Privacy Policy
Last updated: March 2026
1. Introduction and Data Controller
Paul-Jasper Sahr ("Gemhog", "we", "us") operates the website gemhog.com and the Gemhog waitlist/product-update service. We are the data controller responsible for your personal data within the meaning of the EU General Data Protection Regulation (GDPR) and the German Digitale-Dienste-Gesetz (DDG).
Paul-Jasper Sahr
Quellenweg 162a, 26129 Oldenburg
Germany
Email: hello@gemhog.com
This policy explains what personal data we collect, why we collect it, how we process it, and what rights you have under GDPR Articles 13 and 14.
2. Data We Collect
Identity Data
- Email address
- Display name and profile image if you use a sign-in provider in an early-access product
Authentication Data
- Session tokens (stored as HTTP-only cookies) where login is available
- One-time passwords (OTP codes — used for verification only, not stored after verification)
Technical Data
- IP address
- Browser user agent
- Device type
- Referring URL
Usage Data
- Page views and feature interactions
- PostHog analytics events (e.g. landing_page_viewed, subscribe_started, subscribe_completed)
Error Data
- Stack traces and console logs
- Breadcrumbs and session IDs (Sentry)
Support Data
- Messages and conversation history submitted via customer support chat (Chatwoot)
Newsletter Data
- Email address
- Subscription status
- Unsubscribe date (if applicable)
3. How We Use Your Data and Legal Basis
We process personal data only when we have a lawful basis under GDPR Article 6:
Performance of Contract — Art. 6(1)(b) GDPR
- Waitlist registration and email verification
- Authentication where login is available
- Product-update and early-access communication
- Transactional email delivery
Consent — Art. 6(1)(a) GDPR
- Product analytics via PostHog (controlled via cookie consent)
- Error tracking via Sentry (controlled via cookie consent)
- Newsletter or product-update subscription
Legitimate Interest — Art. 6(1)(f) GDPR
- Security logging — IP address logging for fraud prevention and abuse detection
- Basic server logging for infrastructure stability and debugging
4. Third-Party Sub-processors
We share personal data with the following sub-processors, each for a specific purpose:
PostHog (EU — Frankfurt)
Product analytics and feature tracking. Endpoint: eu.i.posthog.com. Data processed: anonymous usage events; identified user events where login is available. Retention: per PostHog retention policy.
Sentry (DE — Germany)
Error tracking and crash reporting. Endpoint: ingest.de.sentry.io. Data processed: stack traces, console breadcrumbs, session IDs. Retention: 90 days.
Resend (US)
Transactional email delivery. Data processed: email address, email content. International transfer safeguard: Standard Contractual Clauses (SCCs).
Amazon Web Services (EU — Frankfurt)
Infrastructure, database hosting, and compute. Region: eu-central-1 (Frankfurt). Data processed: all user data is stored on AWS infrastructure.
Cloudflare (US/EU)
DNS, CDN, and DDoS protection. Data processed: IP addresses, request headers. International transfer safeguard: Standard Contractual Clauses (SCCs).
Chatwoot (Self-hosted)
Customer support chat. Self-hosted on our infrastructure. Data processed: support conversation content, email address.
5. International Data Transfers
PostHog, Sentry, and Amazon Web Services process your data within the European Union (Frankfurt, Germany). Chatwoot is self-hosted on our own EU infrastructure.
Resend and Cloudflare are based in the United States. Transfers of personal data to these processors are made under Standard Contractual Clauses (SCCs) pursuant to GDPR Article 46(2)(c), ensuring an adequate level of data protection.
6. Data Retention
- Waitlist/newsletter subscriber data: email retained until you unsubscribe, plus 30 days for bounce processing
- User accounts where login is available: retained until you request deletion or your account is terminated
- Session tokens: 30 days (rolling refresh)
- OTP codes: immediately discarded after verification
- PostHog analytics events: per PostHog retention settings (default 365 days)
- Sentry error data: 90 days
- Server logs: 30 days rolling
7. Your Rights under GDPR
Under GDPR Articles 15–22, you have the following rights regarding your personal data:
- Right of access (Art. 15): You may request a copy of the personal data we hold about you. Email hello@gemhog.com to submit a data subject access request (DSAR).
- Right to rectification (Art. 16): You may update your information directly where available, or contact us to correct inaccurate data.
- Right to erasure (Art. 17): You may request deletion of your personal data by emailing hello@gemhog.com.
- Right to restriction of processing (Art. 18): You may request that we restrict processing of your data in certain circumstances. Contact us at hello@gemhog.com.
- Right to data portability (Art. 20): You may request your personal data in a structured, commonly used, and machine-readable format. Email hello@gemhog.com and we will provide your data.
- Right to object (Art. 21): You have the right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent: Where processing is based on consent (e.g. analytics, error tracking), you may withdraw consent at any time by managing your cookie preferences via the Cookie Settings on our website. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. Your competent authority is Die Landesbeauftragte für den Datenschutz Niedersachsen (or your local EU data protection authority).
8. Automated Processing
We do not use personal data for credit scoring, profiling, or automated individual decision-making as defined in GDPR Article 22.
9. Cookies
We use cookies and similar technologies. For detailed information about the specific cookies we set, their purposes, and how to manage your preferences, please see our Cookie Policy.
10. Children
Our service is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at hello@gemhog.com and we will delete it promptly.
11. Updates to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or applicable law. We will notify registered users and newsletter subscribers by email of any material changes. The date of the most recent update is shown at the top of this page.