Privacy Policy

Effective date: 9 January 2026

This privacy policy informs you how Sponsorhead GmbH ("Sponsorhead", "we") processes personal data in connection with the websites sponsorhead.io, app.sponsorhead.io and beta.sponsorhead.io (together "Websites") as well as the Sponsorhead platform (SaaS marketplace).


1. Controller and Contact

Controller:
Sponsorhead GmbH
Mariahilfer Straße 31/26
1060 Vienna, Austria

Privacy contact:
privacy@sponsorhead.io


2. Terms and Roles (GDPR)

Personal Data means any information relating to an identified or identifiable natural person.

Our Role:

  • For registration, administration, billing, security, platform operation as well as our website and marketing activities, we generally act as Controller (Art 4 No 7 GDPR).
  • Insofar as users process personal data of third parties as "User Data"/"Content" on the platform and we only process these data technically to provide the platform, Sponsorhead may act as a Processor in this context (Art 4 No 8 GDPR). Where necessary, we provide a Data Processing Agreement (DPA) for this purpose.

3. What data we process

3.1 Website usage data (Websites)

When visiting our websites, we process in particular:

  • IP address, date/time, pages visited, referrer URL
  • Browser/device information, language settings
  • Cookie and similar identifiers (see Section 8)

3.2 Account and company data (Platform)

When registering and using the platform, we process in particular:

  • Name, email address, phone number (optional), role/function
  • Company data (company name, business address; optional VAT ID/tax information if required for billing)
  • Authentication and account data (e.g. User ID, organization assignment, login status)

3.3 Marketplace and process data (Platform)

For marketplace and process functionality, we process in particular:

  • Profile information (e.g. sponsor/sponsee, contact person, preferences)
  • Communication and content (e.g. messages, negotiations, offers, bookings, reports)
  • Delivery/return information, insofar as users record this in the process (e.g. tracking IDs; potentially delivery information if included in handling)

3.4 Billing and payment data (Stripe / Stripe Connect / sevDesk)

  • Tariff/subscription data, invoice data, status information
  • Payment and transaction metadata (e.g. status, timestamps, amounts)
  • Technical IDs and references (e.g. Stripe Customer ID, Subscription ID, Connect Account ID, Payment Intent ID)
  • We do not store full card or bank account data insofar as these are processed exclusively by the payment service provider.

3.5 Support, sales and communication data

  • Support requests and feedback (e.g. feature requests, bug reports)
  • Email communication
  • CRM data (leads/contacts, interactions, notes)
  • Internal organization data in work/planning tools, insofar as personal contact data is processed for this purpose

3.6 Log, security and audit data

  • Server/access logs, error logs, security events (e.g. unusual logins, abuse signals)
  • Audit logs within the platform (e.g. who changed what and when)

4. Purposes and Legal Bases

We process personal data for the following purposes:

4.1 Provision of the websites and platform

  • Purpose: Operation, delivery, troubleshooting, function provision, user management
  • Legal basis: Performance of contract or pre-contractual measures (Art 6 (1) (b) GDPR) and legitimate interest (Art 6 (1) (f) GDPR) in secure and stable operation

4.2 Marketplace function and processing of platform processes

  • Purpose: Profile display, communication, booking/process handling, reporting
  • Legal basis: Art 6 (1) (b) GDPR (Contract) and Art 6 (1) (f) GDPR (Operation, quality assurance, abuse prevention)

4.3 Billing and payment processing (incl. Stripe Connect)

  • Purpose: Subscriptions, fees, payment processing, accounting, evidence
  • Legal basis: Art 6 (1) (b) GDPR (Contract) and Art 6 (1) (c) GDPR (Legal obligations, e.g. tax/commercial retention)

4.4 Security, abuse prevention and compliance

  • Purpose: IT security, fraud prevention, enforcement of GTC/TOS, traceability of changes, abuse detection
  • Legal basis: Art 6 (1) (f) GDPR (Legitimate interest in security and legal enforcement)

4.5 Product improvement and analysis

  • Purpose: Usage analysis, improvement of UX/performance, error diagnosis
  • Legal basis:
    • Consent (Art 6 (1) (a) GDPR), insofar as analysis/tracking technologies are used via cookies or similar identifiers (see Section 8)
    • Art 6 (1) (f) GDPR, insofar as telemetry/diagnosis is strictly necessary for security, stability and troubleshooting

4.6 Marketing and Sales (B2B)

  • Purpose: Newsletters, product information, invitations, lead management, CRM
  • Legal basis: Consent (Art 6 (1) (a) GDPR) and/or legitimate interest (Art 6 (1) (f) GDPR) within the scope of permissible B2B communication; insofar as required by applicable email/telecommunications law, we obtain prior consent.

