2.1 Performance of Contract (Article 6(1)(b))

• • Creating and maintaining your account
• • Processing transactions and payments
• • Delivering purchased services and backlink placements
• • Providing customer support and troubleshooting
• • Sending transaction confirmations and invoices

2.2 Legitimate Interests (Article 6(1)(f))

• • Improving and optimizing our services based on usage analytics
• • Detecting and preventing fraud, abuse, and unauthorized access
• • Marketplace quality assurance and seller/publisher verification
• • Understanding user behavior to enhance platform features
• • Monitoring compliance with our Terms of Service

2.3 Explicit Consent (Article 7)

• • Marketing communications and newsletters (opt-in)
• • Promotional campaigns and special offers
• • Non-essential cookie placement
• • Third-party data sharing (where applicable)

2.4 Legal Obligation (Article 6(1)(c))

• • Compliance with German tax and accounting requirements
• • Anti-money laundering (AML) and Know Your Customer (KYC) verification
• • Responding to legal requests from authorities
• • Fulfilling data retention obligations

Technical Safeguards:

• • Encryption in Transit: All data transmission secured with TLS 1.2+ encryption (HTTPS)
• • Encryption at Rest: Sensitive data encrypted with industry-standard algorithms
• • Database Security: Regular security audits and penetration testing
• • Access Control: Role-based access control (RBAC) with multi-factor authentication (MFA)

Organizational Measures:

• • Staff Training: All employees receive mandatory data protection and GDPR training
• • Data Processing Agreements: Binding DPAs with all third-party processors
• • Incident Response: 72-hour data breach notification protocol (GDPR Article 33)
• • Privacy by Design: Data minimization principles applied to all services

Infrastructure Location:

Our website and infrastructure are hosted on servers located in the United States. This means your personal data may be transferred to and processed in the US. We have implemented Standard Contractual Clauses (SCCs) and appropriate technical safeguards to ensure GDPR-compliant protection of your data during international transfer and storage.

Right of Access (Article 15)

You have the right to request access to your personal data and receive a copy in a structured, commonly used, and machine-readable format (portability). This includes information about the purposes of processing, recipients, and retention periods.

Right to Rectification (Article 16)

You have the right to request correction of inaccurate or incomplete personal data. We will update your information without undue delay and inform affected third parties where applicable.

Right to Erasure (Article 17 - "Right to Be Forgotten")

You may request deletion of your personal data under certain circumstances, including when data is no longer necessary, consent is withdrawn, or processing is unlawful. Exception: We may retain data if legally required or necessary for contract performance.

Right to Restrict Processing (Article 18)

You can request limitation of processing (rather than deletion) while we verify accuracy or legality of processing. During restriction, we only store data; we do not actively process it.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller without hindrance. We will provide this within 30 days in formats such as JSON, CSV, or XML.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests, including direct marketing. Upon receipt, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

Right to Withdraw Consent (Article 7(3))

If processing relies on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal. You can manage cookie preferences or unsubscribe from marketing communications via your account settings.

Rights Related to Automated Decision-Making (Article 22)

We do not use automated decision-making (including profiling) that significantly affects you. If we introduce such processing in the future, you will have the right to obtain human intervention, express your point of view, and challenge the decision.

Right to Lodge a Complaint

You have the right to lodge a complaint with your national data protection authority if you believe our processing violates GDPR. The competent authority for Germany is the Bundesbeauftragte für Datenschutz und Informationsfreiheit (BfDI).

Data Processors (Third Parties Acting on Our Behalf)

• • Payment Processors: Stripe, PayPal, and other PCI-compliant payment gateways (data: billing information, transaction data)
• • Email Service Providers: For transactional and marketing communications (data: email address, communication content)
• • Analytics Providers: To understand user behavior and improve services (data: device info, browsing patterns - anonymized where possible)
• • API Providers: Ahrefs, Majestic, SimilarWeb (data: website URLs for quality verification)
• • Cloud Infrastructure Providers: For data hosting and backup (data: all personal data encrypted in transit and at rest)

All processors are bound by Data Processing Agreements (DPAs) that ensure GDPR compliance and restrict their use of data to our instructions only.

Data Controllers (Independent Use)

• • Publishers: Your website URL and approval status may be visible to other marketplace participants for matching purposes
• • Legal Authorities: We may disclose data if legally required (court order, law enforcement request, regulatory compliance)

Marketing & Affiliate Partners

We share aggregated, anonymized data (not personally identifiable) with marketing partners to improve targeted campaigns. You will not be identified from this data.