Privacy Policy
Stan na: July 2026
1. Data Controller
AfterCost – Firat Günenc
Herzogenauracherstr. 38, 90431 Nuremberg
Germany
Email: datenschutz@aftercost.de
2. Types of Data Processed and Purposes
Account Data
- Email address, name, company details (company name, VAT ID)
- Purpose: Contract performance, account creation, communication
Business Data from the Kaufland Account
- Products, revenues, costs, orders, returns
- No end-customer data (buyer names and addresses are not stored)
- Purpose: Calculation of contribution margins, profit analysis
Usage and Meta Data
- Server logs, IP addresses, browser type, timestamps
- Purpose: Security, error analysis, abuse prevention
3. Legal Basis
- Art. 6(1)(b) GDPR – Contract performance (account creation, data processing during use)
- Art. 6(1)(f) GDPR – Legitimate interest (server logs, security, error analysis)
- Art. 6(1)(a) GDPR – Consent (newsletter, optional analytics)
4. Recipients / Processors
We use the following service providers as data processors:
| Provider | Purpose | Location | Legal Basis |
|---|---|---|---|
| Supabase Inc. | Database, Authentication | EU (Frankfurt) | DPA, EU data center |
| Vercel Inc. | Hosting, CDN | EU (Frankfurt) | DPA, EU data center |
| Stripe Inc. | Payment processing | Ireland/USA | DPA, EU-US DPF |
| Resend | Transactional emails | USA (Processing: EU region Ireland) | EU-US DPF, SCC |
| Sentry | Error monitoring | USA/EU | EU-US DPF, SCC |
| Hetzner Online GmbH | API server (VPS) | DE (Nuremberg) | DPA, ISO 27001 |
| Cloudflare Inc. | DNS, CDN, email routing, bot protection (Turnstile) | USA/EU | DPA, EU-US DPF, SCC |
| Axiom Inc. | Log aggregation | USA | DPA, EU-US DPF |
Where data is transferred to the USA, this is done on the basis of the EU-US Data Privacy Framework (adequacy decision by the EU Commission, Art. 45 GDPR). Additionally, Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR have been concluded. You may request a copy of the safeguards at: datenschutz@aftercost.de
5. Security Measures
- TLS 1.2+ for all connections, AES-256 encryption at rest
- Row-Level Security (RLS) at database level, JWT-based authentication
- Multi-factor authentication (MFA) for admin access
- Automatic daily backups with point-in-time recovery
6. Retention Periods and Deletion
- Kaufland business data: Fully deleted 30 days after cancellation
- Sync logs: Automatically deleted after 90 days
- Account deletion: 14-day revocation period, then irreversible deletion
- Legal retention: Invoice data 8 years (German Tax Code), bookkeeping data 10 years (German Commercial Code)
- Feedback messages and screenshots: Automatically deleted after 24 months, or immediately upon account deletion (see Section 16)
7. Data Subject Rights
You have the following rights regarding your personal data:
- Access to stored data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure of your data (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
To exercise your rights, contact: datenschutz@aftercost.de
If you have given consent to processing, you may revoke this consent at any time with effect for the future. The lawfulness of processing carried out prior to revocation remains unaffected.
8. Right to Object (Art. 21 GDPR)
Where we process your data on the basis of legitimate interests (Art. 6(1)(f) GDPR), you have the right to object to the processing at any time for reasons arising from your particular situation. We will then no longer process the data unless we can demonstrate compelling legitimate grounds that override your interests.
Object by email to: datenschutz@aftercost.de
9. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. Competent authority:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach
Phone: +49 981 180093-0
Email: poststelle@lda.bayern.de
Web: www.lda.bayern.de
10. Website and Web Analytics
Our website automatically collects server logs with each request (IP address, timestamp, requested URL, HTTP status code, transferred data size, referrer URL, browser type).
We do not use Google Analytics and set no tracking cookies. Only technically necessary cookies for authentication (Supabase auth session) are set.
For reach measurement, we use Vercel Web Analytics (Vercel Inc.). Vercel Web Analytics works without cookies and without cross-device identifiers: page views, referrer source, country, and browser/device type are captured in aggregated form. A non-reversible, daily-rotating hash is used to distinguish visits within a session; the IP address is not stored. A data processing agreement with EU Standard Contractual Clauses is in place with Vercel. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reach measurement and service improvement).
