Privacy Policy | MailCountdowns - Data Protection Guide

Privacy Policy

Effective Date: 2026-04-19

Sea View Software GmbH ("we," "our," "us") operates mailcountdowns.com (the "Service") and is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, and share information about you when you use the Service, and describes your rights under the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

1. Data Controller

The data controller responsible for the processing of your personal data is:

Sea View Software GmbH
Steinstraße 81–83
35390 Gießen
Germany

Represented by the Managing Director: Robin Heller
Commercial register: HRB 12514, Amtsgericht Gießen
VAT ID (USt-IdNr.): applied for ("beantragt")

Email: [email protected]
Contact form

We have not appointed a dedicated Data Protection Officer as we are not required to do so under Art. 37 GDPR / §38 BDSG. For any data protection matters please use the contact details above.

2. Information We Collect

We process the following categories of personal data:

2.1 Information you provide to us

  • Account information: name, email address, hashed password.
  • Billing information: billing name, address, country and VAT ID where applicable. Card details are collected and stored exclusively by our payment processor (Paddle, acting as Merchant of Record); we never see your full card number.
  • Content: any countdown configurations, text, images or other material you upload or create using the Service.
  • Support communications: messages you send us via the contact form or by email.

2.2 Information collected automatically

  • Server logs: IP address (truncated where feasible), user agent, referrer, requested URL and timestamp. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating and securing the Service).
  • Strictly necessary cookies: session cookie, CSRF token, authentication cookie, and the consent preferences cookie described in Section 11. Legal basis: Art. 6(1)(f) GDPR / §25(2) Nr. 2 TTDSG.
  • Consent-based analytics and product-improvement data: see Section 11. Legal basis: Art. 6(1)(a) GDPR / §25(1) TTDSG (your explicit consent).

3. Purposes of Processing

We process your data in order to:

  • Provide, operate and maintain the Service and your account;
  • Process payments and send transactional receipts and service notifications;
  • Respond to inquiries and provide customer support;
  • Detect, prevent and investigate abuse, fraud or security incidents;
  • Improve the Service through aggregate analytics and product analytics (only with your consent — see Section 11);
  • Comply with legal obligations (e.g. tax retention, invoicing, responding to lawful requests).

4. Legal Bases for Processing

We rely on the following legal bases under GDPR:

  • Art. 6(1)(b) — Contractual necessity: to perform our agreement with you (providing the Service, processing payments).
  • Art. 6(1)(a) — Consent: for analytics, product analytics and any non-essential tracking as described in Section 11. Consent can be withdrawn at any time with effect for the future.
  • Art. 6(1)(f) — Legitimate interests: for security, fraud prevention, log analysis, and for communicating with business contacts. A balancing test is performed; you may object at any time.
  • Art. 6(1)(c) — Legal obligations: tax, accounting and other statutory retention duties (e.g. §147 AO in Germany: up to 10 years for invoices).

5. Recipients and Sub-processors

We do not sell your personal data. We share data only with carefully selected service providers that process data on our behalf under Art. 28 GDPR data processing agreements, or where legally required.

Processor Purpose Location Transfer safeguard
Paddle.com Market Ltd., Judd House, 18–29 Mora St, London EC1V 8BT, UK Payments, invoicing, tax collection (Merchant of Record) UK / EU / US UK adequacy decision; EU Standard Contractual Clauses (SCCs) for onward US transfers
Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland Google Analytics 4 and Google Consent Mode v2 (only with consent) EU / US EU–US Data Privacy Framework; SCCs
Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland Microsoft Clarity product analytics and session replay (only with consent) EU / US EU–US Data Privacy Framework; SCCs
Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA CDN, DDoS protection, Turnstile CAPTCHA on the contact form Global edge network incl. EU PoPs EU–US Data Privacy Framework; SCCs
Bunny.net (BunnyWay d.o.o.), Cesta komandanta Staneta 4A, 4270 Jesenice, Slovenia Privacy-friendly web font delivery (fonts.bunny.net) EU Intra-EU transfer
Coolify / hosting infrastructure provider Application hosting, database, backups EU Intra-EU transfer
Email delivery provider (SMTP) Transactional email (account, password reset, billing) EU Intra-EU transfer

In addition we may disclose personal data to competent authorities where we are legally obliged to do so, and to professional advisors (lawyers, accountants, auditors) under their professional duty of confidentiality.

