B2B Privacy Notice

The controller is Alexander Göcke, Gartenexpedition, Fellackerstr. 4a, 47495 Rheinberg, Germany.

Email: hallo@gartenexpedition.de

During registration, trial, checkout, support, or contract management, we process company name, legal form where provided, business email address, contact person, domain, plan/tier, billing and payment status, Stripe customer IDs, and contract-related communications.

The legal basis is Art. 6(1)(b) GDPR for pre-contractual and contractual measures, and Art. 6(1)(f) GDPR for secure administration, abuse prevention, and proof of compliance.

For the Widget we process API key prefixes and hashes, licence status, plan, permitted domains, primary domain, species quotas, rate limits, Stripe subscription IDs, and usage data. Plaintext API keys are not stored permanently; lookups are performed via SHA-256 hashes.

On widget requests we log the licence, the requested plant slug, cache status, timestamp, and an IP hash where technically necessary. This data is used for quota calculation, abuse protection, error analysis, and contract fulfilment.

For ESG we process company data, user account assignment, property names, approximate location data such as federal state or postal code prefix, area figures, sealing ratios, information on pesticide/peat use, plant lists, habitat modules, notes, score snapshots, certification status, and public certification slugs.

The customer decides which properties and details to enter and whether to use public certification pages. Exact addresses should only be entered where necessary for the respective purpose.

Payments and subscription management may be handled via Stripe. Billing processes may be supported by Billbee, Cloudflare R2 storage, and Brevo email delivery. Depending on the transaction, business contact data, payment status, invoice data, and email metadata may be processed.

Legal bases are Art. 6(1)(b) GDPR (contract), Art. 6(1)(c) GDPR (statutory retention obligations), and Art. 6(1)(f) GDPR (secure delivery and proof of compliance).

Technical infrastructure is provided primarily by Vercel, Supabase, Cloudflare R2, Upstash, Stripe, Billbee, and Brevo. Where providers are based outside the EU, transfers are based on appropriate safeguards such as the EU–U.S. Data Privacy Framework, standard contractual clauses, or comparable contractual protections.

Security measures include HTTPS, Row Level Security, API key hashing, rate limiting, audit logs, access controls, and regular technical reviews.

• Company and contract data: for the duration of the contract and applicable statutory retention periods.
• Widget usage logs: as long as required for quota, security, billing, and error analysis.
• ESG property data and score snapshots: until deletion by the customer or end of contract, unless retention obligations apply.
• Support and communication data: until final resolution plus an appropriate evidence retention period.

Data subjects have rights under the GDPR including access, rectification, erasure, restriction of processing, data portability, objection, and the right to lodge a complaint with a supervisory authority. Please direct requests to hallo@gartenexpedition.de.

Where Naturkompass processes personal data on behalf of a B2B customer, we will provide a data processing agreement (DPA) upon request or agree on a suitable arrangement individually. The specific need depends on what data the customer enters in ESG, widget integration, or support processes.