Privacy Policy

Last Modified: October 7, 2025

1. Scope of this Policy

Thank you for showing interest in our enterprise. Speexx, a brand of digital publishing AG (“Speexx”; “we”, “us”, “our”), is offering online language testing and learning solutions to organizations and individuals using web applications.

The Speexx privacy policy (“Privacy Policy”) applies to:

(collectively, “the Websites”).

If you are already a customer of our service (organization or individual), we kindly ask you to refer to the Privacy Policy in our Portal at portal.speexx.com/privacy-policy.

We are providing this policy to describe and explain our practices and the measures we take to protect the privacy of your personal data and comply with the EU Data Protection Regulation 2016/679 (“EU GDPR”).

For further information on our data protection, security, and compliance practices — including documents such as our Service Level Agreement (SLA), Technical and Organizational Measures (TOMs), Data Processing Agreement (DPA), Code of Conduct, as well as detailed information on security, cookies, and AI — please visit our Trust Center.

2. Our Data Protection Principles

Speexx follows these principles to protect the privacy of your personal data:

  • We collect only the personal information that is strictly necessary for the provision of the Service or the operation of the Websites.
  • We only use your personal information for the purposes we specify in this Privacy Policy, unless you agree otherwise.
  • We do not keep your personal information if it is no longer needed.
  • We do not share your personal information with third parties, unless specified in this Privacy Policy.

3. Controller and Contact Details

Controller: digital publishing AG, Tumblingerstraße 32, 80337 Munich, Germany
Email: privacy@speexx.com
Data Protection Officer: Felix Frankenberger, Tumblingerstraße 32, 80337 Munich, Germany, privacy@speexx.com

4. When we act as Controller

Speexx acts as a controller within the meaning of Art. 4(7) GDPR for personal data we collect via our corporate websites, events, marketing activities, and our direct communications with individuals. In this role, we determine the purposes and means of processing.

5. Information We Collect and Why

We collect personal data necessary to provide, improve, and operate the Websites, including:

  • Profile data (e.g. name, business email, timezone, nickname), usage data (features used, interactions), device/connection data, and content you provide.
  • Website lead/marketing data you submit to access content, register for events/webinars, or subscribe to communications.
  • Support/helpdesk data you submit via our customer service channels.
  • Billing data processed via payment providers for paid services.
    Example details and purposes are described in our current online policy.
  • Sources of Personal Data
    In addition to data you provide directly (for example when creating an account, contacting support, or interacting with the Websites), we may receive personal data from the following sources:
    a) B2B data providers (e.g. Lusha) for business contact enrichment and lead qualification in a strictly business-to-business context;
    b) Referral and channel partners who introduce prospective customers;
    c) Payment and anti-fraud services that provide limited verification signals;
    d) Publicly available sources (e.g. company websites, professional directories) to validate business contact details.
    We process such data only where permitted by law and subject to the purposes and legal bases described in this Policy.
    Note for job applicants:
    If you apply for a position at Speexx, the collection and processing of your personal data are described separately in the “Job Applicants” section of this Privacy Policy. Please refer to that section for detailed information on the categories of data processed, purposes, retention, and your rights.
  • Categories of Recipients
    We share personal data with the following categories of recipients, strictly on a need-to-know basis and under appropriate contractual safeguards:
    a) Customer support and helpdesk providers;
    b) Analytics and service improvement providers (for Websites, where consent/legitimate interests apply);
    c) Marketing automation and communications providers (Websites only, subject to your choices);
    d) Payment processors and anti-fraud services;
    e) Professional advisors (legal, audit, accounting) and authorities where required by law;
    f) Recruiting/ATS providers for job applicants.
    Our current subprocessor list with names, addresses, purposes, and primary processing locations is provided in this Policy.

6. Legal Bases

Depending on context, we rely on contract (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f)), consent (Art. 6(1)(a)) where required (e.g., Websites marketing), and legal obligation (Art. 6(1)(c)).

7. Who May Receive Your Data (Disclosures & Subprocessors)

We share personal data with third parties only when necessary to run our business, comply with law, or when you consent (particularly on the Websites). We assess all providers for security and data protection and bind them via contract.

