Privacy Policy
1. Data Controller within the meaning of the GDPR
The data controller for the processing on this website and within the SaaS application "Consiliari EMS" is:
Consiliari Software GmbH
Brauerstraße 12
76135 Karlsruhe
Germany
Represented by the Managing Director: Raphael J. N. Hettich, M. Sc.
Phone: +49 721 619329 0
E-mail: info@consiliari.de
Commercial Register: Local Court of Mannheim, HRB 753583
The application is developed by the affiliated Consiliari GmbH (Local Court of Mannheim, HRB 727046, same address). Consiliari Software GmbH acts as the contracting party of the customers and is the data controller within the meaning of the GDPR for all processing activities described herein.
2. Data Protection Officer
Our Data Protection Officer is:
Benjamin Berger
c/o Consiliari Software GmbH
Brauerstraße 12, 76135 Karlsruhe
Germany
E-mail: dsb@consiliari.de
Phone: +49 721 619329 0
Within the Consiliari Group (Consiliari Software GmbH and Consiliari GmbH), Mr. Berger exclusively performs the role of Data Protection Officer. He is not involved in management, development, sales, IT administration or any other operational leadership functions. This ensures independence and freedom from conflicts of interest within the meaning of Art. 38 (6) GDPR and the EDPB Guidelines WP 243 rev.01.
3. General Principles
We only process personal data within the scope of statutory provisions, in particular the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the German Telecommunications and Telemedia Data Protection Act (TDDDG). This policy informs you about the nature, scope and purpose of the processing of personal data when visiting our website (temporalis-ems.de) and when using our SaaS application "Consiliari EMS".
Our offering is aimed at entrepreneurs (§ 14 BGB) and their employees aged 16 and over. We do not knowingly process data of minors under 16 years of age (Art. 8 GDPR); such data will be deleted without delay as soon as we become aware of it.
4. Rights of Data Subjects
Under the GDPR, you have the following rights vis-à-vis us:
- Right to access (Art. 15) to the data stored about you
- Right to rectification (Art. 16) of inaccurate data
- Right to erasure (Art. 17) ("right to be forgotten")
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20) in a structured, commonly used format
- Right to withdraw consent (Art. 7 (3)) with effect for the future
- Right to lodge a complaint with a supervisory authority (Art. 77)
Right to object (Art. 21 GDPR): You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on Art. 6 (1)(f) GDPR (legitimate interests). If we process your data for direct marketing, you have the right to object at any time to such processing. Following your objection, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.
Responsibility and response deadline: We respond to requests within one month of receipt (Art. 12 (3) GDPR). If your request concerns data that you have processed in your capacity as a user of a customer tenant (i.e. as an employee of a client of Consiliari Software GmbH), we will forward the request to the respective customer (controller) within 5 business days and inform you accordingly.
The supervisory authority responsible for us is:
State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI)
Lautenschlagerstraße 20, 70173 Stuttgart
Phone: +49 711 615541-0
E-mail: poststelle@lfdi.bwl.de
Web: https://www.baden-wuerttemberg.datenschutz.de
To exercise your rights, a simple message to dsb@consiliari.de is sufficient.
5. Processing When Visiting Our Website (temporalis-ems.de)
5.1 Server Log Files
When you access our website, our hosting provider automatically collects information transmitted by your browser:
- IP address (stored truncated/anonymized unless required to defend against attacks)
- Date and time of access
- Amount of data transferred
- Referrer URL
- Browser and operating system used
Legal basis: Art. 6 (1)(f) GDPR (legitimate interest in the stability and security of the web offering).
Storage period: Maximum 14 days, then deletion or anonymization.
5.2 Website Hosting (Hetzner Online GmbH)
Our website is hosted by:
Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany. The servers are located exclusively in Germany (data centres in Nuremberg/Falkenstein). We have a data processing agreement with Hetzner pursuant to Art. 28 GDPR. Hetzner is certified according to ISO/IEC 27001.
Legal basis: Art. 6 (1)(f) GDPR.
5.3 SSL Encryption
For security reasons and to protect the transmission of confidential content, we use TLS/SSL encryption (recognizable by the "https://" in the address bar and the lock symbol).
5.4 Reach Measurement with Plausible Analytics
On our website we use Plausible Analytics, an analytics service provided by Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia.
Plausible is a cookie-free, privacy-friendly analytics service. No cookies are set, no IP addresses are stored permanently and no personal data is passed on to third parties. The data is evaluated exclusively in aggregated and anonymized form (page views, referrer, rough geo-region at country level, device type). Individual visitors cannot be identified.
The analytics service is hosted on servers within the EU (Germany/Finland).
Legal basis: Art. 6 (1)(f) GDPR (legitimate interest in statistical analysis to improve the service); according to our legal assessment, consent under § 25 TDDDG is not required, as Plausible does not store or access information on the end device: no cookies are set, no persistent device identifier is generated and no re-identification of individual visitors between sessions takes place. A daily rotating salt hash used for aggregated daily counting does not constitute a stable re-identification mechanism and serves exclusively for statistical analysis. The processing is therefore strictly necessary within the meaning of § 25 (2)(2) TDDDG for the provision of the service "website" expressly requested by the user. We follow the prevailing opinion of the German supervisory authorities; the legal situation is continuously monitored.
