Privacy · Datenschutzerklärung

Information pursuant to Art. 13 & 14 GDPR · Last updated: 2026-04-18

Note: This template lists all sections required by GDPR Art. 13–14, TTDSG and German supervisory-authority guidance. Specific legal wording (especially around legal bases for each processing purpose, retention periods, and automated decision-making) should be reviewed by a German data-protection lawyer or generated via a certified service (e.g. e-recht24.de, IT-Recht Kanzlei) before go-live.

1. Controller

Controller:: FSFM GmbH
Address:: Fischerinsel 6, 10179 Berlin, Germany
Email:: info@fsfmgmbh.com
Phone:: +49 (0)30 8092 0877

2. Purposes and legal bases of processing

a) Operating the website and providing the service

When you use Superlink we process: account identifiers (email, legal company name), supplier identity data you submit (company website, certifications, evidence cards), buyer targets you create (buyer names, websites, emails), and generated outreach content.

Legal basis: Art. 6 (1)(b) GDPR — performance of contract.

b) Buyer intelligence research

To research buyer companies you nominate, we query third-party services (Firecrawl, Tavily, Gemini) using the buyer's public website / company name. Results are stored in your session record.

Legal basis: Art. 6 (1)(b) GDPR (contract) and Art. 6 (1)(f) GDPR (legitimate interest in providing the service you requested).

c) Outreach generation

Generated email / LinkedIn copy is produced by large language models (Claude, Gemini). Your supplier profile and the buyer intelligence are sent to these providers as prompt input. Prompts and generations are logged for audit.

Legal basis: Art. 6 (1)(b) GDPR.

d) Payment processing

Stripe processes payment data on our behalf (card / SEPA / WeChat Pay). We do not store full card numbers. Invoice metadata (amount, tier, date) is retained for German tax law (§147 AO, 10 years).

Legal basis: Art. 6 (1)(b) GDPR, Art. 6 (1)(c) GDPR (legal obligation).

e) Transactional emails

Supplier alerts (e.g. "a buyer shook hands with your profile") are sent via Resend. Email content includes buyer email, session slug, and timestamp.

Legal basis: Art. 6 (1)(b) GDPR.

Categories of recipients (processors)

We engage the following processors. Data-processing agreements (DPA) are in place for each. Transfers outside the EEA are protected by Standard Contractual Clauses (SCC, Commission Decision 2021/914) plus Transfer Impact Assessment where required (Schrems II).

Processor	Purpose	Location	DPA
Supabase	Database, authentication, file storage	EU (Frankfurt) — data residency set to eu-central-1	Link
Stripe Payments Europe, Ltd.	Payment processing (Card, SEPA, WeChat Pay)	Ireland (EU) + US (SCC in place)	Link
Anthropic, PBC	LLM inference for outreach copy + landing generation (Claude)	US (SCC + TIA documented)	Link
Google LLC (Gemini)	LLM inference (intelligence synthesis, fallback generator)	US (SCC + TIA documented)	Link
Firecrawl	Website scraping for buyer intelligence	US (SCC + TIA documented)	—
Tavily	Web search for buyer intelligence	US (SCC + TIA documented)	—
Resend	Transactional email delivery (supplier alerts)	US (SCC + TIA documented)	Link
Vercel Inc.	Application hosting	US (SCC in place) — edge nodes in Frankfurt	Link

International data transfers

Several processors above are located in the United States. These transfers are based on Art. 46 (2)(c) GDPR — Standard Contractual Clauses — supplemented by technical measures (TLS encryption in transit, encryption at rest with provider-managed keys) and organisational measures (access restrictions, logging). A Transfer Impact Assessment was performed; an enquiry about the current TIA can be sent to the email address above.

Retention periods

Account data: until account deletion + 30 days (for backup expiry).
Supplier profile, campaigns, sessions: until deletion request.
Invoices and payment records: 10 years (§147 AO).
Email logs: 90 days for deliverability debugging.
LLM prompt/generation logs: 180 days for abuse detection and quality review.

Cookies and local storage

We only use cookies / local storage entries that are strictly necessary for the service to function (Art. 6 (1)(b) GDPR, §25 (2) Nr. 2 TTDSG — no consent required):

Name	Purpose	Lifetime
`sl_sb_collapsed`	Stores sidebar collapsed state (UI preference)	persistent (localStorage)
`sb-*-auth-token`	Supabase authentication session	session + 7-day refresh

We do not use analytics, advertising or tracking cookies.

Your rights as a data subject

You have the following rights regarding personal data we process about you:

Right of access (Art. 15 GDPR)
Right to rectification (Art. 16 GDPR)
Right to erasure (Art. 17 GDPR)
Right to restriction of processing (Art. 18 GDPR)
Right to data portability (Art. 20 GDPR)
Right to object (Art. 21 GDPR)
Right to withdraw consent where processing is based on consent (Art. 7 (3) GDPR)
Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

To exercise any of these rights, contact us at info@fsfmgmbh.com.

Supervisory authority

Fill in: The competent supervisory authority depends on the registered office of FSFM GmbH. For Hesse, this is the Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, Wiesbaden. Update this block based on your actual registered office.

Automated decision-making

We do not use automated decision-making including profiling within the meaning of Art. 22 GDPR that produces legal or similarly significant effects on you. LLM-generated outreach content is reviewed and sent manually by the supplier.

Changes to this policy

We may update this privacy policy to reflect changes in law, our services, or processors. We will announce material changes via email and in the app.