Privacy Policy
Last updated: March 2026
Note: Only the German version of this Privacy Policy is legally binding. This English translation is provided for informational purposes only.
1. Data Controller
elixxier Software GmbH
Hohnerstraße 25
D-70469 Stuttgart, Germany
Phone: +49 711 728050
Email: info@elixxier.com
Website: www.elixxier.com
Managing Director: Johannes Dauner
Commercial Register: Stuttgart District Court, HRB 747501
Contact for data protection inquiries: info@elixxier.com
2. Overview of Data Processing
We process personal data of our users, customers, and website visitors in connection with the provision of our website, our online shop, our software set.a.light 3D, and associated services such as the community platform and customer support.
The categories of data we process include master data (e.g. name, address), contact data (e.g. email address, phone number), content data (e.g. support inquiries, community contributions), contract data (e.g. license data, purchase information), payment data (e.g. billing information, transaction IDs), usage data (e.g. pages visited, access times), and technical data (e.g. IP address, browser information, device information). In connection with our software, we also process technical identifiers such as license IDs and hardware IDs.
The primary purposes of processing are the provision of our website and online shop, the execution of purchase agreements and payments, the licensing and activation of our software, the provision of customer support, the sending of newsletters (with consent), the operation of our community platform, and ensuring IT security.
3. Legal Bases
The processing of personal data is carried out on the following legal bases under the GDPR:
Consent (Art. 6(1)(a) GDPR): The data subject has given consent for a specific processing purpose, e.g. for receiving newsletters or the setting of non-essential cookies.
Performance of a contract (Art. 6(1)(b) GDPR): Processing is necessary for the performance of a contract or for pre-contractual measures, e.g. when processing an order or licensing software.
Legal obligation (Art. 6(1)(c) GDPR): Processing is necessary to comply with a legal obligation, e.g. tax retention requirements.
Legitimate interests (Art. 6(1)(f) GDPR): Processing serves our legitimate interests, e.g. in the security of our IT systems, fraud prevention, or the improvement of our services, provided the interests or fundamental rights of the data subject do not override these interests.
4. Security Measures
We implement technical and organizational measures to ensure an appropriate level of protection. These include encryption of data transmission via TLS/SSL, access controls, regular review of our security measures, and pseudonymization and anonymization of data where possible given the purpose of processing.
5. Data Transfers to Third Countries
In the course of our business activities, we use service providers that may also process data outside the European Economic Area (EEA), particularly in the United States. Transfers are based on appropriate safeguards:
EU-US Data Privacy Framework (DPF): Since the adequacy decision of the European Commission of July 10, 2023, personal data may be transferred to companies in the US that are certified under the DPF. This applies to several of our service providers (in particular Stripe, Freshworks, Cloudflare, Google).
Standard Contractual Clauses (SCCs): Where no adequacy decision exists or a service provider is not DPF-certified, we rely on the Standard Contractual Clauses approved by the European Commission pursuant to Art. 46(2)(c) GDPR.
More information about the Data Privacy Framework: https://www.dataprivacyframework.gov
6. Cookies and Consent Management
Our website uses cookies and similar technologies. Technically necessary cookies are set on the basis of our legitimate interest (Art. 6(1)(f) GDPR) or for the performance of a contract (Art. 6(1)(b) GDPR). All other cookies are only set with your explicit consent pursuant to Art. 6(1)(a) GDPR and Section 25(1) TDDDG (German Telecommunications Digital Services Data Protection Act).
We use Borlabs Cookie (provider: Borlabs – Benjamin A. Bornschein, Rübenkamp 32, 22305 Hamburg, Germany) to manage cookie consent. Borlabs Cookie stores your consent decision in a technically necessary cookie in your browser. The stored data does not contain personal data but only information about which categories you have consented to or not, along with a timestamp. You can revoke your consent at any time via the cookie settings on our website.
More information: https://de.borlabs.io/kb/welche-daten-speichert-borlabs-cookie/
7. Web Hosting and Email
Our website and email services are hosted by:
DomainFactory GmbH, c/o WeWork, Neuturmstr. 5, 80331 Munich, Germany (a GoDaddy company). Data centers are located in Strasbourg and Cologne.
Each time our website is accessed, the hosting provider automatically collects server log files. These contain the IP address of the accessing device, date and time of access, the requested URL, the referrer URL, the browser and operating system used, and the amount of data transferred. This data is processed to ensure operation and to detect and prevent attacks.
The legal basis is our legitimate interest in the secure operation of our website (Art. 6(1)(f) GDPR). Log files are automatically deleted after 30 days, unless further retention is required for evidentiary purposes.
We have concluded a data processing agreement (DPA) with DomainFactory pursuant to Art. 28 GDPR.
Privacy policy of DomainFactory: https://www.df.eu/de/datenschutz/
8. Customer Account and Business Services
Customers can create a customer account on our website. As part of the customer account and contract processing, we process name, email address, billing address, license data, and download history. To secure the registration and for fraud prevention, we store the IP address and the time of registration.
