Last updated: 16 May, 2025

I. General Information

We, GAIA Technologies GmbH, Kurfürstendamm 195, 10707 Berlin (hereinafter “we”, “GAIA”) are a company based in Germany which offers a web-based and app-based legal management solution (hereinafter “Service”).

This Service is provided to your employer in the context of a data processing agreement with GAIA.

GAIA is merely the operator of the Service and, in that context, a processor pursuant to Art. 28 GDPR. The basis for the processing by GAIA is a data processing agreement between your employer as the controller and GAIA as the processor. This may also require GAIA to use other subcontractors to provide the Service (e.g. hosting of the software or similar). If you have any questions about this data processing for employment purposes, please contact your employer.

  1. Controller

In addition, when you use the Service, GAIA processes personal data for its own purposes where this is necessary for the provision and continuous development of the Service, in particular for the operation of the software. This is discussed in more detail below. For the processing discussed below, we are the controller within the meaning of Art. 4 (7) GDPR for the processing of your personal data in the context of the use of our Services. In addition to the possibility of contacting us by mail, you can also contact us at any time via [email protected].

  1. Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing the data protection strategy and ensuring compliance with data protection laws and regulations.

The DPO's contact information is as follows:

Name: Kertos GmbH

Email: [email protected]

  1. Transfer to third parties

We may transfer your personal data to third parties where necessary to provide our Service. If we use external service providers, these have been carefully selected by us and commissioned in writing and only process your personal data on our behalf. If necessary, we have concluded a processing agreement pursuant to Art. 28 GDPR with them. The categories of recipient we transfer your data to are cloud service providers, management tool providers, marketing tool providers and technical service providers.

  1. Transfer to third countries

We may transfer your personal data to non-EU/EEA countries. Insofar as there is no adequacy decision for these countries according to Art. 45 GDPR, we transfer your personal data subject to appropriate safeguards according to Art. 46 GDPR.

  1. Blocking and deletion

Your personal data will be deleted or blocked as soon as the purpose for processing no longer applies. We will further retain your data if we are legally obliged to do so, especially for tax and accounting purposes. Blocking or deletion of your personal data will also take place if a retention period prescribed by the standards expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.

II. Our Processing Activities

In the following we would like to provide an overview of the personal data we process, the purposes we process them for as well as the legal basis for such processing activity.

  1. Hosting

Whenever you access our website, hosted by Hetzner, server logs are automatically generated. These logs are typically pseudonymized, meaning they do not allow for the identification of individual users.

The collection of this data is essential for displaying and operating our website. It plays a crucial role in ensuring security by monitoring access, input, transfers, and storage. Anonymous data may be used for statistical analysis and to improve our website. Should there be any suspicion of unauthorized use of our website, these logs can be retrospectively reviewed and analyzed. The legal basis for this data processing is our legitimate interest under Art. 6 (1) (f) GDPR.

The collected data includes the domain name of the website, the type and version of the browser used, the operating system, the IP address, and the timestamp of access. The extent of this data collection is consistent with standard internet practices.

Server logs are retained for a maximum period of 90 days.

  1. Access and activity logs

Each time the Service is accessed, or significant actions are performed within it, server logs are automatically generated. This data is typically pseudonymized, which means it doesn't allow for identifying individual users.

This collection is essential for displaying and operating the Service. It's also critical for ensuring security, including monitoring access, input, transfers, and storage. Any anonymous data can be used for statistical analysis and improving the Service. Should there be any suspicion of unauthorized use of the Service, these logs can be retrospectively reviewed and analyzed. The legal basis for the data processing is our legitimate interest (Art. 6 (1) (f) GDPR).

The collected data includes details like the website's domain name, the browser type and version, operating system, IP address, and the timestamp of access. The extent of this data collection is consistent with standard internet practices.

Server logs are retained for a maximum period of 90 days.

  1. Error Log Management

Error logs are generated to identify and resolve issues, which is vital for promptly addressing problems with the display and functioning of the Service. Like server logs, this data is typically pseudonymized, preventing individual identification. The legal basis for the data processing is our legitimate interest (Art. 6 (1) (f) GDPR).

In the event of errors, data such as the website's domain name, browser type and version, operating system, IP address, and the timestamp of the error occurrence are collected.

Error logs are also stored for up to 90 days.

For the purpose of monitoring our Service and crash reports, we use the service “New Relic” provided by New Relic Inc., 188 Spear Street, Suite 1000, San Francisco, California 94105 (“New Relic”). Your personal data may be sent to New Relic for this purpose. For more information on how New Relic stores and processes your personal data please visit:

https://newrelic.com/termsandconditions/services-notices

  1. Content Delivery Network

Our website employs Cloudflare, a leading Content Delivery Network (CDN) service, to enhance performance and security. When you access our site, Cloudflare's systems automatically generate server logs containing pseudonymized data. This process is essential for maintaining our website's functionality, optimizing its display, and safeguarding against potential security threats.

The information collected by Cloudflare includes your IP address, the pages you visit on our site, your browser type and version, operating system, device type, and approximate geographical location. Additionally, Cloudflare records the timestamp of your visit and the amount of data transferred. It's important to note that this data collection aligns with standard practices across the internet and is necessary for Cloudflare to provide its CDN services effectively.

We utilize this data for several purposes, including analyzing website performance, identifying and addressing technical issues, and enhancing overall user experience. In instances where unauthorized access is suspected, these logs serve as a valuable tool for retrospective analysis and security investigations.

Cloudflare may process this information on servers located in various countries, including the United States. To ensure compliance with EU data protection standards, Cloudflare has obtained certification under the EU-US Data Privacy Framework, providing an adequate level of protection as per Article 45 of the GDPR.

The legal foundation for this data processing lies in our legitimate interest, as outlined in Article 6(1)(f) of the GDPR. We strive to balance this interest with your privacy rights, ensuring that data is retained only as long as necessary. Typically, Cloudflare's server logs are stored for no more than 24 hours, unless extended retention is required for specific security or operational purposes.

For a comprehensive understanding of Cloudflare's data handling practices, we encourage you to review their Privacy Policy at https://www.cloudflare.com/privacypolicy/

  1. Cookies

Cookies are small text files that store information on the user behavior when using our Service and that are placed on the user’s computer and held available for further visits to the Service. These cookies do not cause any damage to your computer and do not contain any viruses.

  1. List of Cookies

| Name | Provider | Purpose | Storage Duration |
| --- | --- | --- | --- |
| hjSessionUser | Hotjar | Purpose is to store a unique user ID for Hotjar analytics | 11 months 31 days |
| hjActiveViewportIds | Hotjar | Purpose is to track the active viewport IDs for analytics purposes | unlimited |
| hjViewportId | Hotjar | Purpose is to store the viewport ID for session tracking | Session |
| NRBA_SESSION | New Relic | Purpose is to store session information for performance monitoring | unlimited |
| CookieScriptConsent | GAIA | Purpose is to store the user’s cookie consent state | 11 months 31 days |
| _gaia_api_session | GAIA | Purpose is to maintain the session state of the user | Session |
| TessenSessionId | New Relic | Crash reporting and application logging | Session |
| TSNGUID | New Relic | Crash reporting and application logging | 1 year |
| JSESSIONID | New Relic | Crash reporting and application logging | Session |
| GAIA.AuthUser | Firebase | Authentication information to manage access | 8 days |
| GAIA.AuthUser.sig | Firebase | Authentication information to manage access | 8 days |
| GAIA.AuthUserTokens | Firebase | Authentication information to manage access | 8 days |
| GAIA.AuthUserTokens.sig | Firebase | Authentication information to manage access | 8 days |

  1. Necessary Cookies

Necessary cookies allow core functionalities of the Service such as user login and account management. The Service cannot be used properly without necessary cookies. The legal basis for the data processing is our legitimate interest (Art. 6 (1) (f) GDPR). We weighed our interest in providing this Service against your interest in the confidentiality of your personal data, whereby our interest prevails. Without the processing of personal data, it is not technically possible to provide the Service in a safe and compliant manner.

New Relic

For the purpose of monitoring our Service and crash reports we use third party cookies of the service New Relic. Your personal data may be sent to New Relic for this purpose. For more information on how New Relic stores and processes your personal data please visit:

https://newrelic.com/termsandconditions/services-notices

Firebase

For the purpose of authentication, we use the third-party service “Firebase” provided by Google Ireland Limited, Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). Your personal data may be sent to Google for this purpose. For more information on how Google stores and processes your personal data please visit: https://policies.google.com/privacy?hl=en-US

  1. Functional cookies

We use functional cookies to ensure functionality of our Service. The information obtained using functional cookies will not be linked to your IP address. No other personal data is collected. We use the information contained in these cookies to enable, analyze, and prove the operation and use of our service and in order to ensure our IT security.

The legal basis for the data processing is your legitimate interest (Art. 6 (1) (f) GDPR). We weighed our interest in providing the cookie-dependent functions of this Service against your interest in the confidentiality of your personal data, whereby our interest prevails. Without the processing of personal data, it is not technically possible to provide the functions. At the same time, the option outlined above is open to you to prevent the processing of your personal data in connection with cookies.

Google Maps

In our Service, we integrate the map service Google Maps, provided by Google. We use Google Maps for the autocomplete addresses function of our Service. You have the option to unselect the autocomplete function.

