Recall Space
en
en
de

Privacy Policy

Thank you for your interest in Recall Space and for visiting the website www.recall.space.

Effective date: 2024-12-01

Updated on: 2025-06-19

‍

1. Who we are

Controller: Recall Space GmbH,
Julius-Hatry-Str. 1,
68163 Mannheim, Germany,
‍info@recall.space,
Data-Protection Officer (DPO): dpo@recall.space

‍

2. Scope

This notice explains how we process personal data when you visit www.recall.space, interact with our marketing, request a demo, or otherwise contact us. It complements—does not replace—contractual or product-specific terms.

‍

3. What data we collect, why, and on what legal basis

Category / Data Types (Examples) Purpose GDPR Lawful Basis* Typical Retention**
Technical & Log Data – IP address (anonymised), device/OS/browser details, pages visited, time stamps, HTTP response codes, cookies Serve website, secure platform, detect abuse, compile usage statistics Art 6 (1)(f) Legitimate interest (security & performance) 7 days (logs), up to 2 months (analytics)
Contact & Demo Requests – name, email, company, job title, phone, message text Respond to enquiries, schedule demos, pre-contract steps Art 6 (1)(b) Contract; Art 6 (1)(f) Legitimate interest (customer service) Until request resolved + 12 months (evidence)
Newsletter / Webinar / Download Registration – name, email, country, interest areas, engagement metrics (opens, clicks) Send requested content, track consent, tailor marketing Art 6 (1)(a) Consent; proof of consent: Art 6 (1)(f) Until you unsubscribe; consent logs kept 3 years
CRM Interaction Data (HubSpot) – emails, call notes, marketing segmentation, website behaviour tied to email Lead management, customer communication, campaign optimisation Art 6 (1)(f) Legitimate interest; Consent where cookies apply 24 months of inactivity, then anonymised
Third-party Integrations (Google Analytics 4, LinkedIn Insight) – pseudonymised IDs, cookie IDs, IP (truncated), event data Audience analytics, remarketing Consent (Art 6 (1)(a)); Legitimate interest where strictly necessary See individual provider policies; max 26 months
Social Media Embeds (YouTube videos) – device data, interaction data Provide rich content Consent (Art 6 (1)(a)) As per provider
Customer & Contract Data – billing contact, subscription details, invoices, payment references Fulfil and support paid services, comply with tax law Art 6 (1)(b) Contract; Art 6 (1)(c) Legal obligation 6–10 years (German tax code)
*We rely on consent only where strictly required (e.g., non-essential cookies, email)

‍

4. Cookies

This website uses cookies to improve user experience. Essential cookies load automatically. All analytics/marketing cookies are held back until you opt in via the banner.

Strictly necessary

Strictly necessary cookies allow core website functionality such as user login and account management. The website cannot be used properly without strictly necessary cookies.

Performance

Performance cookies are used to see how visitors use the website, eg. analytics cookies. Those cookies cannot be used to directly identify a certain visitor.

Targeting

Targeting cookies are used to identify visitors between different websites, eg. content partners, banner networks. Those cookies may be used by companies to build a profile of visitor interests or show relevant ads on other websites.

‍

‍

5. Who receives your data

  • Processors:
    1. Webflow (Websites), hosting in USA, see details in 6.1.,
    2. HubSpot (CRM & email), hosting in Germany & EU, details 6.2., and
    3. Google Ireland (Analytics, YouTube, Ads), hosting in EU, details see 6.3.
  • Authorities: we disclose only if required by law or to protect our rights.
  • Corporate transactions: data may transfer if we undergo a merger or acquisition (you will be notified).

‍

6. Details on processors and international transfers

When service providers are in the United States, transfers rest on SCCs plus provider DPF certification (Webflow, HubSpot, Google).

6.1. Use of Webflow (Hosting & CMS)

This website is operated on the Webflow platform provided by Webflow Inc., 398 11th St., Floor 2, San Francisco, CA 94103, USA (“Webflow”).
Recall Space GmbH is the Controller (Art. 4 No. 7 GDPR).
Webflow acts solely as our Processor under a signed Data Processing Addendum (DPA) that contains the EU Standard Contractual Clauses (“SCCs”) and the UK International Data Transfer Agreement.

Scope of Processing

  • Content delivery: Static assets (images, CSS/JS) are served via the CDNs Amazon CloudFront (Amazon Web Services, Inc.) and Fastly Inc.
  • Server & CDN logs: IP address, timestamp, user agent, referrer.
  • Form submissions: Data you enter into our online forms (e.g., contact or demo requests) are stored in the Webflow backend.
  • Compatibility scripts: For legacy browsers a fallback script is loaded from Cloudflare Inc. CDN.

Legal Bases‍

  1. Technical operation, delivery & security of the website follows Art. 6 (1) f GDPR (Legitimate interest in a fast and secure website)
  2. Processing contact/demo requests follows Art. 6 (1) b GDPRP (performance of (pre-)contractual measures)
  3. Optional analytics/marketing scripts follows Art. 6 (1) a GDPR (Activated only with your consent via the cookie banner)

International Data Transfers

Webflow, Amazon Web Services, Fastly and Cloudflare are certified under the EU-US Data Privacy Framework. Additionally, all transfers to the USA are safeguarded by the Standard Contractual Clauses (SCCs) contained in our DPA with Webflow. We monitor the continuing certification status of all providers on a regular basis.

