Privacy Policy

Last updated: 30 April 2026

This policy explains how personal data is processed when you visit innig.app or sign up for the innig. waitlist. It is written to comply with the EU General Data Protection Regulation (GDPR / DSGVO) and German federal data protection law (BDSG).

1. Who is responsible

The data controller in the meaning of Art. 4 (7) GDPR is:

Benjamin Stöberl
Lauinger Straße 51
80997 München
Germany
Email: [email protected]

A separate Data Protection Officer (DPO) is not appointed because the conditions of Art. 37 GDPR / § 38 BDSG are not met.

2. What data we process

2.1 When you visit the website

The site is hosted as static HTML on a content delivery network. When your browser requests a page, the host automatically receives:

• your IP address;
• the date and time of the request;
• the URL of the requested page;
• your browser type, version, and operating system;
• the referring URL, if any.

This information is processed only for the purpose of delivering the page and protecting the service from abuse. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in operating the site).

2.2 When you join the waitlist

If you submit the waitlist form, we process the following data:

• your email address;
• the timestamp of your signup;
• UTM parameters from the URL (utm_source, utm_medium, utm_campaign) and the HTTP referrer, if present, in order to understand which channels users arrive from.

Legal basis: Art. 6 (1) (a) GDPR (your consent, given by submitting the form to be notified about innig.). You can withdraw consent at any time with effect for the future, see section 7.

2.3 Cookies and tracking

This site does not use third-party analytics, advertising pixels, or social plugins.

Our hosting and CDN provider Cloudflare automatically sets the strictly necessary cookie __cf_bm (Cloudflare Bot Management). It is used to distinguish humans from automated traffic, expires after 30 minutes of inactivity, and contains no personally identifying information beyond what is required to operate the security service. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in the integrity and availability of the site) in conjunction with § 25 (2) Nr. 2 TTDSG (strictly necessary for the service explicitly requested by the user).

2.4 Fonts

The Inter typeface is self-hosted on this site. No font data is requested from Google Fonts or any other third-party CDN, and your IP address is not shared with such providers.

3. Who receives your data

Your data is shared only with the following processors, each engaged under a Data Processing Agreement pursuant to Art. 28 GDPR:

• Supabase, Inc. (USA) — stores the waitlist database. Data may be transferred to the United States. The transfer is safeguarded by the EU-US Data Privacy Framework and/or Standard Contractual Clauses (Art. 46 (2) (c) GDPR). See Supabase's privacy policy.
• Cloudflare, Inc. (USA) — serves the static website through Cloudflare Pages and provides CDN, DDoS protection, and bot management. Cloudflare operates a global edge network: your request is typically served by the data centre nearest to you, which may be inside the EU. Cloudflare logs the technical request data described in section 2.1 for security and operational purposes. Transfer to the United States is safeguarded by the EU-US Data Privacy Framework (Cloudflare is certified) and by Standard Contractual Clauses. See Cloudflare's privacy policy and Data Processing Addendum.

We do not sell your data. We do not share it for advertising. We do not hand it to third parties except as required by law.

4. International transfers

As noted above, some processors are based in the United States. Where transfer to a third country occurs, it relies on the EU-US Data Privacy Framework (where the recipient is certified) or on Standard Contractual Clauses adopted by the European Commission. You may request a copy of the safeguards in place by emailing [email protected].

5. Retention

• Server logs: retained by the hosting provider for a short period (typically up to 30 days) for security and operational purposes, then deleted or anonymised.
• Waitlist data: retained until product launch and for up to 12 months after launch, or until you ask us to delete it, whichever comes first.

6. Automated decision-making

We do not use your data for any automated decision-making, including profiling, with legal or similarly significant effects on you.

7. Your rights

Under the GDPR you have the right to:

• access the personal data we hold about you (Art. 15);
• have inaccurate data corrected (Art. 16);
• have your data erased (Art. 17);
• request restriction of processing (Art. 18);
• receive your data in a portable format (Art. 20);
• object to processing based on legitimate interest (Art. 21);
• withdraw consent at any time, with effect for the future (Art. 7 (3));
• lodge a complaint with a supervisory authority. The competent authority for federal matters in Germany is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI). For your Land's data protection authority, see bfdi.bund.de.

To exercise any of these rights, email [email protected]. We respond within one month (Art. 12 (3) GDPR).

8. Changes to this policy

We may update this policy when the website or our processors change. The "Last updated" date at the top of the page reflects the current version. For material changes that affect existing waitlist subscribers, we will inform you by email before the change takes effect.