Privacy Policy
Last updated June 2026
This English version is provided for your convenience only. In case of any discrepancy, the German version is the sole legally binding text.
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and the German Telecommunications-Telemedia Data Protection Act (TTDSG) is:
Nextras
Owner: Felix Huber
Lebrechtstraße 29
64846 Groß-Zimmern
Germany
Email: legal@nextras.de
Phone: +49 152 3354 8109
A statutory data protection officer is not required. For data protection inquiries, please contact the email address above directly.
2. General Information on Data Processing
As a matter of principle, Nextras processes personal data only to the technically necessary extent or insofar as you have given us your consent. This privacy policy applies to the website nextras.de and — in a separate section — to the mobile and desktop apps of Nextras.
Where personal data is transferred to countries outside the European Economic Area (EEA) (third-country transfer), we ensure an adequate level of data protection through appropriate safeguards pursuant to Art. 46 GDPR (EU Commission Standard Contractual Clauses, “SCC”). Where applicable, we additionally rely on the adequacy decision EU-U.S. Data Privacy Framework (DPF) of 10 July 2023.
3. Hosting: Vercel
This website is hosted by Vercel Inc., 340 Pine Street, Suite 701, San Francisco, CA 94104, USA (“Vercel”). When the website is accessed, log data is automatically processed on the server side, in particular:
IP address (anonymised), accessed URL, date and time of access, volume of data transferred, HTTP status code, browser type and version, operating system, referrer URL.
This data is technically necessary to provide the website and is deleted or anonymised after a short time. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the trouble-free operation of the website).
Vercel is certified under the EU-U.S. Data Privacy Framework; a data processing agreement pursuant to Art. 28 GDPR is in place with Vercel. Further information: vercel.com/legal/privacy-policy.
4. Domain, DNS and Email: IONOS
Domain registration, DNS management, and email services are provided by IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. In the course of these services, IONOS processes technical connection data (including sender and recipient addresses of emails, timestamps, IP addresses). The legal basis is Art. 6(1)(f) GDPR.
IONOS is based in Germany; data processing takes place predominantly within the EU. A data processing agreement is in place with IONOS. Privacy policy: ionos.de/terms-gtc/datenschutzerklaerung.
5. Security Service: Cloudflare
To protect the website from malicious traffic (DDoS protection, web application firewall), we use services from Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA.
Where Cloudflare is operated in proxy mode, all traffic is routed through Cloudflare servers. At least the IP address, request URL, HTTP headers, and possibly cookie contents are processed. This processing serves to ensure operation and to ward off attacks. The legal basis is Art. 6(1)(f) GDPR.
Cloudflare is certified under the EU-U.S. Data Privacy Framework. A data processing agreement is in place. Privacy policy: cloudflare.com/privacypolicy.
6. Website Analytics: Vercel Analytics
We use Vercel Web Analytics (provider: Vercel Inc., USA) to evaluate website usage. Vercel Analytics works without cookies and without permanently storing IP addresses. Only aggregated, non-personal metrics are collected (page views, country of origin, browser type, device category, referrer). IP addresses are only temporarily hashed and then discarded.
Since no permanent personal data is stored or linked across devices, consent under § 25 TTDSG is not required for this service. The legal basis for any remaining residual processing is Art. 6(1)(f) GDPR (legitimate interest in anonymous usage analysis to improve the website).
Vercel is certified under the EU-U.S. Data Privacy Framework. Information on Vercel Analytics: vercel.com/docs/analytics/privacy-policy.
7. Analytics & Event Tracking: PostHog
We use PostHog (PostHog Inc., 965 Mission St., Suite 650, San Francisco, CA 94103, USA; when the EU cloud is used, data is processed within the EU) to analyse user behaviour and events on the website. PostHog may use cookies and/or local browser storage and collect information such as pages visited, click events, browser type, operating system, and truncated IP addresses.
Since PostHog uses cookies or comparable technologies to store information on your device, your consent pursuant to § 25(1) TTDSG in conjunction with Art. 6(1)(a) GDPR is required. You can grant or refuse your consent at any time via our cookie banner and withdraw consent already given at any time with effect for the future.
Where PostHog is operated via the US cloud, PostHog Inc. is certified under the EU-U.S. Data Privacy Framework; a data processing agreement is in place. Privacy policy: posthog.com/privacy.
8. Cookie Banner and Consent Management
On your first visit to the website, a cookie banner is displayed through which you can consent to or reject the use of non-essential cookies and tracking technologies. Technically necessary cookies (e.g., for the operation of the cookie banner itself) are set without consent; the legal basis is § 25(2) TTDSG.
Your consent decision is stored in your browser and can be withdrawn or changed at any time via the cookie settings. The withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
9. Newsletter
Sign-up and double opt-in: If you sign up for our newsletter, we collect your email address. We use the double opt-in procedure: after signing up, you receive a confirmation email with a link that you must click to complete your registration. Only after this confirmation is your email address used for sending. Your consent can be withdrawn at any time with effect for the future.
Purpose and legal basis: The processing of your email address for sending the newsletter is based on your express consent pursuant to Art. 6(1)(a) GDPR. The confirmation email and the log of the sign-up and confirmation process (timestamp, IP address) are stored for the duration of the newsletter subscription and subsequently for the duration of the statutory limitation periods (maximum three years) as proof of consent.
Unsubscribing: You can unsubscribe from the newsletter at any time by clicking the unsubscribe link at the end of each newsletter email or by sending us an informal email to legal@nextras.de. After unsubscribing, your email address is deleted from the mailing list; the unsubscribe log is retained for three years.
