Privacy Policy

Last updated: March 2026

Controller

Timm Fink

BayManager

Moselstr. 6

64347 Griesheim

Deutschland

E-Mail: contact@baymanager.de

A data protection officer is not required for this processing activity.

1. Scope

This privacy policy applies to the BayManager website, the web application, the API-based platform features, customer communication, package checkout, invoice dispatch, eBay integration, the automated order and message processing systems, and all associated support and security processes.

2. Categories of data processed

Depending on the use of our services, we process in particular: account and contact data (email address, name, company name, postal address, phone number), billing and tax data (tax ID, VAT ID, payment and subscription status), eBay integration data (OAuth tokens, eBay account identifiers, listing data, order data, buyer identifiers, buyer email addresses, message contents, shipment status), digital key and delivery data (encrypted product keys, delivery confirmations, delivery proof records), invoice data (invoice numbers, PDF files, dispatch status), technical log and security data (IP addresses in audit logs, server access data, token data), communication data (message content, thread identifiers, automated reply logs), and consent data (analytics consent, AI processing consent with timestamp and version).

3. Purposes and legal bases

We process personal data to provide contractual services, secure the platform, comply with legal obligations, and improve the product. The main legal bases are Art. 6(1)(b) GDPR for the initiation and performance of contracts, Art. 6(1)(c) GDPR for legal obligations (in particular statutory retention requirements under commercial and tax law), Art. 6(1)(f) GDPR for legitimate interests such as platform security, abuse prevention, product stability, internal documentation, and fraud protection, and Art. 6(1)(a) GDPR where consent is required, especially for optional analytics and AI-supported chatbot functions.

3a. Contact form and communication

If you contact us via the contact form, we process the data you provide there, in particular your name, email address, subject line, and message, in order to handle and answer your request. The legal basis is Art. 6(1)(b) GDPR if the request is aimed at concluding or preparing a contract, and otherwise Art. 6(1)(f) GDPR based on our legitimate interest in orderly communication and request handling.

Contact form messages are not stored as a separate CRM dataset in the application. They are transmitted to our contact mailbox via the configured mail infrastructure. If no contract, support case, or legal retention obligation follows, contact messages are deleted or archived after no later than 180 days from the final substantive handling of the request.

4. Website access and hosting

When you visit our website, the browser used automatically transmits technical access data to our server, including IP address, date and time, requested content, referrer URL, browser information, and operating system. This processing is necessary to deliver the website, maintain system security, and ensure stability. The legal basis is Art. 6(1)(f) GDPR.

Our servers and all associated database and cache infrastructure are operated exclusively in Germany by Netcup GmbH, Daimlerstraße 25, 76185 Karlsruhe, Germany. No personal data is transferred outside the European Union in connection with hosting.

5. Registration, login, and account management

When you register or use a user account, we process your email address, password (stored as a bcrypt hash, never in plain text), optional name and company data, postal address, phone number, tax ID and VAT ID where provided, account settings, package and subscription status, billing settings, and security-related login data. This processing is required to provide your account, authenticate you, and administer your contractual relationship. The legal basis is Art. 6(1)(b) GDPR.

For session management, the application stores access and refresh tokens in the browser. Token revocation is supported at account level. For the consent banner, we store your consent preferences locally in the browser and additionally log the consent status server-side with a pseudonymous consent ID, timestamp, policy version, banner configuration hash, vendor context, user agent, and an IP hash. Technically necessary storage is based on Sec. 25(2) no. 2 TDDDG; the related processing on Art. 6(1)(b) or Art. 6(1)(f) GDPR.

6. eBay integration

If you connect an eBay account to BayManager, we process OAuth authorization data, access and refresh tokens (stored encrypted), eBay account identifiers, listing data, order data, buyer identifiers, buyer email addresses where available from eBay, message contents, shipment and fulfillment status information, and refund-related data to provide the requested platform functions. This includes importing orders, synchronizing listings, processing buyer messages, sending configured communications, generating invoice references, and documenting fulfillment actions. The legal basis is Art. 6(1)(b) GDPR.

While an eBay connection is active, orders and messages are polled at regular intervals by automated background processes. Chatbot-dependent automatic responses are only triggered if the corresponding feature is explicitly activated in the account settings.

7. Orders, buyer communication, keys, and invoices

To process orders, we store order references, product references, buyer identifiers, buyer email addresses where available, delivery channels, delivery confirmations, delivery proof records, invoice status, invoice numbers, PDF invoices, and communication logs. Digital product keys are stored encrypted at rest using AES-128 (Fernet). This processing is necessary to perform the contract, document fulfillment, provide support, and comply with retention obligations under commercial and tax law. The legal bases are Art. 6(1)(b) and Art. 6(1)(c) GDPR.

If you use email delivery or invoice dispatch, recipient data and message contents are processed via the configured SMTP infrastructure (currently Turbo SMTP EU, operated within the European Union). The standard sender addresses are no-reply@baymanager.de and invoice@baymanager.de. Issued invoices are archived as fixed document snapshots together with structured e-invoice XML, checksum values, and validation metadata in order to meet legal retention and audit requirements.

