Privacy Policy

Last updated: February 3, 2026

1. Controller

The controller responsible for data processing on this website is:

kidsbert GmbH Hegestieg 20 20249 Hamburg Germany

Email: hello@kidsbert.de

Authorized representatives: Anke Reincke, Dr. Philine Bieling

Commercial Register: District Court Hamburg, HRB 196015

2. Data Protection Officer

Due to the company size, the appointment of a data protection officer is not required. For data protection inquiries, please contact: hello@kidsbert.de

3. General Information on Data Processing

3.1 Scope of Processing Personal Data

We process personal data of our users only to the extent necessary for providing a functional website and our content and services. The processing of personal data of our users regularly takes place only with the user's consent. An exception applies in cases where prior consent cannot be obtained for practical reasons and the processing of data is permitted by law.

3.2 Legal Bases for Processing Personal Data

3.3 Data Deletion and Storage Duration

Personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may continue if provided for by European or national legislation (e.g., tax retention periods of 10 years).

4. Hosting and Infrastructure

4.1 Vercel (Website Hosting)

Our website is hosted by Vercel Inc.

Provider: Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA Processed Data: IP address, date and time of access, transferred data volume, referrer URL, browser type and version, operating system Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in secure and efficient hosting) Privacy Policy: https://vercel.com/legal/privacy-policy Standard Contractual Clauses: Vercel uses EU Standard Contractual Clauses for data transfers to the USA

4.2 Neon (Database)

We use the PostgreSQL database from Neon to store user data.

Provider: Neon Inc., 535 Mission St, San Francisco, CA 94105, USA Processed Data: All user data stored in the database (account data, offers, etc.) Legal Basis: Art. 6(1)(b) GDPR (contract performance) Privacy Policy: https://neon.tech/privacy-policy Data Location: EU (Frankfurt)

4.3 Amazon Web Services S3 (File Storage)

Uploaded files (images, documents) are stored on Amazon Web Services.

Provider: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg Processed Data: Uploaded files (images of offers, profile pictures) Legal Basis: Art. 6(1)(b) GDPR (contract performance) Privacy Policy: https://aws.amazon.com/privacy/ Data Location: EU (Frankfurt, eu-central-1)

5. Website Provision and Log Files

5.1 Description and Scope of Data Processing

Each time our website is accessed, our system automatically collects data and information from the accessing computer system.

The following data is collected:

• IP address of the user
• Date and time of access
• Pages accessed
• Websites from which the user's system reached our website (referrer)
• Browser type and version
• Operating system used
• Amount of data transferred

5.2 Purpose and Legal Basis

The temporary storage of the IP address by the system is necessary to deliver the website to the user's computer. Storage in log files ensures the functionality of the website and the security of our systems.

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest)

5.3 Storage Duration

Server log files are deleted after 30 days at the latest.

6. Registration and User Account

6.1 Description and Scope of Data Processing

On our platform, we offer users the opportunity to register by providing personal data.

Data collected during registration:

• Name
• Email address
• Password (stored encrypted)

Additionally for provider registration:

• Company name/provider name
• Address
• Contact details (email, phone, website)
• Provider description

Automatically collected data:

• IP address at registration
• Date and time of registration
• Consent to terms and privacy policy (timestamp)

6.2 Legal Basis

Legal Basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(b) GDPR (contract performance)

6.3 Purpose of Data Processing

Registration is required for:

• Creating and managing offers (for providers)
• Saving favorites
• Using personalized features
• Communication via the platform

6.4 Storage Duration

Data is deleted when the user account is deleted. Legal retention obligations (e.g., for billing data: 10 years) remain unaffected.

7. Offers and Content

7.1 Published Offers

Providers can publish offers on the platform with the following data:

• Title and description of the offer
• Images
• Location data (address, coordinates)
• Prices and age information
• Contact information
• Opening hours and availability

This data is publicly displayed on the platform and visible to all users.

Legal Basis: Art. 6(1)(b) GDPR (contract performance)

7.2 QR Codes and Tracking

QR codes can be generated for offers. When scanning a QR code, the following data is stored:

• Time of scan
• User agent (browser information)
• User ID (if logged in)

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in statistics)

7.3 Provider Analytics (Privacy-First)

We provide providers with anonymized statistics about their offers. The following data is collected without cookies and in a privacy-friendly manner:

Anonymous Visitors (all users):

• Page views and time spent
• Scroll depth (how far the page was scrolled)
• Device type (Mobile/Tablet/Desktop), browser and operating system
• Referrer domain (where the visitor came from)
• UTM parameters for campaign tracking
• Anonymized visitor hash (rotated daily, not traceable)

Important: No IP addresses are stored. The visitor hash is created from IP and user agent and renewed daily, making long-term tracking impossible.

Logged-in Users (optional, upon registration): When you are logged in while visiting an offer, the following additional data may be used for aggregated statistics:

• City of residence - if specified in profile
• Children's ages - if specified in profile

This data is only shared with providers in aggregated form (e.g., "30% of visitors have children aged 3-5"). Individual users are not identifiable.

Interaction Tracking: We anonymously track which actions visitors perform on offer pages:

• Clicks on contact options (phone, email, website)
• Adding/removing favorites
• Sharing offers
• Booking requests

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest of providers in statistics to improve their offers)

Right to Object: Although we do not use cookies and anonymize statistical data, the collection of this data may, under current case law, constitute the processing of personal data in certain circumstances. You therefore have the right to object to this data processing at any time. You can contact us at hello@kidsbert.de or use the corresponding option in your account settings.

7.4 Voluntary Profile Data

You can optionally provide the following additional information in your profile:

• Address (street, city, postal code, country)
• Information about your children (name, date of birth/age, gender)

This data is used for:

• Personalized offer recommendations
• Aggregated, anonymous statistics for providers

Legal Basis: Art. 6(1)(a) GDPR (consent through voluntary disclosure)

You can view, modify or delete this data at any time in your profile settings.

8. AI-Powered Features (OpenAI)

8.1 Description

We use AI services from OpenAI for:

• Assistance with form completion
• Personalized recommendations for users
• Improvement of search results

8.2 Processed Data

When using AI features, the following data is transmitted to OpenAI:

• Form inputs (as required for AI assistance)
• Search terms
• Preferences for recommendations

Provider: OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA Privacy Policy: https://openai.com/privacy/ Legal Basis: Art. 6(1)(a) GDPR (consent) or Art. 6(1)(f) GDPR (legitimate interest in improved user experience)

8.3 Data Transfer to the USA

OpenAI processes your data, among other locations, in the USA. We would like to point out that the European Court of Justice currently considers the level of data protection there to be inadequate. This may entail potential risks for the security and legal compliance of data processing.

To nevertheless ensure the protection of your information, OpenAI uses the so-called Standard Contractual Clauses pursuant to Art. 46(2) and (3) GDPR for transfers to third countries outside the European Economic Area – particularly the USA. These template clauses provided by the EU Commission (Standard Contractual Clauses – SCC) are intended to ensure that European data protection standards are maintained even when data is stored or managed in countries such as the USA.

By concluding these clauses, which are based on Commission Implementing Decision (EU) 2021/914 of June 4, 2021, OpenAI commits to maintaining the European level of protection. You can view the relevant decision and the clauses at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en.

8.4 Note

AI features are optional. For further details, please refer to OpenAI's official privacy policy at https://openai.com/policies/privacy-policy.

9. Cookies and Consent

9.1 What are Cookies?

Cookies are small text files stored in the internet browser or by the internet browser on the user's computer system.

9.2 Cookies Used

Technically necessary cookies (without consent):

Analytics cookies (only with consent):

9.3 Legal Basis

• Technically necessary cookies: Art. 6(1)(f) GDPR (legitimate interest)
• Analytics cookies: Art. 6(1)(a) GDPR (consent)

9.4 Objection and Revocation

You can change your cookie settings at any time via our cookie banner or delete cookies in your browser.

10. Google Analytics

10.1 Description

We use Google Analytics to analyze user behavior on our website. Google Analytics is only activated if you have given your consent via our cookie banner.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

10.2 Processed Data

• IP address (anonymized)
• Pages visited
• Time spent
• Device and browser information
• Approximate location (city level)

10.3 IP Anonymization

We have activated IP anonymization. Your IP address will be truncated by Google within EU member states before being transmitted to Google servers in the USA.

10.4 Legal Basis

Legal Basis: Art. 6(1)(a) GDPR (consent)

10.5 Revocation

You can revoke your consent at any time via our cookie banner.

Privacy Policy: https://policies.google.com/privacy Opt-Out: https://tools.google.com/dlpage/gaoptout

11. Email Communication

11.1 Email Sending (Amazon SES)

We use Amazon Simple Email Service (SES) for sending emails.

Provider: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg Data Location: EU

11.2 Types of Emails

We send the following emails:

Transactional emails (without separate consent):

• Registration confirmation
• Password reset
• Payment confirmations
• Offer notifications

Newsletter (only with double opt-in):

• Information about new offers and features

11.3 Newsletter and Double Opt-In

For newsletter delivery, we use the double opt-in procedure:

1. You enter your email address
2. You receive a confirmation email with a link
3. Only after clicking the confirmation link will you be added to the mailing list

We store:

• Email address
• Time of registration
• IP address at registration
• Time of confirmation
• IP address at confirmation

Legal Basis: Art. 6(1)(a) GDPR (consent)

11.4 Unsubscribe

You can unsubscribe from the newsletter at any time via:

• The unsubscribe link in every email
• Email to hello@kidsbert.de

12. Payment Processing (Stripe)

12.1 Description

We use Stripe for payment processing.

