Privacy Policy

Last updated: 24 April 2026

This privacy policy is a courtesy translation of the legally binding German version available at /de/privacy. In case of discrepancies, the German version prevails.

1. Data Controller

The data controller responsible for the processing of personal data on this website within the meaning of the GDPR is:

Balane GmbH
Balanstraße 84
81541 Munich
Germany

Email: contact@balane.tech
Managing Director: Jonas David Höttler

2. Data Protection Officer

We have not appointed a data protection officer, as the statutory requirements under Art. 37 GDPR in conjunction with § 38 BDSG (German Federal Data Protection Act) do not apply to us. For any data protection matters, please contact us directly at contact@balane.tech.

3. General Information

The following notes provide an overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you (Art. 4 No. 1 GDPR).

SSL/TLS encryption

For security reasons and to protect the transmission of confidential content, this website uses SSL/TLS encryption. You can recognise an encrypted connection by the lock icon in your browser bar and by the address bar starting with „https://".

Web fonts

This website uses the „Geist Sans" and „Geist Mono" fonts provided by Vercel. The font files are embedded once at build time and subsequently served exclusively from the server of our hosting provider (see section 4, self-hosting). When you visit this website, no connection to Google servers is made and your IP address is not transmitted to Google LLC.

Automated decision-making

Automated decision-making, including profiling, within the meaning of Art. 22 GDPR does not take place.

4. Hosting & Server Logs (Vercel)

Hosting provider

Vercel Inc.
440 N Barranca Ave #4133
Covina, CA 91723
USA

Nature and scope of processing

When you visit this website, the hosting provider automatically stores technical information in server log files:

• IP address of the requesting device
• Date and time of access
• Name and URL of the retrieved file
• Website from which access was made (referrer URL)
• Browser and, where applicable, operating system used

Purpose of processing

Processing takes place for the technical provision of the website, to ensure system security and to optimise our online offering.

Legal basis

Art. 6 (1) (f) GDPR (legitimate interest). Our legitimate interest lies in the proper functioning, security and availability of our website.

Storage period

Log data are deleted as soon as they are no longer required to achieve the purpose for which they were collected, typically after 7 to 30 days.

Third-country transfer (USA)

Vercel Inc. is based in the USA and operates servers worldwide, including outside the EU. Data transfer to the USA takes place on the basis of Art. 45 (3) GDPR in conjunction with the adequacy decision of the European Commission of 10 July 2023 concerning the EU-US Data Privacy Framework (DPF), under which Vercel Inc. is certified. In addition, we have concluded a data processing agreement with Vercel pursuant to Art. 28 GDPR, including the EU Standard Contractual Clauses as an additional safeguard. Official access on the basis of US surveillance laws (e.g., FISA 702, CLOUD Act) cannot be technically fully excluded.

Further information

Vercel Privacy Policy · DPF certification list

5. Reach Measurement (Umami)

This website uses Umami, a privacy-friendly open-source web analytics software that we operate on our own instance.

Nature and scope of processing

Umami collects the following data on each page view:

• Truncated or hashed IP address (not stored permanently in clear text)
• Anonymised device and browser information
• Page viewed, referrer, timestamp
• Approximate location at country level (no geo-tracking)

Umami does not set any cookies and does not access information on your device within the meaning of § 25 (1) TDDDG (no access to local/session storage, no fingerprinting). A hash is generated server-side from the IP and user agent on a daily basis, used only to distinguish returning visitors within one day and then discarded.

Purpose of processing

Reach measurement, analysis of user behaviour on an aggregated basis, and optimisation of our online offering.

Legal basis

Since no access to device information within the meaning of § 25 (1) TDDDG takes place, no consent is required. The remaining processing of the hashed IP address is based on Art. 6 (1) (f) GDPR. Our legitimate interest lies in data-minimising reach measurement and quality assurance of our online offering.

Hosting / third-country transfer

Our Umami instance is operated on the infrastructure of Railway Corp., 2261 Market Street #4059, San Francisco, CA 94114, USA. The servers are located in a region within the European Union (Amsterdam, Netherlands). Railway Corp. nevertheless remains a US company as the provider of the infrastructure; the transfer to Railway Corp. therefore constitutes a third-country transfer within the meaning of Art. 44 GDPR. We have concluded a data processing agreement with Railway Corp. pursuant to Art. 28 GDPR, including the EU Standard Contractual Clauses as an additional safeguard (Art. 46 (2) (c) GDPR). Official access under US law (CLOUD Act, FISA 702) cannot be fully excluded; as a supplementary technical safeguard, IP addresses are hashed server-side and not stored in clear text.

Storage period

Aggregated usage statistics are retained for 24 months and then deleted. Pseudonymous individual records are not stored for longer than 30 days.

6. Session Recording (OpenReplay)

In addition to aggregated reach measurement, we use OpenReplay, an open-source software for pseudonymous recording of individual sessions on this website. We self-host OpenReplay; no transfer to the vendor or any other third party takes place.

Nature and scope of processing

Per session, the following data is collected:

• Mouse, scroll and click events as well as URLs visited within our website
• Viewport size, user agent and technical errors (JavaScript exceptions)
• IP address (pseudonymised server-side by OpenReplay)

Recording uses aggressive masking: all input fields as well as automatically detected email addresses, phone numbers and other numeric sequences are masked before being transmitted to our OpenReplay server and are not transmitted in clear text. Iframes are not recorded, nor are request/response bodies of network calls. If your browser sends the Do-Not-Track header, no recording takes place regardless of any consent.

