Privacy Policy

Last updated: April 2026

With this privacy policy, we would like to inform you about the types of your personal data we process, for what purposes, and to what extent. This policy applies to all processing of personal data carried out by us — both in the course of providing our services and on our website, including external online presences such as our social media profiles (collectively referred to as "online services").

The terms used herein are not gender-specific.

Controller

ask mape GmbH i. G./in Gründung
Kolonnenstr. 8
D-10827 Berlin, Germany

Email: hello@askmape.com

Relevant Legal Bases

Legal bases under the GDPR: The following provides an overview of the legal bases on which we process personal data. Please note that national data protection regulations may apply in addition to the GDPR.

  • Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.

  • Performance of a contract (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.

  • Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights of the data subject.

German national law: In addition to the GDPR, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) applies. It contains special provisions on the right of access, erasure, the right to object, processing of special categories of data, and automated individual decision-making including profiling. The data protection laws of individual German federal states may also apply.

Security Measures

We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature and purposes of processing, in order to ensure a level of protection appropriate to the risk.

The measures include safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access, access permissions, input, disclosure, and segregation. We have also established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data security incidents. Privacy by design and privacy by default are observed in the development and selection of hardware, software, and processes.

TLS/SSL encryption (HTTPS): To protect data transmitted via our online services from unauthorized access, we use TLS/SSL encryption. When a website is secured by an SSL/TLS certificate, this is indicated by HTTPS in the URL.

Transfer of Personal Data

In the course of processing personal data, such data may be transferred to other entities, companies, or persons — for example, service providers commissioned with IT tasks or providers of services integrated into a website. In such cases, we comply with legal requirements and conclude appropriate data processing agreements or other contracts to protect your data.

International Data Transfers

Processing in third countries: Where we transfer data outside the EU/EEA, we do so in compliance with legal requirements.

For transfers to the USA, we primarily rely on the EU-U.S. Data Privacy Framework (DPF), recognized by EU Commission adequacy decision of July 10, 2023. In addition, we have concluded Standard Contractual Clauses (SCCs) with the respective providers. This dual approach ensures comprehensive protection: the DPF serves as the primary mechanism, while SCCs provide a reliable fallback should the DPF framework change.

For each service provider, we indicate whether they are DPF-certified and whether SCCs are in place.

Further information and list of certified companies: https://www.dataprivacyframework.gov

For other third countries, corresponding safeguards apply (SCCs, explicit consent, or legally required transfers). Adequacy decisions: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en

Data Retention and Deletion

We delete personal data as soon as the underlying consent is revoked or no further legal grounds for processing exist. Statutory retention obligations or other special interests may require longer retention.

Statutory retention periods under German law:

  • 10 years – Books, records, annual financial statements, inventories, management reports (§ 147(1)(1) AO; § 14b(1) UStG; § 257(1)(1) HGB)
  • 8 years – Accounting documents such as invoices (§ 147(1)(4) AO; § 257(1)(4) HGB)
  • 6 years – Other business documents and commercial correspondence (§ 147(1)(2),(3),(5) AO; § 257(1)(2),(3) HGB)
  • 3 years – Data required for potential warranty or contractual claims (§§ 195, 199 BGB)

Where a period does not start on a specific date and is at least one year, it begins at the end of the calendar year in which the triggering event occurred.

Rights of Data Subjects

As a data subject, you have the following rights under Arts. 15–21 GDPR:

  • Right to object: You have the right, on grounds relating to your particular situation, to object at any time to processing based on Art. 6(1)(e) or (f) GDPR, including profiling. Where data is processed for direct marketing, you have the right to object at any time.

  • Right to withdraw consent: You may withdraw consent at any time without affecting the lawfulness of prior processing.

  • Right of access (Art. 15 GDPR): You have the right to obtain confirmation as to whether personal data concerning you is being processed and to receive a copy.

  • Right to rectification (Art. 16 GDPR): You have the right to request the rectification of inaccurate data and completion of incomplete data.

  • Right to erasure and restriction (Arts. 17, 18 GDPR): You have the right to request immediate erasure of your data, or alternatively a restriction of its processing.

  • Right to data portability (Art. 20 GDPR): You have the right to receive your data in a structured, machine-readable format or to request its transmission to another controller.

  • Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence or place of the alleged infringement.

The supervisory authority responsible for us is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin
Website: https://www.datenschutz-berlin.de
Email: mailbox@datenschutz-berlin.de

Web Hosting

We process user data in order to provide our online services. For this purpose, we process users' IP addresses, which are necessary to transmit content and functions to users' browsers or devices.

