1. Controller

2Brands Media GmbH

Forststraße 112

50767 Köln

Deutschland

Email: office@2brandsmedia.com

2. Collection and Storage of Personal Data

When you visit our platform, information is automatically transmitted by your browser and stored in server log files: browser type and version, operating system, referrer URL, hostname, time of the request, and IP address. This data cannot be attributed to specific individuals and is not merged with other data sources. Storage is based on Art. 6(1)(f) GDPR (legitimate interest in the technical provision and security of the platform). Server log files are automatically deleted after 30 days.

3. Cookies

Hubbee only uses technically necessary cookies for authentication and session management. These cookies are required for the operation of the platform and cannot be disabled. No tracking or marketing cookies are used. The legal basis is Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in secure operation).

4. Account Data

During registration, we collect your email address to create and manage your user account. Authentication is handled via Supabase Auth. You may optionally provide additional profile information (name, profile picture). This data is stored until your account is deleted. The legal basis is Art. 6(1)(b) GDPR (contract performance).

5. WordPress Data

Hubbee processes data from your connected WordPress websites to enable centralized management. This includes: page content, plugin and theme information, health status, configurations, and user data of your WordPress installations. This data is processed exclusively for the provision of our service and stored on our servers within the EU. The legal basis is Art. 6(1)(b) GDPR (contract performance).

6. Hosting and Infrastructure

Supabase (Database & Authentication)

We use Supabase, Inc. for storing user data and authentication. The server location is Frankfurt, Germany (EU). Supabase is GDPR-compliant and a Data Processing Agreement is in place. More information: supabase.com/docs/guides/platform/gdpr

Hetzner (Backend Server)

Our backend services run on servers operated by Hetzner Online GmbH in Germany. Hetzner is GDPR-compliant and processes data exclusively within the EU.

7. Email Delivery (Resend)

For sending transactional emails (signup, invoices, payment notices, notifications) we use Resend Inc., 2261 Market Street #4667, San Francisco, CA 94114, USA. Resend processes on our behalf: your email address, sending metadata (subject, timestamp, delivery status), and bounce/complaint signals to safeguard deliverability. The data transfer to the USA is based on the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). A Data Processing Agreement under Art. 28 GDPR is in place. The legal basis is Art. 6(1)(b) GDPR (contract performance). Resend's privacy policy: resend.com/legal/privacy-policy

8. Payment Processing (Paddle)

For processing subscriptions and payments, we use Paddle.com Market Limited (Core B, Block 71, The Plaza, Park West, Dublin 12, Ireland) as Merchant of Record. Paddle processes on our behalf: payment information, billing address, transaction history, and subscription status. We do not store credit card data ourselves. The legal basis is Art. 6(1)(b) GDPR (contract performance). Paddle's privacy policy: paddle.com/legal/privacy

9. Your Rights Under GDPR

You have the right at any time to: access your stored data (Art. 15 GDPR), rectification of inaccurate data (Art. 16 GDPR), erasure of your data (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR), object to processing (Art. 21 GDPR), and withdraw consent (Art. 7 GDPR). A machine-readable JSON export of your billing and account data is available in your account under 'Your data'. For other rights, contact: office@2brandsmedia.com

9a. Retention periods

We delete personal data once the purpose of processing no longer applies, unless statutory retention obligations require otherwise:

• Invoices, transactions and payment-related data: 10 years under § 147 AO and § 257 HGB (German commercial and tax law).
• Billing and contract audit log: up to 10 years for accounting evidence.
• Email delivery logs (recipient, template, status): maximum 90 days.
• Account and profile data: until your account is deleted; fully removed or anonymised within 30 days afterwards.

10. Data Security

We implement comprehensive technical and organizational measures to protect your data: HTTPS encryption for all data transfers, Row Level Security (RLS) on all database tables, rate limiting on all API endpoints, regular security audits, and storage of all data within the EU (Germany).

11. Contact

For questions about data protection, you can reach us at:

Email: office@2brandsmedia.com

12. Changes to This Privacy Policy

We reserve the right to update this privacy policy to ensure it always complies with current legal requirements or to reflect changes in our services.

As of: April 2026 · Version 1.1