Privacy Policy

1. Controller

Gosign GmbH
Hallerstraße 8
20146 Hamburg, Germany

Email: web26 [at] gosign.de

Data Protection Officer

A data protection officer is currently not appointed. Fewer than 20 employees are regularly involved in the automated processing of personal data (§ 38(1) BDSG). For questions regarding data protection, please contact the address stated above.

2. Overview

This website does not set any cookies. Neither first-party nor third-party. No external trackers, no Google Analytics, no Matomo, no Facebook Pixel, no LinkedIn Insight Tag, and no Google Tag Manager are used.

No cookie banner is required as no consent-dependent tracking takes place.

3. Hosting and Content Delivery

This website is served via Cloudflare Pages. Cloudflare acts as a data processor under Art. 28 GDPR. A Data Processing Addendum (DPA) with Standard Contractual Clauses (SCCs) is in place.

When delivering web pages, Cloudflare technically processes the IP address of the requesting device. Depending on the service, this processing may also take place outside the EU and is secured via the EU-US Data Privacy Framework as well as DPA/SCCs.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and performant website delivery).

4. Web Analytics

We use Cloudflare Web Analytics. This service is cookie-free and does not collect personal data. No individual users are identified or tracked. Only aggregated access data is collected (page views, referrer, country, device category).

Consent is not required as no tracking within the meaning of the ePrivacy Directive takes place.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in analysing website usage in aggregated, anonymous form).

5. Contact Form and Email Contact

When you contact us via the contact form or by email, your details (e.g. name, email address, message text) are processed for the purpose of handling your inquiry and for any follow-up questions. This data is processed on the basis of Art. 6(1)(b) GDPR if your inquiry is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective handling of inquiries addressed to us (Art. 6(1)(f) GDPR).

Technical Processing via Cloudflare (Without Intermediate Storage)

To ensure secure and fast transmission of your form data, we use Cloudflare Workers technology from Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA for routing. Cloudflare acts exclusively as a technical intermediary. Your form data is not stored in a database by Cloudflare but is processed in memory and forwarded in real time via an encrypted connection (TCP socket) to our email server. Once the data has been transmitted, it does not remain on Cloudflare's servers.

Email Hosting via Google Workspace (EU Hosting)

For receiving, storing, and sending our emails, we use Google Workspace from Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland. We have configured Google Workspace so that our email data is physically stored on servers within the European Union (EU).

Data Processing Agreements and Third-Country Transfers

We have entered into data processing agreements (DPAs) pursuant to Art. 28 GDPR with both Cloudflare and Google. As both providers are part of US corporations, a theoretical data transfer to the USA during maintenance, routing (Cloudflare), or support cases cannot be 100 % excluded. For such cases, the providers rely on the adequacy decision of the EU Commission (EU-US Data Privacy Framework) as well as Standard Contractual Clauses to ensure an adequate level of data protection.

Retention Period

The data you enter in the contact form remains in our email inbox until you request deletion, revoke your consent to storage, or the purpose for data storage no longer applies (e.g. after your inquiry has been fully processed). Mandatory statutory provisions, in particular commercial and tax retention periods (up to 10 years under § 257 HGB and § 147 AO), remain unaffected.

6. Appointment Booking

For appointment booking, we use Google Calendar Appointment Scheduling (provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). When you click the booking link, you are redirected to calendar.google.com. No script is loaded and no cookie is set on our website by the booking link.

When using the booking service, your data (name, email address, selected appointment) is processed by Google. Google's Privacy Policy applies.

Legal basis: Art. 6(1)(b) GDPR (implementation of pre-contractual measures at your request). Booking a consultation appointment serves to initiate a business relationship.

7. Fonts

All fonts used on this website are locally embedded (self-hosted). No external font services (e.g. Google Fonts) are loaded. No connection to third parties is established when loading fonts.

8. Maps and Videos

This website does not embed external map services (e.g. Google Maps) or external video services (e.g. YouTube). Where maps or videos are displayed, this is done via static images or self-hosted content.

9. No Additional Third Parties

This website does not load resources from third parties not mentioned in this privacy policy. In particular, the following are not used:

  • Google Tag Manager
  • Facebook Pixel
  • LinkedIn Insight Tag
  • HubSpot, Salesforce, or other CRM trackers
  • Hotjar, Mouseflow, or other session recording tools
  • Matomo or other self-hosted analytics tools

10. SSL/TLS Encryption

This website uses SSL/TLS encryption for security purposes. An encrypted connection is indicated by "https://" in your browser's address bar.

11. Server Log Files

The hosting provider (Cloudflare) collects access data in server log files for technical reasons. These may include: page accessed, time, data volume, referrer URL, IP address, browser, and operating system. Log files are stored by Cloudflare for a maximum of 72 hours and are not merged with other data.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring technical operations and detecting attacks).

12. Artificial Intelligence and Automated Decision-Making

No automated decision-making including profiling within the meaning of Art. 22 GDPR takes place. No AI systems are used on this website for the automated processing of personal data of website visitors.

AI-Assisted Content Creation

Gosign uses AI-assisted tools (large language models, image generation) for the creation and editing of website content, graphics, and diagrams. These tools do not process personal data of website visitors. All outputs are editorially reviewed and approved.

AI in Client Projects

Gosign develops and operates AI infrastructure for enterprise clients (AI Agents, Document Intelligence, workflow automation). The processing of personal data in client projects is governed by separate data processing agreements (DPAs) pursuant to Art. 28 GDPR and is not covered by this privacy policy.

13. International Data Protection Standards

Gosign serves clients worldwide and recognises data protection rights under the respectively applicable local laws. The GDPR remains the primary data protection law as Gosign GmbH is headquartered in Germany and data processing takes place in the EU. Below are supplementary notes for users in specific jurisdictions.

United Kingdom

For users in the United Kingdom, the UK GDPR in conjunction with the Data Protection Act 2018 applies. The rights largely correspond to those under the EU GDPR. Competent supervisory authority: Information Commissioner's Office (ICO), Wilmslow, Cheshire, UK.

United States

For users residing in California, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) apply additionally. This includes the right to know the categories of data collected, the right to deletion, and the right to opt out of the sale of personal data. Gosign does not sell personal data and does not share it with third parties for advertising purposes. For users in other US states with their own privacy laws (Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and others), comparable rights are recognised.

Switzerland

For users in Switzerland, the revised Federal Act on Data Protection (revDSG/nDSG), in effect since 1 September 2023, applies. It grants rights comparable to the GDPR. Competent supervisory authority: Federal Data Protection and Information Commissioner (FDPIC/EDÖB), Bern.

Canada

For users in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies. Gosign recognises the PIPEDA principles, in particular consent, purpose limitation, access, and rectification. Competent supervisory authority: Office of the Privacy Commissioner of Canada (OPC), Gatineau, QC.

Brazil

For users in Brazil, the Lei Geral de Proteção de Dados (LGPD, Lei n.º 13.709/2018) applies additionally. The LGPD grants Brazilian users comprehensive rights, including access, rectification, anonymisation, erasure, data portability, and objection. These rights are fully recognised by us. Competent supervisory authority: Autoridade Nacional de Proteção de Dados (ANPD), Brasília, DF.

India

For users in India, the Digital Personal Data Protection Act (DPDP Act, 2023) applies. Gosign recognises the rights of Indian users, in particular access, rectification, erasure, and the right to lodge a complaint. Competent supervisory authority: Data Protection Board of India (DPBI), New Delhi.

Japan

For users in Japan, the Act on the Protection of Personal Information (APPI) applies. The EU Commission has granted Japan an adequate level of data protection. Gosign recognises the APPI rights, in particular access, rectification, erasure, and cessation of use. Competent supervisory authority: Personal Information Protection Commission (PPC), Tokyo.

South Africa

For users in South Africa, the Protection of Personal Information Act (POPIA) applies. Gosign recognises the POPIA rights, in particular access, rectification, erasure, and objection to direct marketing. Competent supervisory authority: Information Regulator, Johannesburg.

All other jurisdictions

For users in countries with their own data protection laws not explicitly mentioned here, Gosign recognises the respectively applicable local data protection rights insofar as they relate to processing via this website. Your rights to access, rectification, and erasure are guaranteed in every case.

14. Your Rights

You have the following rights regarding your personal data:

  • Access (Art. 15 GDPR): You may request information about the data we process.
  • Rectification (Art. 16 GDPR): You may request correction of inaccurate data.
  • Erasure (Art. 17 GDPR): You may request deletion of your data, provided no statutory retention obligations apply.
  • Restriction (Art. 18 GDPR): You may request restriction of processing.
  • Data Portability (Art. 20 GDPR): You may request your data in a machine-readable format.
  • Objection (Art. 21 GDPR): You may object to processing based on Art. 6(1)(f) GDPR at any time.
  • Withdrawal of Consent (Art. 7(3) GDPR): Where processing is based on your consent, you may withdraw it at any time with effect for the future. The lawfulness of processing carried out prior to the withdrawal remains unaffected.

To exercise your rights, an informal message to the address stated above is sufficient.

15. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority is the supervisory authority of the federal state in which you reside, or the authority responsible for the controller:

The Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Str. 22
20459 Hamburg, Germany

16. Currency

This privacy policy is currently valid. Last updated: February 2026.

We reserve the right to amend this privacy policy to adapt it to changed legal requirements or changes to the service.