Privacy Policy

Voyfai GmbH

Privacy Policy

06.11.2025

1. General Information

1.1 We, Voyfai GmbH (hereinafter: "we" or "Voyfai"), would like to inform you about the processing of personal data when you visit our website, apply to our company, use our services, participate in digital events and contact us.

1.2 The terms used below have the same meaning as in the General Data Protection Regulation (EU) 2016/679; hereinafter: "GDPR").

2. Data Controller

The Controller responsible for the processing of personal data within the meaning of Art. 4 No. 7 GDPR is

Voyfai GmbH

Münzstraße 21, 10178 Berlin, Germany

3. Data Protection Contact

Our company contact dedicated to data protection and privacy is available at all times to answer any questions and act as a contact person about data protection. The contact details are

Voyfai GmbH

Münzstraße 21, 10178 Berlin, Germany

E-Mail: [email protected]

4. Rights of data subjects

4.1 You have the following rights regarding the processing of your Personal Data and can assert them against us at any time

a) In accordance with Art. 15 GDPR, to request information about the data processed by us. In particular, you can request information about the purposes of processing, the category of data, the categories of recipients to whom your data has been or will be disclosed , the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of appeal, the origin of the data if it was not collected by us, and the existence of automated decision-making including profiling and, if applicable, meaningful information on its details;

b) in accordance with Art. 16 GDPR, to demand the immediate rectification of incorrect data or the completion of your data stored by us;

c) in accordance with Art. 17 GDPR, to request the erasure of your data stored by us, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;

d) in accordance with Art. 18 GDPR, to demand the restriction of the processing of your data if the accuracy of the data is disputed by you or the processing is unlawful;

e) in accordance with Art. 20 GDPR, to receive the data you have provided to us in a structured, commonly used and machine-readable format or to request its transmission to another controller ("data portability");

f) to object to the processing pursuant to Art. 21 GDPR, provided that the processing is based on Art. 6 para. 1 lit. e or lit. f GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which overrides your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims. If you object to the processing of data for the purpose of direct marketing, we will cease processing immediately. This also applies to profiling insofar as it is associated with direct advertising.

g) in accordance with Art. 7 para. 3 GDPR, to revoke your consent to us at any time if given. As a result, we may no longer continue the data processing that was based on this consent in the future.

h) And to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR. You can contact the supervisory authority of your usual place of residence or workplace or our company headquarters.

4.2 We would like to point out that we will process your personal data in accordance with Art. 6 para. 1 lit. c GDPR in order to process your request and for identification purposes.

5. Visiting the website

5.1 When you visit our website, the following categories of personal data are collected, stored and processed by us:

a) Scope of data processing

When you visit our website, a so-called log data record (server log files) is temporarily stored on our web server. This consists of

· the page from which the website was requested (so-called referrer URL),

· the name and URL of the requested page

· the date and time of the request

· the description of the type, language and version of the web browser used

· the IP address of the requesting computer, which is shortened so that a personal reference can no longer be established.

· the amount of data transferred,

· the browser,

· the operating system,

· the message as to whether the request was successful (access status/Http status code),

· the GMT time zone difference.

b) Purpose of data processing

The storage of log data for the duration of the session is necessary in order to be able to display our website to you. The processing also serves to ensure the permanent functionality and security of our websites and information technology systems.

c) Legal basis for data processing

The legal basis for the processing of log data is Art. 6 para. 1 lit. f GDPR with our legitimate interest in achieving the stated purposes.

d) Recipients of the data

We use external service providers for the operation of the website, who process personal data strictly in accordance with instructions on the basis of an order processing agreement in accordance with Art. 28 GDPR. We use the following service provider to host the website: Elementor Ltd.

e) Storage duration

The log data is stored for the duration of 14 days and then deleted, unless it must be kept for longer in exceptional cases to track an identified attack.

6. Voyfai SaaS Platform

In the following we will inform you about how we process data of our customers or employees of our customers. This also applies to potential customers who are interested parties and receive test access to the platform. The data controller in each case is the company that is our customer. We act as a Processor. However, for some data we also act as the Controller as stated below.

The creation of a user account for individuals is necessary in order to be able to use the Voyfai software. User accounts require that organizations are customers of Voyfai, unless they are test accounts. Customers can create users for their employees to interact with the services.

6.1 Scope of data processing as a Processor:
As part of our business relationship with you as an employee of customer, we process the data that we receive from you or your employer. When a new user is created, personal data such as name, job title and e-mail address are collected. We process the following categories of data in this context:

· Professional contact and organizational data: e.g. surname, first name, title, name of the company you work for, department, professional e-mail address,

· Data on professional circumstances: e.g. job title,

· Other: In addition, we may process other data that you provide during interactions with our employees or that we have legitimately collected about you from publicly available sources (e.g. commercial register).

6.2 Purpose of data processing:
Your data will be processed by us for the purpose of establishing and implementing the contractual relationship with our customer and complying with legal requirements.

6.3 The legal basis for data processing is the concluded order data processing agreement ("DPA").

6.4 Recipients of the data:
At our company, only those people who need it for the purposes described above have access to your data. Personal data may be processed by external service providers (e.g. support, hosting providers) on the basis of contracts in accordance with Art. 28 GDPR. The external service providers have been carefully selected and commissioned by us. They are contractually bound by our instructions, have suitable technical and organizational measures in place to protect the rights of the data subjects and are regularly monitored by us. The external service providers of our Voyfai application can be reviewed in the DPA concluded with the customers.

6.5 Storage period:

a) We store the aforementioned data for as long as we need it for the specific processing purpose. We regularly store your data for at least the duration of our business relationship with the customer for whom you work.

b) We also store certain data for the duration of statutory limitation periods (usually three years, in individual cases up to thirty years) and for as long as statutory retention periods (e.g. from the German Commercial Code, the German Fiscal Code) prescribe (but usually for a maximum of ten years).

c) Under certain circumstances, we may have to store your data for longer. This is the case, for example, if a ban on data erasure is ordered for the duration of the proceedings in connection with official or court proceedings.

6.6 Scope of data processing as a Controller:

We may also process your Personal Data as a Controller during your usage of our services. This applies to platform monitoring and tracking. We process the following data in this context:

a) User identifiers: User ID, email, role, organization/account ID

b) Login activity: Timestamps, IP addresses, device/browser info

c) Session data: Session duration, pages/screens visited, navigation flow

d) Feature usage: Which features are used, how often, and in what order

e) Key actions: Actions like creating reports, uploading files, inviting users

f) Workflow completion: Onboarding steps, task completions, drop-offs

g) Engagement metrics: DAU/WAU/MAU, retention trends, churn indicators

h) API & integration usage: Calls made, success/failure rates, integrations enabled

i) Error tracking: Form errors, failed actions, system or API errors

j) Billing-related usage: Seats used, usage against quotas, overages

6.7 Purpose of data processing:

Your data will be processed by us in accordance with our legitimate interests of observing the stability and security of our software applications and the further development of new use cases in accordance with usage of specific platform features.

6.8 Legal Basis:

The legal basis of the processing is our legitimate interest according to Art. 6 para. 1 lit. f GDPR.

6.9 Recipients of the data:

Personal data may be processed by external service providers (e.g. support, hosting providers) on the basis of contracts in accordance with Art. 28 GDPR. The external service providers have been carefully selected and commissioned by us. They are contractually bound by our instructions, have suitable technical and organizational measures in place to protect the rights of the data subjects and are regularly monitored by us. The external service providers used are:

a) Amazon (AWS)

b) Microsoft Azure

c) Notion Labs Inc.

d) Neon.Tech

e) Google (Cloud Platform + Firebase)

f) Anthropic PBC

g) OpenAI Inc.

h) Switchboard Inc.

6.10 Storage period:

We store the aforementioned data for minimum 30 days and after that anonymize the data completely for statistical reasons only.

7. Business communication

In the following, we inform you about how we process general business communication data of our business partners or employees of our business partners, including any visitors at our offices and prospective partners.

7.1 Scope of data processing:

As part of our business relationship with you as a business partner or employee of business partners, we process the data that we receive from you or your employer. In particular, this is data that we receive if you have contact with our employees. We process the following categories of data in this context:

a) Professional contact and organizational data: e.g. surname, first name, title, academic degree, gender, name of the company you work for, department, professional email address, address, telephone number;

b) Data on professional circumstances: e.g. job title, tasks, activity, qualifications;

c) Other: In addition, we may process other data that you provide during interactions with our employees or that we have legitimately collected about you from publicly available sources (e.g. commercial register).

7.2 Purpose of data processing:

Your data will be processed by us for the purpose of establishing and implementing the contractual relationship with our business partner and to comply with legal requirements.

