Privacy Policy
Preamble
With this Privacy Policy, we want to inform you about the types of personal data we process, for what purposes, and to what extent. This statement applies to all data processing carried out by us — whether within the scope of our services, on our website, or on external online presences such as our social media profiles.
Date: 25 May 2026
Controller
- Dmitry Dugarev
- Address: Mombacher Weg 26, 65936 Frankfurt am Main, Germany
- Email: [email protected]
- Imprint: fledgekit.com/impressum
Overview of processing
The following overview summarises the types of data processed, the purposes of their processing, and refers to the data subjects.
Types of processed data
- Contact data
- Content data
- Usage data
- Meta, communication, and procedural data
- Protocol data (log data)
Categories of data subjects
- Prospects and waitlist subscribers
- Communication partners
- Users
Purposes of processing
- Communication
- Direct marketing (newsletter / launch announcement)
- Reach measurement and web analytics
- Conversion measurement
- Target group formation
- Provision of our online offering and ensuring user-friendliness
- Operation of the information technology infrastructure
- Security measures
Relevant legal bases
Relevant Legal Bases according to the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the GDPR regulations, national data protection requirements in your or our country of residence or establishment may also apply.
- Consent (Art. 6 para. 1 sentence 1 lit. a GDPR): You have given your consent to the processing of your personal data for one or more specific purposes.
- Legal Obligation (Art. 6 para. 1 sentence 1 lit. c GDPR): Processing is necessary for compliance with a legal obligation.
- Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f GDPR): Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your rights.
National Data Protection Regulations in Germany: In addition, specific regulations apply in Germany, namely the Federal Data Protection Act (BDSG) — particularly regarding access, deletion, objection, processing of special categories of personal data, as well as transmission and automated decision-making.
Security measures
In accordance with legal requirements — taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing — we take appropriate technical and organisational measures to ensure a level of security commensurate with the risk.
Important measures include:
- Ensuring the confidentiality, integrity, and availability of your data by controlling access and processing.
- Establishing procedures for exercising your data subject rights and for erasing or restricting processing.
- Considering data protection already when selecting hardware, software, and procedures through privacy-by-default settings.
Securing online connections: We use TLS/SSL encryption (HTTPS). A website protected by an SSL/TLS certificate displays "HTTPS" in the URL, signalling to you that your data is transmitted securely and encrypted.
Transfer of personal data
We may transmit or disclose your personal data to other bodies, companies, legally independent organisational units, or persons — for example, to IT service providers or providers of services and content that are integrated into our website. In doing so, we always comply with legal requirements and conclude corresponding contracts or agreements.
International data transfers
If we process or transfer your data in a third country (outside the EU/EEA), this will only take place in compliance with legal requirements. If the data protection level of a third country is recognised by an Adequacy Decision (Art. 45 GDPR), this serves as the basis. Otherwise, the data transfer only takes place if the data protection level is otherwise secured, for example, through Standard Contractual Clauses (Art. 46 para. 2 lit. c GDPR), explicit consent, or contractual/statutory requirements.
General information on data storage and deletion
We delete your personal data in accordance with statutory provisions as soon as the underlying consents are revoked or no further legal bases exist — this applies if the original processing purpose ceases to apply or the data is no longer required. Exceptions exist if legal obligations or special interests require longer retention.
Data that must be retained for commercial or tax reasons or for legal prosecution will be archived accordingly. Further information on specific retention periods can be found in the relevant sections below.
Rights of data subjects
According to the GDPR, you have the following rights as a data subject. To exercise any of these rights, write to [email protected]. We respond within 30 days.
- Right to Object (Art. 21): You can object at any time to the processing of your personal data based on Art. 6 para. 1 lit. e or f GDPR. In particular, you have the right to object to processing for direct marketing purposes.
- Right to Withdraw Consent (Art. 7(3)): You can withdraw your given consent at any time without affecting the lawfulness of prior processing.
- Right of Access (Art. 15): You have the right to know whether and what data of yours is being processed, as well as to receive a copy of this data.