Processing (Supabase): The newsletter dispatch and the storage of subscriber data take place via Supabase, Inc., 970 Trestle Glen Rd., Oakland, CA 94610, USA. Supabase is certified under the EU-U.S. Data Privacy Framework; a data processing agreement is in place. To secure the data, EU Commission Standard Contractual Clauses (SCC) are used. Privacy policy: supabase.com/privacy.
10. Data Protection in the Nextras Apps
This section concerns exclusively the mobile and desktop apps of Nextras (e.g., Bitecast). It is to be distinguished from data processing on nextras.de.
App backend (Supabase): For the operation of certain app functions (e.g., user authentication, data storage), we use Supabase, Inc. (USA) as a backend-as-a-service. Depending on the app function, email address, usage, and account data are processed. The legal basis is Art. 6(1)(b) GDPR (performance of a contract) and, where applicable, Art. 6(1)(a) GDPR (consent). Supabase is certified under the EU-U.S. Data Privacy Framework.
Map services (OpenStreetMap): Where map material is used in an app, this is done via map tiles from OpenStreetMap (The OpenStreetMap Foundation, St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom). When loading map tiles, your IP address is transmitted to the OpenStreetMap servers. The legal basis is Art. 6(1)(f) GDPR. Privacy policy: osmfoundation.org/wiki/Privacy_Policy.
In-app purchases (RevenueCat): In-app purchases are processed exclusively through the Apple App Store or Google Play Store. To manage subscriptions and purchase history, we use RevenueCat, Inc., 633 Tasman St., San Jose, CA 95126, USA. RevenueCat processes pseudonymous purchaser identifiers (App Store / Play Store transaction IDs), subscription status, and product IDs. No linking with personal payment data takes place — this is held exclusively by Apple or Google. The legal basis is Art. 6(1)(b) GDPR. Privacy policy: revenuecat.com/privacy.
More detailed data protection information on the individual apps is provided in the app store listings and in the app-specific privacy notices.
11. Links to App Stores and External Websites
The website contains links to the Apple App Store (Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA) and the Google Play Store (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). When you access these links, the privacy policies of Apple or Google apply. Nextras has no influence over the data processing that takes place there.
12. Third-Country Transfers
The following services process data in the USA or other third countries outside the EEA:
Vercel Inc. (hosting), Cloudflare Inc. (security), PostHog Inc. (analytics, where US cloud), Supabase Inc. (newsletter backend, app backend), RevenueCat Inc. (in-app purchases).
The aforementioned US companies are, where available, certified under the EU-U.S. Data Privacy Framework (adequacy decision of the EU Commission of 10 July 2023). In addition, we conclude EU Commission Standard Contractual Clauses (SCC) (Decision 2021/914) with the respective providers to ensure an adequate level of protection.
13. Legal Bases at a Glance
Insofar as we obtain consent for processing operations, Art. 6(1)(a) GDPR is the legal basis.
Insofar as the processing is necessary for the performance of a contract or for the implementation of pre-contractual measures, Art. 6(1)(b) GDPR serves as the legal basis.
Insofar as processing is necessary to safeguard the legitimate interests of us or third parties and the interests, fundamental rights, and freedoms of the data subject do not override these, Art. 6(1)(f) GDPR serves as the legal basis.
For the use of cookies and similar technologies, permissibility is governed by § 25 TTDSG; non-essential technologies require prior consent (§ 25(1) TTDSG).
14. Storage Periods
Personal data is deleted or blocked as soon as the purpose of storage no longer applies. Beyond that, data may be retained where provided for by European or national legislators:
Server log files: Generally 7–30 days, unless security incidents require longer storage.
Newsletter consent: For the duration of the subscription and subsequently up to three years as proof of consent.
App user data: For the duration of the user account and up to 30 days after deletion of the account; purchase logs until the expiry of the tax retention periods (maximum ten years pursuant to § 147 AO).
15. Your Rights as a Data Subject
You have the following rights vis-à-vis the controller:
Access (Art. 15 GDPR): You may request information about the data stored about you.
Rectification (Art. 16 GDPR): You may request the rectification of inaccurate data.
Erasure (Art. 17 GDPR): You may request the erasure of your personal data, insofar as no statutory retention obligations stand in the way.
Restriction (Art. 18 GDPR): Under certain circumstances, you may request the restriction of processing.
Data portability (Art. 20 GDPR): You may receive your data in a structured, commonly used, and machine-readable format.
Objection (Art. 21 GDPR): You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is based on Art. 6(1)(f) GDPR.
Withdrawal of consent (Art. 7(3) GDPR): Consent given can be withdrawn at any time with effect for the future. The lawfulness of processing carried out until withdrawal remains unaffected.
Please direct corresponding requests to: legal@nextras.de
16. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the member state of your habitual residence, place of work, or the place of the alleged infringement (Art. 77 GDPR).
The competent supervisory authority for Nextras is:
The Hessian Commissioner for Data Protection and Freedom of Information (HBDI)
Postfach 3163, 65021 Wiesbaden
Phone: +49 611 1408-0
Email: poststelle@datenschutz.hessen.de
datenschutz.hessen.de
17. Currency and Changes
This privacy policy is currently valid and dated June 2026. As our website and offerings develop or due to changed legal requirements, it may become necessary to amend this privacy policy. The current privacy policy can be accessed at any time on the website at nextras.de/datenschutz.