The legal basis is the performance of a contract (Art. 6(1)(b) GDPR) and our legitimate interest in fraud prevention (Art. 6(1)(f) GDPR).
Retention period: Customer account data is stored for the duration of the business relationship. After termination of the business relationship, we retain data within the statutory retention periods: tax-relevant data (invoices, accounting records) for 10 years (Section 147 German Fiscal Code), commercially relevant data (business correspondence) for 6 years (Section 257 German Commercial Code). In addition, we retain data as necessary for the assertion, exercise, or defense of legal claims (general limitation period: 3 years pursuant to Section 195 German Civil Code).
9. Payment Service Providers
We use the following service providers for payment processing:
Stripe
Provider: Stripe Technology Europe, Limited, 1 Wilton Park, Wilton Place, Dublin 2, D02 FX04, Ireland. Stripe processes payments by credit card (Visa, MasterCard, JCB), bank transfer, and Alipay.
During a payment transaction, the required payment data (e.g. name, card number, billing address, transaction amount) is transmitted directly to Stripe. We do not receive or store complete credit card data.
Stripe processes data under the EU-US Data Privacy Framework. The legal basis is the performance of a contract (Art. 6(1)(b) GDPR).
Privacy policy: https://stripe.com/privacy
PayPal
Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.
When PayPal is selected as a payment method, the data required for payment processing is transmitted to PayPal. In this context, PayPal acts as an independent data controller. The legal basis is the performance of a contract (Art. 6(1)(b) GDPR).
Privacy policy: https://www.paypal.com/de/legalhub/paypal/privacy-full
Payment on Invoice
For selected business customers and educational institutions, we offer payment on invoice upon individual request. In this case, we process order and billing data for the performance of a contract (Art. 6(1)(b) GDPR). No automated credit check is performed.
10. Newsletter (Brevo)
We use the service Brevo (formerly Sendinblue) to send our newsletter.
Provider: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany. Data is stored on servers in Germany.
When you sign up for our newsletter, we process your email address and, if applicable, your name. Registration uses a double opt-in procedure: after entering your email address, you will receive a confirmation email. Your registration becomes active only after you click the confirmation link.
Brevo enables us to analyze our newsletter campaigns (e.g. whether the newsletter was opened and which links were clicked). This evaluation serves to optimize our communication.
The legal basis is your consent (Art. 6(1)(a) GDPR). You can unsubscribe from the newsletter at any time via the unsubscribe link at the end of each message. Data processing carried out prior to unsubscription remains unaffected. After unsubscription, your email address may be stored in a suppression list to prevent future mailings.
We have concluded a data processing agreement with Brevo (integrated into their terms as Annex 3).
Privacy policy: https://www.brevo.com/de/legal/privacypolicy/
11. Customer Support (Freshdesk)
We use the ticketing system Freshdesk for handling support inquiries.
Provider: Freshworks, Inc., 2950 S. Delaware St., Suite 201, San Mateo, CA 94403, USA.
When you contact us via our contact form or by email, your inquiry and the contact details you provide (name, email address, and any additional information) are stored and processed in Freshdesk. Freshworks is certified under the EU-US Data Privacy Framework and additionally uses Standard Contractual Clauses.
The legal basis is the performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR) and our legitimate interest in the efficient handling of customer inquiries (Art. 6(1)(f) GDPR).
We have concluded a Data Processing Addendum (DPA) with Freshworks.
Privacy policy: https://www.freshworks.com/privacy/
12. set.a.light 3D Software
Our software set.a.light 3D processes the following data in connection with its use:
License Verification and Activation
At startup and at regular intervals, the software communicates with our own license server to verify the validity of the license. In this process, the license ID, a device-specific hardware ID, and the IP address are transmitted. The license server is operated by us and hosted at DomainFactory.
The hardware ID is generated from device characteristics (e.g. processor ID, motherboard serial number) and serves exclusively to associate the license with authorized devices. We do not use the hardware ID for profiling or advertising purposes.
Hardware Information
At software startup, technical information about the device in use is collected (e.g. graphics card, RAM, operating system). This data serves to ensure compatibility and to optimize the software.
Update Check
At startup, the software checks whether a new version is available. This involves establishing a connection to our server.
Crash Reports
In the event of a software crash, the software may send a crash report to our server. This contains technical information about the error (e.g. stack trace, operating system, software version) and is used exclusively for bug fixing.
No Telemetry
We do not transmit any data about your usage behavior within the software. There is no tracking of workflows, features used, or similar information.
The legal basis for license verification is the performance of a contract (Art. 6(1)(b) GDPR). The collection of hardware information, update checks, and crash reports is based on our legitimate interest in ensuring software functionality (Art. 6(1)(f) GDPR).
13. Community (community.elixxier.com)
We operate a community platform at community.elixxier.com where users can share and download lighting setups. The platform is based on a proprietary solution (built on the Vaadin framework) and is hosted at DomainFactory.
Use of the community requires registration with a customer account. During use, username, email address, uploaded content, IP address, and access timestamps are processed. Authentication is handled by our own server.
Users of the set.a.light 3D software can upload lighting setups directly from the software to the community and download setups from there. This involves communication between the software and the community server, during which authentication data is transmitted.
