

Marcel Schlüter IT-Services
Empcora
Kollwitzstraße 76
10435 Berlin
Deutschland
E-mail: [email protected]

1a. Data Protection Officer

As a sole trader, we are not required to appoint a Data Protection Officer under § 38 BDSG. For any data protection concerns, please contact the controller directly at the address above.

2. Purposes of Processing

We process your personal data for the following purposes:

  • Provision of the SaaS service: registration, authentication, management of account and organisation, carrying out compliance scans
  • Payment processing: billing for paid plans via Stripe
  • AI-assisted analysis: reformulation of advertising claims using the Claude API (Anthropic)
  • E-mail communication: confirmations, scan results, password reset, invoices, support
  • Processing contact enquiries: responding to your enquiries submitted via the contact form or by e-mail
  • Logging and security: abuse prevention, error diagnosis, protection against attacks
  • Fulfilment of legal obligations: retention of invoices pursuant to § 147 AO (10 years)

3. Legal Bases

The processing of your personal data is carried out on the following legal bases:

  • Art. 6(1)(b) GDPR (performance of a contract and pre-contractual measures): provision of the SaaS service, payment processing, AI analysis as a contractually agreed service, e-mail dispatch for contractual purposes, handling of contact enquiries with a pre-contractual connection
  • Art. 6(1)(c) GDPR (legal obligation): retention of tax-relevant documents pursuant to § 147 AO and § 14b UStG
  • Art. 6(1)(f) GDPR (legitimate interests): logging for abuse prevention and IT security, crawler requests for the provision of the scanning service, handling of general contact enquiries without a pre-contractual connection
  • Art. 6(1)(a) GDPR (consent): voluntary newsletter sign-ups (where offered), optional marketing communications
  • § 25(2) No. 2 TDDDG (strictly technically necessary): storage of and access to information on the user's terminal device in the context of technically necessary cookies (authentication, bot protection, security checks) — see Section 8

4. Categories of Data

We process the following categories of personal data:

  • Master data: name, e-mail address, company name, and where applicable postal address for paid plans
  • Login and authentication data: bcrypt hash of the password (cost factor 12), JWT authentication token, session cookie
  • Usage data: scanned domains and URLs, identified claims, scan results, compliance score, AI reformulations
  • Communication data: contents of the contact form (name, e-mail, subject, message, optional telephone number), support correspondence
  • Payment data: Stripe customer ID, Stripe subscription ID, invoice number, invoice amount, payment status. Credit card or SEPA data is processed exclusively by Stripe and is not accessible to us.
  • Third-party scan data: publicly accessible content of the website you have specified (meta tags, texts, advertising claims). Scanned websites may incidentally contain personal data of third parties (e.g. employee names on team pages, imprint data). The complete raw HTML of the scanned pages is discarded immediately after the analysis is complete and is not stored permanently. Only the identified advertising claims ("claims"), their assessment and a reference to the source URL are stored persistently — these records are retained for 24 months from the date of the scan for reproducibility and comparison scans, and are then automatically deleted. No enrichment with additional third-party data takes place.
  • Log file data: IP address, timestamp, user agent, referrer, requested URL, HTTP status code

5. Retention Periods

We store your data only for as long as necessary for the respective purposes or as required by law:

  • Account and master data: until deletion of your account, followed by anonymisation or deletion within 30 days
  • Scan results: 24 months from the date of the scan, followed by automatic deletion
  • Invoices and tax-relevant documents: 10 years pursuant to § 147 AO and § 14b UStG
  • Log files: 30 days for abuse prevention, then automatic deletion
  • Contact enquiries: until your enquiry has been fully resolved, then deleted unless statutory retention obligations apply
  • Authentication cookie: role-dependent — 24 hours from login for regular users (roles user, support), 7 days for administrators (role admin). The associated refresh token expires in any case after 7 days. On logout, both cookies are deleted immediately.
  • Cloudflare security cookies: __cf_bm 30 minutes, _cfuvid session, cf_clearance up to 30 days (see Section 8b)

6. Data Processors and Recipients

We use carefully selected data processors with whom we have concluded data processing agreements pursuant to Art. 28 GDPR. The following service providers process personal data on our behalf:

  • Stripe Payments Europe Ltd. (contracting party) and Stripe Inc. (US parent, exclusively in narrowly defined cases such as anti-money laundering, regulatory enquiries) · Location: Dublin, Ireland (EU servers) / San Francisco, USA · Purpose: payment processing; DPA pursuant to Art. 28 GDPR concluded, EU Standard Contractual Clauses (SCCs) for transfers to Stripe Inc.; PCI-DSS certified
  • Hetzner Online GmbH · Location: Gunzenhausen, Germany · Purpose: server hosting, database hosting (PostgreSQL and Redis locally); DPA concluded
  • Anthropic PBC · Location: San Francisco, USA · Purpose: AI reformulations via Claude API; only the claim text and a brief context are transmitted, no account or contact data (see Section 14); DPA and SCCs concluded, "disable training" flag active
  • Cloudflare Inc. · Location: San Francisco, USA · Purpose: DNS, CDN, DDoS protection, WAF; DPA and SCCs concluded
  • Own e-mail server · Location: Hetzner data centre, Germany · Purpose: sending of transactional e-mails (confirmations, scan results, invoices, support correspondence). Operated on our own infrastructure; no additional data processor, no third-party disclosure.

Databases (PostgreSQL, Redis) are operated exclusively on our servers at Hetzner in Germany. No transfer to third parties not listed here takes place.

6a. Data Processing as a Processor

To the extent that you as a user have domains scanned whose content includes personal data of third parties (e.g. managing directors' names in the imprint, employee names on team pages, contact details), we become a data processor within the meaning of Art. 28 GDPR and you are the controller. In this processing we use the following sub-processors, some of which are based in the USA (third-country transfer on the basis of EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR): Anthropic PBC (USA, AI reformulation), Cloudflare Inc. (USA, CDN/WAF) and Hetzner Online GmbH (Germany, hosting). Your obligations as controller under Art. 28(2) and Art. 44 et seq. GDPR remain unaffected. A corresponding data processing agreement (DPA) including a sub-processor list is available on request — please contact us via our contact form.

7. Third-Country Transfers

Your personal data is only transferred to third countries outside the EEA to the extent necessary for the provision of our services. In concrete terms, a third-country transfer to the USA takes place in the following cases:

  • Anthropic PBC (USA): Transmission of claim texts to the Claude API for AI-assisted reformulation. Only the advertising claim and a brief context are transmitted, no master or contact data; an incidental personal reference within the claim text itself cannot be entirely excluded (see Section 14). Processing takes place with the "disable training" flag activated, so your data is not used for training the models.
  • Cloudflare Inc. (USA): Routing of web requests, DNS resolution, protection against attacks.
  • Stripe Inc. (USA), the parent company of Stripe Payments Europe Ltd.: During payment processing, a technical data transfer to the US parent company may occur in narrowly defined cases (anti-money laundering, regulatory enquiries; see Section 6).

Each transfer is carried out on the basis of the EU Commission's Standard Contractual Clauses (SCCs pursuant to Art. 46(2)(c) GDPR) and supplementary technical and organisational measures. A copy of the respective SCCs will be provided on request.

7a. Transfer Impact Assessment (TIA)

In light of the Schrems II ruling of the CJEU (C-311/18), we have carried out a Transfer Impact Assessment (TIA) for each US third-country transfer and reach the following conclusion:

  • Anthropic PBC: Only advertising texts (e.g. "produced climate-neutrally") and a brief context are transmitted to the API, without any account or contact data; an incidental personal reference within a claim text cannot be entirely excluded (see Section 14). Anthropic publishes government request transparency reports. The "disable training" flag prevents the use of the data for model training. The risk from US government access (FISA 702) is minimised by the absence of master and contact data in the transmitted texts.
  • Cloudflare Inc.: Cloudflare operates EU data centres and offers the "Data Localisation Suite", which keeps IP addresses and connection data primarily within the EU. A transient US transit may occur for backbone routing. SCCs are concluded.
  • Stripe Payments Europe Ltd.: The contracting party is the Irish Stripe subsidiary with EU servers. A transfer to the US parent Stripe Inc. occurs only in narrowly defined cases (anti-money laundering, government enquiries). Stripe is PCI-DSS certified; cardholder data is not stored by us.

The full TIA documentation is available on written request.

8. Cookies

We use exclusively technically necessary cookies. They are strictly required for the operation of login, the payment process and protection against automated attacks (§ 25(2) No. 2 TDDDG).

8a. Own Cookies

  • empcora_token · Domain: empcora.de · Lifetime: 24 hours for regular users (roles user, support), 7 days for administrators · HttpOnly, SameSite=Lax · Purpose: authentication of logged-in users by means of a signed JSON Web Token (JWT). Content: exclusively the user ID (no plain-text personal reference, no e-mail, no name). In addition, there is an empcora_refresh cookie with a 7-day lifetime for silent session renewal without re-entering a password.
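The following is an added illustration of how the cookie pair described above can be issued and checked; it is example code written for this page, not Empcora's own implementation. The page states only the cookie names, the role-dependent lifetimes, HttpOnly, SameSite=Lax and that the JWT payload holds only the user ID. Everything else is an assumption made for the example: HS256 with a server-side secret, the claim names "sub", "exp" and "typ", Path=/, and the Secure attribute (added so the cookies travel only over the TLS connection from Section 19).

```python
"""Added example, not Empcora's own code: issuing and verifying the
empcora_token / empcora_refresh cookie pair from Section 8a.
Assumptions not stated on the page: HS256 with a server-side secret,
the claim names "sub", "exp", "typ", Path=/ and the Secure attribute."""
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional

SECRET = b"example-signing-key-not-from-the-page"  # assumed; load from a secret store in practice
ACCESS_LIFETIME = {"user": 24 * 3600, "support": 24 * 3600, "admin": 7 * 24 * 3600}
REFRESH_LIFETIME = 7 * 24 * 3600
COOKIE_ATTRS = "Domain=empcora.de; Path=/; HttpOnly; Secure; SameSite=Lax"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: Dict, key: bytes = SECRET) -> str:
    # Compact JWS serialisation: header.payload.signature, base64url without padding.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_jwt(token: str, now: int, key: bytes = SECRET, expect_refresh: bool = False) -> Optional[Dict]:
    """Returns the payload if the token is a valid, unexpired HS256 token of the
    expected kind (access or refresh); otherwise None. Fails closed on any parse error."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # never trust the token's own alg choice ("none", RS256)
            return None
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        payload = json.loads(b64url_decode(body_b64))
        if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
            return None
        # A refresh token must not be accepted where an access token is expected, and vice versa.
        if (payload.get("typ") == "refresh") != expect_refresh:
            return None
        return payload
    except (ValueError, AttributeError, TypeError):
        return None


def login_cookies(user_id: int, role: str, now: int) -> List[str]:
    """Set-Cookie header values for a successful login. An unknown role raises
    KeyError: fail closed rather than defaulting to the longer admin lifetime."""
    ttl = ACCESS_LIFETIME[role]
    access = sign_jwt({"sub": user_id, "exp": now + ttl})  # payload carries the user ID only
    refresh = sign_jwt({"sub": user_id, "typ": "refresh", "exp": now + REFRESH_LIFETIME})
    return [
        f"empcora_token={access}; Max-Age={ttl}; {COOKIE_ATTRS}",
        f"empcora_refresh={refresh}; Max-Age={REFRESH_LIFETIME}; {COOKIE_ATTRS}",
    ]


def logout_cookies() -> List[str]:
    # Max-Age=0 with the same attributes deletes both cookies immediately (Section 5).
    return [f"empcora_token=; Max-Age=0; {COOKIE_ATTRS}", f"empcora_refresh=; Max-Age=0; {COOKIE_ATTRS}"]
```

The lifetime is decided at issuance from the role, so the role itself never needs to appear in the token and the payload stays limited to the user ID as the policy states. The "typ" claim on the refresh token is the one addition beyond the page: without it, a stolen refresh cookie could be presented in place of the access cookie for its full 7-day life.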

8b. Cookies by Cloudflare (Security/Bot Protection)

Cloudflare protects our infrastructure against automated attacks (DDoS, bots, scraping). For this purpose, the following cookies may be set on the domain; all are classified as "strictly necessary":

  • __cf_bm · Cloudflare · Lifetime: 30 minutes · Purpose: bot management, distinguishing between human and automated requests. Sets an anonymous bot score, no personal reference.
  • cf_clearance · Cloudflare · Lifetime: up to 30 days · Purpose: stores the result of a completed security check (e.g. CAPTCHA for suspicious traffic) so that the user does not have to pass the check again on every page load. Set only when a security check is activated.
  • _cfuvid · Cloudflare · Lifetime: session · Purpose: binding to rate-limit rules, prevents circumvention of protection by changing cookies. No advertising or tracking purpose.

The legal basis for these cookies is § 25(2) No. 2 TDDDG (strictly necessary for the digital service requested by the user) in conjunction with Art. 6(1)(f) GDPR (legitimate interest in protection against attacks).

8c. Cookies During the Payment Process (Stripe)

Note on Stripe cookies: When transitioning to the Stripe Checkout page (payment process), Stripe sets its own cookies on checkout.stripe.com for fraud prevention and session management. These cookies are technically required for payment processing. Stripe's privacy notices can be found at: stripe.com/de/privacy.

No tracking, analytics or marketing cookies are set on our pages; the cookie-free reach measurement described in Section 8d sets none either. A consent banner is therefore not required (§ 25(2) No. 2 TDDDG).

8d. Reach Measurement with Umami (self-hosted, cookie-free)

For the statistical analysis of website usage, we use the open-source software Umami, operated entirely on our own infrastructure in Germany (Hetzner Online GmbH). No data is transmitted to third parties.

Umami operates without cookies: no cookies are set and no information is stored in or read from the user's terminal device. Consequently, no consent is required under § 25 TDDDG.

Only aggregated, non-identifying data is collected: pages visited (path), referrer domain, approximate country of origin, browser and device type, date and time. The IP address is processed transiently and not stored permanently. Any visitor identifier is derived server-side from the IP address and browser fingerprint, hashed, and rotated daily — there is no persistent or cross-device tracking.

Legal basis: legitimate interest in privacy-friendly, anonymous reach measurement (Art. 6(1)(f) GDPR).

Browser Do Not Track signals are respected; if DNT is enabled, no measurement takes place.

9. Log Files

The following data is recorded in log files each time our website is accessed:

  • IP address
  • Date and time of the request
  • User agent (browser, operating system)
  • Referrer URL
  • Requested URL and HTTP status code

The legal basis is Art. 6(1)(f) GDPR; our legitimate interest lies in abuse prevention, error diagnosis and IT security. Logs are automatically deleted after 30 days.

10. Crawler Data

When you enter a URL for a compliance check, our crawler retrieves the publicly accessible website and analyses its content (meta tags, texts, advertising claims). In doing so, we observe the following principles:

  • We crawl only publicly accessible areas of the domain you have specified
  • We respect robots.txt and crawl delays
  • We do not circumvent authentication or paywalls
  • As a user, you warrant that you are authorised to crawl the specified domain (ownership, mandate or similar)
  • Scanned pages may incidentally contain personal data of third parties (mandatory imprint information, managing directors'/proprietors' names, team/employee profiles, contact details). This data is processed exclusively for the purpose of carrying out the scan you have commissioned, is not enriched and — insofar as it constitutes raw HTML — is discarded immediately after the analysis is complete. Identified claims are stored for 24 months (Section 5). The data protection responsibility towards the affected third parties lies with you as the user (controller) pursuant to Art. 4 No. 7 GDPR; we act as a data processor in this regard (see Section 6a).

11. Contact Form

When you use our contact form, we process the data you have entered (name, e-mail, subject, message, optional telephone number) in order to respond to your enquiry. The legal basis is Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in handling your enquiry).

To protect against spam bots, we use a honeypot field and IP-based rate limiting (max. 3 requests per hour per IP). Your enquiries are stored until they have been fully resolved and are then deleted, unless statutory retention obligations apply.
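As an added illustration of the two spam defences named above (example code written for this page, not Empcora's contact-form implementation): a honeypot check combined with a sliding-window limit of 3 requests per hour per IP. The page states only the limit and that a honeypot field exists; the field name "website", the in-memory store and the sliding-window algorithm are assumptions made for the example.

```python
"""Added example, not Empcora's own code: honeypot field plus IP-based
rate limiting (max. 3 requests per hour per IP) for a contact form, as
described in Section 11. The field name "website", the in-memory store
and the sliding-window algorithm are assumptions for this example."""
from collections import defaultdict, deque
from typing import Deque, Dict

HONEYPOT_FIELD = "website"   # assumed name; hidden from humans via CSS, form-filling bots populate it
MAX_PER_WINDOW = 3
WINDOW_SECONDS = 3600


class ContactFormGuard:
    def __init__(self) -> None:
        # ip -> timestamps (seconds) of accepted submissions inside the current window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, ip: str, now: float) -> None:
        # Drop timestamps that have aged out of the sliding window.
        window = self._hits[ip]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()

    def check(self, form: Dict[str, str], ip: str, now: float) -> str:
        """Returns "ok", "honeypot" or "rate_limited".

        The honeypot is evaluated first and does not consume a slot, so bot
        traffic cannot exhaust the quota of a real visitor behind the same
        NAT address. Callers should answer "honeypot" with the normal
        success page so the bot learns nothing from the response.
        """
        if form.get(HONEYPOT_FIELD, "").strip():
            return "honeypot"
        self._prune(ip, now)
        window = self._hits[ip]
        if len(window) >= MAX_PER_WINDOW:
            return "rate_limited"
        window.append(now)
        return "ok"
```

The sliding window is stricter than a fixed hourly bucket: a sender who submits three messages at 59 minutes past the hour cannot immediately send three more at the top of the next hour. With several application instances the per-IP deque would live in the shared Redis named in Section 15 rather than in process memory; the logic is unchanged.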

12. Newsletter

We send a newsletter approximately once a month with EmpCo updates, BGH/OLG rulings and compliance notices. Sending takes place exclusively following express consent via the double opt-in procedure (confirmation of registration via a link in a separate confirmation e-mail).

  • Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with § 7(2) No. 3 UWG.
  • Data processed: e-mail address, confirmation status (pending / active / unsubscribed), DOI token (valid for 24 h), permanent unsubscribe token, sign-up source, IP hash (SHA-256 truncated, for spam protection, not reversible to the IP), user agent (max. 200 characters), timestamp.
  • Purpose: sending the newsletter; proof of consent (Art. 7(1) GDPR); spam/abuse protection.
  • Retention period: Active subscriptions for as long as the subscription exists (until unsubscription). After unsubscription, the status "unsubscribed" with timestamp is stored for at least 12 months as proof of the exercise of the right of withdrawal; thereafter anonymisation or deletion occurs. Unconfirmed DOI requests are automatically discarded after token expiry (24 h).
  • Withdrawal (Art. 7(3) GDPR): You may withdraw your consent at any time and without giving reasons — either via the personal unsubscribe link contained in every newsletter e-mail, or by e-mail to [email protected]. The withdrawal takes effect immediately; e-mails already sent are not affected.
  • Sending service: Sending takes place via our own mail server (Mailcow, hosted in Germany). No transmission to third parties or to third countries.
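The two hashing schemes this policy relies on, the daily-rotating visitor identifier of Section 8d and the truncated IP hash for newsletter spam protection in Section 12, are shown below as an added example; this is code written for this page, not Empcora's or Umami's own implementation. One caveat a practitioner will want: truncated SHA-256 over an IPv4 address is only irreversible if it is keyed, because the whole IPv4 space is just 2^32 candidates and can be enumerated in seconds. The example therefore uses HMAC-SHA-256 with a server-side secret and demonstrates the enumeration attack against the unkeyed variant. The key, the truncation lengths (32 and 16 hex characters) and the field separator are assumptions not stated on the page.

```python
"""Added example, not Empcora's or Umami's own code: a daily-rotating
visitor identifier (Section 8d) and a truncated IP hash for newsletter
spam protection (Section 12). Assumptions not stated on the page: the
HMAC-SHA-256 construction with a server-side secret, the truncation
lengths and the NUL field separator."""
import hashlib
import hmac
from typing import Optional

SERVER_KEY = b"example-secret-key-not-from-the-page"  # assumed; keep out of the database, rotate periodically


def visitor_id(ip: str, user_agent: str, day: str, key: bytes = SERVER_KEY) -> str:
    """Section 8d style identifier: keyed hash over (calendar day, IP, user agent).
    The ISO date acts as a daily salt, so the same visitor yields a different
    identifier tomorrow and visits cannot be linked across days."""
    msg = b"\x00".join([day.encode(), ip.encode(), user_agent.encode()])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def ip_hash(ip: str, key: bytes = SERVER_KEY) -> str:
    """Section 12 style hash: stable (no daily salt) so repeat sign-ups from one
    IP can be counted, keyed so the stored value alone does not reveal the IP."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def unkeyed_ip_hash(ip: str) -> str:
    # The weak variant: plain truncated SHA-256 with no key. Present only to
    # demonstrate the enumeration attack below; do not use as "anonymisation".
    return hashlib.sha256(ip.encode()).hexdigest()[:16]


def recover_ipv4_unkeyed(target: str, prefix: str = "192.0.2.") -> Optional[str]:
    """Why the key matters: IPv4 has only 2^32 addresses, so an unkeyed hash is
    reversed by trying them all. This searches a single /24 (256 candidates);
    the full space takes seconds on commodity hardware. Against a keyed hash
    the search finds nothing because the attacker lacks the key."""
    for last in range(256):
        candidate = f"{prefix}{last}"
        if unkeyed_ip_hash(candidate) == target:
            return candidate
    return None
```

The difference between the two functions is deliberate: the visitor identifier includes the day so that it rotates, while the sign-up hash omits it so that repeated sign-ups from one address remain countable for the retention period stated above. Both stay unlinkable to the IP only as long as the key stays secret; if the key is ever stored alongside the hashes, the "not reversible" property is lost.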

13. Payment Processing via Stripe

For the processing of paid plans, we use the payment service provider Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. Stripe is a PCI-DSS certified payment service provider.

During payment, your payment details (credit card number, IBAN etc.) are transmitted directly to Stripe and processed exclusively there. We have no access to your card details or IBAN. We store only the Stripe customer ID, subscription ID, invoice number and payment status assigned by Stripe.

The legal basis is Art. 6(1)(b) GDPR (performance of a contract). Stripe's privacy policy can be found at: https://stripe.com/de/privacy

14. AI Analysis via Anthropic Claude API

For the AI-assisted reformulation of problematic advertising claims, we use the Claude API of Anthropic PBC, San Francisco, USA. Only the following are transmitted:

  • the advertising text to be reformulated (e.g. "climate-neutral", "sustainable")
  • the context of the advertising claim (e.g. industry, page type)

We do not actively transmit master or contact data (no e-mail, no account ID, no IP address, no name). To the extent that an advertising text may contain the proper name of a natural person (e.g. a proprietor's or managing director's name in a slogan), an indirect personal reference within the meaning of Art. 4 No. 1 GDPR cannot be entirely excluded; in such cases, the transmission is carried out on the basis of the DPA pursuant to Art. 28 GDPR and the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). The "disable training" flag is activated so that your texts are not used for training the Claude models. To the extent that you as a user scan advertising texts of third parties, Empcora acts as a data processor (see Section 6a) and Anthropic as a sub-processor.

Anthropic's privacy policy: https://www.anthropic.com/legal/privacy

No automated individual decision-making (Art. 22 GDPR): Neither the algorithmic compliance assessment (traffic-light status RED/YELLOW/GREEN, score A to F, compliance badge) nor the AI-assisted reformulation constitutes automated decision-making in individual cases within the meaning of Art. 22(1) GDPR.

Reasoning: (i) The assessments have no legal effect on the user or third parties — they are technical indications based on publicly available legal sources. (ii) A score or reformulation does not give rise to any automatic sanctions, restrictions or other similarly significant impairments; in particular, the compliance badge does not produce any external effect with legal binding force. (iii) The final decision on the use of an advertising claim or a reformulation suggestion lies exclusively with the user; human review — ideally by a qualified lawyer — remains necessary.

In this regard, we also refer to the RDG notice in § 1(5) of the Terms and Conditions and to the clarification regarding the nature of tool results in § 10 of the Terms and Conditions (compliance assessment: nature, limitations and disclaimer of liability).

Right to involve a person: Should you nevertheless perceive an assessment as a similarly significant impairment, you may contact [email protected] at any time. We will review your case manually and inform you of the result in writing (Art. 22(3) GDPR).

14a. Audit Report PDF

Upon completion of a paid scan, we generate an audit report in PDF format that is made available for download via the account dashboard and, on request, sent by e-mail to the address stored in your account. The report contains the scanned URL, the identified advertising claims with their assessment, AI reformulation suggestions, and in the footer a creation timestamp and the scan ID for reference. No transmission to third parties takes place; the PDF file is stored together with the scan record for 24 months and then automatically deleted (see Section 5). The legal basis is Art. 6(1)(b) GDPR (performance of a contract).

14b. Greenwashing Check Widget (Embed)

We provide an embeddable mini widget ("Greenwashing Check Widget") that can be embedded by third-party sites via <iframe> using the URL https://empcora.de/embed/widget. When you use this widget, the following privacy notices apply:

  • Controller: Marcel Schlüter IT-Services (Empcora), Kollwitzstraße 76, 10435 Berlin (see Section 1).
  • Data collected: the URL you enter into the widget and your IP address, which is technically transmitted when the widget is loaded and when a scan is triggered. Communication runs via our tRPC API on empcora.de.
  • Purpose: carrying out the greenwashing scan for the URL you have entered and applying an IP-based rate limit to protect against automated abuse (denial-of-service protection).
  • Legal basis: Art. 6(1)(b) GDPR (performance of a contract / provision of the scan service requested by the user) and Art. 6(1)(f) GDPR (legitimate interest in protecting our infrastructure against DoS/abuse attacks).
  • Retention period: The IP address is retained in a volatile cache for a maximum of 24 hours for rate-limiting purposes and is then automatically discarded. Scan data (entered URL, identified claims, assessment) is stored in accordance with the rules in Section 5 of this Privacy Policy ("scan results", 24 months).
  • Third-country transfer: No third-country transfer in connection with the widget use itself. Processing takes place on our servers at Hetzner in Germany; Cloudflare may be used for connectivity as described in Section 16. To the extent that the Claude API from Anthropic is used for AI-assisted claim reformulation, the notices in Section 7 and Section 14 also apply.
  • Recipients: No disclosure to third parties beyond the data processors listed in Section 6.
  • Right to object and right of access: You may object to the processing of your data at any time and exercise your data subject rights (access, erasure, restriction etc., see Section 17) — please contact [email protected].

Note on embedded widgets on third-party sites: When the widget is embedded on a third party's website, the privacy policy of the respective third-party site operator also applies. The third-party site operator is an independent controller for the data processing on their site (Art. 4 No. 7 GDPR) and is required to inform their users accordingly.

15. Hosting with Hetzner

Our servers, database (PostgreSQL) and cache (Redis) are hosted with Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany. The servers are located exclusively in German data centres. A data processing agreement pursuant to Art. 28 GDPR has been concluded with Hetzner.

16. Cloudflare (DNS, CDN, DDoS Protection)

We use Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA for DNS resolution, content delivery, DDoS protection and a web application firewall. Cloudflare processes the IP address and connection data on every access to our website in order to ensure availability and defend against attacks.

The legal basis is Art. 6(1)(f) GDPR; our legitimate interest lies in protection against abuse and ensuring availability. A DPA and EU Standard Contractual Clauses have been concluded with Cloudflare. Cloudflare's privacy policy: https://www.cloudflare.com/de-de/privacypolicy/

17. Your Rights as a Data Subject

You have the following rights regarding the personal data concerning you:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure ("right to be forgotten", Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7(3) GDPR) — withdrawal has effect only for the future
  • Right not to be subject to a decision based solely on automated processing (Art. 22 GDPR)
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR) — see Section 18 for the competent authority

To exercise your rights, please contact [email protected].

17a. Data Export (Art. 20 GDPR)

You have the right to receive the data you have provided to us in a structured, commonly used and machine-readable format. We provide the export as JSON or CSV and will send it on request within seven business days free of charge by e-mail or via the account dashboard. The export covers account master data, domains, scan results, claims, uploaded evidence and PDF reports. The request may be submitted informally to [email protected].

18. Right to Lodge a Complaint with a Supervisory Authority

Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority if you consider that the processing of your data infringes the GDPR. The competent authority is the supervisory authority of the federal state in which the controller is resident:

Die Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61
10555 Berlin
Telephone: +49 30 13889-0
E-mail: [email protected]
Web: www.datenschutz-berlin.de

Note: The competent supervisory authority is determined by the location of the controller (10435 Berlin). Notwithstanding this, you may also contact the supervisory authority of the Member State of your habitual residence or place of work (Art. 77(1) GDPR).

A list of all German supervisory authorities can be found at: Addresses of the State Data Protection Authorities

19. SSL/TLS Encryption

This website uses TLS encryption (the successor to SSL) to protect your data and to ensure the secure transmission of confidential content (e.g. enquiries, login credentials, payment information). You can recognise an encrypted connection by the "https://" prefix in the address bar of your browser.

20. Currency and Amendments to this Privacy Policy

This Privacy Policy is currently valid and dated 15 May 2026. We reserve the right to amend this Privacy Policy in order to keep it in line with current legal requirements or changes to our services. The current version is available at /en/datenschutz.