The legal basis for the processing of your personal data is your consent (Art. 6 (1) (a) GDPR) and our legitimate interest (Art. 6 (1) (f) GDPR). You may revoke your consent at any time with future effect. For more information on the purpose and scope of data collection and processing by Google, please refer to Google's privacy policy, where you will also find further information on your rights in this regard and setting options for protecting your privacy: https://policies.google.com/privacy?hl=en-US

  1. Analytic Tools

New Relic

On our website, we use New Relic, a service provided by New Relic, Inc. When using this service, the following data is transmitted to New Relic: IP address, referrer URL, operating system, browser information, page views and usage statistics, response times, and error messages. The purpose of New Relic is to monitor and analyze the performance and availability of our website. The information is typically forwarded to and stored on a New Relic server in the United States. For data transfers to the US, there is an adequacy decision by the EU Commission, the EU-US Data Privacy Framework. New Relic is certified under this framework, so such transfers are based on the legal grounds of Art. 45 GDPR. The data is stored for a maximum of 90 days after transmission. Due to the protection of the website and ensuring its provision, we have a legitimate interest in the sense of Art. 6 para. 1 lit. f GDPR. We use New Relic to optimise our website's performance and quickly identify and resolve any technical issues that may arise. This helps us provide a smooth and efficient user experience for our visitors. For more information about data protection at New Relic, please visit: https://newrelic.com/termsandconditions/privacy

Mixpanel

Our Service uses features provided by Mixpanel S.L., Avenida Diagonal, 442 – P. 3 PTA. 1 08037, Barcelona, Spain ("Mixpanel"). Mixpanel is an analytics platform that helps us understand how our visitors interact with the Service by tracking users’ actions and events on our website.

Mixpanel uses tracking technologies to collect information about your use of our Service and to profile your browsing behavior. The information collected by Mixpanel may include the type of device, the operating system, the browser used, and your interactions with our website.

We process your data with Mixpanel based on your consent in accordance with Art. 6 (1) (a) GDPR, which you may withdraw at any time for future use by changing the cookie settings.

Mixpanel may process personal data in the United States. We ensure that appropriate safeguards are in place to secure the data and maintain an adequate level of data protection, including adherence to the Data Privacy Framework between the EU and the U.S.

Please refer to Mixpanel’s Privacy Policy for more details on data processing and on how to opt-out of Mixpanel’s data collection: https://mixpanel.com/legal/privacy-policy

Segment

We utilize the data analytics service Segment.io, provided by Twilio Ireland Ltd., 3 Dublin Landings, North Wall Quay, Dublin 1, Ireland ("Segment"). Segment is a data platform that collects, stores, and routes your data to help us understand your use of our website and improve your experience.

Segment employs cookies and similar tracking technologies to collect information such as your device type, operating system, browser version, and interactions with our website. This data is collected in real-time and is used to compile user behavior analytics, which aids us in optimizing our website and aligning it more closely with your interests.

We process your data with Segment based on your consent in accordance with Art. 6 (1) (a) GDPR, which you may withdraw at any time for future use by changing the cookie settings.

Segment may process personal data in the United States. We ensure that appropriate safeguards are in place to secure the data and maintain an adequate level of data protection, including adherence to the Data Privacy Framework between the EU and the U.S.

For detailed information about Segment's data processing activities and for instructions on how to opt-out of their data collection, please consult Segment's Privacy Policy: https://segment.com/docs/privacy/complying-with-the-gdpr/

Hotjar

We utilize the data analytics service Hotjar Ltd., Dragonara Business Centre 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta ("Hotjar").

We use Hotjar to better understand the needs of our users and to optimize the offering and experience on this website. With the help of Hotjar's technology, we gain a better understanding of our users' experiences (e.g. how much time users spend on which pages, which links they click, what they like and what they don't, etc.) and this helps us align our offering with user feedback. Hotjar uses cookies and other technologies to collect data about the behavior of our users and their devices, in particular the IP address of the device (which is only collected and stored in anonymized form during your website usage), screen size, device type (unique device identifiers), information about the browser used, location (country only), and the preferred language for displaying our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually prohibited from selling the data collected on our behalf.

We process your data with Hotjar based on your consent in accordance with Art. 6 (1) (a) GDPR, which you may withdraw at any time for future use by changing the cookie settings.

For more information, please refer to the 'about Hotjar' section on Hotjar's help page.

  1. Use of Anonymized Data for Analyses and Model Training:

We may use anonymized data derived from the databases created during your use of the Service to perform analyses or improve our Services. Anonymized data is data that has been processed to remove all identifying elements, ensuring that it can no longer be associated with any individual.

Examples of how anonymized data is used include:

The processing of anonymized data is based on our legitimate interest (Art. 6 (1) (f) GDPR) in improving and developing our Services, optimizing Service performance, and contributing to technological advancements such as artificial intelligence. We have carefully weighed this interest against your rights and freedoms, and as anonymized data no longer identifies individuals, we ensure no undue impact on your data protection rights.

Anonymized data is solely used internally and is not shared with third parties unless explicitly mentioned.

III. Other

Obligation to provide data:

Providing certain personal data is necessary for us to deliver our Services. Without this data, the use of our Services may not be possible or may be limited. For example, providing your username and login credentials is essential to create an account and access the Services.

Providing other data, such as cookies or data for analytical purposes, is voluntary. You can refuse or withdraw your consent at any time without affecting the core functionality of our Services.

Automated Decision-Making and Profiling:

We do not engage in automated decision-making, including profiling, as defined in Article 22 GDPR. If this changes in the future, we will update this privacy policy accordingly and inform you as required by applicable data protection laws.

IV. Data Subject Rights

In accordance with the GDPR, you have the following rights regarding your personal data: