Privacy Policy
Last updated: March 4, 2026
1. An overview of data protection
General information
The following information will provide you with an easy to navigate overview of what will happen with your personal data when you visit this website. The term “personal data” comprises all data that can be used to personally identify you. For detailed information about the subject matter of data protection, please consult our Data Protection Declaration, which we have included beneath this copy.
Data recording on this website
Who is the responsible party for the recording of data on this website (i.e., the “controller”)?
The data on this website is processed by the operator of the website, whose contact information is available under section “Information about the responsible party (referred to as the ‘controller’ in the GDPR)” in this Privacy Policy.
How do we record your data?
We collect your data as a result of your sharing of your data with us. This may, for instance be information you enter into our contact form.
Other data shall be recorded by our IT systems automatically or after you consent to its recording during your website visit. This data comprises primarily technical information (e.g., web browser, operating system, or time the site was accessed). This information is recorded automatically when you access this website.
What are the purposes we use your data for?
A portion of the information is generated to guarantee the error free provision of the website. Other data may be used to analyze your user patterns.
What rights do you have as far as your information is concerned?
You have the right to receive information about the source, recipients, and purposes of your archived personal data at any time without having to pay a fee for such disclosures. You also have the right to demand that your data are rectified or eradicated. If you have consented to data processing, you have the option to revoke this consent at any time, which shall affect all future data processing. Moreover, you have the right to demand that the processing of your data be restricted under certain circumstances. Furthermore, you have the right to log a complaint with the competent supervising agency.
Please do not hesitate to contact us at any time if you have questions about this or any other data protection related issues.
Analysis tools and tools provided by third parties
There is a possibility that your browsing patterns will be statistically analyzed when you visit this website. Such analyses are performed primarily with what we refer to as analysis programs.
For detailed information about these analysis programs please consult our Data Protection Declaration below.
2. Hosting
We are hosting the content of our website using the following providers:
Lovable (Deployment and Hosting)
This website is deployed and hosted via Lovable (Lovable AB, Stockholm, Sweden). When you visit our website, your browser establishes a connection to Lovable’s infrastructure. In the course of this, your IP address and other technical data (e.g., browser type, operating system, referring URL) may be processed.
Lovable is used on the basis of Art. 6(1)(f) GDPR. We have a legitimate interest in a reliable and performant presentation of our website. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25(1) TDDDG, insofar the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TDDDG. This consent can be revoked at any time.
Supabase (Database and Backend)
We use Supabase (Supabase, Inc., San Francisco, CA, USA) for our database, authentication, and backend services. Supabase infrastructure runs on Amazon Web Services (AWS) in the EU region (Frankfurt, Germany). Your personal data processed through our website’s backend (e.g., form submissions, chatbot sessions) is stored on these EU-based servers.
Supabase is used on the basis of Art. 6(1)(f) GDPR. We have a legitimate interest in using a reliable and scalable backend infrastructure. Data transfers to Supabase, Inc. in the United States are covered by the EU–US Data Privacy Framework (DPF), under which Supabase is certified.
Data processing
We have concluded data processing agreements (DPA) with our hosting providers. These are contracts mandated by data privacy laws that guarantee that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.
3. General information and mandatory information
Data protection
The operators of this website and its pages take the protection of your personal data very seriously. Hence, we handle your personal data as confidential information and in compliance with the statutory data protection regulations and this Data Protection Declaration.
Whenever you use this website, a variety of personal information will be collected. Personal data comprises data that can be used to personally identify you. This Data Protection Declaration explains which data we collect as well as the purposes we use this data for. It also explains how, and for which purpose the information is collected.
We herewith advise you that the transmission of data via the Internet (i.e., through email communications) may be prone to security gaps. It is not possible to completely protect data against third-party access.
Information about the responsible party (referred to as the “controller” in the GDPR)
The data processing controller on this website is:
Octily GmbH
Randolfstraße 18
12524 Berlin
Germany
Managing Director: Robert Bucher
Email: octily@octily.com
The controller is the natural person or legal entity that single-handedly or jointly with others makes decisions as to the purposes of and resources for the processing of personal data (e.g., names, email addresses, etc.).
Storage duration
Unless a more specific storage period has been specified in this privacy policy, your personal data will remain with us until the purpose for which it was collected no longer applies. If you assert a justified request for deletion or revoke your consent to data processing, your data will be deleted, unless we have other legally permissible reasons for storing your personal data (e.g., tax or commercial law retention periods); in the latter case, the deletion will take place after these reasons cease to apply.