Purpose of processing

Analysis of usability barriers and error situations, improvement of the usability and technical quality of this website.

Legal basis

Because OpenReplay accesses information on your device (in particular Local Storage for session attribution) in order to reproduce a session, recording requires consent under § 25 (1) TDDDG. Processing of the resulting data is based on your consent pursuant to Art. 6 (1) (a) GDPR. You can withdraw your consent at any time with effect for the future; the lawfulness of processing carried out up to the withdrawal remains unaffected.

Withdrawal / opt-out

You can change your decision at any time by deleting the localStorage entry balane.consent.replay in your browser — the consent prompt will then reappear on the next page view. Alternatively, enable the Do-Not-Track header in your browser; in that case no recording takes place even with granted consent.

Hosting / third-country transfer

Our OpenReplay instance runs on infrastructure of Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. The servers are located in a data centre in Nuremberg, Germany. No transfer to a third country takes place. We have concluded a data processing agreement with Hetzner pursuant to Art. 28 GDPR.

Storage period

Session recordings are automatically deleted after 30 days at the latest. Aggregated evaluations (e.g. heatmaps, error statistics) may be retained for up to 12 months.

7. Theme Preference (Local Storage)

This website stores your selection between light and dark colour scheme in a localStorage entry of your browser (key: theme). The storage takes place exclusively locally on your device; no transfer to us or third parties takes place.

Legal basis: § 25 (2) No. 2 TDDDG (strictly necessary to provide the service explicitly requested by you). You can delete the entry at any time via your browser settings.

8. Contact by Email

If you contact us by email, the data you provide (email address, name if applicable, subject, message content) is stored by us in order to process your request. This website itself does not collect data via forms — communication takes place exclusively by clicking mailto: links that open your local email client.

Legal basis

For enquiries relating to a (potential) contract: Art. 6 (1) (b) GDPR (performance of pre-contractual measures / contract performance). For other enquiries: Art. 6 (1) (f) GDPR (legitimate interest in responding).

Obligation to provide data

Providing your data is neither required by law nor by contract. However, without valid contact information we cannot respond to your request.

Email service provider

Our email traffic is handled by IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. Email processing takes place on servers in Germany; there is no transfer to a third country. We have concluded a data processing agreement with IONOS pursuant to Art. 28 GDPR.

Storage period

The data are deleted as soon as your request has been processed and no statutory retention obligations (in particular § 257 HGB, § 147 AO) apply. Enquiries that do not develop into a business relationship are deleted no later than 12 months after the last contact.

9. External Links to App Stores and Third Parties

The product pages of this website contain links to external platforms such as the Apple App Store, the Odoo App Store and product websites of individual apps. When you click such a link you leave balane.app and the privacy provisions of the respective provider apply. We have no influence on their data processing and accept no responsibility for it.

10. Recipient Overview

We transfer your personal data only to the following categories of recipients, each acting as a data processor pursuant to Art. 28 GDPR:

• Vercel Inc. (USA) – Website hosting
• Railway Corp. (USA, servers in Amsterdam/EU) – Hosting of the Umami analytics instance
• Hetzner Online GmbH (Germany, servers in Nuremberg) – Hosting of the OpenReplay instance
• IONOS SE (Germany) – Email services

No further transfer to third parties (e.g., for advertising purposes) takes place.

11. Data Backups

To ensure data security and recoverability, we create regular backups of the Umami instance. Backups are stored encrypted and overwritten on a rolling basis no later than after 30 days. Legal basis: Art. 6 (1) (f) GDPR in conjunction with Art. 32 GDPR (security of processing).

12. Your Rights as a Data Subject

You have the following rights with regard to your personal data. You can assert all rights informally by email to contact@balane.tech.

Right of access (Art. 15 GDPR)

You have the right to obtain information about the personal data we process about you.

Right to rectification (Art. 16 GDPR)

You have the right to request the rectification of inaccurate data or the completion of your stored data without undue delay.

Right to erasure (Art. 17 GDPR)

You have the right to request the deletion of the data we have stored about you, unless processing is required for exercising the right of freedom of expression and information, for compliance with legal obligations, for reasons of public interest, or for the establishment, exercise or defence of legal claims.

Right to restriction of processing (Art. 18 GDPR)

You have the right to request the restriction of the processing of your personal data.

Right to data portability (Art. 20 GDPR)

You have the right to receive your data in a structured, commonly used and machine-readable format, or to request the transfer to another data controller.

Right to withdraw consent (Art. 7 (3) GDPR)

If processing is based on your consent, you may withdraw it at any time with effect for the future. The lawfulness of processing carried out until the withdrawal remains unaffected.

Right to lodge a complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority, particularly in the Member State of your habitual residence, place of work or place of the alleged infringement (see section 13).

13. Right to Object under Art. 21 GDPR

You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you that is carried out on the basis of Art. 6 (1) (f) GDPR (legitimate interest).

If you object, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

Contact for objection: contact@balane.tech

14. Competent Supervisory Authority

The competent data protection supervisory authority for us is:

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
Germany

Telephone: +49 (0) 981 180093-0
Email: poststelle@lda.bayern.de
Website: www.lda.bayern.de

15. Changes to this Privacy Policy

We reserve the right to amend this privacy policy so that it always complies with the current legal requirements or to reflect changes to our services in the privacy policy. The version currently available when visiting the website applies. Version date: 24 April 2026.