Below is a list of our key service providers/subprocessors, with bold headings. For each, we include the address, purpose, and primary data processing/storage location. Some providers may process or store data in the United States. Where that occurs, we apply safeguards as detailed in Section 7.

Customer Service / Helpdesk

Intercom
Address: Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18–21 St. Stephen’s Green, Dublin 2, Ireland
Purpose: Website chat and customer support/helpdesk
Primary processing location: EU (regional hosting used for support data)
Link: https://www.intercom.com/legal/privacy

Payments
Stripe, Inc.
Address: 185 Berry Street, Suite 550, San Francisco, CA 94107, USA
Purpose: Payment processing for paid Service
Primary processing location: United States (with onward transfers as needed)
Link: https://stripe.com/privacy

Marketing Forms / Content Access (Websites)
ClickDimensions LLC
Address: 5901 Peachtree Dunwoody Road NE, Suite B500, Atlanta, GA 30328, USA
Purpose: Managing access to content assets (e.g., whitepapers, e-books) and opt-in lists
Primary processing location: United States
Link: https://clickdimensions.com/privacy-policy/

Interactive Content (Websites)
Dot Marketing ApS (dot.vu)
Address: Nupark 51, 7500 Holstebro, Denmark
Purpose: Interactive content (quizzes, videos) embedded in Websites
Primary processing location: Denmark (EU/EEA)
Link: https://dot.vu/privacy-policy

Sales Intelligence / Lead Enrichment
Lusha Systems Inc.
Address: 800 Boylston Street, Suite 1410, Boston, MA 02199, USA
Purpose: B2B contact enrichment and prospecting to support enterprise sales and marketing outreach (Websites/CRM-adjacent data only)
Primary processing location: United States
Link: https://www.lusha.com/legal/privacy-notice/

Workflow Automation
Zapier, Inc.
Address: 548 Market Street, #62411, San Francisco, CA 94104, USA
Purpose: Low-code integrations to automate back-office workflows (e.g., syncing Website form submissions to internal systems)
Primary processing location: United States
Link: https://zapier.com/legal/data-privacy
Note: We maintain and periodically update a detailed internal register of our processors. We will post material updates to this list in this Policy and, where appropriate, notify enterprise customers via account channels.

Recruiting / Job Applications (Workable)
When you apply for a role with Speexx, we use an Applicant Tracking System (ATS) to process your application data.
Workable Software Limited
Address: 5 Golden Square, 5th Floor, London, W1F 9BS, United Kingdom
Purpose: Applicant Tracking System (ATS) to manage job applications and recruitment workflows (careers page, application intake, interview scheduling)
Primary processing location: UK/EU (with limited support-related transfers as necessary under DPF/SCCs)
Link: https://www.workable.com/privacy
Lawful basis: Art. 6(1)(b) GDPR (steps prior to entering into a contract) and Art. 6(1)(f) GDPR (legitimate interests in efficient recruitment); where required, consent (e.g., talent pool)
Retention: Candidate data is deleted or anonymized after the recruitment process unless longer retention is permitted/required or the candidate consents to longer storage (e.g., talent pool)

8. International Data Transfers (including to the United States)

Core data is hosted on infrastructure in Germany and the EU. However, several subprocessors listed above process/store certain personal data in the United States (e.g., Stripe, ClickDimensions, Lusha, Zapier).
When transferring personal data outside the EEA/UK/Switzerland, we use appropriate safeguards, which may include:

  • EU-U.S. Data Privacy Framework (DPF) participation of the U.S. recipient (where applicable), following the European Commission’s adequacy decision of 10 July 2023, and
    EU Standard Contractual Clauses (SCCs) (and UK Addendum/Swiss clauses as appropriate), plus supplementary measures. The DPF adequacy decision was upheld by the EU General Court on 3 September 2025 (T-553/23).

9. Data Storage

  • Unless specified otherwise, personal information is stored on secure servers located in Munich, Germany. For services that require international data transfer, including transfers to the United States, we ensure that such transfers comply with all applicable data protection laws and maintain security and privacy standards equivalent to those in the European Union. This includes the use of appropriate safeguards such as the EU–U.S. Data Privacy Framework, standard contractual clauses, or other legally recognized transfer mechanisms designed to ensure that your data remains protected regardless of where it is processed.
  • Data Hosting Partners: We partner with reputable data hosting providers committed to using state-of-the-art security measures. These partners are selected based on their adherence to stringent data protection standards.