In the case of a merger, acquisition or asset sale, personal data may be transferred to the acquiring entity subject to the same protections described in this Policy.

6. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA) — primarily to the USA and UK — we rely on one or more of the following transfer mechanisms under Chapter V GDPR:

  • the European Commission's adequacy decision for the UK,
  • the EU–US Data Privacy Framework for certified US recipients,
  • EU Standard Contractual Clauses (2021/914) supplemented by technical and organisational measures where appropriate.

A copy of the relevant safeguards can be requested using the contact details in Section 1.

7. Your Rights under GDPR

You have the following rights regarding your personal data:

  • Access (Art. 15): obtain a copy of the data we hold about you.
  • Rectification (Art. 16): have inaccurate or incomplete data corrected.
  • Erasure / "right to be forgotten" (Art. 17): have your data deleted where applicable.
  • Restriction (Art. 18): restrict processing in certain circumstances.
  • Data portability (Art. 20): receive your data in a structured, machine-readable format.
  • Objection (Art. 21): object to processing based on legitimate interests, including profiling.
  • Withdraw consent (Art. 7(3)): withdraw any previously given consent at any time, with effect for the future. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise these rights, contact us or email [email protected]. We will respond within one month (Art. 12(3) GDPR).

You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The authority competent for us is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
https://datenschutz.hessen.de

8. Data Retention

We retain personal data only as long as necessary for the purposes set out above:

  • Account data: for the duration of your account, plus up to 30 days after deletion in backups.
  • Billing and invoice data: retained for up to 10 years pursuant to §147 AO and §257 HGB.
  • Server logs: typically deleted or anonymised within 30 days.
  • Contact form submissions: up to 12 months after the case is closed.
  • Consent records: for up to 3 years after withdrawal to demonstrate compliance with Art. 7 GDPR.

9. Data Security

We implement appropriate technical and organisational measures in accordance with Art. 32 GDPR, including TLS encryption in transit, hashed credentials, least-privilege access controls, logging of administrative access, and regular security reviews. No system is perfectly secure; in the event of a personal data breach affecting you, we will notify you and the supervisory authority in accordance with Art. 33–34 GDPR.

10. Automated Decision-Making

We do not engage in automated decision-making or profiling producing legal or similarly significant effects within the meaning of Art. 22 GDPR.

11. Cookies and Similar Technologies

We use cookies and comparable technologies (localStorage entries) for two categories of purpose:

  1. Strictly necessary — session, CSRF, authentication and the mcd_consent preference record. These are required to deliver the Service you explicitly request and do not need consent (§25(2) Nr. 2 TTDSG, Art. 6(1)(f) GDPR).
  2. Consent-based — Google Analytics 4 (provider: Google Ireland Ltd.) and Microsoft Clarity (provider: Microsoft Ireland Operations Ltd.). These are only loaded after you give your explicit consent via our cookie banner.

We implement Google Consent Mode v2. This means:

  • Before you make a choice, analytics and advertising storage are set to denied by default. No Google Analytics or Microsoft Clarity script is loaded.
  • If you consent, the relevant scripts are injected and analytics_storage is set to granted.
  • If you decline or do not respond, no analytics cookies are set. Google Consent Mode may still transmit anonymous, aggregated pings (no identifiers, no IP storage) to Google; this is part of the consent-mode mechanism itself and cannot be used to track individuals.

Withdrawing or changing consent: you can change your preferences at any time via the "Manage cookies" link in the website footer. Changes take effect immediately; already-set cookies will be cleared on next page load.

Consent versioning: if we add a new processor or materially change our tracking setup, we will bump an internal consent version number; you will then see the banner again and be asked for a fresh decision.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be announced on the website and, where required by law, communicated to you directly (e.g. by email). The "Effective Date" at the top indicates the current version.

13. Contact

If you have any questions or concerns about this Privacy Policy or our processing of your personal data:

Sea View Software GmbH
Steinstraße 81–83, 35390 Gießen, Germany
Email: [email protected]
Contact form