$ cat legal/privacy-policy.md

Privacy Policy

Last updated: April 2026

1. Data Controller

Lexbeam Software, Inh. Werner Plutat
Speditionstraße 15A
40221 Düsseldorf, Germany
Email: info@lexbeam.com

2. Types of Data Collected

We collect and process the following types of personal data when you use our website:

  • Technical Data: IP address, browser type, operating system, referrer URL (server logs)
  • Analytics Data: page URL, referrer, approximate region, device and browser type (cookieless, see Section 4a)
  • Payment Data: processed by Stripe when you choose to buy the PDF report (see Section 6)
  • Booking Data: processed by Calendly when you book a call (see Section 7)
  • Newsletter Data: processed by Substack when you subscribe (see Section 5)

We do not use cookies on this website. We do not track users across websites or devices. We have no user accounts and no login. The Clawproof Assessment runs entirely in your browser; your answers never reach our servers.

3. Legal Basis for Processing

We process your personal data on the following legal bases (Art. 6 GDPR):

  • Consent (Art. 6 (1) lit. a): when you initiate the newsletter handoff to Substack
  • Contract (Art. 6 (1) lit. b): for the PDF report purchase (Stripe) and booking calls (Calendly)
  • Legal obligation (Art. 6 (1) lit. c): for retention of payment + invoice records under § 257 HGB / § 147 AO
  • Legitimate interests (Art. 6 (1) lit. f): server log processing for security and stability; cookieless analytics for aggregate usage statistics

4. Hosting

This website is hosted by Vercel Inc. (440 N Baxter St, Coppell, TX 75019, USA). In the course of hosting, Vercel processes server log data (IP address, timestamp, URL, user agent).

Data transfers to the USA are based on the EU-US Data Privacy Framework (Art. 45 GDPR) and Standard Contractual Clauses (SCC) pursuant to Art. 46 GDPR.

Privacy policy: vercel.com/legal/privacy-policy

4a. Analytics

This website uses OpenPanel, a privacy-friendly, cookieless web analytics tool (openpanel.dev). OpenPanel does not use cookies and does not track users across websites or devices.

The information collected includes: page URL, referrer, approximate geographic region (derived from your IP address), device type, browser type, and screen resolution. This data is aggregated and used to produce anonymous usage statistics. IP addresses are used only to derive approximate location and are not stored in their original form.

OpenPanel processes this data on our behalf as a data processor pursuant to Art. 28 GDPR. Analytics data is retained for the duration necessary to fulfil the stated purpose and is then deleted.

Legal basis: Art. 6 (1) lit. f GDPR. Our legitimate interest is the statistical analysis of website usage in order to improve our online offering. We have weighed this interest against your rights and consider the impact on your privacy to be minimal given the aggregated, non-identifying nature of the data collected.

You have the right to object to this processing at any time for reasons arising from your particular situation (Art. 21 (1) GDPR). To exercise this right, please contact us at the address provided above.

5. Newsletter (Substack redirect)

Our newsletter form does not collect email addresses on this website. When you submit the form, your browser opens Substack (the newsletter provider) in a new tab and copies your typed email to your clipboard so you can paste it on Substack's subscription page. Subscription itself happens entirely on Substack, governed by their privacy policy.

Substack Inc. (USA) is the data controller for newsletter subscriptions you complete on their platform. See: substack.com/privacy.

Legal basis (the brief in-browser handoff to Substack): Art. 6 (1) lit. a GDPR (consent; you initiate the action by clicking subscribe).

6. Assessment + PDF Report (Stripe)

The Clawproof Assessment runs entirely in your browser. Your answers are stored only in your browser's localStorage and encoded into the URL when you view your result. We do not transmit your answers to any server. The optional 49 EUR PDF report is generated client-side and downloaded directly to your device.

When you choose to unlock the PDF report, you are redirected to Stripe Payments Europe Ltd. / Stripe, Inc. (the payment processor). Stripe collects and processes the data necessary to complete the payment: name, email address, billing address, payment method details (card / SEPA / etc.), VAT identification number (for B2B reverse-charge invoices), business name, and transaction metadata. We receive a confirmation token and a redacted summary of the payment, never the full payment-method details.

Stripe is the data controller for payment data; we are the data controller for the resulting transaction record. Data may be transferred to the United States. Stripe relies on the EU–US Data Privacy Framework (Art. 45 GDPR) and Standard Contractual Clauses (Art. 46 GDPR) for these transfers. Stripe privacy policy: stripe.com/privacy.

Legal basis: Art. 6 (1) lit. b GDPR (performance of a contract you initiated by buying the report) and Art. 6 (1) lit. c GDPR (compliance with bookkeeping and tax-record obligations).

Retention of payment and invoice records: 10 years as required by § 257 HGB and § 147 AO (German commercial and tax law). Other transaction metadata is retained per Stripe's standard retention.

7. Booking calls (Calendly)

Links labeled “Book a call” or similar redirect to Calendly LLC (USA). When you book a meeting on Calendly, Calendly processes the data you provide (name, email, calendar availability) as the data controller for that booking. We receive a confirmation with the meeting time and your contact details so we can attend the call.

Legal basis: Art. 6 (1) lit. b GDPR (steps prior to entering into a contract, at your request). Data transfers to the USA are based on the EU–US Data Privacy Framework and Standard Contractual Clauses. Calendly privacy policy: calendly.com/privacy.

8. Open-Source Content and GitHub

We link to open-source repositories hosted on GitHub (GitHub, Inc., USA). When you visit GitHub, their privacy policy applies. We do not collect any data through our GitHub repositories beyond what GitHub processes as part of their platform.

9. Data Retention

  • Assessment answers: stored only in your browser; never reach our servers.
  • Newsletter: not held by us; managed by Substack on their platform.
  • Payment + invoice records: 10 years per § 257 HGB / § 147 AO.
  • Booking data: kept while the booking is active and a reasonable period for follow-up; then deleted.
  • Server logs: per the standard retention of the hosting provider.

10. Your GDPR Rights

You have the following rights regarding your personal data:

  • Right of Access (Art. 15 GDPR)
  • Right to Rectification (Art. 16 GDPR)
  • Right to Erasure (Art. 17 GDPR)
  • Right to Restriction of Processing (Art. 18 GDPR)
  • Right to Data Portability (Art. 20 GDPR)
  • Right to Object (Art. 21 GDPR)

To exercise any of these rights, contact us at: info@lexbeam.com

11. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State of your habitual residence.

Supervisory authority for Germany:
Landesbeauftragte für Datenschutz und Informationsfreiheit NRW
Kavalleriestraße 2-4, 40213 Düsseldorf
www.ldi.nrw.de

12. Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit (HTTPS/TLS) and access controls.

13. Changes to This Privacy Policy

We may update this privacy policy from time to time. We will notify you of material changes by posting the new privacy policy on this page and updating the “last updated” date.