Privacy Policy
En date du : April 2026
1. Data Controller
AfterCost – Firat Günenc
Herzogenauracherstr. 38, 90431 Nuremberg
Germany
Email: datenschutz@aftercost.de
2. Types of Data Processed and Purposes
Account Data
- Email address, name, company details (company name, VAT ID)
- Purpose: Contract performance, account creation, communication
Business Data from the Kaufland Account
- Products, revenues, costs, orders, returns
- No end-customer data (buyer names and addresses are not stored)
- Purpose: Calculation of contribution margins, profit analysis
Usage and Meta Data
- Server logs, IP addresses, browser type, timestamps
- Purpose: Security, error analysis, abuse prevention
3. Legal Basis
- Art. 6(1)(b) GDPR – Contract performance (account creation, data processing during use)
- Art. 6(1)(f) GDPR – Legitimate interest (server logs, security, error analysis)
- Art. 6(1)(a) GDPR – Consent (newsletter, optional analytics)
4. Recipients / Processors
We use the following service providers as data processors:
| Provider | Purpose | Location | Legal Basis |
|---|---|---|---|
| Supabase Inc. | Database, Authentication | EU (Frankfurt) | DPA, EU data center |
| Vercel Inc. | Hosting, CDN | EU (Frankfurt) | DPA, EU data center |
| Stripe Inc. | Payment processing | Ireland/USA | DPA, EU-US DPF |
| Resend | Transactional emails | USA (Processing: EU region Ireland) | EU-US DPF, SCC |
| Sentry | Error monitoring | USA/EU | EU-US DPF, SCC |
| Hetzner Online GmbH | API server (VPS) | DE (Nuremberg) | DPA, ISO 27001 |
| Cloudflare Inc. | DNS, CDN, email routing, bot protection (Turnstile) | USA/EU | DPA, EU-US DPF, SCC |
| Axiom Inc. | Log aggregation | USA | DPA, EU-US DPF |
Where data is transferred to the USA, this is done on the basis of the EU-US Data Privacy Framework (adequacy decision by the EU Commission, Art. 45 GDPR). Additionally, Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR have been concluded. You may request a copy of the safeguards at: datenschutz@aftercost.de
5. Security Measures
- TLS 1.2+ for all connections, AES-256 encryption at rest
- Row-Level Security (RLS) at database level, JWT-based authentication
- Multi-factor authentication (MFA) for admin access
- Automatic daily backups with point-in-time recovery
6. Retention Periods and Deletion
- Kaufland business data: Fully deleted 30 days after cancellation
- Sync logs: Automatically deleted after 90 days
- Account deletion: 14-day revocation period, then irreversible deletion
- Legal retention: Invoice data 8 years (German Tax Code), bookkeeping data 10 years (German Commercial Code)
- Feedback messages and screenshots: Automatically deleted after 24 months, or immediately upon account deletion (see Section 16)
7. Data Subject Rights
You have the following rights regarding your personal data:
- Access to stored data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure of your data (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
To exercise your rights, contact: datenschutz@aftercost.de
If you have given consent to processing, you may revoke this consent at any time with effect for the future. The lawfulness of processing carried out prior to revocation remains unaffected.
8. Right to Object (Art. 21 GDPR)
Where we process your data on the basis of legitimate interests (Art. 6(1)(f) GDPR), you have the right to object to the processing at any time for reasons arising from your particular situation. We will then no longer process the data unless we can demonstrate compelling legitimate grounds that override your interests.
Object by email to: datenschutz@aftercost.de
9. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. Competent authority:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach
Phone: +49 981 180093-0
Email: poststelle@lda.bayern.de
Web: www.lda.bayern.de
10. Website and Web Analytics
Our website automatically collects server logs with each request (IP address, timestamp, requested URL, HTTP status code, transferred data size, referrer URL, browser type).
We do not use Google Analytics and set no tracking cookies. Only technically necessary cookies for authentication (Supabase auth session) are set.
For reach measurement, we use Vercel Web Analytics (Vercel Inc.). Vercel Web Analytics works without cookies and without cross-device identifiers: page views, referrer source, country, and browser/device type are captured in aggregated form. A non-reversible, daily-rotating hash is used to distinguish visits within a session; the IP address is not stored. A data processing agreement with EU Standard Contractual Clauses is in place with Vercel. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reach measurement and service improvement).
Additionally, we collect our own usage events (first-party analytics) on our own servers in the EU (Supabase, Frankfurt): visited page, referrer domain, UTM campaign parameters if applicable, rough device class (mobile/tablet/desktop), browser language setting, approximate country of origin (derived by our hosting provider Vercel from the IP address — the IP address itself is neither stored by us nor passed to analytics, only the two-letter country code), and product-related events (e.g., demo start, founding application submission). No cookies are set, no IP addresses are stored, and no cross-device profiles are created; events from non-logged-in visitors cannot be attributed to any person. For logged-in users, events are attributed to the account (contract performance and product improvement). In the non-binding live demo, we chain events of the same demo session via a transient session identifier (hash of the already technically required login session) to analyze click paths within the demo — re-identification across sessions or attribution to a person is not possible. Raw data is automatically deleted after 13 months. Legal basis: Art. 6(1)(f) GDPR (legitimate interest) or Art. 6(1)(b) GDPR for logged-in users.
11. Error Analysis (Sentry)
For detecting and fixing technical errors, we use Sentry. The following data is captured:
- Stack traces (technical error messages)
- Browser and operating system
- URL visited at the time of the error
No cookies are set by Sentry. Error reports are automatically deleted after 90 days. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in error resolution).
12. Kaufland Connection
The connection to Kaufland uses an API-key-based interface. AfterCost exclusively retrieves business data (products, orders, revenues) from your seller account.
No end-customer data is stored. Names, addresses, and contact details of buyers are neither retrieved nor persisted in our database.
13. Cookie Overview
| Name | Provider | Purpose | Duration | Consent |
|---|---|---|---|---|
| sb-* | Supabase | Authentication | Session | Not required |
| aftercost-demo-* | AfterCost | Demo mode | Session | Not required |
All cookies used are technically necessary and do not require consent pursuant to § 25(2) TDDDG.
14. Automated Decision-Making
No profiling or automated decision-making within the meaning of Art. 22 GDPR takes place. All calculated metrics (contribution margins, margins) serve informational purposes only and have no legal effect on third parties.
15. Founding Member Application
On aftercost.de/founding, you can apply for our Founding Member program. We process the data you provide: name, email address, and optionally your Kaufland marketplaces, a free-text description of your current profit overview, and — if available — visit origin parameters (UTM parameters).
Purposes: Managing your application, personal outreach for the intro call, and — after acceptance — communication regarding the Founding program (product updates, feedback requests, scheduling). No sharing with third parties, no marketing spam.
Legal basis: Your consent (Art. 6(1)(a) GDPR), given via the checkbox in the form, as well as pre-contractual measures (Art. 6(1)(b) GDPR). To verify your email address, we use a double opt-in procedure: you receive a confirmation link (valid for 48 hours); the time of consent and the consent text version are logged as proof.
Invitation and account creation: If we accept you into the Founding program, we send you a personal invitation email with a one-time link (valid for 7 days), through which you create your user account and set your own password (Art. 6(1)(b) GDPR — contract initiation/performance). The account is permanently linked to the email address of your application; the time of your registration is stored with your application. From account creation onward, the sections of this policy regarding dashboard usage also apply.
Service provider: Emails are sent via Resend (EU region Ireland, see Section 4). To protect against automated bot requests, we use Cloudflare Turnstile; your IP address is transmitted to Cloudflare (Art. 6(1)(f) GDPR — legitimate interest in abuse prevention).
Retention and revocation: We store your application data for the duration of the Founding program. You may revoke your consent at any time informally (an email to info@aftercost.de suffices) — we will then promptly delete your application. The lawfulness of processing carried out prior to revocation remains unaffected.
16. In-App Feedback
In the dashboard (app.aftercost.de), you can send us concerns, bug reports, and improvement suggestions via the feedback button. We process: your message text, the dashboard page where the feedback originated, your account association (for the response thread), and — only if you attach it yourself — a screenshot of your current dashboard view. The screenshot may show your own business data (e.g., revenues); before sending, you see in a preview exactly what will be transmitted and can choose the image area or remove the image.
Purposes and legal basis: Processing your concern and product improvement (Art. 6(1)(b) GDPR — contract performance or pre-contractual measures — and (f) — legitimate interest in service improvement). If we respond to your feedback, we notify you by email (sent via Resend, EU region Ireland, see Section 4).
Storage and deletion: Feedback messages and screenshots are transmitted encrypted and stored exclusively in the EU (Supabase, Frankfurt region; screenshots in a private, non-publicly accessible storage area). They are automatically deleted after 24 months, or immediately upon account deletion. Via the data access request (Section 7), you can also obtain your feedback data.
17. Data Access for Quality Assurance and Support
As part of quality assurance, troubleshooting, and service improvement, the AfterCost team may view your dashboard in a read-only mode. We see the same data you see: revenues, costs, orders, returns, and contribution margins. In this mode, we cannot make any changes to your data. Your Kaufland credentials (API keys) are stored encrypted and are not displayed in spectator mode.
Purpose and legal basis: Ensuring the correct functioning of the service (in particular calculations, data import, synchronization) as part of contract performance (Art. 6(1)(b) GDPR) and legitimate interest in quality assurance (Art. 6(1)(f) GDPR). The legal basis derives from the Terms of Service accepted at registration (Quality Assurance section).
Logging: Every access in spectator mode is recorded in an immutable log (timestamp, accessed page, admin identifier). These log entries cannot be deleted or modified. You can view in your settings whether and when your dashboard was accessed.
18. Contact Form
Via the contact form (aftercost.de/kontakt), you can send us a message. We process: your name, email address, subject, and message text.
Purpose and legal basis: Processing your inquiry (Art. 6(1)(b) GDPR — pre-contractual measures — and (f) — legitimate interest in communication with interested parties).
Storage: Contact inquiries are not stored in a database. They are exclusively forwarded as email to our team and are subject to regular email retention.