Revocation of your consent to the processing of data
A wide range of data processing transactions are possible only subject to your express consent. You can also revoke at any time any consent you have already given us. This shall be without prejudice to the lawfulness of any data collection that occurred prior to your revocation. To revoke consent for cookies, use the “Cookie Settings” link in the footer. To unsubscribe from the newsletter, use the unsubscribe link in any newsletter email. For all other cases, contact us at octily@octily.com.
Right of access (Art. 15 GDPR)
You have the right to obtain confirmation as to whether personal data concerning you is being processed. Where that is the case, you have the right to access the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the data have been or will be disclosed; the envisaged period for which the data will be stored; the existence of the right to request rectification or erasure or restriction of processing; the right to lodge a complaint with a supervisory authority; and any available information about the source of the data. You also have the right to be informed of any appropriate safeguards relating to the transfer of your data to a third country. You may request a copy of your personal data undergoing processing. Please contact us at octily@octily.com.
Right to erasure (Art. 17 GDPR)
You have the right to demand the erasure of your personal data without undue delay. We are obligated to erase your data without undue delay if one of the following grounds applies: the data are no longer necessary for the purposes for which they were collected; you withdraw consent and there is no other legal basis for the processing; you object to the processing under Art. 21 GDPR and there are no overriding legitimate grounds; the data have been unlawfully processed. This right does not apply if the processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defense of legal claims, or for reasons of public interest.
Right to restriction of processing (Art. 18 GDPR)
You have the right to demand the restriction of the processing of your personal data. You can request restriction in the following cases: if you contest the accuracy of your data, for a period enabling us to verify the accuracy; if the processing is unlawful and you oppose erasure and request restriction instead; if we no longer need the data for the purposes of processing but you require them for the establishment, exercise, or defense of legal claims; if you have lodged an objection pursuant to Art. 21(1) GDPR pending verification of whether our legitimate grounds override yours.
Automated decision-making
We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.
Right to object to the collection of data in special cases; right to object to direct advertising (Art. 21 GDPR)
IN THE EVENT THAT DATA ARE PROCESSED ON THE BASIS OF ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT TO AT ANY TIME OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA BASED ON GROUNDS ARISING FROM YOUR UNIQUE SITUATION. THIS ALSO APPLIES TO ANY PROFILING BASED ON THESE PROVISIONS. IF YOU LOG AN OBJECTION, WE WILL NO LONGER PROCESS YOUR AFFECTED PERSONAL DATA, UNLESS WE ARE IN A POSITION TO PRESENT COMPELLING PROTECTION WORTHY GROUNDS FOR THE PROCESSING OF YOUR DATA, THAT OUTWEIGH YOUR INTERESTS, RIGHTS AND FREEDOMS OR IF THE PURPOSE OF THE PROCESSING IS THE CLAIMING, EXERCISING OR DEFENCE OF LEGAL ENTITLEMENTS (OBJECTION PURSUANT TO ART. 21(1) GDPR).
IF YOUR PERSONAL DATA IS BEING PROCESSED IN ORDER TO ENGAGE IN DIRECT ADVERTISING, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR AFFECTED PERSONAL DATA FOR THE PURPOSES OF SUCH ADVERTISING AT ANY TIME. THIS ALSO APPLIES TO PROFILING TO THE EXTENT THAT IT IS AFFILIATED WITH SUCH DIRECT ADVERTISING. IF YOU OBJECT, YOUR PERSONAL DATA WILL SUBSEQUENTLY NO LONGER BE USED FOR DIRECT ADVERTISING PURPOSES (OBJECTION PURSUANT TO ART. 21(2) GDPR).
Right to log a complaint with the competent supervisory agency
In the event of violations of the GDPR, data subjects are entitled to log a complaint with a supervisory agency, in particular in the member state where they usually maintain their domicile, place of work or at the place where the alleged violation occurred. The right to log a complaint is in effect regardless of any other administrative or court proceedings available as legal recourses.
Right to data portability
You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you should demand the direct transfer of the data to another controller, this will be done only if it is technically feasible.
SSL and/or TLS encryption
For security reasons and to protect the transmission of confidential content, such as inquiries you submit to us as the website operator, this website uses either an SSL or a TLS encryption program. You can recognize an encrypted connection by checking whether the address line of the browser switches from “http://” to “https://” and also by the appearance of the lock icon in the browser line.
If the SSL or TLS encryption is activated, data you transmit to us cannot be read by third parties.
