1. Who we are

The controller responsible for the processing of personal data described in this policy is Crelora GmbH in connection with the OneLence website and related services (“we”, “us”, “our”).

Crelora GmbH
Ernst-Thälmann-Straße 41
06686 Lützen, Germany
Commercial register: HRB 35614, Amtsgericht Stendal
VAT identification number: DE453924952

For privacy questions about OneLence: [email protected]. Full company and legal details (Impressum) are available in our Legal disclosure.

If we appoint a data protection officer, we will publish their contact details here and in our imprint.

2. Scope

This policy applies to personal data we process when you visit our websites, use OneLence, communicate with us, or interact with our marketing (e.g. newsletters, ads). If you use OneLence under a separate agreement with your employer or another organisation, that agreement and any organisation-specific terms may also apply.

If you use OneLence on behalf of a business and submit or configure processing of personal data about your end users, site visitors, or other third parties, you are typically the controller of that data under the GDPR. We process it as a processor on your instructions (as set out in your agreement with us), except where we act as a controller for our own purposes (e.g. your account, billing, security, and service operation as described here). Your obligations toward those individuals—including transparency, lawful bases, consent where required, and handling rights requests—remain with you unless we expressly agree otherwise in writing.

3. What data we collect

Depending on how you interact with us, we may process:

• Account and contact data — e.g. name, email, company, role, billing details where applicable.
• Service and usage data — e.g. features used, approximate location derived from IP, device/browser type, logs, and diagnostics to keep the service secure and reliable.
• Content you provide — e.g. messages you send us, files or inputs you upload to the product, subject to the product’s functionality.
• Marketing and communications — e.g. subscription preferences, campaign identifiers, and whether you opened emails or clicked links, where permitted.
• Analytics data — aggregated or pseudonymous statistics about how visitors and users interact with our sites and product, to improve UX, performance, and features.

We do not require you to provide more information than necessary for the relevant purpose.

4. Why we use your data (purposes)

We process personal data for purposes such as:

• Providing, operating, and securing OneLence and our websites.
• Onboarding, authentication, support, and contract administration.
• Improving the product, fixing bugs, and developing features (including through analytics).
• Measuring and optimising marketing and communications, where allowed.
• Complying with legal obligations and enforcing our terms.
• Defending legal claims and protecting our rights and those of our users.

5. Legal bases (GDPR)

Where the EU General Data Protection Regulation (GDPR) applies, we rely on one or more of the following:

• Contract (Art. 6(1)(b) GDPR) — processing necessary to provide the service you requested or to take steps before entering a contract.
• Legitimate interests (Art. 6(1)(f) GDPR) — e.g. improving our product, fraud prevention, IT security, aggregated analytics, and business-to-business marketing that does not require consent under applicable law, balanced against your rights.
• Consent (Art. 6(1)(a) GDPR) — where we ask for consent (e.g. certain cookies or marketing emails), you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
• Legal obligation (Art. 6(1)(c) GDPR) — where we must retain or disclose information to comply with the law.

6. Analytics and marketing

We use analytics to understand how our websites and product are used so we can improve stability, usability, and features. Where we use marketing tools, we aim to measure campaigns in aggregate and to respect your choices (e.g. unsubscribe links, cookie preferences).

We may use or integrate tools such as Google Analytics, Customer.io, and Mixpanel (or comparable services) for product and marketing measurement. We also use such insights to understand usage patterns in the aggregate—alongside our own product analytics—so we can prioritise improvements, benchmark how well our built-in analytics and reporting meet real needs, and keep OneLence competitive and reliable for customers. We do not use these tools to identify individuals for unrelated purposes beyond what this policy describes.

How each tool processes data is described in its provider’s documentation; we configure integrations to align with applicable law and our agreements. This list may change as our stack evolves.

For cookies and similar technologies on our sites, see our Cookie Policy.

7. Sharing with others — we don’t sell your data

We do not sell your personal data to third parties for their own marketing or brokerage purposes.

We may share data only where necessary, for example:

• With service providers (processors) who help us host, analyse, email, support, or secure our services, under contracts that require them to protect your data and use it only on our instructions.
• With professional advisers (e.g. lawyers, auditors) where required.
• With authorities if we are legally required or if disclosure is necessary to protect rights, safety, or security.
• In connection with a business transfer (e.g. merger), subject to appropriate safeguards.

If we agree with an individual customer (for example under a written contract) to share or transfer specific data in a way that goes beyond standard processing, we will do so only as described in that agreement.

8. Hosting, infrastructure, and subprocessors

Much of the OneLence service is operated by Crelora GmbH using our own product and systems. To run the SaaS reliably and securely, we also use trusted infrastructure and service providers who may process personal data on our instructions as processors. Depending on the feature, these may include (without limitation):

• Supabase — database, authentication, and related backend services;
• Cloudflare — network delivery, security, and related edge or hosting services;
• Google Cloud — cloud hosting, storage, and related Google Cloud services;
• Stripe — subscription management, checkout, payment processing, and related billing operations (subject to Stripe’s terms and privacy policy).

We enter into data processing terms with providers where required by law. Providers and roles may change; we will update this policy or maintain a separate subprocessor notice for material changes where appropriate.

9. International transfers

We are based in the EU. If we transfer personal data outside the European Economic Area, we will ensure appropriate safeguards under GDPR (e.g. adequacy decisions, Standard Contractual Clauses, or other approved mechanisms), unless a specific derogation applies.

10. Retention

We keep personal data only as long as needed for the purposes above, including legal, tax, and accounting requirements. Retention periods depend on the type of data and context; we delete or anonymise data when it is no longer necessary.

11. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or alteration. No method of transmission or storage is 100% secure; if we become aware of a breach that affects you where we are required to notify you, we will do so in line with applicable law.

12. Your rights

Where GDPR applies, you may have the right to:

• Access your personal data and receive a copy.
• Rectify inaccurate data or complete incomplete data.
• Erase data in certain circumstances (“right to be forgotten”).
• Restrict processing in certain circumstances.
• Data portability for data you provided, where processing is based on consent or contract and automated.
• Object to processing based on legitimate interests, including profiling in some cases.
• Withdraw consent where processing is based on consent.
• Lodge a complaint with a supervisory authority — in Germany, e.g. your local state authority or the Federal Commissioner.

To exercise these rights, contact [email protected]. We may need to verify your identity before responding.

12. Children

Our services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have done so, please contact us and we will take steps to delete the information where appropriate.

14. Automated decision-making

We do not use fully automated decision-making, including profiling, that produces legal or similarly significant effects solely based on automated processing, unless we explicitly inform you otherwise and have a lawful basis to do so.

14. Changes

We may update this policy from time to time. We will post the revised version on this page and adjust the effective date. For material changes, we may provide additional notice (e.g. email or in-product message) where appropriate.

16. Contact

Questions about this Privacy Policy or your personal data: [email protected]
Crelora GmbH, Ernst-Thälmann-Straße 41, 06686 Lützen, Germany.