10. Cookies & Tracking (Websites only)

  • Essential Cookies: Necessary for the website’s functionality, such as authentication and security. They do not require consent.
  • Performance and Analytics Cookies: These collect information about how visitors use our website, which pages are visited most frequently, and if error messages are received from web pages. These cookies help us improve our website.
  • Functional Cookies: Enable the website to provide enhanced functionality and personalization, like remembering your preferences.
  • Advertising and Targeting Cookies: Used to deliver advertisements more relevant to you and your interests. They are also used to limit the number of times you see an advertisement and help measure the effectiveness of the advertising campaign.

Details and list of providers: Cookie Policy.

11. Data Security and Retention

We use our own servers, as well as data hosting and housing service providers in Germany and the European Union to host the information we collect, and we use technical measures to secure your data.

12. How long we keep information

How long we keep the information we collect about you depends on the type of information, as described in further detail below. After such time, we will either delete or anonymize your information or, if this is not possible (for example, because the information has been stored in backup archives), then we will securely store your information and isolate it from any further use until deletion is possible. Backup copies of personal data are maintained only for operational continuity and disaster recovery purposes. Such backups are automatically overwritten or deleted on a rolling basis in accordance with defined retention cycles, ensuring that no outdated or unnecessary data remains stored beyond its required retention period.

Marketing information: If you have chosen to receive marketing content information from us (e.g. via email), we retain information about your marketing content preferences for a reasonable period of time from the date you last expressed interest in our Service, such as when you last opened an email from us. We retain information derived from cookies and other tracking technologies for a reasonable period of time from the date such information was created.

Security

We apply measures appropriate to the risk, including encryption in transit and at rest, role-based access controls, segregation of environments, logging and monitoring, vulnerability management, and regular access reviews.
To learn more, please refer to our Technical & Organizational Measures, which you can find in our Trust Center.

Reporting Data Breaches

In the event of a personal data breach, we will promptly assess the risks and take appropriate remedial measures. Where required under Article 33 GDPR, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

If the breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will inform them in clear and plain language about the nature of the breach, its likely consequences, and the measures taken or proposed to mitigate its possible adverse effects, in accordance with Article 34 GDPR.

Such notifications will include a description of the type of incident (e.g., unauthorized access, data loss, or disclosure) and the contact details of our Data Protection Officer, but will not disclose technical or security-sensitive details that could compromise further protection efforts.

13. How to Access and Control Your Information (Expanded)

You have certain choices regarding your information. Depending on your relationship with us and local law, you may exercise:

  • Access & portability: Request a copy of your personal data and, where technically feasible, a portable format.
  • Rectification & deletion: Request correction or deletion. Deletion may be restricted by legal obligations or for the establishment, exercise, or defense of legal claims.
  • Restriction & objection (including to marketing): Request restriction or object to processing, including direct marketing.
  • Consent withdrawal: Where processing relies on consent (e.g., Website marketing), you can withdraw consent at any time.
  • Service vs. Website: If your Service account is provided by an organization (employer), please contact that organization first; we act as processor for such accounts.
  • Cookies & DNT: Manage cookies via our banner and browser settings (see Cookies & Tracking). Our websites currently do not respond to browser DNT signals.
    We describe practical request paths and limitations in our current online policy.
  • Objection to Direct Marketing: You may object at any time to the processing of your personal data for direct marketing, including any profiling related to such marketing. If you object, we will stop processing your personal data for this purpose.
    To exercise this right, use the contact options listed in this Policy or the unsubscribe controls provided in our marketing communications.

14. Overview of Your Rights

Right of access

You have the right to demand confirmation as to whether we process your personal data. If this is the case, you are entitled to receive information about this personal data. Please contact us to request information about your personal data.

If personal data is passed on to a third country or an international organization, you have the right as the person affected to be informed about the respective guarantees (pursuant to Article 46 of the EU GDPR) regarding this sharing of data.