  • Types of data processed: Usage data (pages viewed, click paths, device types); meta and procedural data (IP addresses, timestamps, identifiers); log data (access logs)
  • Data subjects: Users (website visitors)
  • Purposes: Provision of online services; IT infrastructure; security measures
  • Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)

Vercel (Web Hosting)

For hosting our online services, we use Vercel's infrastructure. Vercel processes connection data, IP addresses, and server log files on our behalf.

Server Log Files

Access to our online services is recorded in server log files. These may include the name and address of pages retrieved, date and time of access, data volumes transferred, browser type and version, operating system, referrer URL, and IP addresses. Log files are used for security purposes (e.g., defending against DDoS attacks) and to monitor server stability.

  • Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
  • Deletion: Log file data is stored for a maximum of 30 days, then deleted or anonymized. Data required for evidentiary purposes is exempt until the relevant incident is resolved.

Use of Cookies

"Cookies" refers to functions that store and retrieve information on users' devices. We use cookies in accordance with applicable law. Where required, we obtain prior consent. Where consent is not required, we rely on our legitimate interests.

Retention periods:

  • Session cookies: Deleted after the user closes their browser or device.
  • Persistent cookies: Remain stored after closing the device. Unless otherwise stated, assume a storage period of up to two years.

Users may withdraw consent at any time via their browser's privacy settings.

  • Types of data processed: Meta and procedural data (IP addresses, timestamps, identifiers)
  • Data subjects: Users
  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); consent (Art. 6(1)(a) GDPR)

Silktide Consent Manager

We use Silktide's Consent Manager to collect, record, manage, and enable withdrawal of users' consent for cookies and similar technologies. Consent declarations are stored to avoid repeated requests and to provide proof of consent. A pseudonymous user identifier is created together with the time and scope of consent and information about the browser, system, and device used.

  • Service provider: Silktide Ltd, The Grange, 100 High Street, Southgate, London N14 6BN, United Kingdom
  • Website: https://silktide.com/consent-manager/
  • Privacy policy: https://silktide.com/privacy/
  • Third-country transfers: EU adequacy decision for the United Kingdom (June 2021) — no SCCs required
  • Legal basis: Consent (Art. 6(1)(a) GDPR)
  • Storage period: Up to two years

Contact and Inquiry Management

When you contact us (e.g., via contact form, email, or social media) we process the information provided insofar as this is necessary to respond to your inquiry.

  • Types of data processed: Contact data (name, email, phone); content data (messages, form inputs); meta and procedural data (IP addresses, timestamps)
  • Data subjects: Communication partners
  • Purposes: Communication; administrative procedures; feedback
  • Legal bases: Performance of a contract (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR)

Contact Form (General)

When you contact us via our contact form, email, or other channels, we process the transmitted personal data solely to respond to your inquiry — typically name, contact details, and any additional information needed for appropriate handling.

  • Legal bases: Performance of a contract (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR)

Tally (Online Forms)

We use Tally to provide contact and inquiry forms on our website. Data entered in these forms (name, email address, message content) is processed by Tally to transmit and manage contact inquiries.

Clay (Contact Data Management and Enrichment)

We use Clay for the management, enrichment, and processing of contact data. Clay processes contact information from inquiries and business relationships to support our CRM and sales processes. This may include supplementing existing contact data with publicly available information.

HubSpot CRM

We use HubSpot for the management of customer contacts, tracking of sales activities, automation of marketing campaigns, analysis of sales data, and creation and management of email campaigns.

Salesforce CRM

We use Salesforce for the management of customer contacts and business relationships, tracking of sales activities and opportunities, automation of business processes, and analysis of customer data.

Newsletter

We send newsletters and other electronic notifications exclusively with the consent of recipients or on a statutory basis. Registration generally requires only an email address.

Double opt-in: After entering your email address, you will receive a confirmation email containing an activation link. The newsletter is only sent once you have clicked this link. The registration process, including time of sign-up and confirmation, is logged for evidentiary purposes.

Unsubscribe and deletion: Unsubscribed email addresses may be retained for up to three years on the basis of our legitimate interests to demonstrate previously given consent. Individual deletion requests are possible at any time. In cases of permanent objection, the email address may be retained on a blocklist.

Contents: Information about us, our services, promotions, and offers.

  • Types of data processed: Master data; contact data; meta and procedural data; usage data (open rates, click paths)
  • Data subjects: Communication partners
  • Purposes: Direct marketing
  • Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR)
  • Opt-out: Unsubscribe via the link at the bottom of any newsletter or by contacting us directly.