- Right to Rectification (Art. 16): You can request the completion or correction of inaccurate data.
- Right to Erasure (Art. 17): You can request the erasure of your data in accordance with statutory provisions.
- Right to Restriction of Processing (Art. 18): You can request a restriction of processing in accordance with statutory provisions.
- Right to Data Portability (Art. 20): You have the right to receive your data in a structured, common, and machine-readable format or to request transmission to another controller.
- Right to Complain to a Supervisory Authority (Art. 77): You can lodge a complaint with a supervisory authority if you believe that the processing of your data violates the GDPR. For Germany, the relevant authority is the Hessischer Beauftragter für Datenschutz und Informationsfreiheit (HBDI), Gustav-Stresemann-Ring 1, 65189 Wiesbaden.
Waitlist & newsletter
We send a launch announcement email and occasional product updates (hereinafter "newsletter") only to subscribers who have explicitly consented at the point of signup.
Deletion and restriction of processing: Unsubscribed email addresses may be stored in a suppression list for up to three years to prove former consent and defend against potential claims. You can request deletion or object at any time.
Logging of the registration process: We document the registration process to prove proper procedure.
Content
In our newsletter we inform you about FledgeKit™'s product development, launch date, and early-access offer. We will not use this list for third-party promotions.
- Types of Data Processed: Contact data (email address), optional inventory data (name, company, team size), meta and procedural data.
- Data Subjects: Waitlist subscribers.
- Purposes of Processing: Direct marketing, launch communication.
- Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).
- Objection / Opt-Out: Every email contains an unsubscribe link, or contact us at [email protected].
Measurement of open and click rates
Our newsletters may contain tracking pixels that record technical data (e.g., browser, operating system, approximate location, time) when opened, to optimise newsletter performance. This data is only stored with your consent.
- Legal Bases: Consent.
MailerLite
We use MailerLite for sending newsletters and managing the waitlist.
- Service Provider: MailerLite Limited, 38 Mount Street Upper, Dublin 2, D02 PR89, Ireland
- Legal Bases: Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f GDPR)
- Website: mailerlite.com
- Privacy Policy: mailerlite.com/legal/privacy-policy
- Data Processing Agreement: mailerlite.com/legal/data-processing-agreement
- Transfer Basis: Data Privacy Framework (DPF) / Standard Contractual Clauses.
Provision of the online offering and web hosting
We process user data to provide our online services. This includes, in particular, the IP address, which is required to send content and functions to your browser or device.
- Types of Data Processed: Usage data, meta, communication, and procedural data, protocol data.
- Data Subjects: Users of our website.
- Purposes of Processing: Provision of the online offering, ensuring user-friendliness, operation of the IT infrastructure, security measures.
- Legal Bases: Legitimate Interests.
Collection of access data and log files
All accesses to our online offering are logged in server log files, which include, among others, IP addresses, access times, and browser information. This serves to protect against overload and misuse.
- Legal Bases: Legitimate Interests.
- Deletion: Log files are deleted or anonymised after a maximum of 30 days.
Hosting via Cloudflare Pages
Our website is provided via Cloudflare Pages, which offers a Content Delivery Network (CDN) and other security and optimisation services. Cloudflare may process connection metadata (IP address, request headers) as part of its CDN and DDoS-protection service.
- Legal Bases: Legitimate Interests.
- Service Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA
- Website: cloudflare.com
- Privacy Policy: cloudflare.com/privacypolicy
- Transfer Basis: Standard Contractual Clauses (Art. 46 para. 2 lit. c GDPR).
Use of cookies
Cookies are functions that store and read information on your devices. They serve, among other things, the functionality, security, and user-friendliness of our offerings, as well as the creation of visitor statistics. We use cookies in accordance with legal regulations. Where necessary, we obtain your consent via the cookie banner shown when you first visit this website.
Storage duration:
- Session cookies: Deleted as soon as you leave our offer or close your browser.
- Permanent cookies: Remain stored after the browser is closed (duration specified per service below).