6.2. Use of HubSpot CRM & Meeting Scheduler

Recall Space GmbH acts as Controller under the GDPR. HubSpot Inc. (“HubSpot”) is our Processor pursuant to a Data Processing Agreement that incorporates the EU Standard Contractual Clauses. legal.hubspot.com

Scope of Processing

  • Forms: First name, last name, business email and message are transferred – after consent – to HubSpot and stored in our EU account (AWS Frankfurt). knowledge.hubspot.com
  • Meetings: HubSpot syncs your booking with our Microsoft 365 calendar (Exchange Online); Office 365 is natively supported. blog.hubspot.com
  • Logs: IP address and timestamps may be processed for security/compliance.

Legal Basis

  1. Handling contact/demo requests follows Art. 6 (1)(b), GDPR(Pre-)contractual steps
  2. Meeting scheduling follows Art. 6 (1)(b) GDPR for Contract initiation
  3. Optional marketing/trackingArt. 6 (1)(a) GDPR, Consent only

International Transfers‍

Primary data residency is EU (Germany). Limited support access from third countries is safeguarded by SCCs and HubSpot’s EU-US DPF certification.
legal.hubspot.com and knowledge.hubspot.com

Meeting data shared with Microsoft Ireland stays within the EU Data Boundary for Microsoft 365; any exceptional access is covered by SCCs and Microsoft safeguards.
learn.microsoft.com/en-us/privacy/eudb/eu-data-boundary-learn

6.3 Use of Google Services (Google Analytics 4, YouTube Embeds, Google Ads)

6.3.1. Google Analytics 4

Roles & DPA: Recall Space GmbH is the Controller; Google Ireland Limited acts as Processor for measurement data under the Google Ads Data Processing Terms (incl. EU SCCs). privacy.google.com

Scope: GA4 sets cookies / similar IDs to gather pseudonymous usage statistics. For EEA users, IP addresses are dropped on EU servers before any storage or further processing. support.google.com

Legal basis: Art. 6 (1)(a) GDPR (consent via our banner).

International transfers: Google LLC (USA) may access data; transfers are covered by the EU-US Data Privacy Framework and SCCs. policies.google.com

Retention: Event data are deleted after 14 months (default).

Opt-out: Withdraw consent anytime in the banner or install the official Google Analytics Opt-out Browser Add-on. support.google.com

6.3.2. YouTube Embeds

Videos are loaded only after consent and use Privacy-Enhanced Mode (youtube-nocookie.com), which avoids personalised cookies and ads. support.google.com

Role: Google acts as an independent controller. Legal basis: Art. 6 (1)(a) GDPR (consent).

6.3.3. Google Ads (Conversion Tracking & Remarketing)

We employ Google Ads to measure campaign performance and – if you consent – to build remarketing audiences. Google processes cookie IDs, online identifiers and, where enabled, conversion events from GA4. Depending on the feature, Google is either controller-to-controller (personalised ads) or processor (pure measurement) under the Google Ads privacy terms. privacy.google.com

Legal bases:

  • Conversion tracking: Art. 6 (1)(f) GDPR (legitimate interest in campaign optimisation).
  • Remarketing / personalised ads: Art. 6 (1)(a) GDPR (consent).

International transfers follow the safeguards in 9.1 (DPF & SCCs).

User controls: You can disable ad personalisation anytime in Google’s “My Ad Center”.

‍

7. Security

We run ISO 27001-aligned controls: TLS 1.3 in transit, AES-256 at rest, role-based access, MFA, quarterly vulnerability scans, and annual penetration tests. Employee access is “need to know”.

‍

8. Your rights under GDPR

You may, at any time:

  1. Access – obtain a copy of the data we hold about you (Art 15).
  2. Rectify – correct incomplete or inaccurate data (Art 16).
  3. Erase – request deletion where data is no longer needed, consent withdrawn, or processing unlawful (Art 17).
  4. Restrict – have processing suspended in certain cases (Art 18).
  5. Object – stop processing based on legitimate interest or direct marketing (Art 21).
  6. Data portability – receive data in a machine-readable format or have it sent to another controller (Art 20).
  7. Withdraw consent – at any time, without affecting past processing (Art 7 (3)).
  8. Lodge a complaint – with the Baden-Württemberg supervisory authority (LfDI BW) or your local authority (Art 77).

‍

9. Exercising rights

Email privacy@recall.space or write to the DPO (address above). We normally respond within one month.

‍

10. Children

Our site is not intended for children under 16; we do not knowingly collect their data. If you believe we have done so, contact us and we will delete it promptly.

‍

11. Updates

When we materially change this notice, we will post the new version here and, for significant changes, email registered users. Latest revision date appears at the top.

‍

info@recall.space
Mafinex
Julius-Hatry-Str. 1
68163 Mannheim
Germany
HomeBlogResearchManifesto
ImprintPrivacy PolicyTerms & Conditions
Security
GDPR DSVGO
ISO27001
© Copyright Recall Space GmbH. All rights reserved.
linkedin