The legal basis is the performance of a contract (Art. 6(1)(b) GDPR).
14. Bot Protection
To protect our forms from automated abuse, we use the following services:
Google reCAPTCHA
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. reCAPTCHA analyzes visitor behavior based on various characteristics to determine whether the visitor is human. Data such as IP address and browser information may be transmitted to Google. Google is certified under the EU-US Data Privacy Framework.
Cloudflare Turnstile
Provider: Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA. Turnstile uses browser signals (e.g. IP address, TLS fingerprint, User-Agent) to determine whether access is by a human. Cloudflare is certified under the EU-US Data Privacy Framework.
The legal basis for both services is our legitimate interest in protecting our online services from abusive automated use and spam (Art. 6(1)(f) GDPR). The integration may also be based on your consent (Art. 6(1)(a) GDPR / Section 25(1) TDDDG) insofar as access to information on the end device takes place.
We have concluded a data processing agreement with Cloudflare.
Privacy policy of Google: https://policies.google.com/privacy
Privacy policy of Cloudflare Turnstile: https://www.cloudflare.com/turnstile-privacy-policy/
15. Embedded Content
YouTube
We embed YouTube videos using the enhanced privacy mode (youtube-nocookie.com).
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
In the enhanced privacy mode, no YouTube cookies are set when the page is merely loaded. Data is only transmitted to YouTube when a video is played (e.g. IP address, which video was viewed). If you are logged into your YouTube/Google account, YouTube may associate the visit with your account.
The legal basis is your consent (Art. 6(1)(a) GDPR / Section 25(1) TDDDG).
Privacy policy: https://policies.google.com/privacy
Meta (Facebook) Content
Our website may include content from the Meta platform Facebook (e.g. social plugins or embedded posts). This content is only loaded after your explicit consent. Without your consent, only a placeholder is displayed and no connection to Meta is established.
Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
After consent is granted, a connection to Meta’s servers is established, during which data such as IP address and browser information may be transmitted.
The legal basis is your consent (Art. 6(1)(a) GDPR / Section 25(1) TDDDG).
Privacy policy: https://www.facebook.com/privacy/policy/
16. Social Media Presences
We maintain publicly accessible profiles on the following social networks:
Instagram and Facebook: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. In connection with the use of Facebook, joint controllership exists pursuant to Art. 26 GDPR for the processing of “Insights data” (page statistics). Details are governed by the agreement at https://www.facebook.com/legal/terms/page_controller_addendum. You may exercise your data subject rights against both us and Meta. Privacy policy: https://www.facebook.com/privacy/policy/
YouTube: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy policy: https://policies.google.com/privacy
Pinterest: Pinterest Europe Ltd., 2nd Floor, Palmerston House, Fenian Street, Dublin 2, Ireland. Privacy policy: https://policy.pinterest.com/en/privacy-policy
TikTok: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin 2, D02 T380, Ireland. Privacy policy: https://www.tiktok.com/legal/privacy-policy-eea
The legal basis for operating our social media profiles is our legitimate interest in public relations and communication with users (Art. 6(1)(f) GDPR).
We note that the respective platform operators have their own privacy policies and may process personal data outside the EEA. We recommend reading the privacy policies of the respective platforms.
17. Affiliate Program
We operate an affiliate program at affiliate.elixxier.com. For this purpose, we use the software Post Affiliate Pro, which is hosted on our own server at DomainFactory. No affiliate data is shared with third-party providers.
As part of the affiliate program, we process registration data of affiliates (name, email address, payment information), tracking data for the attribution of referrals (clicks, conversions), and commission data.
The legal basis is the performance of a contract (Art. 6(1)(b) GDPR).
18. Data Processing Agreements
We have concluded data processing agreements (DPAs) pursuant to Art. 28 GDPR with the following service providers: DomainFactory (web hosting, email), Brevo (newsletter), Freshworks (customer support), Stripe (payments), Cloudflare (bot protection). These agreements ensure that the service providers process personal data only on our instructions and in compliance with the GDPR.
19. Data Subject Rights
Under the GDPR, you have the following rights:
Right of access (Art. 15 GDPR): You have the right to obtain information about the personal data we process about you.
Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
Right to erasure (Art. 17 GDPR): You may request the deletion of your data, provided no statutory retention obligations apply.
Right to restriction of processing (Art. 18 GDPR): You may request the restriction of processing, e.g. if the accuracy of the data is disputed.
Right to data portability (Art. 20 GDPR): You have the right to receive your data in a structured, commonly used, and machine-readable format.
Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests. We will cease processing unless there are compelling legitimate grounds.
Right to withdraw consent (Art. 7(3) GDPR): You may withdraw any consent given at any time with effect for the future.
Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority. The competent supervisory authority for us is the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart, Germany (https://www.baden-wuerttemberg.datenschutz.de).
20. Changes to this Privacy Policy
We reserve the right to amend this Privacy Policy to reflect changes in the legal situation or changes to our services or data processing. The current version is always available at https://www.elixxier.com/en/privacy/.