5. Obligation to provide data

Certain data are required to create an account and provide the platform (e.g. email, user and company master data, required billing data). Without this data, the platform cannot be used or cannot be used fully.


6. Recipients and Service Providers (Processors)

We use service providers who process personal data on our behalf ("Processors") or – depending on the service – also act as independent controllers (esp. payment service providers). We conclude – where necessary – data processing agreements and select providers according to data protection and security criteria.

Currently used service providers/tool categories (selection):

  • Hosting/Infrastructure: Hetzner
  • Authentication/Database: Supabase
  • Email/Collaboration: Google Workspace
  • Payment processing: Stripe (incl. Stripe Connect)
  • Accounting: sevDesk
  • Analytics/Session Replay: Google Analytics, Microsoft Clarity
  • Error Tracking: Sentry
  • Support/Feedback: Featurebase
  • CRM: Attio
  • Work organization: Motion

Important note on payment service providers:
Stripe also regularly processes data as an independent controller (e.g. KYC/AML, fraud prevention, legal obligations). In these cases, Stripe's privacy notices apply additionally.


7. Third country transfers (outside EEA)

Some service providers or their subcontractors may process data outside the EEA (esp. USA). In these cases, we ensure an adequate level of data protection through appropriate guarantees, in particular:

  • Adequacy decisions of the EU Commission (if applicable), and/or
  • Standard Contractual Clauses (SCCs) of the EU Commission, potentially supplemented by additional protective measures (e.g. encryption, access restrictions).

8. Cookies, Consent Management, Tracking

We use cookies and similar technologies.

8.1 Essential Cookies

These are required to provide the websites/platform and operate them securely (e.g. session management, login, security functions, storage of your cookie selection).

8.2 Analytics and Marketing Technologies

We use – subject to your consent – technologies for reach measurement and improvement of user experience, in particular:

  • Google Analytics
  • Microsoft Clarity (Session Replay/Heatmaps)

Insofar as legally required, these technologies are only activated if you have consented via our consent banner. You can revoke or change your consent at any time via the cookie settings (e.g. via the corresponding link in the website/app or via the consent banner).


9. Storage duration / Deletion

We store personal data only as long as necessary for the respective purposes or as long as legal obligations exist. Afterwards, data will be deleted or anonymized unless statutory retention obligations or legitimate interests (esp. legal enforcement/defense) stand in the way.

Specific storage periods:

  • Account and platform data: for the duration of the contractual relationship; after end of contract generally 3 months (e.g. conclusion/settlement, export), thereafter deletion/anonymization unless longer storage is required
  • Invoice and accounting documents: 7 years from end of the calendar year of issuance (statutory retention obligations in Austria)
  • Support and CRM data: up to 3 years from last contact/closing of the transaction, unless longer retention is required for legal enforcement/defense
  • Server/access logs: 180 days
  • Security and audit logs: 24 months
  • Consent proofs: 3 years from revocation or last relevant processing

Disputes/Chargebacks/Claims:
Where necessary, we store relevant data beyond these periods until final clarification and within the scope of statutory limitation and retention periods.


10. Data security

We use appropriate technical and organizational measures to protect personal data, in particular:

  • Encryption of data transmission (TLS/HTTPS)
  • Access controls and authorization concepts
  • Logging of security-relevant events
  • Backups and recovery processes according to appropriate security standards

11. Automated decisions

We generally make no solely automated decisions with legal effect or similarly significant impairment (Art 22 GDPR) within the scope of platform use.
Payment service providers (e.g. Stripe) may carry out automated checks (e.g. KYC/AML, fraud) under their own responsibility; their information applies to this.


12. Your rights

You have – depending on applicable law – the following rights:

  • Access (Art 15 GDPR)
  • Rectification (Art 16 GDPR)
  • Erasure (Art 17 GDPR)
  • Restriction of processing (Art 18 GDPR)
  • Data portability (Art 20 GDPR)
  • Objection to processing based on legitimate interests (Art 21 GDPR)
  • Withdrawal of consent at any time with effect for the future (Art 7 (3) GDPR)

Exercise of rights:
Please write to privacy@sponsorhead.io. We may request appropriate evidence for identity verification.

Right to complain:
You can complain to a data protection supervisory authority, in particular in Austria to the Austrian Data Protection Authority (DSB).


13. Minors

Our websites and platform are not directed at minors. We do not knowingly process personal data of persons under 16 years. If we become aware that personal data of minors has been processed, we will take appropriate steps to delete the data and prevent further processing.


14. Changes to this privacy policy

We may adapt this privacy policy, in particular in case of changes to the platform, the legal situation or the service providers used. We provide the currently valid version on our websites.