Privacy Policy

Last updated: January 2026

1. Data Controller

nckr GmbH
Pestalozzistraße 25
22305 Hamburg
Germany
Email: [email protected]

2. Scope of Data Processing

This Privacy Policy applies to the dhino website and related services, including early access sign-ups and feedback submissions.

3. Data We Collect

When you contact us, sign up for early access, or submit feedback, we may process the following personal data:

  • Name
  • Email address
  • Company name
  • Any information voluntarily provided in form fields

4. Purpose of Processing

We process personal data for the following purposes:

  • To respond to inquiries and communicate with users
  • To manage early access registrations and product updates
  • To understand user needs and improve our product and services
  • To operate and secure our website

5. Legal Basis

Personal data is processed on the following legal bases under Article 6 GDPR:

  • Article 6(1)(b) GDPR (performance of a contract or pre-contractual measures), where processing is necessary to respond to requests or manage early access registrations
  • Article 6(1)(f) GDPR (legitimate interests), where processing is necessary to operate, secure, and improve our website and services
  • Article 6(1)(a) GDPR (consent), where users voluntarily provide information and explicitly consent to specific processing activities

Consent can be withdrawn at any time with effect for the future by contacting us.

6. Hosting, Infrastructure, and Security

Our website is built using Astro and is hosted via Cloudflare. Cloudflare acts as a data processor and provides content delivery, security, and protection against abuse.

In this context, Cloudflare automatically collects and stores, in so-called server log files, information that your browser transmits automatically. This technical data includes:

  • IP address
  • Browser type and version
  • Operating system
  • Referrer URL and host name of the accessing computer
  • Date and time of access
  • Other similar data and information that serve to prevent attacks on our IT systems

This processing is strictly limited to what is technically necessary to ensure the reliable, stable, and secure operation of the website (e.g., defense against DDoS attacks). The legal basis for this processing is our legitimate interest pursuant to Article 6(1)(f) GDPR.

7. Forms, API, and CRM Processing

When users submit forms on our website, the data is transmitted via our own API and stored in our customer relationship management system built on Microsoft Power Platform (including Dataverse).

Microsoft acts as a data processor on our behalf and processes personal data solely in accordance with our instructions and applicable data protection agreements.

8. Data Transfers Outside the EU

Where personal data is processed or stored outside the European Union or the European Economic Area, such transfers are safeguarded by appropriate data protection mechanisms, including the European Commission's Standard Contractual Clauses and the EU-U.S. Data Privacy Framework.

9. Cookies and Technical Data

Cookies and similar technologies are used only to the extent necessary to operate and secure our website. This may include essential technical cookies or comparable mechanisms provided by our hosting and security providers (e.g., Cloudflare) for purposes such as load balancing, abuse prevention, and system security.

We do not use cookies or similar technologies for tracking, analytics, advertising, or profiling purposes.

10. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by applicable law. Users may request deletion of their data at any time.

11. Your Rights

Under the GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate or incomplete data
  • Request erasure of your data
  • Restrict processing
  • Object to processing
  • Receive your data in a structured, commonly used format
  • Withdraw consent at any time

12. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement.