Privacy Policy
1. Privacy at a Glance
General Information
The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data with which you could be personally identified. Detailed information on the subject of data protection can be found in our privacy policy listed below.
Data Collection on This Website
Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. You can find the operator's contact details in the section "Information about the responsible party" in this privacy policy.
How do we collect your data?
Your data is collected in part by you providing it to us. This could, for example, be data that you enter into a contact form or provide when registering for our service.
Other data is collected by our IT systems when you visit the website, either automatically or after you have given your consent. This is primarily technical data (e.g., internet browser, operating system, or time of the page visit). This data is collected automatically as soon as you enter this website.
What do we use your data for?
Part of the data is collected to ensure the error-free provision of the website. Other data may be used to analyze your user behavior. If you use our SaaS service, your data is processed to provide and improve our service.
What rights do you have regarding your data?
You always have the right to receive information about the origin, recipient, and purpose of your stored personal data free of charge. You also have the right to request the correction or deletion of this data. If you have given consent to data processing, you can revoke this consent at any time for the future. You also have the right, under certain circumstances, to request the restriction of the processing of your personal data. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.
You can contact us at any time regarding this and other questions on the subject of data protection.
2. Hosting
We host the content of our website and our SaaS service with the following provider:
Hetzner
The provider is Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (hereinafter "Hetzner"). When you visit our website or use our service, Hetzner collects various log files including your IP addresses. For details, please refer to Hetzner's privacy policy: https://www.hetzner.com/legal/privacy-policy.
The use of Hetzner is based on Art. 6(1)(f) GDPR. We have a legitimate interest in the most reliable presentation of our website and provision of our service. If consent has been requested, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR.
Server location: The servers are located exclusively in data centers in Germany (EU). This ensures that your data is not transferred to third countries.
3. General Information and Mandatory Information
Data Protection
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.
We would like to point out that data transmission over the Internet (e.g., when communicating by email) may have security vulnerabilities. Complete protection of data against access by third parties is not possible.
Information About the Responsible Party
The responsible party for data processing on this website is:
Abomate GmbH
Große Elbstraße 45
22767 Hamburg
Germany
Phone: +49 (0) 40 123 456 78
Email: datenschutz@abomate.io
The responsible party is the natural or legal person who alone or jointly with others decides on the purposes and means of processing personal data (e.g., names, email addresses, etc.).
Revocation of Your Consent to Data Processing
Many data processing operations are only possible with your express consent. You may revoke any consent you have already given at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
Right to Lodge a Complaint with the Competent Supervisory Authority
In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, particularly in the Member State of their habitual residence, their place of work, or the place of the alleged violation. The right to lodge a complaint exists without prejudice to any other administrative or judicial remedies.
Competent supervisory authority:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
(The Hamburg Commissioner for Data Protection and Freedom of Information)
Ludwig-Erhard-Str. 22, 7th floor
20459 Hamburg
https://datenschutz-hamburg.de
Right to Data Portability
You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of data to another controller, this will only be done to the extent technically feasible.
SSL/TLS Encryption
This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as inquiries you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock icon in your browser bar.
When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
Information, Deletion, and Correction
Within the scope of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipients, and the purpose of data processing and, if applicable, a right to correction or deletion of this data. You can contact us at any time regarding this and other questions on the subject of personal data.
Right to Restriction of Processing
You have the right to request the restriction of the processing of your personal data. You can contact us at any time for this purpose. The right to restriction of processing exists in the following cases:
- If you dispute the accuracy of your personal data stored by us, we generally need time to verify this. For the duration of the verification, you have the right to request the restriction of the processing of your personal data.
- If the processing of your personal data was/is carried out unlawfully, you may request the restriction of data processing instead of deletion.
- If we no longer need your personal data, but you need it for the exercise, defense, or assertion of legal claims, you have the right to request the restriction of the processing of your personal data instead of deletion.
- If you have lodged an objection pursuant to Art. 21(1) GDPR, a balance must be struck between your interests and ours. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.
4. Data Collection on This Website
Cookies
Our websites use so-called "cookies." Cookies are small data packets and do not cause any damage to your device. They are stored either temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your device. Session cookies are automatically deleted after your visit ends. Permanent cookies remain stored on your device until you delete them yourself or they are automatically deleted by your web browser.
Cookies may originate from us (first-party cookies) or from third-party companies (so-called third-party cookies). Third-party cookies enable the integration of certain services of third-party companies within websites.
Cookies that are necessary for the electronic communication process, for the provision of certain functions you have requested, or for the optimization of the website (e.g., session cookies for login) are stored on the basis of Art. 6(1)(f) GDPR, unless another legal basis is specified. The website operator has a legitimate interest in the storage of technically necessary cookies for the technically error-free and optimized provision of its services.
