Privacy Policy

Last updated: April 14, 2026

Table of Contents

  1. Purpose and Responsibility

  2. General Information on Data Processing and Legal Basis

  3. Security Measures

  4. Transfer of Data to Third Parties and Third-Party Providers

  5. Processing of Data in the Context of Customer Relationships

  6. Data Processing Agreement (DPA)

  7. Domain Registrations

  8. Identity Verification for .de Domain Registrations (NIS-2 / DENIC)

  9. AI-based Features and Processing of Input Data

  10. Collection of Access Data

  11. Cookies, Consent, and Analytics

  12. Online Presence on Social Media

  13. Google Analytics 4

  14. Matomo

  15. Google AdSense

  16. Meta Social Plugins

  17. Meta Marketing Services (Meta Pixel and Custom Audiences)

  18. Newsletter and Contact

  19. Integration of Third-Party Services and Content

  20. Data Deletion

  21. User Rights and Right to Object

  22. Changes to the Privacy Policy

1. Purpose and Responsibility

1.1. This Privacy Policy informs you about the nature, scope, and purpose of the processing of personal data within our online offering and the associated websites, mobile applications, and content (hereinafter collectively referred to as the “online offering”). This Privacy Policy applies regardless of the domains, systems, platforms, and devices (e.g., desktop or mobile) used to access the online offering.

1.2. The provider of the online offering and the controller responsible for data processing within the meaning of the GDPR is webme GmbH, Straßburger Straße 55, 10405 Berlin, Germany, Managing Director: Sven Lubek (hereinafter referred to as “webme”, “we”, or “us”). For further information and contact details, please refer to our legal notice (Imprint) at https://www.webme.com.

1.3. For data protection inquiries and to exercise your data subject rights, please contact: datenschutz@webme.com.

2. General Information on Data Processing and Legal Basis

2.1. The personal data processed within the scope of our online offering includes inventory data (e.g., names and addresses of customers), contractual data (e.g., services used, payment information), usage data (e.g., visited webpages, product interests), metadata and communication data (device IDs, IP addresses), as well as content data (e.g., entries in contact forms or AI features).

2.2. The term “user” includes all categories of individuals affected by data processing, including customers, prospects, and other visitors. The terminology used is to be understood as gender-neutral.

2.3. We process users’ personal data only in compliance with the applicable data protection regulations, in particular the GDPR. Processing is carried out only where there is a legal basis.

2.4. Overview of legal bases: consent (Art. 6(1)(a), Art. 7 GDPR); performance of a contract and pre-contractual measures (Art. 6(1)(b) GDPR); legal obligations (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR). For cookie-based processing, Section 25 TDDDG also applies.

3. Security Measures

3.1. We implement organizational, contractual, and technical security measures in accordance with the state of the art to ensure compliance with data protection laws and to protect the data processed by us against accidental or intentional manipulation, loss, destruction, or unauthorized access.

3.2. In particular, security measures include the encrypted transmission of data between your browser and our server using SSL/TLS encryption.

4. Transfer of Data to Third Parties and Third-Party Providers

4.1. Data is only transferred to third parties on the basis of legal permissions and in compliance with statutory requirements. We only share user data with third parties if this is necessary to fulfill our contractual obligations or if we use third-party services within the scope of our legitimate interests.

4.2. If we engage third parties as data processors, we conclude data processing agreements with them in accordance with Art. 28 GDPR and implement appropriate technical and organizational measures to protect personal data.

4.3. If third-party providers are located in a third country outside the EU or EEA, data transfers are carried out on the basis of an adequacy decision by the European Commission, appropriate safeguards (in particular EU Standard Contractual Clauses in accordance with Art. 46 GDPR), user consent, or another legal basis. For US providers certified under the EU-US Data Privacy Framework (DPF), an adequate level of data protection is ensured.

5. Processing of Data in the Context of Customer Relationships

5.1. We process inventory and contractual data of our customers and prospective customers for the purpose of fulfilling our contractual obligations and providing services in accordance with Art. 6(1)(b) GDPR.

5.2. During registration, the following mandatory data is collected: domain name, email address, and password (stored in encrypted form).

5.3. Users may request the deactivation of their accounts within their user profiles. In addition, users have the right to erasure (Art. 17 GDPR) and restriction of processing (Art. 18 GDPR). Even in the event of deletion of other content, we retain the user's email address to prevent misuse; it is stored in an irreversibly encrypted form.

5.4. We also process customer data on the basis of our legitimate interests for marketing and market research purposes (Art. 6(1)(f) GDPR), as well as due to legal obligations under commercial and tax law (Art. 6(1)(c) GDPR).

5.5. When contacting us, the user’s information is processed for the purpose of handling the inquiry and may be stored in our CRM system.

6. Data Processing Agreement (DPA)

If users process personal data of third parties within the websites they operate and webme acts as a data processor within the meaning of Art. 28 GDPR, the conclusion of a separate Data Processing Agreement (DPA) is required. This particularly applies to commercial users who collect customer data, contact form entries, or similar personal data through websites created with webme.

The user, as the controller within the meaning of the GDPR, is responsible for ensuring that the legal requirements for data processing on their website are met. Users can request the conclusion of a DPA via webme support at support.webme.com.

7. Domain Registrations

7.1. In the case of domain registrations, we transfer certain personal data to registrars and registration authorities to the extent necessary for domain registration, on the basis of Art. 6(1)(b) GDPR. This data is stored by the registration authorities and published in generally publicly accessible Whois databases.

7.2. For the registration of a .de domain, the name and address of the domain holder, as well as the contact details of the technical and administrative contacts, are currently transmitted to and stored by DENIC eG. The name and address can be viewed via the Whois query at www.denic.de.

7.3. Domain hosting is provided by InterNetX GmbH, Johanna-Dachs-Str. 55, 93055 Regensburg, Germany (Privacy Policy: https://www.internetx.com/rechtliches/datenschutz/).

8. Identity Verification for .de Domain Registrations (NIS-2 / DENIC)

8.1. Due to the requirements of Directive (EU) 2022/2555 (NIS-2) and the resulting binding regulations of DENIC eG, webme is obliged, as of April 14, 2026, to verify the email address and, upon request by DENIC, to carry out identity verification of the domain holder for .de domain registrations and transfers.

8.2. For identity verification, we use the identification service provider IDnow GmbH, Ridlerstraße 55, 80339 Munich, Germany (www.idnow.io). webme acts as the data controller vis-à-vis the domain holder, while IDnow acts as a data processor in accordance with Art. 28 GDPR. The result of the verification is transmitted to DENIC eG, which acts as an independent controller.

8.3. As part of the verification process, the following personal data is processed: name, address, date of birth, and image data from an identity card or passport. The legal basis is Art. 6(1)(c) GDPR (compliance with a legal obligation under the NIS-2 requirements of DENIC eG) in conjunction with Art. 6(1)(b) GDPR (contractual relationship with the domain holder).

8.4. The identification data is processed exclusively for the purpose of verification. Copies of identification documents are not stored beyond the verification process unless statutory retention obligations apply. IDnow’s Privacy Policy is available at https://www.idnow.io/de/datenschutz/.

8.5. The verification service is available in German, English, French, Spanish, and Portuguese.

9. AI-based Features and Processing of Input Data

9.1. webme provides users with AI-based features for the automated creation and optimization of website content. When using these features, we process the texts and requests entered by users (so-called prompts) as well as the resulting generated content.

9.2. Legal bases for processing: Art. 6(1)(b) GDPR (contractual relationship with the user) for the provision of AI features; Art. 6(1)(f) GDPR (legitimate interests in quality assurance and further development) for the analysis of anonymized usage data.

9.3. Purpose of processing: Prompts are processed exclusively for providing the requested AI functionality and for technical quality assurance. Personally identifiable data is not used for training AI models without explicit consent. Anonymized or aggregated usage data may be used to further develop the services.

9.4. Use of third-party AI services: To provide AI features, we use third-party services, in particular services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (including Google Gemini / AI Studio). These third parties act as data processors in accordance with Art. 28 GDPR. Data transfers to the United States are carried out on the basis of the EU-US Data Privacy Framework as well as EU Standard Contractual Clauses. Google’s Privacy Policy is available at https://policies.google.com/privacy.

9.5. Retention period: Prompts and generated content are stored only for as long as necessary to provide the service, but no longer than 90 days, unless the user requests earlier deletion.

9.6. Users who do not wish their inputs to be shared with third-party models should refrain from using the AI features.

10. Collection of Access Data

10.1. Based on our legitimate interests (Art. 6(1)(f) GDPR), we collect data on every access to the server on which this service is hosted (so-called server log files). The access data includes the name of the accessed webpage, date and time of access, amount of data transferred, browser type and version, the user’s operating system, referrer URL, and IP address.

10.2. Log file information is stored for security reasons for a period of 14 days. After that, IP addresses are deleted or anonymized. Data that must be retained for evidentiary purposes is excluded from deletion until the respective incident has been finally resolved.

11. Cookies, Consent, and Analytics

11.1. Cookies are pieces of information that are transmitted from our web server or third-party web servers to users’ browsers and stored there. The legal basis for the use of technically necessary cookies is Section 25(2) TDDDG in conjunction with Art. 6(1)(f) GDPR (legitimate interest in operating the service). The legal basis for all other cookies (analytics, marketing, personalization) is your consent in accordance with Section 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR.

11.2. Consent for non-essential cookies is obtained via our cookie consent tool, which appears upon your first visit to our online offering. Consent can be withdrawn at any time via the cookie settings on our website.

11.3. Technically necessary cookies (session cookies) are deleted when you end your use of our online offering. Additional opt-out options are available at: http://optout.networkadvertising.org/ and http://www.youronlinechoices.com/de/.

12. Online Presence on Social Media

12.1. We maintain online presences on social networks in order to communicate with customers, prospective customers, and users, and to inform them about our services.

12.2. User data may be processed outside the EU. Transfers to US providers are based on EU Standard Contractual Clauses (Art. 46 GDPR) and, where applicable, the EU-US Data Privacy Framework (DPF).

12.3. The legal basis for our own processing is Art. 6(1)(f) GDPR (legitimate interests in effective communication). The respective platform providers are responsible for data processing on their platforms.

12.4. Meta / Facebook and Instagram (Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland) – Privacy Policy: https://www.facebook.com/privacy/policy/, Opt-out: https://www.facebook.com/settings?tab=ads.

12.5. Google / YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) – Privacy Policy: https://policies.google.com/privacy, Opt-out: https://adssettings.google.com/authenticated.

13. Google Analytics 4

13.1. We use Google Analytics 4 (GA4), a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. GA4 collects and processes usage data to provide us with insights into user behavior on our online offering.

13.2. The legal basis is your consent in accordance with Section 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR, which you provide via our cookie consent tool. GA4 is activated only after your consent has been given.

13.3. GA4 uses first-party cookies (in particular _ga, ga*) to recognize users across sessions. IP addresses are anonymized by default and are not stored in full. GA4 does not use third-party cookies for cross-site tracking.

13.4. The data collected by GA4 is stored on Google servers in the United States. Data transfers to the US are based on EU Standard Contractual Clauses and the EU-US Data Privacy Framework.

13.5. Users can object to data collection by GA4 by withdrawing their consent in the cookie consent tool or by installing the browser add-on: https://tools.google.com/dlpage/gaoptout.

14. Matomo

We use Matomo, a privacy-friendly web analytics service, hosted on our own servers. Matomo processes usage data exclusively on our servers; no data is shared with third parties. IP addresses are anonymized before being stored. The legal basis is Art. 6(1)(f) GDPR (legitimate interests in analyzing and optimizing our online offering). Further information: https://matomo.org/privacy-policy/.

15. Google AdSense

15.1. We integrate Google AdSense, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, for the delivery of advertisements. Google AdSense uses cookies and web beacons to display interest-based advertising and to measure the effectiveness of ads.

15.2. The legal basis is your consent in accordance with Section 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR, which you provide via our cookie consent tool. Google AdSense is activated only after your consent has been given.

15.3. The data collected by AdSense is processed on Google servers in the United States. Data transfers are based on the EU-US Data Privacy Framework and EU Standard Contractual Clauses.

15.4. Opt-out: https://adssettings.google.com/authenticated. Google’s Privacy Policy: https://policies.google.com/privacy.

16. Meta Social Plugins

16.1. We integrate social plugins of the Facebook social network operated by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. The plugins can be recognized by Facebook logos or the label “Facebook Social Plugin.”

16.2. The legal basis for integrating social plugins is your consent in accordance with Section 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR, insofar as cookies are set or data is transmitted to Meta via the plugins. Where possible, we use social plugins in a privacy-friendly “2-click solution,” so that a connection to Meta servers is only established after an active click.

16.3. If the user is logged into Facebook at the same time, Meta may associate the visit with the user’s profile. Opt-out: https://www.facebook.com/settings?tab=ads. Meta’s Privacy Policy: https://www.facebook.com/privacy/policy/.

17. Meta Marketing Services (Meta Pixel and Custom Audiences)

17.1. We use the Meta Pixel provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. The Meta Pixel enables remarketing and conversion tracking.

17.2. The legal basis is your consent in accordance with Section 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR, which you provide via our cookie consent tool. The Meta Pixel is activated only after your consent has been given.

17.3. Data transfers to Meta in the United States are based on the EU-US Data Privacy Framework and EU Standard Contractual Clauses.

17.4. Opt-out: https://www.facebook.com/settings?tab=ads. Meta’s Privacy Policy: https://www.facebook.com/privacy/policy/.

18. Newsletter and Contact

18.1. We send newsletters and promotional emails only with the consent of the recipients or on the basis of a legal permission. The legal basis is Art. 6(1)(a), Art. 7 GDPR in conjunction with Section 7(2) No. 3 UWG.

18.2. Newsletter service provider: Our newsletters are sent via Mailchimp, a service of Intuit Inc. (formerly The Rocket Science Group LLC), 2700 Coast Avenue, Mountain View, CA 94043, USA. Mailchimp is certified under the EU-US Data Privacy Framework. Privacy Policy: https://mailchimp.com/legal/privacy/.

18.3. Double opt-in procedure: The time of registration, confirmation time, and IP address are logged.

18.4. Statistical analysis: Newsletters may contain web beacons that track open and click rates. These analyses are carried out on the basis of our legitimate interests (Art. 6(1)(f) GDPR).

18.5. Unsubscription: Newsletter recipients can withdraw their consent at any time via the unsubscribe link. Upon unsubscription, data used exclusively for the newsletter will be deleted, unless retention obligations apply.

19. Integration of Third-Party Services and Content

19.1. We integrate content and service offerings from third-party providers (e.g., videos, fonts, maps). In doing so, third-party providers receive the user’s IP address, which is technically required to deliver the content.

19.2. Integrated third-party providers:

20. Data Deletion

20.1. The data stored by us will be deleted as soon as it is no longer required for its intended purpose and no statutory retention obligations prevent its deletion.

20.2. Statutory retention periods: 6 years in accordance with Section 257(1) HGB and 10 years in accordance with Section 147(1) AO for tax-relevant documents.

20.3. Personal data from identity verifications (IDnow) is deleted after completion of the verification process and transmission to DENIC, unless retention obligations apply.

20.4. Prompts and generated AI content are deleted after a maximum of 90 days, unless the user requests earlier deletion.

21. User Rights and Right to Object

Under the GDPR, users have the following rights, which they can exercise by contacting datenschutz@webme.com:

  • Right of access (Art. 15 GDPR): Free information about the personal data stored about them.

  • Right to rectification (Art. 16 GDPR): Correction of inaccurate data.

  • Right to erasure (Art. 17 GDPR): Deletion of personal data (“right to be forgotten”).

  • Right to restriction of processing (Art. 18 GDPR).

  • Right to data portability (Art. 20 GDPR): Receipt of the data provided in a structured, commonly used, and machine-readable format.

  • Right to object (Art. 21 GDPR): Objection to processing based on legitimate interests, in particular for direct marketing purposes. Objection to direct marketing is effective at any time without the need to state reasons.

  • Withdrawal of consent (Art. 7(3) GDPR): Consent can be withdrawn at any time with effect for the future, e.g., via the cookie consent tool or by email.

  • Right to lodge a complaint: Right to lodge a complaint with the competent data protection supervisory authority, for webme in particular with the Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, 10969 Berlin (https://www.datenschutz-berlin.de).

22. Changes to the Privacy Policy

22.1. We reserve the right to amend this Privacy Policy in order to adapt it to changes in the legal framework or changes to our services. Where user consent is required or where provisions of the Privacy Policy form part of the contractual relationship, changes will only be made with the user’s consent.

22.2. In the case of significant changes, we will actively inform users by email to the email address provided. Otherwise, users are asked to regularly review the content of the Privacy Policy.