HubSpot Email Marketing

We use HubSpot for sending emails, creating personalized campaigns, automating workflows, segmenting target audiences, and analyzing performance.

Web Analytics

Web analytics is used to evaluate visitor flows to our online services and may include behavior, interests, or demographic information of visitors as pseudonymous values. Through reach analysis we can identify the most frequently accessed content and areas requiring optimization.

IP addresses are stored but pseudonymized via IP masking. No clear-text personal data (names, email addresses) is stored — only pseudonyms.

  • Types of data processed: Usage data; meta and procedural data
  • Data subjects: Users
  • Purposes: Reach measurement; user profiling; provision of online services
  • Retention: Cookies up to 2 years
  • Security measures: IP masking (pseudonymization)
  • Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR)

Google Analytics

We use Google Analytics to measure and analyze the use of our online services on the basis of a pseudonymous user identification number. Google Analytics does not log or store individual IP addresses for EU users — it derives only approximate geolocation metadata before immediately discarding the IP data. All EU traffic is processed on EU-based servers.

Google Tag Manager

We use Google Tag Manager to centrally manage website tags via a user interface. Google Tag Manager itself does not create user profiles, store cookies, or conduct analyses. However, users' IP addresses are transmitted to Google for technical implementation purposes.

Online Marketing

We process personal data for the purpose of online marketing, including the display of promotional content based on users' potential interests and measurement of their effectiveness. User profiles are created and stored in cookies or via similar technologies. IP addresses are stored but pseudonymized via IP masking.

We generally only receive aggregated information about the success of our advertisements. Unless otherwise stated, marketing cookies are stored for up to two years.

Opt-out options by region:

LinkedIn Insight Tag

Code loaded when a user visits our online services; tracks user behavior and conversions and stores them in a profile. Purposes: measuring campaign performance, optimizing ad delivery, building custom and lookalike audiences.

Social Media

We maintain online presences within social networks and process user data in order to communicate with users and provide information about us. User data may be processed outside the EU/EEA. Data within social networks is generally also processed for market research and advertising purposes by the network operators.

For detailed information and opt-out options, please refer to the privacy policies of the respective networks. For the most effective exercise of data subject rights, we recommend contacting the respective provider directly.

  • Types of data processed: Contact data; content data; usage data
  • Data subjects: Users
  • Purposes: Communication; feedback; public relations
  • Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)

LinkedIn

We maintain a LinkedIn profile. We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not further processing) of visitor data used to create "Page Insights" for our LinkedIn profiles. This includes information about content interacted with, device details (IP addresses, operating system, browser type, cookie data), and profile information (job function, country, industry, seniority, company size).

We have entered into a specific agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum": https://legal.linkedin.com/pages-joint-controller-addendum), which regulates security measures and in which LinkedIn has agreed to fulfill data subject rights. Joint responsibility is limited to data collection and transmission to LinkedIn Ireland (EU-based). Further processing, including transfers to LinkedIn Corporation in the USA, is the exclusive responsibility of LinkedIn Ireland.

Changes and Updates

We update this privacy policy whenever changes to our data processing activities require it. We will notify you as soon as changes require your action (e.g., renewed consent) or individual notification. Please review the content of this policy regularly.

Definitions

  • Master data: Essential information for the identification and management of contractual partners and user accounts (names, contact information, dates of birth, user IDs).

  • Content data: Information generated during the creation and publication of content — texts, images, videos, audio files, and related metadata.

  • Contact data: Information enabling communication — telephone numbers, postal addresses, email addresses, social media handles, and messaging identifiers.

  • Meta, communication and procedural data: Information about how data is processed and transmitted — metadata, email correspondence, call logs, timestamps, and transaction logs.

  • Usage data: Information capturing how users interact with digital services — features used, time spent, navigation paths, frequency of use, IP addresses, and device information.

  • Personal data: Any information relating to an identified or identifiable natural person.

  • Log data: Information about events logged in a system — timestamps, IP addresses, user actions, error messages, and operational details.

  • Reach measurement (web analytics): Evaluation of visitor flows to an online service, including behavior and interests. Pseudonymous cookies and web beacons are frequently used.

  • Tracking: Tracing of user behavior across multiple online services. Behavioral and interest information is stored in cookies or on servers of tracking technology providers (profiling), and used for interest-based advertising.

  • Controller: The natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.

  • Processing: Any operation performed on personal data — collection, recording, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.

  • Audience building (Custom Audiences): Determination of target groups for advertising based on user interest profiles. "Lookalike Audiences" are groups of users whose profiles correspond to those of an existing audience.