Withdrawal and objection: You can withdraw your consent and change your cookie preferences at any time via the "Cookie settings" link in the footer of this website.
- Types of Data Processed: Meta, communication, and procedural data (e.g., IP addresses, time details, IDs).
- Data Subjects: Users of our website.
- Legal Bases: Consent (for non-essential cookies) or legitimate interests (for strictly necessary cookies).
Web analysis, monitoring, and optimisation
Our web analysis (also called "reach measurement") serves to evaluate the visitor flows of our online offering and to understand how users interact with key features. It collects pseudonymised data about the behaviour and interests of users so we can understand when and how our offer is used and where improvements are needed. In addition to page-level traffic data, we also capture product events (see PostHog section below) to measure conversion rates and detect errors.
We store the IP addresses of users, but pseudonymise them using IP masking to prevent personal identification.
- Types of Data Processed: Usage data, meta, communication, and procedural data.
- Data Subjects: Users of our website.
- Purposes of Processing: Reach measurement, conversion analysis, error monitoring, optimisation of our offering.
- Legal Bases: Consent.
Google Analytics
We use Google Analytics for measuring and analysing user behaviour, using pseudonymous IDs. No personal data such as name or email address is stored; instead, rough geodata is derived from IP addresses and deleted.
- Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
- Legal Bases: Consent
- Website: marketingplatform.google.com/about/analytics
- Privacy Policy: policies.google.com/privacy
- Data Processing Agreement: business.safety.google/adsprocessorterms
- Transfer Basis: Data Privacy Framework (DPF).
Google Tag Manager
This tool allows us to centrally manage website tags without storing user data ourselves. It loads other services that then process their data. The Tag Manager itself does not store any cookies and does not collect personal data. Google Consent Mode v2 is implemented to ensure all tags respect your consent choices before activating.
- Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
- Legal Bases: Consent
- Website: marketingplatform.google.com/about/tag-manager
PostHog
We use PostHog for product analytics and error tracking. PostHog collects pseudonymised usage data and custom product events to help us understand the waitlist signup flow and improve the user experience. Data is processed and stored on servers located in Frankfurt, Germany (EU) and does not leave the European Economic Area.
PostHog sets a persistent cookie (ph_*) to recognise returning visitors via a pseudonymous ID. No full IP address is stored.
Events we capture:
- Page views (automatic)
- Waitlist CTA button clicked
- Waitlist form submitted successfully
- Waitlist form validation errors (field-level, no content)
- Subscription confirmed by the email provider (server-side)
- Subscription failure (server-side error, no personal data)
- Email confirmation link clicked (landing on /confirm)
- Cookie consent choice (accepted all / saved preferences)
- Application errors (exception type and message only)
When you submit the waitlist form, your email address is used as a pseudonymous identifier (distinct_id) in PostHog to correlate client-side and server-side events for the same signup. No other personal data is linked to this identifier inside PostHog.
- Service Provider: PostHog, Inc., 965 Mission St, Suite 600, San Francisco, CA 94103, USA (EU Cloud — data hosted in Frankfurt, Germany)
- Legal Bases: Consent (analytics cookie); Legitimate Interests (server-side error tracking)
- Website: posthog.com
- Privacy Policy: posthog.com/privacy
- Data Processing Agreement: posthog.com/dpa
- Transfer Basis: Data remains within the EU/EEA (EU Cloud). No third-country transfer.
- Cookie duration: Up to 1 year (persistent identifier cookie
ph_*). - Opt-Out: Withdraw consent at any time via the "Cookie settings" link in the footer, or write to [email protected] to request deletion of your PostHog data.
Online marketing
We process personal data for online marketing purposes — this includes, in particular, placing advertising and measuring the effectiveness of these measures.
- Types of Data Processed: Usage data, meta, communication, and procedural data.
- Data Subjects: Users of our website.
- Purposes of Processing: Conversion measurement, target group formation, personalised marketing.
- Legal Bases: Consent.
Google Ads and conversion measurement
We use Google Ads to place ads in Google's advertising network and measure their success via conversion tracking.
- Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
- Legal Bases: Consent
- Website: marketingplatform.google.com
- Privacy Policy: policies.google.com/privacy
- Transfer Basis: Data Privacy Framework (DPF).
Microsoft Ads (Bing Ads) and conversion measurement
We use Microsoft Ads to place ads in the Bing advertising network. Only aggregated, anonymous data is collected via a pseudonymous cookie ID.
- Service Provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA
- Legal Bases: Consent
- Website: ads.microsoft.com
- Privacy Policy: privacy.microsoft.com/privacystatement
Reddit Ads conversion measurement (Reddit Pixel)
We use Reddit Pixel to measure the effectiveness of our advertising campaigns on Reddit. The pixel records specific user interactions — in particular, when a visitor clicks a “Join the waitlist” button (Lead event) and when the waitlist form is successfully submitted (SignUp event). On form submission, the email address you entered is passed to Reddit in a one-way hashed (SHA-256) form for attribution matching. This hashed value cannot be reversed to recover your plain-text email address.
- Types of Data Processed: Usage data, pseudonymous cookie ID, SHA-256 hashed email address (on form submission only).
- Data Subjects: Users who interact with the website.
- Purposes of Processing: Conversion measurement, campaign optimisation, and audience targeting on Reddit.
- Legal Bases: Consent.
- Service Provider: Reddit, Inc., 548 Market Street #16093, San Francisco, California 94104, USA
- Website: reddit.com
- Privacy Policy: reddit.com/policies/privacy-policy
- Transfer Basis: Standard Contractual Clauses (Art. 46 para. 2 lit. c GDPR).
- Cookie duration: Up to 2 years.
- Opt-Out: Withdraw consent at any time via the “Cookie settings” link in the footer, or via Reddit’s ad preferences: reddit.com/settings/privacy.
Presences in social networks
We maintain online presences in social networks to communicate with users and offer information about FledgeKit™. Please note that your data may be processed outside the EU by the respective platform provider, which may limit your rights.
- Types of Data Processed: Contact data, content data, usage data, and other metadata.
- Data Subjects: Users of the respective social networks.
- Purposes of Processing: Communication, feedback, and public relations.
- Legal Bases: Legitimate Interests.
- Service Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
- Legal Bases: Legitimate Interests
- Website: linkedin.com
- Privacy Policy: linkedin.com/legal/privacy-policy
- Opt-Out: linkedin.com/psettings/guest-controls/retargeting-opt-out
X (formerly Twitter)
- Service Provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland
- Legal Bases: Legitimate Interests
- Website: x.com
- Privacy Policy: x.com/privacy
Amendment and update
Please regularly inform yourself about the content of this privacy policy. We will adapt it as soon as changes in our data processing make this necessary. As soon as a change requires your cooperation (e.g., renewed consent) or an individual notification is necessary, we will inform you. Please note that addresses and contact data of companies mentioned in this privacy policy may change over time.
Definitions of terms
- Personal Data: All information relating to an identified or identifiable natural person (e.g., name, ID, location data, online identifier).
- Processing: Any operation related to personal data, be it collection, evaluation, storage, transmission, or deletion.
- Controller: The person or organisation that decides on the purposes and means of the processing of your personal data.
- Consent: A freely given, specific, informed, and unambiguous indication of wishes by the data subject.
- Usage Data: Information about how and when users interact with digital offerings (e.g., page views, click paths, device information).
- Contact Data: Information that enables communication (e.g., email addresses, postal addresses).
- Meta, Communication, and Procedural Data: Data about the handling of information (e.g., file size, creation date, communication histories, audit logs).
- Protocol Data (Log Data): Records of events or activities in a system (e.g., timestamps, IP addresses, error messages).
- Reach Measurement: Also known as Web Analytics, used to evaluate visitor flows to optimise the offering.
- Tracking: The monitoring of user behaviour across various offers, often using cookies and profiling.
- Conversion Measurement: Procedure for recording the reaction to marketing measures (e.g., clicks on ads, sign-ups), often with the help of cookies.