4. Recording of data on this website
Cookies and local storage
Our website uses cookies set by third-party services (e.g., Google Analytics) and browser local storage for site preferences. Cookies are small data packages stored on your device. Local storage serves a similar purpose but is managed by your browser rather than sent with every request.
We use these technologies for the following purposes:
- Storing your cookie consent preferences
- Remembering your language and theme settings
- Maintaining your anonymous chatbot session
- Web analytics (only with your consent)
Technically necessary storage (e.g., consent preferences, language settings) is based on Art. 6(1)(f) GDPR. Analytics cookies require your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TDDDG. You may revoke or adjust your cookie consent at any time via the “Cookie Settings” link in the footer of our website.
Cookie categories and specific technologies
Our cookie consent banner groups cookies and similar technologies into three categories:
- Necessary –
octily-cookie-consent(localStorage, 365 days, Octily): stores your consent preferences.octily-language,octily-theme(localStorage, persistent, Octily): store your language and display theme.octily-chatbot-session(localStorage, session, Octily): maintains your anonymous chatbot session.octily-chat-privacy-ack(localStorage, persistent, Octily): remembers that you acknowledged the chatbot privacy notice. - Analytics –
_ga,_ga_*(cookies, up to 2 years, Google): Google Analytics tracking identifiers used to distinguish users and sessions. - Marketing –
_gcl_au(cookie, 90 days, Google): Google Ads conversion linker cookie for attributing ad conversions.
Server log files
The provider of this website and its pages automatically collects and stores information in so-called server log files, which your browser communicates to us automatically. The information comprises:
- The type and version of browser used
- The used operating system
- Referrer URL
- The hostname of the accessing computer
- The time of the server inquiry
- The IP address
This data is not merged with other data sources.
This data is recorded on the basis of Art. 6(1)(f) GDPR. The operator of the website has a legitimate interest in the technically error free depiction and the optimization of the operator’s website. In order to achieve this, server log files must be recorded.
Get in Touch form
If you submit inquiries to us via our “Get in Touch” form, the information provided in the form as well as any contact information provided therein will be stored by us in order to handle your inquiry and in the event that we have further questions. Your IP address is logged for anti-spam purposes. We will not share this information without your consent.
The processing of these data is based on Art. 6(1)(b) GDPR, if your request is related to the execution of a contract or if it is necessary to carry out pre-contractual measures. In all other cases the processing is based on our legitimate interest in the effective processing of the requests addressed to us (Art. 6(1)(f) GDPR) or on your agreement (Art. 6(1)(a) GDPR) if this has been requested; the consent can be revoked at any time.
Contact form submissions are automatically deleted after two years. IP addresses stored with the submission are deleted along with it.
Workflow automation (Make.com) and data management (Notion)
Form submissions on our website are processed using Make.com (Celonis SE, Theresienstraße 6, 80333 Munich, Germany), a workflow automation platform. Make.com receives form data to route it to the appropriate internal systems.
The data is subsequently stored and managed in Notion (Notion Labs, Inc., 2300 Harrison Street, San Francisco, CA 94110, USA). Notion serves as our internal workspace for organizing inquiries and follow-up communication.
The legal basis for this processing is Art. 6(1)(f) GDPR (legitimate interest in efficient business operations and organized handling of inquiries). Data transfers to Notion Labs, Inc. in the United States are covered by the EU–US Data Privacy Framework (DPF), under which Notion is certified.
We have concluded data processing agreements (DPA) with both Make.com and Notion.
Newsletter (Mailchimp)
Our website offers a newsletter subscription. If you subscribe to our newsletter, your email address will be transmitted to and stored by Mailchimp, a service of Intuit Inc., 2700 Coast Avenue, Mountain View, CA 94043, USA.
Mailchimp is used to manage our newsletter subscriber list and to send newsletters. When you subscribe, Mailchimp stores your email address and the date and time of your subscription.
The legal basis is Art. 6(1)(a) GDPR (consent). You can revoke your consent at any time by unsubscribing from the newsletter via the unsubscribe link contained in every newsletter email, or by contacting us directly.
Data transfers to Intuit Inc. in the United States are covered by the EU–US Data Privacy Framework (DPF), under which Intuit is certified. We have concluded a data processing agreement (DPA) with Mailchimp. For more information, see the Mailchimp Privacy Policy.
Book with me (Microsoft Bookings)
Our website gives you the option to schedule appointments with us. We use Microsoft Bookings to book these appointments. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.
To book an appointment, enter the requested data and the desired date in the form provided. The data entered will be used for planning, conducting and, if necessary, for the follow-up of the appointment. The appointment data will be stored for us on the servers of Microsoft Bookings.