Right to rectification

You have the right to demand that we correct any incorrect personal data concerning you with immediate effect. Taking the purposes of processing into account, you have the right to demand the completion of any incomplete personal data – including by means of a supplementary explanation.

Right to erasure (“Right to be forgotten”)

You are entitled to demand that we delete your personal data without delay if one of the following applies:

  • The personal data is no longer required for the purposes for which it was collected or processed in some other way.
  • You withdraw your consent that the processing was based on pursuant to Article 6 (1) a) or Article 9 (2) a) of the EU GDPR, and there are now no valid legal grounds for processing.
  • You submit an objection to the processing of your data pursuant to Article 21 (1) of the EU GDPR and there are no overriding justifiable grounds for the processing, or you submit an objection to the processing of your data pursuant to Article 21 (2) of the EU GDPR.
  • The personal data was processed unlawfully.
  • The deletion of the personal data is required to fulfil a legal obligation in accordance with EU law or the law of individual member states.
  • The personal data was recorded in relation to the offer of information society services directly to a child, pursuant to Article 8 (1) of the EU GDPR.

Once you have made your request we are obliged to delete the data with immediate effect. The lawfulness of the data processing for the period between the consent and the withdrawal of this consent shall remain unaffected.

Right to restriction of processing

You are entitled to demand a restriction to the processing of your personal data in cases where you dispute the correctness of the personal data, for a period of time that allows the controller to review the correctness of that personal data. If the processing is unlawful and you reject the erasure of the personal data in favour of demanding a restriction to the use of the personal data we will fulfill this request.
Processing will also be restricted if we no longer require your personal data for the purposes of processing but do require it for the establishment, exercise or defence of legal claims, or if you have objected to processing pursuant to Article 21 (1) of the EU GDPR, for as long as it is not yet ascertained whether the justifiable grounds of the controller outweigh your grounds. You will be informed in advance by us should the restriction be revoked.

Right to data portability

You have the right to receive personal data concerning you that you have made available to us in a structured, conventional and machine-readable format, and you also have the right to transfer this data to another controller without being impeded by us to whom the personal data has been made available. The condition is that a) processing is based on consent pursuant to Article 6 (1) a) of the EU GDPR or Article 9 (2) a) of the EU GDPR or on a contract pursuant to Article 6 (1) b) of the EU GDPR, and b) the processing is conducted with the help of automated processes. When exercising your right to data portability you have the right to demand that the personal data is transferred directly from us to another controlling body, provided this is technically viable.

Right to withdraw consent

If processing is subject to your consent you have the right to withdraw this consent at any time. This shall not affect the lawfulness of any processing that took place with your consent up until its withdrawal.

15. Children

Our Service is not directed to children under the age defined by applicable law, and we do not knowingly collect personal data from them.

16. Changes

We may update this Policy to reflect changes in our processing or legal requirements. If we make material changes, we will notify you by posting an update here.

17. Consent

Where required under applicable data protection laws, we will obtain your consent before processing your personal data for specific purposes, such as sending marketing communications, placing non-essential cookies, or conducting optional surveys.
You may withdraw your consent at any time by following the instructions provided in our communications or by contacting us using the details in this Policy. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

18. Right to Object to Data Processing in Special Cases and to Direct Marketing (Art. 21 GDPR)

If the data processing is based on Article 6(1)(e) or (f) of the GDPR, you have the right, at any time, to object to the processing of your personal data for reasons arising from your particular situation. This also applies to profiling based on these provisions.

The respective legal basis for the processing can be found in this privacy policy.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims (objection pursuant to Article 21(1) GDPR).

If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for such marketing purposes. This also applies to profiling insofar as it is related to such direct marketing.

If you object, your personal data will no longer be used for direct marketing purposes (objection pursuant to Article 21(2) GDPR).

19. Supervisory Authority & Complaints

You have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal data infringes applicable law. Our competent authority is the Bavarian Data Protection Authority (BayLDA), Promenade 18, 91522 Ansbach, Germany, https://www.lda.bayern.de.

You may also contact another supervisory authority in the EU/EEA where you live or work, or where the alleged infringement took place.