You can configure your browser so that you are informed about the setting of cookies and only allow cookies on a case-by-case basis, exclude the acceptance of cookies for certain cases or in general, and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be limited.
Server Log Files
The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:
- Browser type and browser version
- Operating system used
- Referrer URL
- Hostname of the accessing computer
- Time of the server request
- IP address
This data is not merged with other data sources. The collection of this data is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website – for this purpose, server log files must be collected.
Contact Form
If you send us inquiries via the contact form, your details from the inquiry form, including the contact details you provided there, will be stored by us for the purpose of processing the inquiry and in case of follow-up questions. We do not pass on this data without your consent.
The processing of this data is based on Art. 6(1)(b) GDPR if your inquiry is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of inquiries addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) if this has been requested.
The data you enter in the contact form will remain with us until you request deletion, revoke your consent to storage, or the purpose for data storage no longer applies (e.g., after completion of your inquiry). Mandatory statutory provisions – in particular retention periods – remain unaffected.
Inquiry by Email
If you contact us by email, your inquiry, including all resulting personal data (name, inquiry), will be stored and processed by us for the purpose of processing your request. We do not pass on this data without your consent.
The processing of this data is based on Art. 6(1)(b) GDPR if your inquiry is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of inquiries addressed to us (Art. 6(1)(f) GDPR).
5. Analytics Tools and Advertising
We currently do not use any analytics tools or advertising services on our website. Should this change in the future, we will update this privacy policy accordingly and, if applicable, request your consent.
6. Newsletter
Newsletter Data
If you would like to receive the newsletter offered on the website, we require an email address from you as well as information that allows us to verify that you are the owner of the specified email address and agree to receive the newsletter. No further data is collected. We use this data exclusively for sending the requested information and do not pass it on to third parties.
The processing of the data entered into the newsletter registration form is based exclusively on your consent (Art. 6(1)(a) GDPR). You may revoke your consent to the storage of the data, the email address, and its use for sending the newsletter at any time, for example via the "Unsubscribe" link in the newsletter. The legality of the data processing operations already carried out remains unaffected by the revocation.
The data you have stored with us for the purpose of receiving the newsletter will be stored by us until you unsubscribe from the newsletter and will be deleted after you unsubscribe. Data that has been stored by us for other purposes remains unaffected.
7. Payment Provider
Stripe
We use the payment service provider Stripe for processing payments. The provider is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland (hereinafter "Stripe").
When paying via Stripe, the payment data you enter (e.g., credit card number, expiry date, CVC) is transmitted directly to Stripe and processed there. We only receive confirmation of the successful payment and reference data (transaction ID, customer reference). Credit card numbers are not stored by us.
Data processing by Stripe is based on Art. 6(1)(b) GDPR (contract fulfillment). Stripe is certified as a PCI DSS Level 1 payment service provider and meets the highest security standards.
For more information, please refer to Stripe's privacy policy: https://stripe.com/privacy.
8. Our Own Services
Abomate SaaS Platform
When you register for and use our SaaS service "Abomate," we process the following personal data:
- Registration data: Company name, name, email address, password (stored as a bcrypt hash)
- Usage data: Contract and license data you enter, categories, departments, custom fields
- Technical data: IP address, browser information, access timestamps
- Communication data: Support tickets and their messages
- Payment data: Billing address, payment history (credit card data is stored exclusively at Stripe)
The processing of this data is based on Art. 6(1)(b) GDPR for the fulfillment of the usage contract.
Data Isolation (Multi-Tenancy)
Each customer receives their own isolated database. Your data is technically separated from the data of other customers. No cross-tenant data processing takes place.
AI Features
Our service offers AI-powered features (PDF recognition, chat assistant, email import). In doing so, your contract documents and queries are transmitted to the Anthropic (Claude) API to perform the desired analysis. The transmission is encrypted. AI queries are not used for training AI models.
The use of AI features is optional and is based on Art. 6(1)(b) GDPR (contract fulfillment) or Art. 6(1)(a) GDPR (consent).
Data Deletion
Upon cancellation of your account, your data will be completely deleted after a retention period of 30 days. This includes your tenant database, uploaded files, and all associated entries in the master database. Statutory retention periods (e.g., for invoice data) remain unaffected.
Data Security
We employ extensive technical and organizational measures to protect your data:
- SSL/TLS encryption for all connections
- Passwords are stored exclusively as bcrypt hashes
- Regular automatic backups
- CSRF protection for all forms
- Rate limiting to protect against brute-force attacks
- Security headers (HSTS, X-Frame-Options, CSP)
- Servers in Germany (Hetzner, Nuremberg/Falkenstein)
Last updated: March 2026