Northsphere

Privacy Policy

Last updated: October 2025

1. Controller

Northsphere UG (haftungsbeschränkt)
Vogelsbergstraße 22
60316 Frankfurt am Main
Germany

Represented by: Tim Guntermann (Managing Director)
E-Mail: tim@northsphere.vc
Phone: +49 172 9336545
Web: www.northsphere.vc

2. General Information on Data Processing

We process personal data in accordance with the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), and the Telecommunications-Digital Services Data Protection Act (TDDDG) only to the extent necessary to provide a functional website and our content and services, with consent or on the basis of legitimate interests.

Categories of data subjects:
Website visitors, communication partners, appointment bookers, newsletter subscribers.

Legal bases:
Art. 6 Para. 1 lit. a (consent), lit. b (contract/pre-contractual), lit. f (legitimate interest) GDPR.

3. Hosting, Infrastructure & Log Data

Website Hosting (Netlify): Our website is hosted on Netlify. When accessed, technical data including IP address, date/time, URL, referrer, and user agent are processed in server logs.

Purpose: Operation, security, and error analysis (Art. 6 Para. 1 lit. f GDPR).

Storage duration: 7 days (Netlify), up to 30 days in security cases.

Product Backend: Amazon Web Services (AWS, EU-region).

Domains/DNS: IONOS.

Recipients: Netlify (Hosting/CDN), Amazon Web Services (Infrastructure), IONOS (DNS).

4. Contact (Form & Email)

Contact Form: The entered data (e.g., name, email, message, timestamp) is processed to handle your inquiry and stored in Supabase (EU).

E-Mail: Emails to tim@northsphere.vc are processed via IONOS Business Mail.

Legal basis: Art. 6 Para. 1 lit. b GDPR (pre-contractual/contract) or lit. f GDPR (communication).

Storage duration: Until purpose fulfilled or deletion request; statutory retention obligations remain unaffected.

Recipients: Supabase (Form Database), IONOS (Mail Server).

5. Appointment Booking (Cal.com)

For appointment bookings, we use Cal.com (embedded or as external link). Your inputs (e.g., name, email, appointment preferences) are processed.

Purpose: Organization and confirmation of appointments.

Legal basis: Art. 6 Para. 1 lit. b GDPR.

Recipients: Cal.com (SaaS-Scheduling).

Third-country transfer: Transfer outside the EU possible; secured via EU Standard Contractual Clauses / Data Privacy Framework.

Storage duration: Until appointment processing; then deletion according to deletion periods.

6. Newsletter

We send newsletters only after double opt-in. No open or click rates are measured.

Legal basis: Art. 6 Para. 1 lit. a GDPR (consent).

Withdrawal: At any time via unsubscribe link or notification to us.

Recipients: Supabase (List Management, EU), Google (E-Mail-Delivery via Workspace).

Storage duration: Until withdrawal; proof of consent until expiry of statutory limitation periods.

7. Web Analytics (Google Analytics 4)

We use Google Analytics 4 (GA4) for reach measurement. GA4 does not store IP addresses (IP anonymization active). User/event IDs and cookies (_ga) are used.

Legal basis: Art. 6 Para. 1 lit. a GDPR in conjunction with § 25 Para. 1 TDDDG (consent).

Consent: Via cookie banner (CMP); revocable at any time via “Cookie Settings”.

Recipients: Google Ireland Ltd. / possibly Google LLC (USA).

Third-country transfer: Based on EU-US Data Privacy Framework or EU Standard Contractual Clauses.

8. Cookies & LocalStorage

We only use technically non-essential cookies or comparable technologies (e.g., LocalStorage IDs) with consent according to § 25 Para. 1 TDDDG and Art. 6 Para. 1 lit. a GDPR.

This applies in particular to Google Analytics 4 (_ga cookies). Consent can be revoked at any time in the cookie banner / footer (“Cookie Settings”).

Technically necessary cookies or local storage values (e.g., language or design preferences) remain unaffected.

9. Consent Management

Consent management is done via a cookie banner with which we have concluded a data processing agreement. Your decisions are logged; you can change them at any time in the footer under “Cookie Settings”.

10. Fonts (Google Fonts – Locally Hosted)

For uniform display, we use locally hosted fonts. No connections to Google servers are established; thus no transmission of IP addresses to third parties for this purpose.

11. Third-Party Content/Logos

Logos and media from partners or integrations are hosted locally; no external retrieval by the browser occurs.

12. Job Applications

We process applicant data to decide on establishing an employment relationship (§ 26 Para. 1 BDSG). Storage duration: 6 months after completion of the process, unless longer retention is based on consent or for legal defense.

13. Data Processing & Recipients

We use the following data processors:

  • Netlify (Hosting/CDN)
  • Amazon Web Services (AWS) (Infrastructure, EU)
  • IONOS (Domains, E-Mail)
  • Supabase (Forms & Newsletter, EU)
  • Cal.com (Scheduling)
  • Google (Analytics, Workspace-E-Mail)

Data processing agreements (Art. 28 GDPR) exist with all service providers. For third-country transfers, appropriate safeguards (EU-SCC, DPF) are used.

14. Mandatory Information and Necessity

Providing your contact and appointment data is necessary to process your inquiry or appointment. Without this information, the process cannot be carried out. Analytics data is voluntary.

15. Automated Decisions

Automated decision-making or profiling does not take place.

16. Data Deletion

We delete personal data as soon as the purpose ceases and no legal retention obligations exist. Contact inquiries are regularly deleted, newsletter data after unsubscription, log data after security review.

17. Data Security

We implement technical and organizational measures (TOM) to protect your data, including access and encryption controls, rights/role concepts, and regular security audits.

18. Your Rights

You have the following rights under GDPR:

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Objection (Art. 21)
  • Withdrawal of consent (Art. 7 Para. 3)

To exercise your rights, simply send a message to tim@northsphere.vc.

You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The authority at your place of residence or at the location of our company is usually responsible:

The Hessian Commissioner for Data Protection and Freedom of Information
Gustav-Stresemann-Ring 1, 65189 Wiesbaden
E-Mail: poststelle@datenschutz.hessen.de

19. Changes

We reserve the right to update this privacy policy as changes to procedures, services, or legal situation make it necessary. The current version is always available at northsphere.vc/privacy.