8. Package purchases and payments

For paid packages, top-ups, and payment processing, we work with Stripe (Stripe Payments Europe Ltd., Dublin, Ireland) and PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg). In this context we process package references, user identifiers, transaction identifiers, payment status data, billing period data, amount and currency data, as well as provider-specific checkout and webhook data. BayManager does not process or store full payment card data itself. The legal basis is Art. 6(1)(b) GDPR.

9. Chatbot and AI-supported functions

If chatbot features are activated, customer messages, product knowledge base content, account-related support context, and order-related context may be transmitted to an AI service to generate draft replies or automated responses. The AI service currently used is Mistral AI (Mistral AI SAS, Paris, France), a provider based within the European Union. Data processing by Mistral AI is governed by a data processing agreement pursuant to Art. 28 GDPR. According to Mistral AI's terms of service, data transmitted via the API is not used for model training.

Before activating external AI processing, platform users (sellers) must explicitly provide their consent within the account settings. This consent is documented with a timestamp and version. Platform users are independently responsible for informing their own buyers (end customers) about AI-supported message processing in accordance with applicable data protection law.

Automated responses are only triggered if the corresponding package is active and the feature is enabled in the account settings. The legal basis for the seller's consent is Art. 6(1)(a) GDPR; the operational processing for activated features is Art. 6(1)(b) GDPR.

10. Analytics, consent, and local storage

BayManager uses a consent banner. Optional analytics are only activated if you expressly consent. The current implementation supports administrator-configured analytics integrations such as Google Analytics or Plausible. Without consent, optional analytics scripts are not loaded. Consent can be changed again at any time via the cookie settings link on the website. The legal basis for storing and accessing information on end devices is Sec. 25(1) TDDDG; the subsequent processing is based on Art. 6(1)(a) GDPR.

Storage that is technically necessary for the operation of the website or the logged-in platform area — such as consent preferences, session tokens, authentication information, and selected local cache data for the dashboard — is based on Sec. 25(2) no. 2 TDDDG. Consent changes are additionally stored server-side as evidence records.

11. Technical security measures

We implement technical and organisational measures to protect personal data in accordance with Art. 25 and Art. 32 GDPR. These include in particular: transport encryption via HTTPS/TLS for all connections; symmetric AES-128 encryption (Fernet) at rest for all sensitive credentials, including eBay OAuth tokens, supplier API keys, and SMTP credentials; bcrypt hashing with strength validation for passwords; JWT-based authentication with server-side token revocation; IP-address logging in audit logs for abuse detection; automated data deletion and anonymisation via a retention system (see section 14); and access controls limiting data access to authenticated users and authorised system processes.

12. Recipients and processors

We disclose personal data only where legally permitted and necessary. Where we engage service providers as processors pursuant to Art. 28 GDPR, we have concluded data processing agreements with them. Current processors and recipients include:

  • Netcup GmbH, Karlsruhe, Germany — server hosting, database, and cache infrastructure (EU/DE)
  • Turbo SMTP EU — transactional email delivery (EU)
  • Mistral AI SAS, Paris, France — AI processing for chatbot functions when activated (EU)
  • eBay GmbH, Dreilinden, Germany / eBay Inc., USA — eBay platform integration
  • Stripe Payments Europe Ltd., Dublin, Ireland — payment processing (EU)
  • PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg — payment processing (EU)

13. Third-country transfers

The majority of our service providers — including Netcup (Germany), Turbo SMTP EU, Mistral AI (France), Stripe Payments Europe (Ireland), and PayPal Europe (Luxembourg) — are based within the European Union. No third-country transfer occurs in connection with these providers.

In connection with the eBay integration, data may be transferred to eBay Inc. in the United States. eBay Inc. participates in the EU–US Data Privacy Framework and additionally uses standard contractual clauses pursuant to Art. 46(2)(c) GDPR. If you use optional analytics services such as Google Analytics, data may also be transferred to the USA; such transfers are based on the respective provider's standard contractual clauses.

14. Retention periods and automated deletion

We store personal data only as long as required for the relevant purpose, the contractual relationship, statutory retention obligations, or legitimate documentation and security interests.

BayManager operates an automated data retention system that regularly deletes or anonymises data that is no longer required: buyer messages are automatically deleted after the configured retention period (default: 12 months). Order records are automatically anonymised after the configured retention period (default: 12 months); the personal fields buyer ID, buyer email, delivery email, error messages, and delivery proof data are overwritten with null values while the anonymised transaction record is retained for documentation. Audit log entries are automatically deleted after the configured retention period (default: 12 months).

Exception: data linked to invoice documents is retained for the legally required period under commercial and tax law (currently 10 years under §§ 147 AO, 257 HGB). Security and system logs are retained only as long as necessary for troubleshooting and abuse prevention.

15. Data subject rights

You have the right to access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR), and objection (Art. 21 GDPR), subject to the statutory requirements. If processing is based on consent, you may withdraw that consent at any time with effect for the future without affecting the lawfulness of processing before withdrawal.

You have the right to lodge a complaint with a competent supervisory authority. The supervisory authority responsible for the controller is: Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI), Postfach 3163, 65021 Wiesbaden, Germany, www.datenschutz.hessen.de.

16. Contact for privacy matters

For privacy-related requests, please contact us by email at contact@baymanager.de.