English version — for reading purposes only, not legally binding. The binding German version is available at /datenschutz.
Privacy Notice — ekipa VentureKit
Version 1.6 | May 2026 | venturekit.ekipa.de/datenschutz
This Privacy Notice explains what personal data ekipa GmbH processes in connection with ekipa VentureKit, the legal basis for such processing, and the rights available to you as a data subject. It is issued in accordance with Art. 13 of the General Data Protection Regulation (GDPR).
1. Controller
ekipa GmbH
Münchener Straße 41, 60329 Frankfurt am Main
Email: hello@ekipa.de | Website: ekipa.de
Data Protection Officer (external):
IITR Datenschutz GmbH, Dr. Sebastian Kraska
Email: data-protection@ekipa.de
Competent supervisory authority: Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, Wiesbaden, Germany.
2. What personal data do we process?
We process only data that is necessary for the provision of our services within the scope of the project:
2.1 Master and account data
- First and last name
- Business email address
- Affiliated organisation (Client Organisation)
- Role within the project (e.g. Stakeholder, Viewer, Admin)
- Authentication method (Magic Link)
2.2 Usage data
- Login timestamps and session data
- Interactions with platform features (page views, actions)
- Technical device data (browser, operating system, IP address)
2.3 Project content
- Content entered by you or within the project (e.g. comments, uploaded files, ratings)
- Analyses, reports and identified solution providers
3. Purposes and legal bases of processing
3.1 Contract performance and legitimate interest (Art. 6(1)(b) and (f) GDPR)
The processing of your personal data in connection with the use of VentureKit is carried out on one of the following legal bases, depending on the underlying contractual arrangement:
Where VentureKit forms an explicit part of the service agreed between ekipa GmbH and your Client Organisation, processing is carried out on the basis of Art. 6(1)(b) GDPR (performance of a contract). In this case, the use of VentureKit is a contractually owed service and the processing of your data is necessary for its delivery.
Where VentureKit is used as a supplementary tool and does not form part of a contractually owed service, processing is based on Art. 6(1)(f) GDPR (legitimate interest). ekipa's legitimate interest lies in the efficient, structured and secure management of innovation projects to the benefit of the Client Organisation. As the processing is limited to a professional context and users in a B2B environment must reasonably expect their employer's service provider to use digital project tools, your fundamental rights and interests do not override this legitimate interest.
If you are not willing to share your data within the VentureKit platform, please contact data-protection@ekipa.de. We will assess, together with your Client Organisation, whether project delivery without the use of VentureKit is possible.
4. Recipients and processors
ekipa GmbH engages external service providers as processors for the operation of VentureKit (Art. 28 GDPR). Data Processing Agreements (DPAs) have been concluded with all service providers. Convex, Hetzner and Mailjet process data exclusively within the EU. For Anthropic, Inc. (USA), additional transfer mechanisms pursuant to Art. 46 GDPR apply (see Section 5):
| Provider | Purpose | HQ | Transfer basis | DPA | Status |
|---|---|---|---|---|---|
| Convex, Inc. | Backend database, real-time sync, data storage | EU (Frankfurt) | DPA (GDPR-compliant) | Yes | active |
| Hetzner Online GmbH | Web application hosting and server operations | Germany | DPA (GDPR-compliant) | Yes | active |
| Mailjet SAS | Transactional emails (Magic Link authentication) | EU (France) | DPA (GDPR-compliant) | Yes | active |
| Anthropic, Inc. | AI language model (Claude API) for AI-assisted scouting and analysis features; data transferred only when AI feature is actively used; data not used for model training | USA | SCCs + DPF + Anthropic DPA | Yes | active |
5. International data transfers
Convex, Hetzner and Mailjet process data exclusively within the European Union; no third-country transfers are required for these providers.
For the AI features of VentureKit, data is transferred to Anthropic, Inc. (USA). A transfer occurs only when a user actively invokes an AI-assisted feature; no data is sent to Anthropic during regular platform use. Pursuant to its commercial terms, Anthropic expressly does not use API requests to train its AI models. The transfer is safeguarded by the following mechanisms pursuant to Art. 46 GDPR:
- Standard Contractual Clauses (SCCs) of the European Commission (Implementing Decision 2021/914, Module 2: Controller to Processor)
- Anthropic's certification under the EU-US Data Privacy Framework (DPF)
- Data Processing Addendum pursuant to Anthropic's commercial terms of service
A copy of the executed SCCs is available upon request at data-protection@ekipa.de.
6. Cookies
VentureKit uses only technically necessary cookies. These are required for:
- Managing the user session (session cookie after login)
- Authentication token (HttpOnly cookie, SHA-256-hashed)
- CSRF protection
Technically necessary cookies are exempt from the consent requirement pursuant to § 25(2) TTDSG (German Telecommunications-Telemedia Data Protection Act). A cookie consent banner is therefore not required. No tracking, advertising or analytics cookies requiring consent are used.
7. Retention periods and deletion policy
Personal data is retained only for as long as necessary for the respective purposes or as required by statutory retention obligations:
| Data category | Retention period | Legal basis |
|---|---|---|
| User account (name, email, role) | 6 months after project end | Art. 6(1)(b)/(f) GDPR |
| Project content (analyses, reports, provider lists) | 6 months after project end | Art. 6(1)(b)/(f) GDPR |
| Audit logs / system logs | 3 years | Legitimate interest (security, compliance), Art. 6(1)(f) GDPR |
Upon expiry of the applicable retention period, data is automatically and irreversibly deleted or anonymised. Data may be deleted earlier upon request, provided no statutory retention obligations apply (see Section 8).
8. Your rights as a data subject
Under the GDPR, you have the following rights against ekipa GmbH as controller:
- Access (Art. 15 GDPR) — You have the right to obtain information about whether and which personal data we process about you.
- Rectification (Art. 16 GDPR) — You may request the correction of inaccurate data or the completion of incomplete data.
- Erasure (Art. 17 GDPR) — You may request the deletion of your personal data, provided no statutory retention obligations apply.
- Restriction of processing (Art. 18 GDPR) — Under certain conditions, you may request that we restrict the processing of your data.
- Data portability (Art. 20 GDPR) — Where processing is based on Art. 6(1)(b) GDPR and carried out by automated means, you have the right to receive your data in a structured, commonly used and machine-readable format.
- Objection (Art. 21 GDPR) — Where we process data on the basis of a legitimate interest (Art. 6(1)(f) GDPR), you have the right to object to that processing.
To exercise your rights, please contact: data-protection@ekipa.de
We will respond to your request within 30 days. You also have the right to lodge a complaint with the competent supervisory authority: Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, Wiesbaden, Germany.
9. Data security
ekipa GmbH implements appropriate technical and organisational measures (TOMs) to protect your data in accordance with Art. 32 GDPR. These include, among other things, encrypted data transmission, access controls and regular security reviews. Detailed information on the security measures in place is available within the framework of the Data Processing Agreement.
10. Changes to this Privacy Notice
ekipa GmbH reserves the right to update this Privacy Notice in the event of material changes to data processing or changes in the legal framework. The current version is available at venturekit.ekipa.de/datenschutz. Material changes will be communicated to users by email.
11. Contact and enquiries
General enquiries:
hello@ekipa.de | ekipa GmbH, Münchener Straße 41, 60329 Frankfurt am Main
Data protection enquiries:
data-protection@ekipa.de | IITR Datenschutz GmbH, Dr. Sebastian Kraska (external Data Protection Officer)
Frankfurt am Main, May 2026 — ekipa GmbH