Further information: https://plausible.io/data-policy
5.5 Contact
If you contact us by e-mail, contact form or via Cal.com (see 5.7), we process your information (name, e-mail address, enquiry, and where applicable company name and phone number) for the purpose of handling your request.
Legal basis: Art. 6 (1)(b) GDPR (initiation or performance of a contract) or Art. 6 (1)(f) GDPR (legitimate interest in efficient communication).
Storage period: Until the request has been fully processed, plus statutory retention periods (in particular § 257 HGB, § 147 AO: max. 10 years for business-relevant correspondence).
5.6 Transactional E-mails / E-mail Dispatch
For sending transactional e-mails (trial confirmation, invoices, password reset, system notifications) we use the service of a specialized e-mail provider:
Mailjet SAS, 4 rue Jules Lefebvre, 75009 Paris, France. Hosting within the European Union.
Legal basis: Art. 6 (1)(b) GDPR.
A data processing agreement pursuant to Art. 28 GDPR is in place.
5.7 Appointment Booking with Cal.com
For scheduling demo appointments and consultations we use the service Cal.com.
Provider: Cal.com, Inc., 2261 Market Street #4667, San Francisco, CA 94114, USA.
We operate Cal.com self-hosted on servers of Hetzner Online GmbH in Germany. Processing takes place exclusively on servers within the European Union; no transfer of personal booking data to Cal.com, Inc. (USA) takes place.
When booking an appointment, the following data is collected: name, e-mail address, selected time slot and optional additional information (e.g. company name, topic of the meeting).
Legal basis: Art. 6 (1)(b) GDPR (contract initiation).
Cal.com privacy notice: https://cal.com/privacy
6. Processing When Using the SaaS Application "Consiliari EMS"
6.1 Registration and 14-Day Trial Access
Using our SaaS application requires setting up an account. We collect the following data:
- Name, business e-mail address
- Company name
- Chosen password (stored as a hash, not in plain text)
- Optional: phone number, number of employees, industry
The 14-day trial access is activated without a credit card and ends automatically upon expiry unless a paid subscription is taken out.
Legal basis: Art. 6 (1)(b) GDPR (performance of a user contract).
6.2 Ongoing Use (Tenant Data)
During use, data is entered into the system by you and, where applicable, your employees (e.g. projects, time entries, contacts, HR data, receipts). This data is processed on your behalf as a processor (Art. 28 GDPR); the customer remains the controller. The basis is the Data Processing Agreement (DPA) concluded between you and us, which we conclude as a standard component of the main contract.
We provide a template agreement and the associated technical and organizational measures (TOMs) at https://temporalis-ems.de/trust.
6.3 Hosting of the SaaS Application
The SaaS application is hosted exclusively on servers of Hetzner Online GmbH in Germany (data centres in Nuremberg and/or Falkenstein). Customer data does not leave the EEA. Backups are also stored encrypted within Germany.
6.4 Payment Processing with Stripe
For handling paid subscriptions we use the payment service provider:
Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.
When a paid subscription is taken out, the payment data (credit card number, SEPA data, billing address, amount) is transmitted directly to Stripe. We ourselves do not store any complete credit card data. Stripe processes the data on its own responsibility and in compliance with the PCI-DSS standard.
Stripe Payments Europe Ltd. is a company based in Ireland; a transfer to Stripe Inc. (USA) only takes place to the extent strictly necessary for processing payments and on the following legal basis:
- EU-US Data Privacy Framework (adequacy decision of the EU Commission of 10 July 2023); Stripe Inc. is listed on the Data Privacy Framework List;
- additionally EU Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021;
- in accordance with EDPB Recommendations 01/2020 (version of 18 June 2021), we have carried out a Transfer Impact Assessment (TIA) and implemented supplementary technical and organizational measures (no transfer of special categories of data to Stripe, purpose limitation to payment processing, TLS 1.2+ encryption in transit). The TIA can be viewed in our Trust Center.
Legal basis: Art. 6 (1)(b) GDPR (contract performance); Art. 45 GDPR (DPF) and Art. 46 (2)(c) GDPR (SCC) for the third-country transfer.
Further information: https://stripe.com/de/privacy
6.5 Support Communication
You can submit support requests by e-mail to support@consiliari.de or from within the application. We do not use an external helpdesk/ticketing tool; processing takes place exclusively on our servers at Hetzner Online GmbH in Germany and in our internally operated e-mail system.
6.6 Disclosure to Affiliated Companies
Consiliari GmbH (Local Court of Mannheim, HRB 727046, Brauerstraße 12, 76135 Karlsruhe) develops the "Consiliari EMS" application and provides development and maintenance services for Consiliari Software GmbH. In this context, Consiliari GmbH may access technical layers of the system, e.g. for bug-fixing and further development.
