recash logo

Data Protection Policy

Valid from: 01.02.2025

1. Who is responsible for data processing?

In accordance with the General Data Protection Regulation (GDPR), the responsible entity is:

Circular Service GmbH
c/o TT63 GmbH
Gustav-Schwab-Str. 9
81673 Munich, Germany

Commercial Register: HRB 290030
Registration Court: Munich
Email: info@getrecash.com

We have appointed a Data Protection Officer who can be contacted at the above address or by email.

2. What data do we collect and why?

When using our website or the Recash app:

Automatically collected data:

  • IP address
  • Device ID
  • Browser and OS information
  • Date/time of access
  • Referrer URL
  • Session and interaction data

Purpose:
To operate and secure the website/app (Art. 6 para. 1 lit. f GDPR).

User-provided data (during registration and platform use):

  • Name and address of the company
  • Company location
  • Name of registered individuals, profile pictures, email addresses, preferred language
  • Username and password
  • Contact phone numbers
  • Email addresses
  • Account and payment data
  • Tax ID

Purpose:
To provide a user account, enable contract formation, and fulfill platform obligations (Art. 6 para. 1 subpara. 1 (b) and (f) GDPR).

We assign an ID number to every registered person.

Direct marketing:
We may use your data, particularly contact data, for direct advertising via email if obtained during service/product sale (Art. 6 para. 1 subpara. 1 (f) GDPR).

Credit checks:
Rarely, we may use your data to verify creditworthiness (Art. 6 para. 1 subpara. 1 (f) GDPR).

Processing order data:
Details of orders processed on the platform are stored to fulfill contracts and maintain legal clarity (Art. 6 para. 1 subpara. 1 (b) and (f) GDPR).

Processing creditworthiness data:
In rare cases, we may use data from third-party sources (e.g. Schufa, Creditreform, trade registers) (Art. 6 para. 1 subpara. 1 (f) GDPR).

Tracking data:
We collect browser/device/user behavior data to ensure safe operation. If not technically necessary, processing is based on your consent (Art. 6 para. 1 subpara. 1 (a) GDPR).

3. Who can obtain your data?

We may pass on your data to third parties to execute contracts and manage the platform.

Recipients include:

  • Trade partners
  • Suppliers
  • Carriers and freight forwarders
  • Service providers (e.g., for payments, administration, and advertising)

Legal basis:
Art. 28 GDPR or other contractual agreements.

International transfers:
When outside the EU/EEA, we ensure data protection standards via adequacy decisions (Art. 45 GDPR) or other safeguards (Art. 46 GDPR).

Example:

  • Hubspot | Name, address, email, payment data, phone number, tax number | Sales | Germany, USA

4. Analytics and Third-Party Tools

4.1. Cookies

Used for functionality and analytics.

  • Necessary cookies: Art. 6 para. 1 lit. f GDPR
  • Other cookies: Art. 6 para. 1 lit. a GDPR

4.2. Google Analytics

Used for visitor analytics and service optimization.

  • Provider: Google Ireland Limited
  • Legal basis: Art. 6 para. 1 lit. a GDPR
  • Data transfer: USA (EU-U.S. Data Privacy Framework)
  • Retention: 14 months
  • DPA: Concluded

4.3. Brevo (Sendinblue GmbH)

Used to send transactional emails.

  • Legal basis: Art. 6 para. 1 lit. b GDPR
  • Recipients: Brevo
  • Third-country transfers: India, USA (SCCs), Canada (adequacy decision)
  • Retention: 14 months
  • DPA: Concluded

4.4. Google Tag Manager

Used to manage and fire tracking/analytics tags.

  • Legal basis: Art. 6 para. 1 lit. a GDPR
  • Recipient: Google Ireland Limited
  • Data collected: IP, usage, referrer, geo-location
  • Retention: Tag Manager itself stores no personal data

4.6. Cookie Consent Management – Cookiebot (Usercentrics)

Manages and documents consent.

  • Legal basis: Art. 6 para. 1 lit. c GDPR
  • Provider: Usercentrics GmbH, Munich
  • Data collected: Consent info, IP, timestamp, banner language, settings
  • Retention: 1 year
  • No third-country transfer

5. Social Media & Embedded Third-Party Content

When clicking external links (e.g., YouTube, social media), their own privacy policies apply.
No data is shared unless you interact (e.g., click a link).

6. How long do we store your data?

Data is retained only as long as needed for processing or legal compliance.
Afterward, it is deleted unless statutory retention periods apply.

7. Your rights

Under the GDPR, you have the right to:

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure (Art. 17)
  • Restriction (Art. 18)
  • Data portability (Art. 20)
  • Object (Art. 21)
  • Withdraw consent (Art. 7 para. 3)
  • Lodge a complaint (Art. 77)

Supervisory Authority:
Bayerisches Landesamt für Datenschutzaufsicht
Promenade 18, 91522 Ansbach, Germany

8. Updates to this policy

This privacy policy may be updated at any time to reflect legal or service changes.
The current version will always be available on our website.