Privacy Policy

1. General

At BarBrain GmbH (“BarBrain”), we attach great importance to the protection and security of your personal data. We handle your personal data with due care and in accordance with the applicable data protection laws, in particular the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the German Federal Data Protection Act (“BDSG”). This means that we only ever process your data on the basis of a valid legal ground under data protection law.

This privacy policy applies to the website www.barbrain.com, all associated sub-pages, the web-based application and all mobile applications (“Apps”) of BarBrain (together “Services”).

Please read this privacy policy carefully. If you have any questions, please contact the controller identified in Section 2.

2. Controller

The controller within the meaning of Article 4(7) GDPR is:

BarBrain GmbH

Lindwurmstraße 25

80337 Munich, Germany

Email: hello@barbrain.com

Telephone: +49 (0) 89 12085622

For further information, please refer to our legal notice (https://barbrain.com/legal/impressum).

3. Principles of Data Processing

3.1 The subject matter of data protection is personal data within the meaning of Article 4(1) GDPR. This includes any information relating to an identified or identifiable natural person. Data that has been anonymised or aggregated and can no longer be used to identify a specific natural person is not considered personal data.

3.2 We process your personal data in accordance with the principle of data minimisation (Article 5(1)(c) GDPR). This means that we only collect data that is necessary for the respective processing purpose.

3.3 The following legal bases are particularly relevant for the processing of personal data:

Article 6(1)(a) GDPR (consent),

Article 6(1)(b) GDPR (performance of a contract and pre-contractual measures),

Article 6(1)(c) GDPR (compliance with legal obligations),

Article 6(1)(f) GDPR (legitimate interests).

3.4 We do not carry out any automated decision-making, including profiling, within the meaning of Article 22 GDPR.

4. Data Collected and Processing Purposes

4.1 Registration and User Account

During registration for our Services, we collect the following data:

first name and surname,

email address,

telephone number,

address (billing address).

Legal basis: Article 6(1)(b) GDPR (performance of a contract). The data is necessary for setting up and managing your user account and for performing the contract.

4.2 Use of the Software

When you use our Software, the following data is automatically processed:

login credentials (email address, hashed password),

usage data (log data, device information, time of last login),

content data (product and inventory data that you enter into the Software).

Legal basis: Article 6(1)(b) GDPR (performance of a contract). The processing is necessary for the provision and operation of the Software.

4.3 Payment Processing

Payment processing is handled by our payment service provider Stripe Payments Europe, Ltd. (see Section 6). In the course of payment, billing address and payment information are processed.

Legal basis: Article 6(1)(b) GDPR (performance of a contract).

4.4 Support and Communication

When you contact our support (by email, chat or telephone), we process the data you provide (name, email address, content of the enquiry) in order to handle your request. The in-app chat is provided by our service provider Intercom (see Section 6).

Legal basis: Article 6(1)(b) GDPR (performance of a contract), alternatively Article 6(1)(f) GDPR (legitimate interest in handling customer enquiries).

4.5 Transactional Emails

We send system-generated emails (e.g. registration confirmation, password reset, system notifications) via our service provider Twilio Inc. (SendGrid) (see Section 6).

Legal basis: Article 6(1)(b) GDPR (performance of a contract).

4.6 Use of Aggregated Data

We are entitled to use the data generated through the use of the Software in aggregated and anonymised form for statistical purposes, product improvement and market analyses. Any inference as to individual customers or their business operations is excluded.

Legal basis: Article 6(1)(f) GDPR (legitimate interest in improving our products). Anonymised data is no longer subject to the GDPR.

4.7 Reference Customers

Unless you object, we use your company name and logo for advertising purposes (e.g. on our website, in presentations and marketing materials). You may object to this use at any time in text form (see Section 13(2) of our GTC).

Legal basis: Article 6(1)(f) GDPR (legitimate interest in marketing our products).

5. Cookies and Web Analytics

5.1 Cookies – General

Our website uses cookies and similar technologies. Cookies are small text files stored on your device. Some cookies are technically necessary for the operation of the website; other cookies are used to analyse user behaviour or for marketing purposes.

5.2 Cookie Consent Management (Usercentrics)

We use the consent management platform Usercentrics to obtain and document your consent to the storage of certain cookies and the use of certain technologies. The provider is Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany.

When you visit our website, a Usercentrics cookie is stored in your browser that records the consents you have given or their revocation. The data is stored until you request deletion, delete the cookie yourself, or the purpose of the data storage ceases to apply.

Legal basis: Article 6(1)(c) GDPR (legal obligation) in conjunction with Section 25(1) of the German Telecommunications Digital Services Data Protection Act (TDDDG). Obtaining consent is required by law.

5.3 Google Analytics

We use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Analytics uses cookies to enable an analysis of the use of our website. The information generated by the cookie about your use is generally transferred to a Google server in the USA and stored there.

We use Google Analytics with IP anonymisation enabled. This means that your IP address is truncated within the Member States of the EU or the EEA before being transmitted to Google.

Google Analytics is only activated if you have given your consent via our cookie consent tool (Usercentrics).

Legal basis: Article 6(1)(a) GDPR (consent). You may revoke your consent at any time with effect for the future via the cookie consent tool.

Third-country transfer: To the extent data is transferred to Google LLC in the USA, Google is certified under the EU-U.S. Data Privacy Framework.

