Privacy Policy

1. Who we are

Starting in Germany operates the web application at starting-in-germany.de that generates personalised immigration plans for people relocating to Germany.

For the purposes of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG), the data controller is:

We are currently in pre-registration stage and do not yet have a registered business address. If you need to exercise GDPR rights, contact us at hello@starting-in-germany.de.

2. What data we collect and why

Account and authentication

When you sign up we collect your email address and display name. This is necessary to create your account and provide you with the service (legal basis: performance of a contract, GDPR Art. 6(1)(b)). Authentication is handled by Supabase Auth; passwords are hashed and never stored in plaintext.

Onboarding answers

To generate your personalised plan we ask about your destination city, purpose of stay, planned arrival date, employment situation, and housing status. This data is stored in your profile and used solely to determine which tasks appear on your plan (legal basis: performance of a contract, GDPR Art. 6(1)(b)).

Plan tasks and notes

Your task completion status, custom tasks, and any notes you write are stored in our database. This data exists only to power your plan and is not used for any other purpose (legal basis: performance of a contract, GDPR Art. 6(1)(b)).

Uploaded documents

Files you upload to Documents are stored in Supabase Storage in an EU data centre. They are accessible only to your account and are not shared with any third party (legal basis: performance of a contract, GDPR Art. 6(1)(b)).

Billing information

Payment is handled entirely by Stripe. We never see or store your card number. We receive a Stripe customer ID, subscription status, and invoice records to manage your plan (legal basis: performance of a contract, GDPR Art. 6(1)(b)).

Analytics (privacy-friendly, no cookies)

We collect anonymous product usage and page-view events via PostHog (EU instance, hosted in the EU) to understand how the product is used and improve it. We run PostHog in cookieless mode: it stores nothing on your device — no cookies, no local storage — and does not track you across sessions or websites. Because no information is stored on or read from your device, no consent is required for this baseline (legal basis: legitimate interests, GDPR Art. 6(1)(f)). We honour your browser's "Do Not Track" setting — enable it and we collect nothing.

Technical and security data

Our infrastructure processors (Supabase, Vercel) may log IP addresses and HTTP request metadata for security and abuse prevention purposes. This data is retained only as long as operationally necessary (legal basis: legitimate interests, GDPR Art. 6(1)(f)).

3. Who we share your data with

We use the following processors, each bound by a Data Processing Agreement (DPA) consistent with GDPR Chapter V requirements:

We do not sell your personal data to any third party.

4. Data retention

• Account and profile data — retained for the lifetime of your account. Deleted within 30 days of an account deletion request.
• Plan tasks and notes — deleted together with your account.
• Uploaded documents — deleted immediately when you remove a file, or within 30 days of account deletion.
• Billing records — retained for 10 years to comply with German commercial law (HGB §257).
• Analytics data — anonymous events subject to PostHog's own retention policy (typically 1–2 years). Enabling "Do Not Track" stops future collection; historical events are not retroactively deleted by us.
• Security/server logs — typically 30–90 days at processor level.

5. Your rights

Under the GDPR you have the following rights:

• Access (Art. 15) — request a copy of the personal data we hold about you.
• Rectification (Art. 16) — ask us to correct inaccurate data.
• Erasure (Art. 17) — request deletion of your data ("right to be forgotten"). You can delete your account directly from Account › Danger zone.
• Restriction (Art. 18) — ask us to pause processing your data in certain circumstances.
• Portability (Art. 20) — receive your data in a machine-readable format. Use the export function in Account › Preferences.
• Objection (Art. 21) — object to processing based on legitimate interests.
• Object to analytics (Art. 21) — our baseline analytics is cookieless and anonymous, but you can opt out of all collection at any time by enabling "Do Not Track" in your browser.

To exercise any of these rights, email hello@starting-in-germany.de. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority — in Germany that is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) .

6. Cookies and tracking technologies

Strictly necessary (always active)

We use session storage and local storage to keep you logged in, remember your theme preference, and store your cookie consent choice. No consent is required for these because they are essential for the service to function.

Analytics (cookieless baseline)

Our baseline product analytics (PostHog) runs in cookieless mode: it places no cookies and no local storage on your device and does not track you across sessions or websites. We do not use Google Analytics for this baseline. Because nothing is stored on your device, no consent is required for it — but you can opt out of all baseline collection at any time by enabling "Do Not Track" in your browser.

7. Changes to this policy

We may update this policy as the product evolves. Material changes will be communicated via an in-app notice. The "Last updated" date at the top of this page always reflects the current version.

8. Contact

For any privacy-related questions, requests, or concerns, please contact us at hello@starting-in-germany.de.