Insofar as this involves personal customer data, this takes place exclusively on the basis of a group-internal data processing agreement (Art. 28 GDPR); Consiliari GmbH acts as a sub-processor of Consiliari Software GmbH and is subject to the same security requirements as set out in Annex 1 to the DPA. Access to production data is additionally secured by a Privileged Access Management with just-in-time approval, time limitation and session recording (for details see Annex 1 to the DPA). Consiliari GmbH is listed as a sub-processor in Annex 2 to the DPA (see § 7 of this policy).
6.7 AI-assisted Assistance Functions
The service includes AI-assisted assistance functions (e.g. for automated filling of forms, filter suggestions, full-text search, language translations). These functions do not make any decisions with legal effect within the meaning of Art. 22 GDPR and do not replace human assessment; they merely prepare inputs that the user reviews and approves before acceptance. No fully automated individual decision-making takes place.
The LLM providers used are listed in full in Annex 2 to the DPA (registered office, data location, transfer mechanism). No personal customer data is used to train AI models of the providers (opt-out contractually secured in the enterprise tariff of the respective providers). The customer can deactivate the AI functions tenant-wide.
Insofar as the AI functions fall under the AI Act (Regulation (EU) 2024/1689), we comply with the respective applicable transparency and documentation obligations; according to the current assessment, the functions are predominantly classified as systems with low risk.
7. List of Sub-processors
The following service providers process data on our behalf or as independent third parties (for payment processing):
| Provider | Purpose | Registered office / Data location | Legal basis / Transfer |
|---|---|---|---|
| Consiliari GmbH (affiliated company) | Development, maintenance, level-3 support | Germany (Karlsruhe) | Group-internal DPA pursuant to Art. 28 GDPR |
| Hetzner Online GmbH | Hosting of application & website, backups, Cal.com instance | Germany (Nuremberg/Falkenstein) | Art. 28 GDPR (DPA); ISO 27001 |
| Stripe Payments Europe, Ltd. | Payment processing | Ireland (possible transfer to Stripe Inc., USA) | Art. 6 (1)(b); additionally DPF + SCC |
| Mailjet SAS | Transactional e-mails | France (EU hosting) | Art. 28 GDPR |
| Plausible Insights OÜ | Reach measurement (website) | Estonia/EU (Germany/Finland) | Art. 6 (1)(f) |
| LLM providers for AI functions (see Annex 2 to the DPA) | AI assistance functions (§ 6.7) | EU / USA depending on provider | Art. 28 GDPR + SCC + DPF where applicable |
A current, complete list can be found in our Trust Center at https://temporalis-ems.de/trust. We will inform existing customers of changes 30 days in advance; customers have a right to object with an extraordinary right of termination.
8. Storage Period and Erasure
We only store personal data for as long as is necessary for the respective purposes or as required by statutory retention obligations:
- Server logs: 14 days
- Plausible statistics: aggregated, no personal identification
- Trial accounts without conversion: automatic deletion 30 days after trial expiry
- Customer data after contract end: release/export within 30 days, then final deletion within a further 60 days
- Invoice-relevant data: 10 years (§ 147 AO, § 257 HGB)
- Contract-relevant correspondence: 6 years (§ 257 HGB)
- Application documents: 4 months after rejection (AGG deadline plus buffer); longer retention only with express consent for inclusion in the talent pool or in the event of pending litigation
9. No Automated Individual Decision-Making / Profiling
There is no automated decision-making with legal effect or similarly significant impact within the meaning of Art. 22 GDPR. Insofar as we use AI-assisted assistance functions (cf. § 6.7), these do not make such decisions but merely prepare content or suggestions that the user evaluates and approves.
9a. Employee Data Protection in the HR Module
If a customer uses the HR module of the service, it processes data of its employees in its role as controller within the meaning of § 26 BDSG or on the basis of a collective agreement (§ 26 (4) BDSG). The customer is obliged to
- inform the employees pursuant to Art. 13 GDPR,
- obtain co-determination rights under works constitution law (§ 87 (1)(6) BetrVG for conduct/performance monitoring through time tracking), insofar as a works council exists,
- only enter sensitive data (Art. 9 GDPR, e.g. health data) into the service on a sound legal basis.
Consiliari Software GmbH supports the customer in fulfilling these obligations upon request within the scope of the DPA (Art. 28 (3)(e) and (f) GDPR).
9b. Data Origin for Third-Party Imports (Art. 14 GDPR)
If a customer imports third-party contact data (e.g. customer, supplier or prospect data) from external sources (CRM import, LinkedIn exports, business card scans) into the service, the customer is the controller within the meaning of the GDPR for this purpose and fulfils the information obligations towards data subjects pursuant to Art. 14 GDPR itself. Consiliari Software GmbH acts exclusively as a processor in this respect.
10. Security
We take appropriate technical and organizational measures to protect your data (including TLS encryption in transit, encrypted backups, need-to-know access controls, role-based permissions, regular updates, two-factor authentication for administrators, annual external penetration test). Details can be found in our Technical and Organizational Measures (TOMs) as an annex to the DPA.
11. Changes to this Privacy Policy
We adapt this privacy policy when the legal situation or our services change. The current version is available at this URL. We additionally inform active customers of material changes by e-mail.
Contact for data protection enquiries: dsb@consiliari.de