6. Recipients and Processors

In the course of providing our Services, we engage the following processors within the meaning of Article 28 GDPR:

Service Provider | Registered Office | Processing Activity | Third-Country Transfer

DigitalOcean, LLC | New York, USA (servers: EU/Frankfurt) | Cloud hosting of the BarBrain Software; provision of computing power, databases and storage | EU-U.S. DPF + SCC

Stripe Payments Europe, Ltd. | Dublin, Ireland | Payment processing; processing of billing address and payment information | Primarily EU

Twilio Inc. (SendGrid) | San Francisco, USA | Sending transactional emails (registration, password reset, system notifications) | EU-U.S. DPF + SCC

Intercom R&D Unlimited Company | Dublin, Ireland | In-app support and customer communication; chat support within the Software | Primarily EU

Usercentrics GmbH | Munich, Germany | Cookie consent management; documentation of consents given | No third-country transfer

Google Ireland Ltd. | Dublin, Ireland | Web analytics (Google Analytics); analysis of website usage | EU-U.S. DPF (Google LLC)

Beyond this, we do not disclose your personal data to third parties unless we are required to do so by law or you have given your express consent. Under no circumstances do we sell personal data.

Further details on data processing are set out in our Data Processing Agreement (DPA) pursuant to Article 28 GDPR, which forms an integral part of our GTC.

7. Data Transfers to Third Countries

Your personal data is generally processed within the European Union or the European Economic Area. To the extent data is transferred to recipients in the USA (DigitalOcean LLC, Twilio Inc., Google LLC), this is done on the basis of the adequacy decision of the European Commission pursuant to Article 45 GDPR (EU-U.S. Data Privacy Framework), provided the respective recipient is certified under that framework. In addition, Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR are agreed.

8. Retention Period

8.1 Your personal data is generally stored for the duration of the contractual relationship.

8.2 Upon termination of your user account, your data will be deleted unless its retention is required for commercial or tax law reasons (in particular Section 147 of the German Fiscal Code (AO) and Section 257 of the German Commercial Code (HGB); retention period of up to 10 years). You have the option of deleting your account yourself in your user profile.

8.3 Upon deletion of your account, all data associated with the account will, as a rule, be irrevocably deleted within 30 days. An export function in common machine-readable formats (in particular CSV) is available. It is the customer’s responsibility to back up its data prior to deletion.

9. Your Rights as a Data Subject

You are entitled to the following rights. To exercise your rights, an informal notification by email to hello@barbrain.com is sufficient.

9.1 Right of access (Article 15 GDPR): You have the right to obtain information about your personal data processed by us, including the processing purposes, the categories of data processed, the recipients, the planned retention period and the origin of your data.

9.2 Right to rectification (Article 16 GDPR): You have the right to obtain the rectification or completion of your personal data without undue delay.

9.3 Right to erasure (Article 17 GDPR): You have the right to request the erasure of your personal data, unless statutory retention obligations apply or we continue to require the data for the proper performance of the contract.

9.4 Right to restriction of processing (Article 18 GDPR): You have the right to request the restriction of processing of your data, for example while the accuracy of your data is being verified, in the event of unlawful data processing, for the assertion of legal claims, or if you have lodged an objection.

9.5 Notification obligation (Article 19 GDPR): If you have exercised your right to rectification, erasure or restriction, we shall notify all recipients to whom your data has been disclosed, unless this is impossible or involves a disproportionate effort.

9.6 Right to data portability (Article 20 GDPR): You have the right to receive your personal data that we process on the basis of your consent or in performance of a contract in a structured, commonly used and machine-readable format, or to request its transfer to another controller.

9.7 Right to withdraw consent (Article 7(3) GDPR): Where processing is based on your consent, you may withdraw that consent at any time with effect for the future. The lawfulness of the processing carried out on the basis of the consent prior to its withdrawal shall remain unaffected. To withdraw consent, an email to hello@barbrain.com or a change to your settings in the cookie consent tool is sufficient.

9.8 Right to object (Article 21 GDPR): Where we process your data on the basis of legitimate interests (Article 6(1)(f) GDPR), you may object to such processing at any time. We shall then cease processing unless there are compelling legitimate grounds for continued processing.

9.9 Right to lodge a complaint (Article 77 GDPR): In the event of data protection violations, you have the right to lodge a complaint with the competent supervisory authority. The supervisory authority responsible for BarBrain is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Germany; https://www.lda.bayern.de.

10. Data Security

We implement appropriate technical and organisational security measures pursuant to Article 32 GDPR to protect your data against accidental or intentional manipulation, loss, destruction or unauthorised access. These include, in particular:

encryption of data in transit by means of TLS (at least version 1.2) and encryption of stored data (encryption at rest),

role-based access controls and two-factor authentication,

regular automated data backups (daily, retention of at least 14 days),

monitoring and logging of security-relevant events,

documented processes for the detection, reporting and handling of security incidents (incident response).

The specific technical and organisational measures are described in Annex 2 of our DPA. All employees are bound by confidentiality obligations.

11. Minors

Our Services are exclusively aimed at entrepreneurs within the meaning of Section 14 of the German Civil Code (BGB). Users under the age of 16 should only transmit personal data to us with the consent of their legal guardians.

12. Changes to this Privacy Policy

It may from time to time become necessary to update the content of this privacy policy. We therefore reserve the right to amend this privacy policy as required. The current version is always available at https://www.barbrain.com/datenschutz.

Last updated: April 2026