7.3 Legal basis for data processing:

a) If you are personally our business partner, the processing is carried out on the basis of Art. 6 para. 1 lit. b GDPR for the execution or initiation of a contract.

b) For the purpose of fulfilling legal obligations, processing is carried out on the basis of Art. 6 para. 1 lit. c GDPR in conjunction with legal and official requirements (e.g. from tax and commercial law).

c) If you are an employee of one of our business partners, your data will be processed on the basis of our overriding legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the functioning and practicable cooperation with our business partners and the employees of our business partners.

7.4 Recipients of the data:
At our company, only those people who need it for the purposes described above have access to your data. Personal data may be processed by external service providers (e.g. support, hosting or analysis service providers) on the basis of contracts in accordance with Art. 28 GDPR. The external service providers have been carefully selected and commissioned by us. They are contractually bound by our instructions, have suitable technical and organizational measures in place to protect the rights of the data subjects and are regularly monitored by us. We use cloud storage providers, collaboration and communication tools, customer relationships management solutions and AI services.

7.5 Storage duration:

8. Contact Form

8.1 Scope of data processing:

If you use our contact form to get in touch with us, we process the personal data provided by you in this case.

8.2 Purpose of data processing:

The purpose of the processing is to contact you as requested and to provide the information you have requested.

8.3 Legal basis for data processing:

If the purpose of the contact is to initiate or execute a contract, the legal basis is Art. 6 para. 1 lit. b GDPR.

If it is not a (pre-)contractual purpose, the processing is carried out on the basis of a legitimate interest of the controller (e.g. for general communication, answering questions) in accordance with Art. 6 para. 1 lit. f GDPR.

8.4 Recipients of the data:

At our company, only those people who need it for the purposes described above have access to your data. Personal data may be processed by external service providers (e.g. support, hosting or analysis service providers) on the basis of contracts in accordance with Art. 28 GDPR. These include communication tools and cloud infrastructure services.

8.5 Storage period:

The data will be stored for as long as it is necessary to respond to your request. If this results in a contract, the data will be stored in accordance with the previous section. Otherwise, we store the data within the statutory periods and then delete it.

9. Marketing e-mails

9.1 We occasionally send e-mails with advertising content. In this context, we generally process the following data

a) Surname, first name, title;

b) Professional position and company affiliation;

c) e-mail address and

d) Information about whether and when the emails were opened and what content in the email was clicked on, if any.

9.2 We send promotional emails for marketing purposes. If a business relationship already exists and our advertising measure relates to similar services, the legal basis is Art. 6 para. 1 lit. f GDPR. Otherwise, we obtain consent in advance. In this case, the legal basis is Art. 6 para. 1 lit. a GDPR.

9.3 We use the service Outlook and Pipedrive to send and analyze marketing emails. We have concluded an order processing agreement with Pipedrive in accordance with Art. 28 GDPR.

9.4 You can object to receiving marketing emails at any time and without giving reasons. To do so, click on the unsubscribe link contained in every marketing email or contact us using the contact details above.

10. Video conferencing tools

10.1 We use third-party video conferencing tools to conduct video and audio conferences, webinars and other types of video and audio meetings. The following categories of data are processed:

a) Inventory data (e.g. names, addresses),

b) Contact data (e.g. email, telephone numbers),

c) Content data (e.g. text entries, photographs, videos),

d) meta/communication data (e.g. device information, IP addresses).

10.2 The data is processed in order to set up and conduct online meetings or video conferences. The processing is carried out on the legal basis of Art. 6 para. 1 lit. b GDPR for the execution of the contract or in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interests in efficient and secure communication with our communication partners.

10.3 We have concluded an agreement with the providers of the video conferencing solution for order processing in accordance with Art. 28 GDPR.

11. Job applications

If you would like to become part of our team and you apply to us, we will process your personal data as follows:

11.1 Scope of data processing:

During the application process, we process the following categories of data

a) Private contact and identification data: e.g. surname, first name, academic degree, gender, e-mail address, address and telephone number;

b) Data on professional qualifications, such as school and educational qualifications, language skills, as well as your place of study or training, certificates;

c) Curriculum vitae and data contained therein and

d) Other data provided as part of the application.

11.2 Purpose of data processing:

We process the application data exclusively for the purpose of carrying out the application process.

11.3 Legal basis for data processing:

The legal basis for data processing is § 26 para. 1 BDSG and Art. 6 para. 1 lit. b GDPR.

11.4 Recipient of the data:

The application documents are sent to the contact person named in the job advertisement and are forwarded internally to other employees responsible for the application process. We use external service providers for the application process who process personal data strictly in accordance with instructions on the basis of an order processing agreement in accordance with Art. 28 GDPR. We use the following service provider for the application process: Leapsome GmbH, Brunnenstraße 153, 10115 Berlin, Germany.

11.5 Storage period:

If an employment relationship is established, we will continue to process the application data for the purposes of the employment relationship. Detailed information on this is provided in the data protection information for employees. In the event that no employment relationship is established, we generally store the application data for a period of six months from the date of rejection. The application documents are then deleted.

12. Social media

12.1 We operate various profiles in social media in order to provide information there and to be able to contact you. Please note that the respective social media operators may store cookies in your browser in which your usage behavior is stored for market research and advertising purposes. These usage profiles can also be created across devices. The platform operators evaluate these usage profiles in order to display personalized advertising to you. People who are not registered as users with the respective platform may also be affected by data processing. The data may also be shared by platform operators with other companies and transferred to countries outside the EU.

12.2 We receive information from the platform operator, in particular statistical evaluations, about visits to our profile. This may also involve personal data. Both we and the respective platform operator are jointly responsible for the processing of personal data in this context. A corresponding agreement on joint processing will be published by the respective platform operator. The processing of your personal data when you visit one of our profiles is based on our legitimate interests in a diverse external presentation of our company and the use of an effective information option to improve our external presentation and communication with you. The legal basis for this is Art. 6 para. 1 lit. f GDPR. If you have given a platform operator your consent to data processing, Art. 6 para. 1 lit. a GDPR is the legal basis.

12.3 Further information on the scope, purpose and legal basis of data processing on LinkedIn and your rights vis-à-vis the platform operator can be found here: https://de.linkedin.com/legal/privacy-policy

13. Data security

13.1 We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties, taking into account the state of the art, implementation costs and the nature, scope, context and purpose of processing as well as the existing risks of a data breach (including its likelihood and impact) for the data subject. Our security measures are continuously improved in line with technological developments.

13.2 We will be happy to provide you with more detailed information on request. Please contact our data protection officer for more information.

14. Profiling

We will not use personal data collected from you for any automated decision-making process (including profiling).

15. Competent supervisory authority

Responsible for the supervision of us is

Berlin Commissioner for Data Protection and Freedom of Information

Alt-Moabit 59-61, 10555 Berlin

Telephone: +49 30 13889-0

E-mail: [email protected]

General Cookies

Cookies from WordPress

Name	Purpose	Validity
wordpress_test_cookie	This cookie determines whether the use of cookies has been disabled in the browser. Duration of storage: Until the end of the browser session (will be deleted when closing your internet browser).	Session
PHPSESSID	This cookie stores your current session with respect to PHP applications, ensuring that all features of this website based on the PHP programming language are fully displayed. Duration of storage: Until the end of the browser session (will be deleted when closing your internet browser).	Session
wordpress_akm_mobile	These cookies are only used for the administration area of WordPress.	1 Year
wordpress_logged_in_akm_mobile	These cookies are only used for the administration area of WordPress and do not apply to other site visitors.	Session
wp-settings-akm_mobile	These cookies are only used for the administration area of WordPress and do not apply to other site visitors.	Session
wp-settings-time-akm_mobile	These cookies are only used for the administration area of WordPress and do not apply to other site visitors.	Session
ab	Is used for A / B testing of new features.	Session
akm_mobile	saves if the visitor wants to see the mobile version of a website.	1 Day

Cookies from DSGVO AIO for WordPress

Name	Purpose	Validity
dsgvoaio	This LocalStorage key / value stores which services the user has agreed to or not.	variable
_uniqueuid	This LocalStorage key / value stores a generated ID so that the user's opt-in / opt-out actions can be documented. The ID is stored anonymously.	variable
dsgvoaio_create	This LocalStorage key / value stores the time when _uniqueuid was generated.	variable
dsgvoaio_vgwort_disable	This LocalStorage key / value stores whether the service VG word standard is allowed or not (setting of the page operator).	variable
dsgvoaio_ga_disable	This LocalStorage key / value stores whether the service Google Analytics Standard is allowed or not (Hiring the site operator).	variable