Provider: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland

12.2 Processed Data

For payments, the following data is transmitted to Stripe:

• Name
• Email address
• Payment information (credit card, SEPA, etc.)
• Billing address (if required)
• Purchase amount

12.3 Legal Basis

Legal Basis: Art. 6(1)(b) GDPR (contract performance)

Privacy Policy: https://stripe.com/privacy

13. Contact Form

13.1 Description

When you use our contact form, the following data is processed:

• Name
• Email address
• Message

13.2 Legal Basis and Purpose

The data is used exclusively to process your inquiry.

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries)

13.3 Storage Duration

Data is deleted as soon as the inquiry has been conclusively processed, unless legal retention obligations prevent this.

14. Google Maps

14.1 Description and Purpose

On this website, we use Google Maps. This allows us to display interactive maps directly on the website and enables you to conveniently use the map function to view offer locations.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Legal Basis: Art. 6(1)(a) GDPR (consent). The integration of Google Maps only occurs after your explicit consent.

14.2 Processed Data and Data Processing by Google

By visiting the website, Google receives information that you have accessed the corresponding subpage of our website. In addition, basic data such as IP address and timestamp are transmitted. This occurs regardless of whether Google provides a user account through which you are logged in or whether no user account exists.

If you are logged into Google, your data will be directly associated with your account. If you do not wish the association with your Google profile, you must log out before activating the button. Google stores your data as usage profiles and uses them for purposes of advertising, market research, and/or demand-oriented design of its website. Such an evaluation takes place in particular (even for users who are not logged in) to provide demand-oriented advertising and to inform other users of the social network about your activities on our website.

14.3 Right to Object

You have the right to object to the creation of these user profiles, whereby you must contact Google directly to exercise this right.

14.4 Data Transfer to the USA

The collected information is stored on Google servers, including in the USA. For these cases, the provider has, according to its own statements, imposed a standard on itself that corresponds to the former EU-US Privacy Shield and has committed to complying with applicable data protection laws in international data transfers. We have also concluded so-called Standard Data Protection Clauses with Google, the purpose of which is to maintain an adequate level of data protection in third countries.

14.5 Further Information

For more information about the purpose and scope of data collection and processing by Google, please refer to the provider's privacy policy. There you will also find further information about your rights and settings options to protect your privacy: https://www.google.com/intl/en/policies/privacy

15. Cloudinary (Image Conversion)

15.1 Description

We use Cloudinary for image format conversion. When you upload images in HEIC format (e.g., from iPhones) and local conversion is not possible, these images are temporarily transferred to Cloudinary, converted to JPEG format, and then automatically deleted from Cloudinary servers.

Provider: Cloudinary Ltd., 3400 Central Expressway, Suite 110, Santa Clara, CA 95051, USA

15.2 Processed Data

• Uploaded image files (temporary, deleted after conversion)
• IP address (through server call)

15.3 Legal Basis

Legal Basis: Art. 6(1)(b) GDPR (contract performance - enabling image uploads)

15.4 Data Transfer

Cloudinary processes data in the USA. The transfer is based on EU Standard Contractual Clauses (SCCs).

Privacy Policy: https://cloudinary.com/privacy

16. Data Processors

We use the following data processors:

The data processors used provide Data Processing Agreements (DPAs) that are intended to comply with the requirements of Art. 28 GDPR.

17. Data Transfer to Third Countries

Some of our service providers are located outside the EU/EEA (particularly the USA). Data transfer is based on:

• EU Standard Contractual Clauses (Art. 46(2)(c) GDPR)
• EU Commission adequacy decision (where available)

18. Rights of the Data Subject

You have the following rights regarding your personal data:

18.1 Right of Access (Art. 15 GDPR)

You can request information about your personal data stored by us.

18.2 Right to Rectification (Art. 16 GDPR)

You have the right to have incorrect data corrected.

18.3 Right to Erasure (Art. 17 GDPR)

You can request the deletion of your data, provided no legal retention obligations prevent this.

18.4 Right to Restriction of Processing (Art. 18 GDPR)

Under certain conditions, you can request the restriction of processing of your data.

18.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your data in a structured, commonly used, and machine-readable format.

18.6 Right to Object (Art. 21 GDPR)

You can object to the processing of your data at any time if the processing is based on Art. 6(1)(f) GDPR.

18.7 Right to Withdraw Consent (Art. 7(3) GDPR)

You can withdraw consent given at any time with effect for the future.

18.8 Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority.

Competent Supervisory Authority: The Hamburg Commissioner for Data Protection and Freedom of Information Ludwig-Erhard-Str. 22, 7th floor 20459 Hamburg https://datenschutz-hamburg.de

19. Data Security

We use SSL/TLS encryption for all data transfers. All passwords are stored encrypted. We employ appropriate technical and organizational measures to protect your data from unauthorized access.

20. Updates and Changes to this Privacy Policy

This privacy policy is currently valid (as of February 3, 2026).

Due to the further development of our website and offerings or due to changed legal requirements, it may become necessary to change this privacy policy. The current privacy policy can be accessed at any time at https://kidsbert.de/en/legal/privacy-policy.

---

Contact for Data Protection Inquiries: kidsbert GmbH Email: hello@kidsbert.de