Privacy Policy

For the autaxo.studio website and the Autaxo Studio platform. Last updated: July 2, 2026

This is a courtesy translation. Only the German version (Datenschutzerklärung) is legally binding.

Introduction & Overview

With this privacy policy, GOBERU Solutions UG (haftungsbeschränkt) (hereinafter “we”, “us”, or “Autaxo”) informs you in accordance with Art. 13 and 14 GDPR about the processing of personal data on autaxo.studio and in the Autaxo Studio platform.

This policy applies in particular to website visitors, prospects, customers, and authorized users. Where customers process images, vehicle data, or other content of their own end customers or third parties in Autaxo Studio, we generally act as a processor under Art. 28 GDPR in that respect. In that case, the data processing agreement (AVV/DPA), including the technical and organizational measures (TOMs) and the list of subprocessors, takes precedence.

We provide the current version of the DPA at autaxo.de/downloads/autaxo_avv.pdf. Depending on the booked module and activated integrations, different subprocessors may be used.

Controller

The controller within the meaning of Art. 4(7) GDPR is:

GOBERU Solutions UG (haftungsbeschränkt)
c/o Julian Alessio Goßen
Kiefernstraße 25
45525 Hattingen
Germany

  • Represented by: Julian Alessio Goßen
  • Commercial register: Amtsgericht Essen, HRB 36889
  • VAT ID: DE454764286
  • Email: kontakt@autaxo.de

Please direct data protection inquiries to datenschutz@autaxo.de.

Website Visits

Hosting, Delivery, and Security

autaxo.studio is delivered via Firebase Hosting / Google Cloud. The provider is Google Cloud EMEA Ltd., Dublin, Ireland. For server-side functions, we primarily use Google Cloud/Firebase in the europe-west3 (Frankfurt am Main) region, where technically configured.

  • Data: IP address, date and time, requested URL, referrer, HTTP headers, user agent, error and security logs.
  • Purpose: delivery of the website, system security, abuse prevention, error analysis, and availability.
  • Legal basis: Art. 6(1)(f) GDPR.
  • Retention period: Log data is stored only as long as required for security, error analysis, and traceability.

Contact, Demo Requests, and Communication

If you contact us by email, contact form, demo request, phone, or messenger, we process your information to handle your request.

  • Data: name, company, email address, phone number, message content, technical metadata, and any attachments.
  • Purpose: contract initiation, demo provision, support, and documentation.
  • Legal basis: Art. 6(1)(b) GDPR where related to a contract, otherwise Art. 6(1)(f) GDPR.
  • Service providers: Google Workspace and Mailjet/Sinch; where individual legacy or special forms technically run via Formspree, Formspree.

Appointment Booking and Embedded Content

For demo and consultation appointments, we may use Google Calendar Appointment Schedules. In addition, YouTube or YouTube nocookie videos, external demo links, or calendar widgets may be embedded. When you access such content, personal data may be transmitted to the respective providers. Where technically possible, we use data-minimizing embeds and load analytics or marketing functions only after your consent.

Cookies, Local Storage, and Tracking

We use technically necessary cookies and local storage to provide the website and to store your cookie decision. We use analytics and marketing technologies only if you have given your consent.

  • Technically necessary storage: § 25(2) TDDDG; where personal data is processed, Art. 6(1)(f) GDPR or Art. 6(1)(b) GDPR.
  • Analytics and marketing: § 25(1) TDDDG and Art. 6(1)(a) GDPR. You can withdraw your consent at any time with effect for the future.
  • Consent storage: Your selection is stored locally in your browser under the key cookie-consent.

In particular, we use Google Tag Manager, Google Analytics 4, and Google Ads for reach and campaign measurement. On autaxo.studio we use the GTM container GTM-57SSM83F and GA4 G-7HKD127H0Q. The provider is Google Ireland Ltd. or Google LLC.

You can change your cookie banner decision by deleting the website’s local storage in your browser or by resetting your cookie consent on the website, where a corresponding button is displayed.

Use of the Autaxo Studio Platform

Roles and Responsibilities

We process account, contract, billing, support, security, and usage data of our customers and authorized users as an independent controller. Content that customers upload or generate in Autaxo Studio, in particular vehicle images, license plates, interior shots, reflections, file names, metadata, and export data, we generally process as a processor under the DPA.

The customer remains the controller responsible for the lawfulness of the uploaded content, in particular where images contain identifiable persons, license plates, location data, documents, or other personal information.

Data Categories

  • Customer and contract data: name, company, address, email address, phone number, VAT ID, plan, Credits, contract status, and billing data.
  • User data: names, email addresses, roles, permissions, login and security events.
  • Image and content data: raw images, edited images, license plates, vehicle data, image metadata, prompts, output files, and export information.
  • Usage and diagnostic data: API calls, timestamps, error logs, browser/device information, and security events.
  • Integration data: tokens, status information, platform IDs, and content, where optional interfaces are activated.
  • Provision of AI image processing, showroom generation, license plate blurring, exports, and platform functions: Art. 6(1)(b) GDPR or Art. 28 GDPR on behalf of the customer.
  • Contract management, billing, credit management, and support: Art. 6(1)(b) GDPR.
  • Compliance with legal obligations, in particular commercial and tax law retention requirements: Art. 6(1)(c) GDPR.
  • Error analysis, security, abuse prevention, product improvement, and capacity planning: Art. 6(1)(f) GDPR.