The legal basis for the processing of the data is Art. 6(1)(f) GDPR. The operator of the website has a legitimate interest in ensuring that appointments with customers and prospective customers can be scheduled as easily as possible.
Chatbot (Auto Mate)
Our website features an AI-powered chatbot (“Auto Mate”) that allows you to ask questions about our services. In accordance with Art. 50(1) of the EU AI Act (Regulation (EU) 2024/1689), we inform you that Auto Mate is an artificial intelligence system. The chatbot is only active after you choose to open it. No data is collected before you interact with the chatbot.
When you open the chatbot, an anonymous session is created using a randomly generated identifier (UUID) stored in your browser’s localStorage. Your IP address is recorded alongside your chat messages for the purpose of preventing abuse and enforcing daily usage limits. No device fingerprints or user agent strings are collected. While the chatbot is open, we record the pages you visit on our website along with an approximate scroll position. This data helps us provide contextually relevant answers during your conversation.
Your chat messages are processed by Anthropic, PBC (San Francisco, CA, USA) to generate AI responses. Anthropic processes the data as a sub-processor under a data processing agreement and does not use your messages to train its models. The transfer of data to Anthropic in the USA is safeguarded by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. The chat messages, page visits, and session data are stored on Supabase servers (AWS, EU region). The legal basis for this processing is Art. 6(1)(f) GDPR (legitimate interest in providing helpful customer support through the chatbot). AI-generated responses may be inaccurate; please verify important information independently.
IP addresses stored in connection with chatbot messages are automatically purged after 24 hours. Chat sessions inactive for more than 90 days are automatically deleted.
To delete your chatbot data, clear your browser’s localStorage for this website or contact us at octily@octily.com.
5. Analysis tools
Google Analytics
This website uses functions of the web analysis service Google Analytics. The provider of this service is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics enables the website operator to analyze the behavior patterns of website visitors. To that end, the website operator receives a variety of user data, such as pages accessed, time spent on the page, the utilized operating system and the user’s origin.
Google Analytics is only loaded after you have given your consent via our cookie consent banner. The use of these services occurs on the basis of your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TDDDG. You may revoke your consent at any time via the “Cookie Settings” link in the footer.
The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF).
Google Ads (Conversion Tracking)
This website uses Google Ads conversion tracking. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
With Google Ads conversion tracking, Google and we are able to recognize whether the user has completed certain actions on our website after clicking on a Google ad. This helps us measure the effectiveness of our advertising campaigns.
Google Ads conversion tracking uses cookies. The conversion tracking cookie is set when a user clicks on a Google ad. It is only activated after you have given your consent via our cookie consent banner. The use occurs on the basis of your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TDDDG. You may revoke your consent at any time via the “Cookie Settings” link in the footer of our website.
The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF).
6. Plug-ins and tools
YouTube with expanded data protection integration
This website integrates videos from the YouTube website. The operator of the website is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
We use YouTube in extended data protection mode. According to YouTube, videos that are played in extended data protection mode are not used to personalize browsing on YouTube.
The use of YouTube is based on our interest in presenting our online content in an appealing manner. Pursuant to Art. 6(1)(f) GDPR, this is a legitimate interest.
Google Fonts (local embedding)
This website uses so-called Google Fonts provided by Google to ensure the uniform use of fonts on this site. These Google fonts are locally installed so that a connection to Google’s servers will not be established in conjunction with this application.
7. Online-based audio and video conferences
Microsoft Teams
We use Microsoft Teams for video conferences with customers and prospective customers. The provider is the Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. For details on data processing, please refer to the Microsoft Teams privacy policy: https://privacy.microsoft.com/en-us/privacystatement
The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF).
8. Handling applicant data
We offer website visitors the opportunity to submit job applications to us (e.g., via email or postal services). We assure you that the collection, processing, and use of your data will occur in compliance with the applicable data privacy rights and all other statutory provisions and that your data will always be treated as strictly confidential.
If you submit a job application to us, we will process any affiliated personal data (e.g., contact and communications data, application documents, notes taken during job interviews, etc.), if they are required to make a decision concerning the establishment or an employment relationship. The legal grounds for the aforementioned are § 26 BDSG according to German Law, Art. 6(1)(b) GDPR (General Contract Negotiations) and – provided you have given us your consent – Art. 6(1)(a) GDPR.
If we are unable to make you a job offer or you reject a job offer or withdraw your application, we reserve the right to retain the data you have submitted on the basis of our legitimate interests (Art. 6(1)(f) GDPR) for up to 6 months from the end of the application procedure.