Privacy Policy

    Last updated: 1 October 2025

    We appreciate your visit to our website and your interest in our company, products and services. Protecting your privacy when using our webpages is important to us. Please read the following information carefully.

    1. Controller

    Salty Lemon GmbH

    Feldbrunnenstraße 9, 20148 Hamburg, Germany

    Email: hello@gosalty.ai

    ("we", "us", "our")

    2. Principles; Legal Bases; Retention

    We process personal data only insofar as necessary to operate this website, handle your inquiries, manage beta sign-ups and provide our content and services.

    • Consent (Art. 6(1)(a) GDPR) where required (e.g., optional marketing emails).
    • Contract / pre-contract (Art. 6(1)(b) GDPR) (e.g., responding to your requests, managing beta participation).
    • Legitimate interests (Art. 6(1)(f) GDPR) (e.g., site security, basic analytics).

    We delete or restrict personal data once the purpose ceases to apply and statutory retention periods (if any) expire. Personal data is disclosed to public authorities only where required by law. Our staff are bound by confidentiality.

    3. Server Log Files

    When you access our website, our systems automatically collect:

    • Browser type/version, operating system, internet service provider,
    • IP address, date/time of access,
    • Referrer URL and pages visited.

    Temporary storage of the IP is necessary to deliver the website; this is our legitimate interest (Art. 6(1)(f) GDPR). Log data is not merged with other personal data and is deleted when no longer needed for security and diagnostics.

    4. Contact via Form or Email

    If you contact us via a form or hello@gosalty.ai, we process the data you provide (e.g., name, email, message) and technical metadata (IP address, timestamp, page URL at submission) to handle your request and prevent misuse.

    Legal bases: Art. 6(1)(a) GDPR (consent) and/or Art. 6(1)(b) GDPR (pre-contractual steps), plus Art. 6(1)(f) GDPR (security).

    We delete the data when the conversation is clearly concluded; technical metadata is deleted within seven days unless needed for security.

    5. Beta Signup (Email + Phone) via Supabase

    For the GoSalty beta, we collect email and phone (required), and optionally your favorite spot and skill level. Submission is processed by our website and stored in our Supabase project as our data processor. We use this data to invite you to the beta, manage participation, and send essential service messages. Marketing emails (if any) are sent only with your consent.

    Processor: Supabase (hosted Postgres + auth/storage). Supabase provides a Data Processing Addendum (DPA) and documentation for GDPR compliance.

    Regions / data residency: We deploy our Supabase project in an EU region where available (e.g., Frankfurt, Dublin, London). Regional hosting options are documented by Supabase; region changes require a migration.

    Edge functions: Where used, we configure regional execution to align with our database region.

    International transfers: If processing involves transfers outside the EEA (e.g., to the U.S. by Supabase or its subprocessors), we rely on the EU-U.S. Data Privacy Framework (DPF) where the recipient participates; otherwise, on Standard Contractual Clauses (SCCs) and supplementary measures (see Supabase DPA/TIA).

    You can request deletion of your beta data at any time (see Section 12).

    6. Cookies

    We use necessary cookies to provide core functionality. Where we use additional cookies (e.g., for performance/analytics), we request your consent via our banner, and you can withdraw consent at any time. You can also control cookies via your browser settings; disabling cookies may limit some functions.

    Legal bases: Art. 6(1)(f) GDPR (strictly necessary), Art. 6(1)(a) GDPR (analytics/marketing).

    7. Analytics and Advertising (Configurable)

    We aim to keep tracking lightweight and privacy-preserving. If we use Google services (Analytics, Ads/Conversion, Remarketing, AdSense) in the future, they may set cookies and process usage data. We will only activate such services with your prior consent via the cookie banner and will honor your choices.

    Transfers to the U.S. For Google services, the EU-U.S. DPF adequacy decision applies where Google participates; otherwise we use SCCs.

    You can withdraw consent and/or use the vendor tools and browser settings to limit tracking as described in the providers' privacy pages.

    8. Social Plugins (Shariff/Two-Click)

    Our site may use "two-click" or Shariff-style integrations for Meta (Facebook/Instagram) sharing/like features so that no personal data is transmitted until you actively click. Meta indicates DPF participation for EU-U.S. transfers.

    9. Blog and Comments (If Enabled)

    If commenting is enabled, we publish your comment with your chosen username (we recommend a pseudonym). Required: username and email; optional fields are voluntary. We store your IP for up to seven days to address potential legal claims. You can subscribe to comment notifications via double opt-in and unsubscribe anytime via the link in those emails.

    Legal bases: Art. 6(1)(b) and (f) GDPR.

    10. SCHUFA (Only for Leasing/Credit Scenarios)

    For certain contractual relationships (e.g., equipment leasing), we may transmit data to SCHUFA Holding AG for credit checks and to manage risks (Art. 6(1)(b) and (f) GDPR; statutory obligations). This does not apply to visiting our marketing website or joining the GoSalty beta.

    11. Other Disclosures to Third Parties

    We disclose personal data to third parties only if required by law, necessary to perform a contract (e.g., hosting, support, communications), or based on your consent. All processors receive only the information necessary for their tasks and are contractually bound to GDPR-compliant processing.

    12. Your Rights

    You have the rights of access, rectification, erasure, restriction, portability, and to object (Arts. 15–21 GDPR). Where processing is based on consent, you may withdraw consent at any time with effect for the future.

    Contact for privacy requests:

    Salty Lemon GmbH, Feldbrunnenstraße 9, 20148 Hamburg, Germany

    Email: hello@gosalty.ai

    If you object to processing that is necessary for the provision and operation of the website, some functions may no longer be available. You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence or place of the alleged infringement.

    13. International Transfers

    Where data is transferred to countries outside the EEA, we use recognized safeguards such as:

    • the EU-U.S. Data Privacy Framework (where the recipient is certified), and/or
    • Standard Contractual Clauses with supplementary measures.

    The DPF adequacy decision took effect in July 2023 and was upheld by the EU General Court on 3 September 2025 (case T-553/23), providing additional legal certainty for EU-U.S. transfers.

    14. Newsletter (If Enabled)

    If you subscribe to our newsletter, we use the double-opt-in process. Required: your email address (other fields optional). You can unsubscribe at any time via the link in every newsletter or by emailing hello@gosalty.ai.

    Legal basis: Art. 6(1)(a) GDPR (consent).

    15. Data Security

    We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, considering the state of the art and the risks involved.

    16. Changes to this Policy

    We may update this Privacy Policy from time to time to reflect changes in law, technologies, or our services. The "Last updated" date shows the latest revision.