Privacy Policy
Last updated: February 12, 2026
1. Controller
ContextFab GmbH
Aberlestr. 18, 81371 München, Germany
Registered: Amtsgericht München, HRB 305930
Represented by: Marc Krüger-Sprengel, Louis Saade
Email: privacy@contextfab.ai
For our full legal details, see our Imprint.
2. Overview
This Privacy Policy explains how ContextFab GmbH ("context/fab", "we", "us") processes personal data. We provide a cloud-based SaaS platform for manufacturing data integration and contextualization ("Services") to business customers.
Where we process personal data on behalf of our customers as a data processor, the terms of our Data Processing Agreement (DPA/AVV) apply. To request a copy, contact privacy@contextfab.ai.
3. Website Visitors
What We Process
When you visit our website, we collect: IP address, browser type and version, pages visited, date and time of access, and referrer URL. If you use our contact form or request a demo, we collect the information you provide (name, email, company, message).
Purpose and Legal Basis
- Website operation and security: Legitimate interest (Art. 6(1)(f) GDPR) in providing a secure, functional website and preventing misuse.
- Contact requests: Performance of pre-contractual measures at your request (Art. 6(1)(b) GDPR), or legitimate interest in responding to inquiries.
- Analytics: With your consent (Art. 6(1)(a) GDPR) via our cookie banner. We use Mixpanel for product and website analytics. See Section 8 (Cookies) for details.
Retention
Server logs are deleted after 90 days. Contact form submissions are retained for the duration of the business relationship or until you request deletion.
4. Customers and Business Contacts
What We Process
When you enter into a contract with us or represent a customer organisation, we collect: name, email address, company name, job title, phone number, and billing information.
Purpose and Legal Basis
- Contract performance: Processing necessary to provide our Services, manage your account, and fulfil our contractual obligations (Art. 6(1)(b) GDPR).
- Legal obligations: Retention of invoices and financial records as required by German commercial and tax law (Art. 6(1)(c) GDPR — HGB §257, AO §147).
- Legitimate interests: Account administration, service communications, and security monitoring (Art. 6(1)(f) GDPR).
Necessity of Providing Data
Providing account and billing data is necessary to enter into and perform our contract. Without this data, we cannot provide the Services.
Retention
- Customer account data: Duration of the account plus 30 days. Upon account closure, data is retained for 30 days before permanent deletion.
- Financial records and invoices: 10 years (HGB §257, AO §147).
- Contracts and agreements: Duration plus 10 years.
5. Platform Usage Data
What We Process
When you use our Services, we collect technical data including IP addresses, access timestamps, feature usage, and error logs.
Purpose and Legal Basis
- Service delivery and improvement: Performance of contract (Art. 6(1)(b) GDPR) and legitimate interest (Art. 6(1)(f) GDPR) in maintaining platform security and reliability.
- Security monitoring: Legitimate interest in detecting and responding to security incidents.
Retention
- Security and audit logs: 1 year.
- Operational logs: 90 days.
Aggregated and anonymised data that cannot be linked to an individual may be retained indefinitely for service improvement.
6. Data Sharing
We do not sell personal data. We share personal data only with recipients bound by contractual data protection obligations.
Sub-processors (processing customer data on our behalf):
| Provider | Purpose | Data Residency |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and platform hosting | EU (Ireland) |
| Vercel Inc. | Website hosting | EU / US |
| Mixpanel Inc. | Product and website analytics | EU |
We use additional tools for internal business operations (e.g., identity management, collaboration, communication). These providers do not process customer data. A full list is available upon request at privacy@contextfab.ai.
We may also share data with legal, accounting, and audit firms as necessary for business operations, and disclose personal data where required by law, regulation, or valid legal process.
7. International Data Transfers
Our primary data processing takes place within the European Union. Where personal data is transferred to service providers located outside the EU/EEA, we ensure appropriate safeguards are in place, including: certification under the EU-US Data Privacy Framework, EU Standard Contractual Clauses (SCCs), or other mechanisms recognised under Art. 46 GDPR.
8. Cookies
Our website uses cookies and similar technologies.
Essential cookies are necessary for website functionality and do not require consent.
Analytics cookies are only set with your prior consent via our cookie banner. You may withdraw consent at any time through our cookie preferences or your browser settings.
| Tool | Purpose | Provider | Data Residency | Retention |
|---|---|---|---|---|
| Mixpanel | Product and website analytics | Mixpanel Inc. | EU | Per Mixpanel data retention settings |
9. Data Security
We implement appropriate technical and organisational measures to protect personal data, including: encryption of data at rest and in transit, multi-factor authentication, role-based access controls following the principle of least privilege, regular security assessments, logical tenant separation for customer data, and continuous security monitoring. Our information security management system is designed to conform to ISO/IEC 27001:2022.
10. Your Rights
Under GDPR, you have the following rights:
- Access (Art. 15): Request confirmation of whether we process your personal data and obtain a copy.
- Rectification (Art. 16): Request correction of inaccurate personal data.
- Erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
- Restriction (Art. 18): Request restriction of processing in certain circumstances.
- Data portability (Art. 20): Request your personal data in a structured, commonly used, machine-readable format.
- Object (Art. 21): Object to processing based on legitimate interests. For direct marketing, you may object at any time.
- Withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing.
We do not make decisions based solely on automated processing that produce legal effects or similarly significantly affect you.
To exercise your rights, contact us at privacy@contextfab.ai. We will respond within one month.
Right to lodge a complaint
You have the right to lodge a complaint with the competent supervisory authority:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
https://www.lda.bayern.de
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via our website. The "Last updated" date at the top indicates the most recent revision.
12. Contact
For questions about this Privacy Policy or our data processing practices, contact us at privacy@contextfab.ai.