Additionally, we collect our own usage events (first-party analytics) on our own servers in the EU (Supabase, Frankfurt): visited page, referrer domain, UTM campaign parameters if applicable, rough device class (mobile/tablet/desktop), browser language setting, approximate country of origin (derived by our hosting provider Vercel from the IP address — the IP address itself is neither stored by us nor passed to analytics, only the two-letter country code), and product-related events (e.g., demo start, founding application submission). No cookies are set, no IP addresses are stored, and no cross-device profiles are created; events from non-logged-in visitors cannot be attributed to any person. For logged-in users, events are attributed to the account (contract performance and product improvement). In the non-binding live demo, we chain events of the same demo session via a transient session identifier (hash of the already technically required login session) to analyze click paths within the demo — re-identification across sessions or attribution to a person is not possible. Raw data is automatically deleted after 13 months. Legal basis: Art. 6(1)(f) GDPR (legitimate interest) or Art. 6(1)(b) GDPR for logged-in users.
11. Error Analysis (Sentry)
For detecting and fixing technical errors, we use Sentry. The following data is captured:
- Stack traces (technical error messages)
- Browser and operating system
- URL visited at the time of the error
No cookies are set by Sentry. Error reports are automatically deleted after 90 days. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in error resolution).
12. Kaufland Connection
The connection to Kaufland uses an API-key-based interface. AfterCost exclusively retrieves business data (products, orders, revenues) from your seller account.
No end-customer data is stored. Names, addresses, and contact details of buyers are neither retrieved nor persisted in our database.
13. Cookie Overview
| Name | Provider | Purpose | Duration | Consent |
|---|---|---|---|---|
| sb-* | Supabase | Authentication | Session | Not required |
| aftercost-demo-* | AfterCost | Demo mode | Session | Not required |
| aftercost_ref | AfterCost | Partner referral attribution | 30 days | Not required |
All cookies used are technically necessary and do not require consent pursuant to § 25(2) TDDDG.
The aftercost_ref cookie is only set when you visit our site via a partner referral link (aftercost.de/ref/...). It contains only the referral code (no personal data) and serves to attribute a subsequent registration to the referring partner.
14. Automated Decision-Making
No profiling or automated decision-making within the meaning of Art. 22 GDPR takes place. All calculated metrics (contribution margins, margins) serve informational purposes only and have no legal effect on third parties.
15. Founding Member Application
On aftercost.de/founding, you can apply for our Founding Member program. We process the data you provide: name, email address, and optionally your Kaufland marketplaces, a free-text description of your current profit overview, and — if available — visit origin parameters (UTM parameters).
Purposes: Managing your application, personal outreach, and email communication regarding AfterCost: the Founding program, the beta/launch, and product news and offers for Kaufland sellers. No sharing with third parties; you can unsubscribe at any time.
Legal basis: Your consent (Art. 6(1)(a) GDPR), given via the checkbox in the form, as well as pre-contractual measures (Art. 6(1)(b) GDPR). To verify your email address, we use a double opt-in procedure: you receive a confirmation link (valid for 48 hours); the time of consent and the consent text version are logged as proof.
Invitation and account creation: If we accept you into the Founding program, we send you a personal invitation email with a one-time link (valid for 7 days), through which you create your user account and set your own password (Art. 6(1)(b) GDPR — contract initiation/performance). The account is permanently linked to the email address of your application; the time of your registration is stored with your application. From account creation onward, the sections of this policy regarding dashboard usage also apply.
Service provider: Emails are sent via Resend (EU region Ireland, see Section 4). To protect against automated bot requests, we use Cloudflare Turnstile; your IP address is transmitted to Cloudflare (Art. 6(1)(f) GDPR — legitimate interest in abuse prevention).
Retention and revocation: We store your application data for the duration of the Founding program. You may revoke your consent at any time informally (an email to info@aftercost.de suffices) — we will then promptly delete your application. The lawfulness of processing carried out prior to revocation remains unaffected.
Automatic waitlist registration: By confirming your Founding application, you are automatically added to our waitlist (see Section 20). If your application is not accepted, we will reach out once AfterCost is available for all merchants and keep you posted on AfterCost. You may revoke your waitlist registration separately at any time (email to info@aftercost.de or unsubscribe link).
15a. Partner Application
On aftercost.de/partner, you can apply as a partner (reseller or agency). We process: name, email address, company name, partner type, and optionally website, description, and Kaufland experience, as well as UTM parameters if applicable.
Purposes: Managing your application, personal outreach, invitation to the partner program. No sharing with third parties.
Legal basis: Consent (Art. 6(1)(a) GDPR) via checkbox as well as pre-contractual measures (Art. 6(1)(b) GDPR). Double opt-in as with the Founding application (Section 15).
Invitation and account creation: After acceptance, you receive an invitation email with a one-time link (valid for 7 days). The partner account is created with your partner type (reseller or agency). From account creation onward, the Partner Terms of Service (aftercost.de/partner-agb) additionally apply.