AI Image Processing

For AI-powered functions, Google Gemini / Vertex AI and specialized providers such as fal.ai may be used, depending on the workflow. Only the images, prompts, metadata, and outputs required for the respective function are processed.

We do not use customer images to train public AI models. Any use for training or model optimization purposes takes place only in anonymized or aggregated form, or with the customer’s prior express consent, to the extent legally permissible.

Recipients, Processors, and Subprocessors

We share personal data only where this is necessary to provide our services, where a legal obligation exists, where a legitimate interest applies, or where you have given your consent. We conclude agreements with processors in accordance with Art. 28 GDPR. The list of subprocessors that is contractually binding for customers is the annex to the DPA.

Our key service providers include in particular:

  • Google Cloud EMEA Ltd. / Google Cloud: hosting, Firebase, Cloud Functions, storage, logging, monitoring, and, where applicable, Vertex AI/Gemini.
  • Google Ireland Ltd. / Google Workspace: email, calendar, office, and support communication.
  • Sinch / Mailjet: transactional email delivery and form forwarding.
  • fal.ai: AI-powered image and media processing, where the corresponding functions are used.
  • Aurinko / Yoxel, Inc.: optional connection to email, calendar, contact, or task APIs, in particular Google and Microsoft.
  • ZERNIO SOFTWARE SL: optional social media, posting, and API integrations.
  • Formspree: form processing only where individual forms or legacy systems still technically run via Formspree.

Payment Providers

We use external payment providers for payments. They generally process payment data as independent controllers or under their own regulatory responsibility. We do not receive complete credit card or account credentials, but rather payment status, invoice, and contract information.

  • Stripe: Stripe Payments Europe, Ltd., Dublin, Ireland.
  • PayPal: PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg.

The legal basis is Art. 6(1)(b) GDPR for payment processing and Art. 6(1)(f) GDPR for fraud prevention, receivables management, and proof of payment, where applicable.

Optional Interfaces

If you activate interfaces, data may be transmitted to third-party providers or platforms at your instruction. This may include in particular mobile.de, AutoScout24, Google/Microsoft email and calendar services via Aurinko, and social media or posting integrations via Zernio. The respective target providers are generally responsible for their own further processing.

Third-Country Transfers

We prefer European providers and European storage locations where this is technically and economically feasible. With internationally operating service providers, support cases, security analyses, AI functions, or activated interfaces, data may be transferred to or processed from countries outside the EU/EEA.

  • EU-US Data Privacy Framework: For certified US providers, the adequacy decision may serve as the basis for the transfer.
  • Standard contractual clauses: Where required, we use EU standard contractual clauses and additional safeguards.
  • Your instruction: With optional integrations, a transfer may also occur because you activate a third-party provider or actively export data.

Retention Period

We store personal data only as long as necessary for the respective purpose.

  • Contact inquiries: until final processing and thereafter in accordance with statutory retention or limitation periods.
  • Contract and billing data: for the duration of the contract and beyond within the scope of statutory retention obligations, in particular under the German Commercial Code (HGB) and the German Fiscal Code (AO), generally up to 10 years.
  • Raw and output images: in accordance with the DPA, the contract, and the customer’s instructions; after the end of the contract, generally deletion or return within the agreed periods, unless legal obligations require otherwise.
  • Logs and security data: as long as required for security, error analysis, abuse prevention, and traceability.

Your Rights

Subject to the statutory requirements, you have the following rights:

  • Access under Art. 15 GDPR
  • Rectification under Art. 16 GDPR
  • Erasure under Art. 17 GDPR
  • Restriction of processing under Art. 18 GDPR
  • Data portability under Art. 20 GDPR
  • Objection to processing based on Art. 6(1)(e) or (f) GDPR under Art. 21 GDPR
  • Withdrawal of consent given, with effect for the future, under Art. 7(3) GDPR

To exercise your rights, an email to datenschutz@autaxo.de is sufficient.

You also have the right to lodge a complaint with a data protection supervisory authority, in particular with the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen), the authority responsible for us.

Automated decision-making, including profiling within the meaning of Art. 22 GDPR, does not take place.

Data Security

We implement technical and organizational measures under Art. 32 GDPR to protect personal data against loss, manipulation, unauthorized access, and other risks. These include in particular TLS encryption, role-based access controls, admin access with MFA, logging, backup and recovery concepts, authorization concepts, service provider reviews, and contractual confidentiality obligations.

Changes to This Privacy Policy

We update this privacy policy when the legal situation, providers, functions, or processing operations change. The current version is always available on this page.

Last updated: July 2, 2026 (Version 1.1, Autaxo Studio)