Service provider and retention: As per Section 15.
16. In-App Feedback
In the dashboard (app.aftercost.de), you can send us concerns, bug reports, and improvement suggestions via the feedback button. We process: your message text, the dashboard page where the feedback originated, your account association (for the response thread), and — only if you attach it yourself — a screenshot of your current dashboard view. The screenshot may show your own business data (e.g., revenues); before sending, you see in a preview exactly what will be transmitted and can choose the image area or remove the image.
Purposes and legal basis: Processing your concern and product improvement (Art. 6(1)(b) GDPR — contract performance or pre-contractual measures — and (f) — legitimate interest in service improvement). If we respond to your feedback, we notify you by email (sent via Resend, EU region Ireland, see Section 4).
Storage and deletion: Feedback messages and screenshots are transmitted encrypted and stored exclusively in the EU (Supabase, Frankfurt region; screenshots in a private, non-publicly accessible storage area). They are automatically deleted after 24 months, or immediately upon account deletion. Via the data access request (Section 7), you can also obtain your feedback data.
17. Data Access for Quality Assurance and Support
As part of quality assurance, troubleshooting, and service improvement, the AfterCost team may view your dashboard in a read-only mode. We see the same data you see: revenues, costs, orders, returns, and contribution margins. In this mode, we cannot make any changes to your data. Your Kaufland credentials (API keys) are stored encrypted and are not displayed in spectator mode.
Purpose and legal basis: Ensuring the correct functioning of the service (in particular calculations, data import, synchronization) as part of contract performance (Art. 6(1)(b) GDPR) and legitimate interest in quality assurance (Art. 6(1)(f) GDPR). The legal basis derives from the Terms of Service accepted at registration (Quality Assurance section).
Logging: Every access in spectator mode is recorded in an immutable log (timestamp, accessed page, admin identifier). These log entries cannot be deleted or modified. You can view in your settings whether and when your dashboard was accessed.
18. Contact Form
Via the contact form (aftercost.de/kontakt), you can send us a message. We process: your name, email address, subject, and message text.
Purpose and legal basis: Processing your inquiry (Art. 6(1)(b) GDPR — pre-contractual measures — and (f) — legitimate interest in communication with interested parties).
Storage: Contact inquiries are not stored in a database. They are exclusively forwarded as email to our team and are subject to regular email retention.
19. Agency Access / Data Sharing with Authorized Third Parties
As a user, you can grant a read-only access to your dashboard to an e-commerce agency you have engaged via your settings. The agency then sees the same business data as you: revenues, costs, orders, returns, and contribution margins. Changes to your data are technically excluded. Your Kaufland API keys are encrypted and are not displayed.
Legal basis and roles: As the account holder, you are the controller (Art. 4(7) GDPR) and independently decide whether and which agency you grant access to. AfterCost implements this decision technically as your processor (instruction pursuant to Art. 28(3) GDPR). The agency is an independent controller for the data it views — a separate contractual relationship exists between you and your agency that does not concern AfterCost. The legal basis from AfterCost's perspective is contract performance (Art. 6(1)(b) GDPR — provision of the platform function) in conjunction with your instruction.
Recipients: Third parties authorized by the account holder (e.g., e-commerce agencies). AfterCost does not proactively share data with agencies — access occurs exclusively upon your explicit approval.
Approval and revocation: Approval is given via an in-app confirmation (no separate GDPR consent required, as the legal basis is contract performance). You can revoke access at any time in your settings with immediate effect. After revocation, the agency has no further access — there is no delay and no cache.
Logging: Every agency access is documented in an immutable log (timestamp, accessing agency, accessed areas). You can view this log under Settings → Agency Access. Legal basis for logging: Art. 6(1)(f) GDPR (legitimate interest in traceability and security).
Retention of access logs: 12 months after the last documented access, unless statutory retention obligations require longer storage.
20. Waitlist
On aftercost.de, you can join our waitlist with your email address. We process only your email address.
Purposes: Notification about the beta/launch of AfterCost and email updates regarding AfterCost (product news and offers for Kaufland sellers). No sharing with third parties.
Legal basis: Your consent (Art. 6(1)(a) GDPR). To verify your email address, we use a double opt-in procedure: you receive a confirmation link; only after confirmation are you added to the waitlist.
Service provider: Emails are sent via Resend (EU region Ireland, see Section 4).
Retention and revocation: We store your entry until you unsubscribe or the waitlist has served its purpose. You may revoke your consent at any time informally (email to info@aftercost.de or unsubscribe link) — we will then promptly delete your entry. The lawfulness of processing carried out prior to revocation remains unaffected.